
SPF, DKIM and DMARC

Description of terms and functionality

SPF, DKIM, and DMARC are useful mechanisms for protecting your domain and email communications from misuse by cybercriminals (email spoofing, phishing). The three protocols complement each other and are described below.

1 - SPF

An SPF (Sender Policy Framework) record is used to verify the sender address of an email via DNS.

Specifically, a record is created in the DNS zone of the sending domain that lists the mail servers allowed to send for it. The receiving server can then verify that the connecting mail server is authorized to send emails on behalf of this domain.

1.1 - SPF Syntax

Below is an example of an SPF record:

Subdomain      TYPE   Value
domain.tld.    TXT    "v=spf1 a mx ip4:192.168.1.1 include:mti99999999.secure-node.com -all"

The root domain (@) is specified here as the "subdomain". This means that when sending from [email protected], the SPF record of the root domain is used. If, for example, emails are sent via [email protected], the SPF record for "subdomain.domain.tld." must be set up:

Subdomain                TYPE   Value
subdomain.domain.tld.    TXT    "v=spf1 a mx ip4:192.168.1.1 include:mti99999999.secure-node.com -all"

An SPF record must always be created as a TXT record. Further information about TXT records can be found in the article: TXT Records

The value of an SPF record must always begin with "v=spf1". This indicates the current version number.

For example, if you send emails via the server mti99999999.secure-node.com and want to verify them with an SPF record, the SPF record for the example domain domain.tld must be modified as follows:

Subdomain      TYPE   Value
domain.tld.    TXT    "v=spf1 include:mti99999999.secure-node.com -all"

The example shows how the server's hostname is included in the SPF record using the "include:" directive. This instructs the receiving server to evaluate the SPF record published for that hostname as well. The SPF record of the mail server then lists the IP addresses that are allowed to send.

If you want to allow a specific IPv4 address directly, you must configure this using the tag "ip4:":

Subdomain      TYPE   Value
domain.tld.    TXT    "v=spf1 ip4:192.168.1.1 -all"

As shown in the first example, you can combine multiple expressions. It is also recommended to include the expressions "a" and "mx" in the SPF record. The "a" expression checks all IPv4 entries for the domain. The "mx" expression tests all IPv4 addresses of the hosts in the domain's MX records. If the sending server's IP address is among them, the email passes the SPF check.

At the end of the SPF record, you will find the expression "-all". This means that all emails that fail the SPF check must be rejected. Alternatively, you can use "~all", which indicates that emails failing the SPF check are still accepted but marked as a soft failure. We recommend using "-all" so that only the mail servers listed in the SPF record are allowed to send.
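As an added example that is not part of the original article, the following Python code evaluates an SPF record the way a receiving server does: it walks the mechanisms a, mx, ip4 and include of the record shown above, recurses into the included domain, and returns the result selected by the final "-all" or "~all" qualifier. The DNS data is a constructed fixture standing in for real lookups; apart from the address taken from the record above, the IP addresses are documentation ranges chosen for the example.

```python
import ipaddress
# Constructed DNS fixture standing in for real lookups (not real zone data).
DNS = {
    "domain.tld.": {
        "TXT": ['"v=spf1 a mx ip4:192.168.1.1 include:mti99999999.secure-node.com -all"'],
        "A": ["203.0.113.10"],
        "MX": ["mail.domain.tld."],
    },
    "mail.domain.tld.": {"A": ["203.0.113.20"]},
    "mti99999999.secure-node.com.": {"TXT": ['"v=spf1 ip4:198.51.100.0/24 ~all"']},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    # Normalise to a fully qualified name and read from the fixture
    return DNS.get(name.rstrip(".") + ".", {}).get(rtype, [])

def spf_record(domain):
    # The SPF record is the TXT record whose value starts with "v=spf1"
    for txt in lookup(domain, "TXT"):
        if txt.strip('"').lower().startswith("v=spf1"):
            return txt.strip('"')
    return None

def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP address.
    Returns pass, fail, softfail, neutral, or none (no record / too deep)."""
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None or depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # A records of the domain (or of the named host)
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":  # A records of every MX host of the domain
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":  # recurse; only a "pass" of the included record matches
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

Note the difference between the two records in the fixture: an unlisted sender gets "fail" from the domain's "-all" but only "softfail" from the included server's "~all".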

2 - DKIM

A DKIM (DomainKeys Identified Mail) record is used to authenticate a sender. This is achieved by adding a digital signature to emails.

The signature is created on the sender's server using a private key and included in the email header. The public key is stored as a DNS record for the sender's domain.

The recipient's server can use the public key to verify the signature and thus determine whether the sender is authenticated or if the email was altered during transmission.

2.1 - DKIM Syntax

Below is an example of a DKIM entry:

Subdomain                         TYPE   Value
default._domainkey.domain.tld.    TXT    "v=DKIM1; k=rsa; p=EXAMPLEfMA0GCSqGSIb34CRdR/2QT1VH7ID2xJ971u/7AdNr/IaaA8dTdb8VyDQE8g0jfdI2rUsArspvomHL+8VEMyuhpGvTap+LaM21//khwDK4yv5t47kBAQUAA4GNDAQAB"

The subdomain consists of two parts: first, the "selector", which is defined by your email provider (in our example, "default"), and second, the label "_domainkey", which indicates that this is a DKIM record.

The DKIM record is usually stored as a TXT record directly within the corresponding domain. However, it's also possible for it to be a CNAME record pointing to another domain and stored there as a TXT record.

The value consists of several tags. Every DKIM record must begin with the DKIM version, "v=DKIM1;". "k=rsa;" describes the cryptographic algorithm, which is usually RSA. The public key begins with "p=", followed by the base64-encoded key. You also receive this key from your email provider.

3 - DMARC

A DMARC record (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do with an email once it has been checked with SPF and verified with DKIM, and where to send reports about those checks.

3.1 - DMARC Syntax

Below is an example of a DMARC entry:

Subdomain             TYPE   Value
_dmarc.domain.tld.    TXT    "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];"

The subdomain "_dmarc" indicates that this is a DMARC record. This record is also inherited by all other subdomains unless explicitly disabled in the DMARC record. This means that a DMARC under the root domain (@) also applies to, for example, examplesubdomain.domain.tld.

The DMARC specification requires a DNS record of type TXT containing the corresponding value.

The value consists of several tags. Every DMARC record must begin with the DMARC version "v=DMARC1;". "p=quarantine;" describes the policy you want to use. "p=none;" and "p=reject;" can also be used instead:

  • p=none; - If SPF and DKIM fail, the email will still be delivered to the recipient (not recommended).

  • p=quarantine; - If SPF and DKIM fail, the recipient's server should move the email to the spam folder.

  • p=reject; - If SPF and DKIM fail, the email will be blocked.

The tags "rua=mailto:" and "ruf=mailto:" specify the email addresses to which the receiving mail server should send its reports:

  • rua=mailto: - Aggregated reports: Receive daily statistics showing which IP addresses sent emails on your behalf.

  • ruf=mailto: - Forensic reports (real-time error messages): Whenever an email fails DMARC validation, the recipient server sends you a copy of the email for further analysis.
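As an added example that is not part of the original article, the following Python code shows how a receiving server applies a DMARC record like the one above: it looks up _dmarc.<domain>, walks up to the parent domain to model the inheritance by subdomains described above, parses the tags, and derives the disposition of a message from its SPF and DKIM results. The DNS data and the report addresses are constructed; alignment and subdomain handling are simplified as noted in the comments.

```python
# Constructed DNS fixture (not real zone data): only the root domain publishes a
# DMARC record, so the subdomain case relies on inheritance.
DNS_TXT = {
    "_dmarc.domain.tld.": '"v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@domain.tld; ruf=mailto:dmarc-ruf@domain.tld;"',
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; rua=...' into a dictionary of tags."""
    tags = {}
    for part in record.strip('"').split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.lower()] = value.strip()
    return tags

def find_dmarc(from_domain):
    """Query _dmarc.<domain>, then walk up the labels to model inheritance by
    subdomains. Simplification: a real receiver stops at the organizational domain
    (Public Suffix List) and honours the sp= subdomain policy tag; this does neither."""
    labels = from_domain.rstrip(".").lower().split(".")
    while len(labels) >= 2:
        record = DNS_TXT.get("_dmarc." + ".".join(labels) + ".")
        if record and record.strip('"').lower().startswith("v=dmarc1"):
            return parse_dmarc(record)
        labels = labels[1:]
    return None

def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain equals the From: domain or the
    two are parent and child. Simplification of the organizational-domain rule."""
    a, f = auth_domain.rstrip(".").lower(), from_domain.rstrip(".").lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return none, quarantine or reject for a message, given the SPF result for the
    envelope sender domain and the DKIM result for the signing (d=) domain."""
    policy = find_dmarc(from_domain)
    if policy is None:
        return "none"  # no DMARC record published: DMARC does not apply
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "none"  # DMARC passes when at least one aligned check passes
    return policy.get("p", "none")  # otherwise the published p= policy applies
```

An SPF "pass" for an unrelated envelope sender domain does not help: without alignment to the From: domain the message still falls under the p= policy.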
