Email remains one of the most essential tools for business communication, but it is also one of the most abused by cybercriminals. To protect your domain and keep the trust of your recipients, implement email authentication so that receiving servers can tell mail you actually authorized from mail that merely claims to come from your domain.
What are SPF, DKIM and DMARC?
SPF, DKIM and DMARC are email authentication mechanisms published as DNS records. Together they let a receiving mail server check whether a message that claims to come from your domain was sent by a source you authorized.
SPF (Sender Policy Framework) records list the mail servers authorized to send on behalf of the domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message. A receiver uses the public key published in DNS to verify that the signed headers and body were not altered in transit and that the message was signed by a holder of the domain's private key.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy that tells receivers what to do with messages that fail the SPF and DKIM checks for the domain in the visible From address, and where to send reports about them.
Many email clients can show additional information about a sender, and some of these verification results appear there too.
This guide quickly goes over these key components of email security and how to configure them correctly, for mail sent from your own servers as well as from third-party services.
Setting Up SPF (Sender Policy Framework)
How to Set Up SPF:
List All Legitimate Senders: Identify all services and platforms that send email using your domain—this includes your mail servers, cloud email providers (like Microsoft 365 or Google Workspace), and third-party tools (such as marketing platforms or CRMs).
First, check whether each service publishes SPF values for you to add in your domain's DNS manager. If not, you will need to build the record yourself.
Create Your SPF Record
Use a TXT record in your DNS settings. Start with v=spf1, then add mechanisms such as:
ip4: (or ip6:) to list sending IP addresses or ranges,
mx for the hosts in your domain's MX records,
include: to authorize a third-party service by pulling in its own SPF record.
Example SPF Record
v=spf1 mx include:spf.yourdomain.com ip4:123.123.123.123 -all
The -all mechanism at the end tells receiving servers that any source not listed should fail SPF; most receivers then reject or junk such mail, and DMARC uses the failure in its own decision. The softer ~all (softfail) only marks unlisted sources as suspicious and is the usual choice while you are still discovering which services send as your domain.
Implementing DKIM (DomainKeys Identified Mail)
If Hosting Your Own Mail Server:
You will need to generate an RSA key pair (2048 bits is the recommended size per RFC 8301). Tools like OpenDKIM (opendkim-genkey) create the pair locally; online third-party tools such as Dmarcly can also generate one, but a private key produced by a web tool has passed through that third party.
Once generated, publish the public key in DNS as a TXT record under a selector name (e.g., default._domainkey.yourdomain.com). The selector lets you publish more than one key at a time, which is what makes rotation possible.
Example DKIM Record:
v=DKIM1; k=rsa; p=YourPublicKeyHere
Configure Your Server: Point your mail server software (or the OpenDKIM milter) at the private key and selector so that outgoing messages are signed automatically.
If Using Third-Party Providers:
Most platforms (e.g., SendGrid, Mailchimp, Salesforce) generate the DKIM record for you from their admin panel. You will generally need to:
Create the TXT or CNAME records in your DNS and paste in the provided values.
Enable DKIM signing in the provider's dashboard.
Best Practice
Rotate your DKIM keys regularly (e.g., every 6-12 months). Publish the new selector first, switch signing to it, and remove the old record only after mail signed with the old key is no longer in transit.
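DKIM's "has not been altered" guarantee rests on the bh= tag, a hash of the canonicalized message body. The following Python is an added example written for this guide, not code from the original article, from OpenDKIM or from any provider: it implements RFC 6376 body canonicalization and the bh= computation, recomputes bh= from a DKIM-Signature header to detect a modified body, and sanity-checks a selector._domainkey TXT value (an empty p= revokes the key). It does not verify the b= tag, which is the RSA signature over the selected headers and needs the public key. The message body, header and key bytes in the demo are constructed sample data, and bare LF line endings are treated as CRLF by assumption.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 body canonicalization ('simple' or 'relaxed').

    Relaxed mode lets the hash survive harmless transit changes (trailing spaces,
    re-wrapped whitespace); simple mode only trims empty lines at the end.
    Assumption: bare LF line endings are accepted and treated as CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Drop trailing SP/TAB on each line and collapse runs of SP/TAB to a single SP.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("mode must be 'simple' or 'relaxed'")
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Compute the bh= tag: base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse the tag=value list used by DKIM-Signature headers and DKIM DNS records.

    Folding whitespace inside a value (e.g. a wrapped p= key) is not significant."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_dns_record(txt: str) -> dict:
    """Sanity-check a selector._domainkey TXT value before or after publishing it."""
    tags = parse_tags(txt)
    public_key = tags.get("p", "")
    try:
        base64.b64decode(public_key, validate=True)
        key_decodes = True
    except ValueError:  # binascii.Error is a ValueError subclass
        key_decodes = False
    return {
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",  # v= is optional, must be DKIM1 if present
        "key_type": tags.get("k", "rsa"),                 # k= defaults to rsa
        "revoked": public_key == "",                      # an empty p= revokes the selector
        "key_decodes": key_decodes and public_key != "",
    }


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the body as received and compare with the signer's claim.

    This is the integrity half of DKIM; the b= tag (RSA signature over the selected
    headers, which include bh=) is not verified here because that needs the public key."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    # "c=relaxed" alone applies to headers only; body canonicalization then defaults to simple.
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


if __name__ == "__main__":
    # Constructed sample: a signed body, the same body with one number changed, and a DNS record.
    original = b"Please pay invoice 1234 by   Friday.\r\n\r\n"
    signature = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=default; "
                 "h=from:to:subject; bh=" + body_hash(original))
    print(verify_body_hash(signature, original))                            # True
    print(verify_body_hash(signature, original.replace(b"1234", b"9999")))   # False
    fake_key = base64.b64encode(b"constructed, not a real RSA key").decode()
    print(check_dns_record("v=DKIM1; k=rsa; p=" + fake_key))
```

The relaxed canonicalization is why a mail gateway that strips trailing whitespace does not break DKIM, while any change to the words of the body does. The check_dns_record helper also catches the common rotation mistake of publishing the record with a truncated or wrapped key that no longer decodes.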
Enforcing Policies with DMARC
DMARC ties SPF and DKIM together: it requires that the domain which passed SPF or DKIM aligns with the domain in the visible From header, and it tells receiving servers how to handle messages that fail that test.
Creating a DMARC Record:
Publish a TXT record at _dmarc.yourdomain.com that includes:
- Policy (p=): none, quarantine, or reject.
- Reporting email (rua=): Where to send aggregate reports.
Example Record:
v=DMARC1; p=none; rua=mailto:[email protected];
Gradually Increase Enforcement
Start with p=none to gather data without affecting mail flow.
- Monitor the aggregate reports for a few weeks and add every legitimate sender they reveal to SPF and DKIM
- Move to quarantine once the issues surfaced by the reports have been corrected
- Increase the enforcement percentage (pct=25, then pct=100); messages outside the sampled percentage get the next weaker policy
Once everything legitimate passes, set p=reject to block unauthorized mail outright.
Alignment settings control how closely the SPF and DKIM domains must match the From domain: aspf=r and adkim=r (relaxed, the default) accept any subdomain of the same organizational domain, while aspf=s and adkim=s (strict) require an exact match. Choose according to your organization's tolerance for enforcement.
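To see what the policy, alignment and pct tags actually do at the receiving end, the following Python evaluates one message the way a DMARC verifier would. It is an added example written for this guide, not code from the article or from any mail software. It parses a _dmarc record with the RFC 7489 defaults (sp= inherits p=, alignment defaults to relaxed, pct defaults to 100), checks SPF and DKIM alignment against the From domain, picks p= or sp=, and applies pct sampling. The org_domain helper keeps the last two labels as a stand-in for the Public Suffix List, an assumption that fails for suffixes such as co.uk; the domains, the report address and the record in the demo are constructed sample data.

```python
import random
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")
# When a failing message falls outside the pct= sample, the next weaker policy applies.
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT value, apply RFC 7489 defaults and reject invalid tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    if tags["sp"] not in VALID_POLICIES or not 0 <= tags["pct"] <= 100:
        raise ValueError("invalid sp= or pct= value")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Assumption: keep the last two labels. Real verifiers consult the Public Suffix
    List, which also handles suffixes such as co.uk; this shortcut does not."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy: dict, from_domain: str, policy_domain: str,
             spf_pass: bool, spf_domain: Optional[str],
             dkim_pass: bool, dkim_domain: Optional[str],
             draw: Optional[float] = None) -> dict:
    """Decide the DMARC result and disposition for one message.

    from_domain   - domain in the RFC5322.From header (what the user sees)
    policy_domain - domain at which the DMARC record was found; when from_domain has no
                    record, the receiver falls back to its organizational domain
    spf_domain    - MAIL FROM domain that produced the SPF result
    dkim_domain   - d= tag of a DKIM signature that verified
    draw          - fixed sample value in [0, 100) instead of a random one (for testing)
    """
    spf_aligned = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_aligned = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    # A From domain that differs from the record's domain is a subdomain: sp= applies.
    requested = policy["p"] if from_domain.lower() == policy_domain.lower() else policy["sp"]
    if draw is None:
        draw = random.random() * 100
    applied = requested if draw < policy["pct"] else NEXT_WEAKER[requested]
    return {"result": "fail", "disposition": applied,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    # Constructed example: the guide's record taken one step further along the rollout.
    policy = parse_dmarc("v=DMARC1; p=quarantine; sp=reject; adkim=s; pct=100; "
                         "rua=mailto:dmarc-reports@yourdomain.com")
    # Bounce address on a subdomain still aligns under relaxed SPF (aspf=r).
    print(evaluate(policy, "yourdomain.com", "yourdomain.com", True, "bounce.yourdomain.com", False, None))
    # Spoofed From on a subdomain that never sends mail: sp=reject applies.
    print(evaluate(policy, "shop.yourdomain.com", "yourdomain.com", False, "attacker.example", False, None))
```

Two details the function makes visible: a third-party sender whose DKIM d= is a subdomain of yours passes under adkim=r but fails under adkim=s, and with pct=25 three out of four failing messages are only quarantined even though the record says p=reject.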
Publish and Test
After adding these records, verify that they have propagated with tools such as SPF checkers or DNS validators, then send test messages to an external mailbox and confirm that its Authentication-Results header shows spf=pass, dkim=pass and dmarc=pass. Publish only one SPF record per domain (two records produce a permanent error and fail everything). Stay within the limit of 10 DNS lookups per SPF evaluation: include, a, mx, ptr, exists and redirect each cost one, and an include also adds the lookups of the record it pulls in. Avoid the ptr mechanism, which is deprecated, slow and wastes lookups.
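To make the lookup-limit check from this section and the record-building steps from the SPF section concrete, here is a small SPF record linter in Python. It is an added example written for this guide rather than code from the original article or from any SPF tool: it parses the published record, counts the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect), flags ptr, and checks the terminal all qualifier. It works offline on the record text only, so by assumption each include counts as one lookup; the records it references add their own, so the true total is at least what it reports. The svcN.example.net includes in the second record are constructed sample data.

```python
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> list:
    """Split an SPF TXT value into (qualifier, name, argument) tuples after the version tag."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("SPF record must begin with v=spf1")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                       # modifier: redirect=domain, exp=domain
            name, arg = tok.split("=", 1)
        elif ":" in tok:                     # mechanism with argument: include:domain, ip4:addr
            name, arg = tok.split(":", 1)
        elif "/" in tok:                     # bare mechanism with CIDR: a/24, mx/24
            name, arg = tok.split("/", 1)
            arg = "/" + arg
        else:
            name, arg = tok, None
        terms.append((qualifier, name.lower(), arg))
    return terms


def lint_spf(record: str) -> dict:
    """Count lookups and flag the mistakes that most often break SPF in production.

    Assumption: no live DNS resolution is done, so each include:/redirect= is counted as
    one lookup. The referenced records add their own lookups on top of this number."""
    terms = parse_spf(record)
    issues = []
    lookups = 0
    all_qualifier = None
    for i, (qualifier, name, arg) in enumerate(terms):
        if name == "all":
            all_qualifier = qualifier
            if i != len(terms) - 1:          # anything after all is never evaluated
                issues.append("terms-after-all-ignored")
            break
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr-mechanism")
    if lookups > 10:
        issues.append("too-many-lookups")    # receivers return permerror, i.e. SPF fails
    if all_qualifier is None:
        issues.append("no-all-term")         # unlisted senders get neutral, not fail
    elif all_qualifier == "+":
        issues.append("plus-all-allows-anyone")
    return {"lookups": lookups, "all": all_qualifier, "issues": issues}


if __name__ == "__main__":
    print(lint_spf("v=spf1 mx include:spf.yourdomain.com ip4:123.123.123.123 -all"))
    # Constructed record that looks harmless but blows the lookup budget and uses ptr.
    bloated = "v=spf1 " + " ".join(f"include:svc{n}.example.net" for n in range(9)) + " a mx ptr ~all"
    print(lint_spf(bloated))
```

A record that exceeds the limit does not merely lose a few senders: the receiver returns permerror for every message, so the whole domain fails SPF. Run the linter against each include target as well and add up the totals to approximate what a resolving receiver sees.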
Advanced Tips for Email Security
BIMI: Consider implementing Brand Indicators for Message Identification to display your logo in supported inboxes; it requires DMARC at p=quarantine or p=reject with pct=100.
Forensic Alerts: Use ruf=mailto:[email protected] to request per-message failure reports. Few large mailbox providers send them, and those that do may include message content, so route them to a protected mailbox.
Subdomain Control: sp= sets the policy for subdomains that have no DMARC record of their own; it defaults to the value of p=. Use sp=reject, for example, to lock down subdomains that never send mail while the main domain is still at p=quarantine.
Regular Audits: Review DMARC reports regularly to catch new sending sources or potential abuse.
Securing your domain with SPF, DKIM, and DMARC is not a one-time task but an ongoing process of configuration, monitoring, and adjustment. By layering these protocols together, your organization can prevent spoofing, improve deliverability, and protect its reputation.
These best practices are essential for businesses of all sizes that rely on email for internal and external communication, marketing, and customer engagement.