Securing your domain name for email (continuation)
In the last post I wrote about the importance of email security and the available methods to achieve it. Now it's time to go a bit deeper and show how to set it up and how to check it, starting with the most basic of the methods: SPF.
Setting up a SPF Record
An SPF record is essentially a TXT DNS record that specifies which mail servers are authorized to send emails on behalf of your domain. The receiving email server then looks up this record to confirm that the email it received comes from an authorized source.
To set up an SPF record, create a TXT record at the root of the domain (usually shown as '@') with content looking something like this:
v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all
This SPF record example can then be broken down into four parts:
v=spf1 is the mandatory part of the record and indicates the version of SPF that is used (currently only version 1 is supported).
ip4:192.0.2.0 and ip4:192.0.2.1 indicate that the mail servers with these IP addresses are authorized to send emails from the domain.
include:examplesender.email indicates that the mail servers that are authorized by the SPF record of examplesender.email are also authorized to send emails from this domain.
-all indicates that no other mail servers are authorized to send emails from the domain.
Most of the SPF records will look something like the example above and if you want to validate your record you can always use an SPF record validator software.
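To show how a receiving server actually evaluates a record like the one above, here is an added example (not part of the original post) that parses an SPF record and checks a sender IP against it, following include: references. DNS lookups are replaced by a constructed in-memory table so it runs offline; only the mechanisms the post discusses (ip4, ip6, include, all) are handled, not a, mx or exists.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Real code would query the TXT record of each domain instead.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all",
    "examplesender.email": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it has none."""
    record = FAKE_DNS_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the domain's SPF record.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; stop runaway include chains
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version term
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # a bare address such as ip4:192.0.2.0 is a single-host network;
            # an IPv4 sender never matches an ip6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only if the referenced domain's record yields "pass"
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term
```

The record's trailing -all is what turns "nothing matched" into a hard fail; without it an unauthorized sender only gets "neutral", which receivers treat much like having no record at all.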
SPF record options
The SPF record can include many variations and if you want to know more, I would recommend a visit to open-spf.org
Set Up DKIM for Your Domain
DKIM is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.
DKIM uses public key cryptography to check email. The sending email service generates a string of characters known as a hash from the content of each outbound email. The sending service then signs the hash with its private key (colloquially, encrypts it) and adds the result to the email header.
To set up DKIM for your domain, you need to follow these steps:
Generate a pair of keys for your domain: a private key and a public key. You can use online tools like to help you generate your keys.
Publish your public key in your DNS records as a TXT record. The TXT record should have a specific format and syntax, as defined in RFC 6376. You can use online tools like DNS Checker to verify that your TXT record is published correctly.
Configure your email service or software to sign your outbound emails with your private key. This will vary from software to software, but here's a couple of links for Postfix and Exchange Online.
Finally, test your set up with online tools like MXToolbox.
Set Up DMARC for Your Domain
DMARC is an email authentication method that lets the receiver of an email know that the message was sent and authorized by the owner of a domain. It leverages SPF and the DKIM digital signature to guarantee the provenance of an email.
To achieve this, the receiving email service verifies the DKIM signature by looking up the public key of the sending domain in its DNS records. The receiving service then decrypts the hash with the public key and compares it with the hash it generates from the received email content. If the hashes match, it means that the email has not been tampered with and that it comes from a legitimate source.
How does DMARC work?
To understand how DMARC works we start with setting up SPF and DKIM, either of them would do, but preferably both, more on this below.
When an email is received, the receiving server does a DNS lookup and checks for an existing DMARC record.
If found, the receiving server will then perform a DMARC alignment test to verify if:
In the case of SPF, the domain of the "return-path" (envelope from) address matches the domain of the "From" address in the email header. Essentially this checks that the return path is the same as the visible sender.
In the case of DKIM, the signing domain in the DKIM signature's domain tag (d=) matches the domain of the "From" address the email was sent from.
If both authentications are set up, both alignment tests are performed.
Alignment can be "strict", where the sender and return-path domains need to be an exact match, or "relaxed", where the top-level sender and return-path domains need to match, but subdomains are allowed.
To know more about DMARC, you can go to DMARC.org.
DMARC policies
The method of verification explained above is controlled by the DMARC policy for the domain.
The DMARC policy provides instructions to the incoming server on what to do with emails that fail authentication.
There are 3 options or "policies":
“none” – the email should be treated as if no DMARC was set up. This provides no additional security but can be used to analyze the DMARC reports without influencing email deliverability.
“quarantine” – allows the email, but usually the message goes to the spam folder.
“reject” – discard the email that failed the check.
Policies can also be customized. A "quarantine" policy could, for example, instruct the email server to send only 10% of the emails with a failed check to the spam folder and treat the other 90% as if the policy were "none".
DMARC record
A DMARC record looks something like this:
v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com,mailto:dmarc_agg@valid.email,mailto:postmasters@example.com; ruf=mailto:dmarc-ruf@example.com
Let's break this into its parts and explain them one by one:
v=DMARC1 is the identifier of the DMARC version and must always be included in the DNS record.
p=reject is the policy chosen to use. This policy rejects all emails that fail the DMARC check.
rua=mailto:dmarc-rua@example.com,mailto:dmarc_agg@valid.email,mailto:postmasters@example.com. These addresses will receive daily aggregate reports about emails failing verification. Every address must be preceded by "mailto:" as in the example.
ruf=mailto:dmarc-ruf@example.com. This is the email address where individual failure reports will be sent to in real-time.
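The following added example (not from the original post) ties the record breakdown above to the alignment test described earlier: it parses a DMARC TXT record into its tags and then combines SPF and DKIM results with strict or relaxed alignment the way a receiving server would. The aspf/adkim tags used to select strict alignment are standard DMARC tags not covered in the post; the organisational-domain helper is a deliberate simplification (last two labels) instead of the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a dict of tag -> value. Raises ValueError if it is not a usable record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown policy")
    # rua/ruf hold comma-separated mailto: URIs; split them into lists
    for tag in ("rua", "ruf"):
        if tag in tags:
            tags[tag] = [uri.strip() for uri in tags[tag].split(",")]
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption;
    real validators consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, other_domain, mode):
    """Alignment test: 'strict' needs identical domains, 'relaxed' needs the
    same organisational domain, so subdomains are allowed."""
    if mode == "strict":
        return from_domain.lower() == other_domain.lower()
    return org_domain(from_domain) == org_domain(other_domain)


def dmarc_result(tags, from_domain, spf_pass, return_path_domain, dkim_pass, dkim_d):
    """Combine the SPF and DKIM outcomes with alignment as the receiver does.
    Returns (result, policy) where result is 'pass' or 'fail'. Alignment is
    relaxed unless the record's aspf/adkim tag is 's'."""
    spf_mode = "strict" if tags.get("aspf") == "s" else "relaxed"
    dkim_mode = "strict" if tags.get("adkim") == "s" else "relaxed"
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, spf_mode)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, dkim_mode)
    return ("pass" if (spf_ok or dkim_ok) else "fail"), tags["p"]
```

Note that a message passes DMARC when either the aligned SPF check or the aligned DKIM check passes, which is why the post recommends setting up both: a forwarded message that breaks SPF can still pass on its DKIM signature.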
For more in depth information visit the DMARC.org resources site.
And that's it: if your domain has these three methods set up, you are contributing to a safer email ecosystem.