by: General2 Comments on SPF + DKIM + DMARC Overview

Tools against SPAM and domain spoofing:

  • SPF – Whitelist of hosts that are allowed to send email on behalf of the organization.
  • DKIM – Digital signatures (keys) used to verify if the message really came from the organization.
  • DMARC – Tells the receiver servers what todo with the emails that fail SPF and/or DKIM.

SFP (Sender Framework Policy) is one more weapon to fight E-Mail Spam.

The idea is to use the DNS records (TXT format) to advertise what sources are legitimately allowed to originate email for your domain, reduce the chances of spoofing. See example:

  • Record name
    • (empty) or “*”
  • Value
    • “v=spf1 a mx include:mailvendor.com ~all”

Configure your DNS server using TTL type which is plain text to inform the rules of the domain:

  • .         IN         TXT         “v=spf1 mx
    • Only the IP in MX record is allowed to send emails for this domain.
  • .         IN         TXT         “v=spf1 a
    • Only IPs with an A record are allowed.
  • .         IN         TXT         “v=spf1 -all
    • Reject anything that does not comply.
  • .         IN         TXT         “v=spf1 ~all
    • Accept but flag any non-compliant e-mail.

Configure Reverse DNS (rDNS):

Our guides on configuring DNS and rDNS records within the Linode Manager are linked below:

  • If your server is located in a VPS (AWS, GCP, Linone, etc) you can go into your cloud dash panel and edit the reverse DNS to your domain or sub-domain.
  • If you are the owner of the server set up a local DNS Resolver. I recommend BIND9 DNS software.

Once SFP and rDNS are complete, confirm that these records have been configured correctly by running the following commands:

dig +short DOMAIN.COM
dig -x 1.1.1.1 +short

The first will check the SFP in DNS records.

The second will check the rDNS.

In my example, DOMAIN.COM has set SPF to 1.1.1.1, so 1.1.1.1 should also be reversed to DOMAIN.COM.

DKIM (Domain Keys Identified Mail) is an authentication method designed to detect forged senders.

It requires to copy/paste the key generated by the outgoing email server to the DNS records using the TXT format. See example:

  • Record name
    • itytzkakk._domainkey.
  • Value
    • “v=DKIM1; k=rsa; p=4GNADCBiQKBgQCgzjLMIGfMA0GCSqGSIb3DQEBAQUAAo9D2g8sCXXcad9/S5HAAG7m5yVMnSN5TCaYBDR30YhU/BAG8o8B93nkMGZwe9FAaUtD+qTMDp2dByA9n1rtPvssQbXUnwgmUD20e1lKOjyi/Yrbgr4JCNlP+7HTFviRfoMdtzfIBfK8Nkl0JeZ3GvNkQfwIDAQABRDtyuGSdFWtaS”

DMARC (Domain-based Message Authentication, Reporting & Conformance) it defines the policy to be applied when SPF and/or DKIM fail.

It also requires a DNS record using the TXT format. See example:

  • Record name
    • _dmarc.
  • Value
    • “v=DMARC1; p=reject; fo=1; pct=100”

Description of the syntax:

  • v DMARC1
    • DMARC protocol version.
  • p reject
    • Apply this policy ‘none’, ‘quarantine’, or ‘reject’.
  • pct 100
    • The percentage tag instructs the percentage of email the policy must be applied.
  • fo 1
    • Forensic options ‘0’ to generate reports if both DKIM and SPF fail or ‘1’ to generate reports if either DKIM or SPF fails.

WEB TOOLS

2 Replies to “SPF + DKIM + DMARC Overview”

  1. Pingback: Safety Tips and Techniques for Server – DFT Blog
  2. Pingback: Using SSMTP with Google SMTP Relay on Ubuntu 20.04 – DFT Blog

Comments are closed.