Shared Hosting for Everyone, imagined by developers, for developers.Discovering the Public Cloud
Here are three methods for authenticating your e-mails and thereby reducing abusive e-mail use (spam, phishing, etc.).
SPF makes a
TXT type DNS request to the sender’s domain ("MAIL FROM" in the message headers) to find out the list of servers allowed to send e-mails and compare it with the IP address of the sender’s server.
|A||An IN A (or AAAA) record that can be resolved as the sender’s address|
|MX||A Mail eXchanger record pointing to the sender’s address|
|EXISTS||The domain is resolved at any address|
|INCLUDE||An included rule passes the test|
|PTR||The IP address domain corresponds to the specified domain and the latter points to the IP in return|
|~||Slight “SOFTMAIL” failure (e-mail accepted but marked)|
|-||Total failure (e-mail normally rejected)|
|exp=some.example.com||To get the reason for the failure results|
|redirect=some.example.com||To link to a rule record in another domain|
This technology may have an impact on e-mail redirects as the sender server is not necessarily the e-mail server belonging to the original e-mail sender.
A SPF record is created by default and can be found in the DNS records tab for the domain:
include:_spf.alwaysdata.comexplicitly allows our servers to send e-mails,
~allsends a slight “SOFTMAIL” failure result for the other sender servers.
If the domain doesn’t use alwaysdata’s DNS servers, you must then, in the DNS service provider, add
include:_spf.alwaysdata.com to the SPF registration.
DKIM is used to authenticate the domain name by adding a signature to all of the outgoing e-mails. Concretely, this works with two keys:
To generate a pair of keys, go to Domains > Details of [example.org] - 🔎 > Configuration.
TXT record will automatically be created and available in the DNS records tab:
If the domain doesn’t use alwaysdata’s DNS servers, this record must be recopied with your DNS service provider.
DMARC is a protocol that standardizes authentication by telling the addressees what actions to take should one of the authentication methods fails. It will check that:
To use DMARC, DKIM and SPF must already be implemented.
|v||Protocol version: v=DMARC1 (required)|
|pct||Percentage of messages to filter (default: 100)|
|adkim||Coherency with DKIM|
|s = strict mode - the DKIM signature domain must precisely match the FROM|
|r = relax mode (default)|
|aspf||Coherency with SPF (s or r)|
|p||Procedure in case of failure - main domain (required)|
|none = delivers the e-mail normally|
|quarantine = treats the e-mail as suspect (spam score, flag, etc.)|
|reject = rejects the e-mail|
|sp||Procedure in case of failure - subdomain (none, quarantine or reject)|
|ruf||Recipient of the detailed failure reports|
|fo||Conditions for sending a detailed report|
|1 = DKIM and/or SPF failure|
|d = DKIM failure|
|s = SPF failure|
|0 = DKIM and SPF failure (default)|
|rua||Recipients of aggregated failure reports|
To implement it, a
TXT DNS record needs to be created. At alwaysdata, you will find it in the DNS records tab of the domain:
Explanatory diagrams reused from Global Cyber Alliance