Configuring SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an essential step towards improving email deliverability and protecting your domain against email spoofing and phishing attacks.
More and more email providers are now enforcing these and will block your email if they are not set up correctly.
Here’s a guide on how to correctly configure these email authentication mechanisms:
SPF (Sender Policy Framework):
What is SPF? SPF is an email authentication protocol that allows the owner of a domain to specify which mail servers are authorised to send emails on behalf of that domain.
Configuration Steps:
- Access DNS Records:
  - Log in to your domain registrar or DNS hosting provider’s control panel.
  - Locate the DNS management section.
- Create SPF Record:
  - Add a new TXT record.
  - Set the TXT value to your SPF record. This will reference each system that is allowed to send email from your domain. For example:
    v=spf1 include:spf.protection.outlook.com include:amazonses.com ip4:100.2.30.4 -all
    In this example, the SPF record authorises all email sent from Office 365 (include:spf.protection.outlook.com), Amazon SES (include:amazonses.com) and from the IP address 100.2.30.4.
  - The “-all” indicates that these are the only allowed senders for your domain, and email from anywhere else is not authentic.
  - Modify the “include:” part to reference the SPF records of the email services you use. These services could be CRMs, bulk mailing systems or other online services that send mail from your domain. They usually publish guidance on how to configure SPF for their specific service as well.
  - Modify the “ip4:” part to include the IP address of any server that sends email directly from your domain, such as web servers with contact forms.
- Test Your SPF Record:
  - Use online SPF validation tools (for example the SPF Check & SPF Lookup tool at MxToolBox) to check that your SPF record is configured correctly.
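The following is an added example, not code from the guide or from any of the tools it mentions: a small offline inspector that parses an SPF TXT record the way the steps above describe building one, flags common mistakes (a misspelt mechanism such as “ipv4:”, a missing or permissive “all”, and too many lookup-consuming terms, since SPF evaluation fails with permerror after 10 DNS lookups), and checks whether a given server IP is listed directly. It does not resolve “include:” targets, so it only inspects the record you are about to publish. The sample record is the one from this guide.

```python
"""Static SPF record checks (added example; offline, does not resolve DNS)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Terms that cost a DNS lookup; SPF evaluation fails (permerror) beyond 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
MAX_LOOKUPS = 10


@dataclass
class SpfTerm:
    qualifier: str   # one of + - ~ ?  ("+" is the default)
    name: str        # mechanism or modifier name, e.g. "include", "ip4", "all"
    value: str       # argument after ":" or "=" (empty for "all")


@dataclass
class SpfReport:
    terms: list = field(default_factory=list)
    lookups: int = 0
    all_qualifier: str = ""   # qualifier on the final "all", "" if absent
    problems: list = field(default_factory=list)


def parse_spf(record: str) -> list:
    """Split an SPF TXT record into qualified terms. Raises ValueError if not v=spf1."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z0-9]+)(.*)", tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        qual = m.group(1) or "+"
        name = m.group(2).lower()
        value = m.group(3).lstrip(":=")   # drop the separator; "a/24" keeps "/24"
        terms.append(SpfTerm(qual, name, value))
    return terms


def inspect_spf(record: str) -> SpfReport:
    """Count lookups, validate ip4/ip6 values and check the closing 'all' mechanism."""
    rep = SpfReport()
    rep.terms = parse_spf(record)
    for t in rep.terms:
        if t.name not in KNOWN_TERMS:
            rep.problems.append(f"unknown mechanism {t.name!r} (did you mean ip4/ip6/include?)")
        if t.name in LOOKUP_TERMS:
            rep.lookups += 1
        if t.name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(t.value, strict=False)
            except ValueError:
                rep.problems.append(f"bad {t.name} value: {t.value!r}")
    names = [t.name for t in rep.terms]
    if names and names[-1] == "all":
        rep.all_qualifier = rep.terms[-1].qualifier
    elif "redirect" not in names:
        rep.problems.append("record does not end with an 'all' mechanism")
    if rep.all_qualifier == "+":
        rep.problems.append("'+all' authorises every host on the internet")
    if rep.lookups > MAX_LOOKUPS:
        rep.problems.append(f"{rep.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    return rep


def ip_listed_directly(record: str, ip: str) -> bool:
    """True if `ip` is covered by an ip4/ip6 term in the record itself (includes are not followed)."""
    addr = ipaddress.ip_address(ip)
    for t in parse_spf(record):
        if t.name in ("ip4", "ip6") and t.qualifier == "+":
            net = ipaddress.ip_network(t.value, strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False


# Constructed sample: the record from the guide above.
EXAMPLE_RECORD = "v=spf1 include:spf.protection.outlook.com include:amazonses.com ip4:100.2.30.4 -all"

if __name__ == "__main__":
    r = inspect_spf(EXAMPLE_RECORD)
    print(f"lookups used: {r.lookups}/{MAX_LOOKUPS}, all qualifier: {r.all_qualifier}")
    for p in r.problems:
        print("problem:", p)
    print("100.2.30.4 listed directly:", ip_listed_directly(EXAMPLE_RECORD, "100.2.30.4"))
```

Each “include:” you add for a CRM or mailing service spends one of the ten lookups, and the included records spend more of their own, so run a full online lookup tool as well before you publish; this script only catches what is visible in your own record.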
DKIM (DomainKeys Identified Mail):
What is DKIM? DKIM adds a digital signature to outgoing emails, allowing the recipient to verify that the email was sent by an authorized sender and that it hasn’t been tampered with in transit.
The configuration steps for DKIM will vary for different email services, so it is important to look for documentation from the service provider to make sure you get it right.
We use Microsoft 365 as an example below.
Setting up DKIM for Office 365:
1. Accessing Office 365 Admin Center:
- Log in to the Office 365 Admin Center using your administrator credentials.
2. Navigate to Security Admin Center:
- Go to the “Admin Centers” section, and then click on “Security” to access the Security Admin Center.
- Next navigate to “Email & Collaboration / Policies and Rules”.
- Select “Threat Policies” then “Email Authentication Settings”.
- Now navigate to the “DKIM” tab.
3. Enable DKIM:
- In the DKIM tab you will see all your registered domains in Office 365. Select the one you wish to enable DKIM for.
- If DKIM is not already enabled, click on the “Enable” button.
4. Generate DKIM Key:
- After enabling, Office 365 will generate a DKIM key pair for your domain.
5. Copy the DKIM Selector and DNS Record:
- Follow the instructions to copy the DKIM selector records. For Office 365 these are CNAME records and typically start with “selector1” and “selector2”.
- Copy the entire DNS record provided for that selector.
6. Add DKIM DNS Record:
- Open your DNS management console with your domain registrar or DNS provider.
- Add a new CNAME record with the host being the DKIM selector and the value being the entire DNS record you copied in the previous step.
- Do this for both “selector1” and “selector2” records.
- Save the DNS record.
7. Verify DKIM Setup:
- Return to the Email Authentication Settings page and navigate to the “DKIM” section.
- Verify that the DKIM status for your domain shows as “Enabled.”
- It can often take a few minutes to a few hours for the new DNS records to be recognised, so you may need to try again later.
8. Send a Test Email:
- Send a test email from your Office 365 account.
- Use an email authentication or DKIM verification tool to confirm that the DKIM signature is valid. MxToolBox has a good one here: https://mxtoolbox.com/SuperTool.aspx?action=dkim
DMARC (Domain-based Message Authentication, Reporting, and Conformance):
What is DMARC? DMARC builds on SPF and DKIM, providing a way for senders to instruct email receivers on how to handle unauthenticated emails.
Configuration Steps:
- Create DMARC Record:
  - Add a TXT record in your DNS settings for DMARC.
  - For example:
    v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com
    The “p” tag indicates the policy and can be set to “none”, “quarantine” or “reject”.
- Specify Reporting Email Addresses:
  - Set “rua” (Aggregate Reports) or “ruf” (Forensic Reports) to the email address where you want to receive DMARC reports.
  - This can be an internal email address, or you can use a third party like Valimail (https://www.valimail.com/) to monitor these for you.
  - It’s important to monitor these reports so you can identify legitimate email sources and potentially spoofed or malicious emails.
- Test DMARC Configuration:
  - Use a DMARC checking tool (for example the DMARC Check Tool at MxToolBox, the Domain Message Authentication Reporting & Conformance Lookup) to confirm that your DMARC record is valid and effective.
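As an added example (not code from the guide, Valimail or MxToolBox), the script below parses a DMARC record of the shape shown above, reports configuration problems, shows which policy applies to subdomains when “sp” is not set, and works out what a receiver does with a message from its aligned SPF and DKIM results, which is how DMARC builds on the two mechanisms described earlier. It also lists report destinations outside your own domain, because a third-party monitoring service only receives your reports once it publishes an authorisation TXT record at <your-domain>._report._dmarc.<its-domain>. The domain dmarc-reports.example is a constructed placeholder, not any real provider’s address.

```python
"""DMARC record checks and policy lookup (added example; offline, no DNS queries)."""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    tags: dict = field(default_factory=dict)    # raw tag=value pairs, keys lower-cased
    problems: list = field(default_factory=list)

    @property
    def policy(self) -> str:
        return self.tags.get("p", "")

    @property
    def subdomain_policy(self) -> str:
        # "sp" falls back to "p" when it is not set
        return self.tags.get("sp", self.policy)

    @property
    def pct(self) -> int:
        # percentage of failing mail the policy is applied to; defaults to 100
        return int(self.tags.get("pct", "100"))


def _mailto_domains(value: str) -> list:
    """Mailbox domains from a comma-separated list of mailto: URIs (size suffix like !10m stripped)."""
    domains = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            addr = uri[len("mailto:"):].split("!", 1)[0]
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def parse_dmarc(record: str) -> DmarcRecord:
    """Parse a _dmarc TXT record and collect configuration problems."""
    rec = DmarcRecord()
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            rec.problems.append(f"malformed tag: {part!r}")
            continue
        key, value = part.split("=", 1)
        rec.tags[key.strip().lower()] = value.strip()
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        rec.problems.append("record must begin with v=DMARC1")
    if rec.policy not in VALID_POLICIES:
        rec.problems.append(f"p must be one of {VALID_POLICIES}, got {rec.policy!r}")
    if "sp" in rec.tags and rec.tags["sp"] not in VALID_POLICIES:
        rec.problems.append(f"sp must be one of {VALID_POLICIES}, got {rec.tags['sp']!r}")
    for tag in ("rua", "ruf"):
        for uri in rec.tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                rec.problems.append(f"{tag} destination is not a mailto: URI: {uri}")
    if "rua" not in rec.tags:
        rec.problems.append("no rua address: you will receive no aggregate reports")
    return rec


def external_report_domains(rec: DmarcRecord, domain: str) -> list:
    """Report receivers outside `domain`, e.g. a third-party monitoring service.

    Each must publish a TXT record at <domain>._report._dmarc.<receiver-domain>
    containing "v=DMARC1" before mail receivers will send it your reports.
    """
    domain = domain.lower()
    found = set()
    for tag in ("rua", "ruf"):
        for d in _mailto_domains(rec.tags.get(tag, "")):
            if d != domain:
                found.add(d)
    return sorted(found)


def dmarc_disposition(rec: DmarcRecord, spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver does with one message, given its aligned SPF and DKIM results.

    DMARC passes if either SPF or DKIM passes and aligns with the From: domain;
    otherwise the published policy applies (pct sampling ignored here).
    """
    if spf_aligned or dkim_aligned:
        return "pass"
    return rec.policy


# Constructed samples: the record from the guide above, and one reporting to a placeholder third party.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"
THIRD_PARTY_RECORD = "v=DMARC1; p=none; rua=mailto:agg@dmarc-reports.example"

if __name__ == "__main__":
    rec = parse_dmarc(EXAMPLE_RECORD)
    print("policy:", rec.policy, "| subdomain policy:", rec.subdomain_policy, "| pct:", rec.pct)
    print("problems:", rec.problems)
    print("unaligned message would be:", dmarc_disposition(rec, False, False))
    print("external report receivers:", external_report_domains(parse_dmarc(THIRD_PARTY_RECORD), "example.com"))
```

The gradual deployment suggested in the tips below maps directly onto the “p” tag: publish “p=none” with a “rua” address first, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, then move to “quarantine” and finally “reject”.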
Additional Tips:
- Use an online wizard to help create your records: tools are available to help you create the most appropriate SPF and DMARC records for your organisation. Two examples are the DMARC Record Wizard from dmarcian and the SPF Record Generator from MxToolBox.
- Monitor Reports Regularly: Regularly review DMARC reports to identify and address any issues.
- Gradual Deployment: Consider a gradual deployment of these records to avoid disruptions.
- Regularly Update Keys: Rotate DKIM keys periodically for enhanced security.
Remember to consult the documentation provided by your email service provider for specific instructions tailored to your setup.
If you need any assistance with your email security, please get in touch; we’d be happy to help (Contact | Greystone).