There are three main email standards to help prevent spoofing and phishing of your organization. These standards also help ensure your outgoing messages aren’t marked as spam.
- Sender Policy Framework (SPF) lets the domain owner authorize IP addresses that are allowed to send email for the domain. Receiving servers can verify that messages appearing to come from a specific domain are sent from servers allowed by the domain owner.
- DomainKeys Identified Mail (DKIM) adds a digital signature to every sent message. Receiving servers use the signature to verify that messages are authentic and were not forged or changed in transit. Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps prevent hackers and other attackers from impersonating a domain. DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.
SPF Record Format
To turn on SPF for your domain, add a Domain Name System (DNS) TXT record.
Basic SPF Example
v=spf1 include:yourdomain.com ~all
Advanced SPF Example
v=spf1 mx ip4:22.21.214.113/16 ip4:102.233.66.21/29 a:domain.com a:anotherdomain.com include:domain.com include:anotherdomain.com ~all
SPF Record Tags
Tag | Description | Options |
---|---|---|
v | Protocol version. It MUST be the first tag in the SPF record. | v=spf1 |
mx | Authorizes the hosts listed in a domain's MX records (the A record IPs of those hosts). Used on its own it refers to the current domain; with a domain or host name after it, it uses that domain's MX records. | mx or mx:domain.com |
a | Authorizes the IP addresses in a domain's A record. Used on its own it refers to the current domain; with a domain or host name after it, it uses that domain's A record. | a or a:domain.com |
ip4 | Specifies an IPv4 address or CIDR range that is allowed to send mail for the domain. | ip4:1.2.3.4 (IP address) or ip4:1.2.3.4/11 (IP range) |
ip6 | Specifies an IPv6 address or CIDR range that is allowed to send mail for the domain. | ip6:xxxx::23 (IP address) or ip6:2001:xxxx::/36 (IP range) |
include | Authorizes the senders listed in another domain's SPF record. Often used when a third-party service sends mail for you, or when multiple domains/sub-domains send email. | include:domain.com |
exists | Performs an A record lookup on the given domain. If an A record exists, the mechanism matches. | exists:domain.com |
all | This tag MUST go at the end of your record and tells the recipient what to do when nothing else in the record matches. | -all (fail): treat mail as suspicious. ~all (softfail): neutral recommendation. ?all (neutral): up to the recipient. |
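An added lint for the record format above (example code, not from the original page): it parses a record into qualifier/mechanism/value terms and flags the mistakes the table warns about, such as a misplaced all, an over-permissive +all, an invalid CIDR, and more than the 10 DNS-lookup mechanisms RFC 7208 allows. The advanced example from this page passes cleanly.

```python
import ipaddress
import re
from collections import namedtuple

# Mechanisms that cost a DNS lookup; RFC 7208 caps an evaluation at 10 of
# these (the redirect modifier counts too) before the result is permerror.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

# qualifier: one of + - ~ ? ("+" implied); value: text after ':' or '=', empty for bare mx/a/all
SpfTerm = namedtuple("SpfTerm", "qualifier name value")

def parse_spf(record: str) -> list:
    """Split an SPF TXT record into terms; ValueError on structural errors."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        m = re.fullmatch(r"([a-z][a-z0-9-]*)(?:[:=](.*))?", raw, re.IGNORECASE)
        if not m:
            raise ValueError(f"malformed term: {raw!r}")
        terms.append(SpfTerm(qualifier, m.group(1).lower(), m.group(2) or ""))
    return terms

def check_spf(record: str) -> dict:
    """Lint a record against the table above: v first, all last, lookup budget, valid CIDRs."""
    terms = parse_spf(record)
    problems = []
    all_idx = [i for i, t in enumerate(terms) if t.name == "all"]
    if not all_idx:
        problems.append("no 'all' term: unmatched senders get a neutral result")
    elif all_idx[0] != len(terms) - 1:
        problems.append("'all' is not the last term: later terms are never evaluated")
    elif terms[-1].qualifier == "+":
        problems.append("+all authorizes every host on the internet to send as this domain")
    lookups = sum(1 for t in terms if t.name in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    for t in terms:
        if t.name in ("ip4", "ip6"):
            try:  # strict=False accepts host bits in a CIDR, e.g. 22.21.214.113/16
                net = ipaddress.ip_network(t.value, strict=False)
                if net.version != int(t.name[2]):
                    problems.append(f"{t.name}:{t.value} is the wrong address family")
            except ValueError:
                problems.append(f"{t.name}:{t.value} is not a valid address or CIDR")
    return {"terms": terms, "lookups": lookups, "problems": problems}
```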
DKIM Record Format
To enable DKIM signatures for your domain, add a Domain Name System (DNS) TXT record. Note: some mail providers may use a CNAME record instead. DKIM keys are generated by your mail provider, and the record is typically auto-generated with a matching host and value.
Basic DKIM Host Example
yoursite._domainkey
Basic DKIM Value Example
v=DKIM1; k=rsa; p=YoUrKeYhAsH
DKIM Record Tags
Tag | Description | Options |
---|---|---|
s= (signature header) | Indicates the selector record name, used together with the domain to locate the public key in DNS. The value is a name or number created by the sender. | s= is included in the DKIM signature. |
d= (signature header) | Indicates the domain used with the selector (s=) to locate the public key. The value is a domain name owned by the sender. | d= is included in the DKIM signature. |
p= | Indicates the public key a mailbox provider uses to verify the DKIM signature. | |
v= | Version of the DKIM record. The value must be DKIM1 and it must be the first tag in the DNS record. | v=DKIM1 |
t= | Flags: indicates the domain is testing DKIM, or requires the domain in the signature's i= tag to match its d= tag. | t=y indicates the domain is testing DKIM. t=s requires the match. |
g= | Granularity of the public key. | |
h= | Indicates which hash algorithms are acceptable. | Defaults to allowing all algorithms; you can restrict it to sha1 and/or sha256. |
k= | Key type. | k=rsa |
n= | Notes for administrators, not end users. | |
s= (DNS record) | Indicates the service type to which this record applies. The default value is a wildcard asterisk (*), which matches all service types. | * (default) or a specific service type such as email |
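Two checks a verifier performs with the host and value shown above, as an added example that is not part of the original page: it derives the DNS query name from the s= and d= tags of a DKIM-Signature header, and lints the TXT record for the tag rules in the table (v first, a usable p=, key type, hash algorithms, test flag). The selector yoursite and domain yourdomain.com come from the page; the base64 key material in the test is constructed and is not a real key.

```python
import base64

def parse_dkim_tags(text: str) -> dict:
    """Parse the 'tag=value; tag=value' list used by both the DNS record and the DKIM-Signature header."""
    tags = {}
    for part in text.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags

def dkim_query_name(signature_header: str) -> str:
    """Build the name a verifier looks up from the s= and d= tags: <selector>._domainkey.<domain>."""
    sig = parse_dkim_tags(signature_header)
    if not sig.get("s") or not sig.get("d"):
        raise ValueError("DKIM-Signature needs both s= (selector) and d= (domain)")
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_dkim_record(txt: str) -> list:
    """Return the problems found in a DKIM DNS TXT record; an empty list means it looks sound."""
    tags = parse_dkim_tags(txt)
    problems = []
    if "v" in tags and not txt.lstrip().startswith("v="):
        problems.append("v= must be the first tag when present")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= public key")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked; signatures will not verify")
    else:
        try:  # whitespace inside p= is allowed and ignored; binascii.Error is a ValueError
            base64.b64decode("".join(tags["p"].split()), validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    if "sha1" in tags.get("h", "").split(":"):
        problems.append("h= allows sha1, which RFC 8301 deprecates for DKIM")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing mode: receivers may ignore signature failures")
    return problems
```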
DMARC Record Format
To turn on DMARC for your domain, add a Domain Name System (DNS) TXT record.
Basic DMARC Example
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Advanced DMARC Example
v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com, mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s
DMARC Record Tags
Tag | Description | Options |
---|---|---|
v (required) | DMARC version. | Must be DMARC1. |
p (required) | Instructs the receiving mail server what to do with messages that don't pass authentication. | none = take no action. quarantine = send to the recipient's spam folder. reject = send a bounce message to the sending server. |
pct (optional) | Specifies the percentage of unauthenticated messages that are subject to the DMARC policy. If you don't use this option in the record, your DMARC policy applies to 100% of messages sent from your domain. | 0 to 100 |
rua (optional) | Email address that receives aggregate reports about DMARC activity for your domain. The address must include mailto: | mailto:dmarc@yourdomain.com |
ruf (optional) | Email address that receives failure reports. Failure reports are also called forensic reports and may not be supported by all mail providers. | mailto:ruf@yourdomain.com |
sp (optional) | Sets the policy for messages from subdomains of your primary domain. Use this option if you want a different DMARC policy for your subdomains. | none = take no action. quarantine = send to the recipient's spam folder. reject = send a bounce message to the sending server. |
adkim (optional) | Sets the alignment policy for DKIM, which defines how strictly the From: header domain must match the d= domain of the DKIM signature. | s = strict alignment: the From: domain must exactly match the d= domain in the DKIM signature. r = relaxed alignment (default): allows partial matches (a subdomain of the same organizational domain). |
aspf (optional) | Sets the alignment policy for SPF, which defines how strictly the From: header domain must match the domain that SPF checked (the envelope MAIL FROM, also called the Return-Path, domain). | s = strict alignment: the From: domain must exactly match the MAIL FROM domain. r = relaxed alignment (default): allows partial matches (a subdomain of the same organizational domain). |
DMARC Notes
- The v and p tags must be listed first; other tags can be in any order.
- If your domain uses Brand Indicators for Message Identification (BIMI), the DMARC p option must be set to quarantine or reject, and pct must be 100. BIMI doesn't support DMARC policies with p set to none or with pct set to less than 100.
- Configure DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) before configuring DMARC. DKIM and SPF should be authenticating messages for at least 48 hours before turning on DMARC.
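An added example (not part of the original page) that parses a DMARC record according to the table and notes above and then applies it the way a receiving server does: a message passes if either SPF or DKIM passed and the authenticated domain aligns with the From: domain under the aspf/adkim mode; otherwise the p= policy applies. The org_domain helper is a simplification (real receivers consult the Public Suffix List), and pct sampling and the sp subdomain policy are not modelled.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a dict, enforcing the tag rules in the table above."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"tag without value: {part.strip()!r}")
            tags.append((key.strip().lower(), value.strip()))
    if [k for k, _ in tags[:2]] != ["v", "p"]:
        raise ValueError("v= and p= must be the first two tags")
    pol = dict(tags)
    if pol["v"] != "DMARC1":
        raise ValueError("v must be DMARC1")
    if pol["p"] not in POLICIES or pol.get("sp", "none") not in POLICIES:
        raise ValueError("p and sp must be none, quarantine or reject")
    pol["pct"] = int(pol.get("pct", "100"))
    if not 0 <= pol["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    for key in ("rua", "ruf"):  # comma-separated list of mailto: URIs
        if key in pol:
            pol[key] = [u.strip() for u in pol[key].split(",")]
            if not all(u.startswith("mailto:") for u in pol[key]):
                raise ValueError(f"{key} addresses must use the mailto: scheme")
    pol.setdefault("adkim", "r")
    pol.setdefault("aspf", "r")
    return pol

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts any subdomain of the same organization."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str, spf_domain=None, dkim_d=None) -> str:
    """Return 'pass', or the policy a receiver should apply (none/quarantine/reject). spf_domain is the
    MAIL FROM domain when SPF passed, else None; dkim_d is the d= of a verified signature, else None."""
    pol = parse_dmarc(record)
    spf_aligned = spf_domain is not None and aligned(from_domain, spf_domain, pol["aspf"])
    dkim_aligned = dkim_d is not None and aligned(from_domain, dkim_d, pol["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"
    return pol["p"]
```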