Configuring SPF/DKIM/DMARC

Here are three methods for authenticating your e-mails and thereby reducing abusive e-mail use (spam, phishing, etc.).

Sender Policy Framework

SPF makes a TXT-type DNS request to the sender’s domain (“MAIL FROM” in the message headers) to obtain the list of servers allowed to send e-mails, and compares that list with the IP address of the sender’s server.

SPF: explanatory diagram

Components

Mechanisms

  ALL       Default result
  A         An IN A (or AAAA) record that can be resolved as the sender’s address
  IP4       IPv4 range
  IP6       IPv6 range
  MX        A Mail eXchanger record pointing to the sender’s address
  EXISTS    The domain is resolved at any address
  INCLUDE   An included rule passes the test
  PTR       The domain name of the IP address corresponds to the specified domain, and that domain points back to the IP

Qualifiers

  +   Favorable result
  ?   Neutral result
  ~   Slight “SOFTFAIL” failure (e-mail accepted but marked)
  -   Total failure (e-mail normally rejected)

Modifiers

  exp=some.example.com        To get the reason for the failure results
  redirect=some.example.com   To link to a rule record in another domain

An SPF record is created by default and can be found in the DNS records tab for the domain:

SPF record

This record explicitly allows our servers to send e-mails and returns a neutral result for other sending servers.

This technology may have an impact on e-mail redirects, as the sender server is then not necessarily the e-mail server belonging to the original e-mail sender.

DomainKeys Identified Mail

DKIM is used to authenticate the domain name by adding a signature to all of the outgoing e-mails.

DKIM: explanatory diagram

To generate a pair of keys, go to Domains > Details for the relevant domain name > Configuration.

Administration interface: configure DKIM
Administration interface: DKIM configuration result

A TXT record will then be created and can be found in the DNS records tab:

DKIM record

Domain-based Message Authentication, Reporting and Conformance

DMARC is a protocol that standardizes authentication by telling recipients what action to take should one of the authentication methods fail. It will check that:

  • the domain corresponds to the pair of DKIM keys (field d=),
  • the sender server is specified in the SPF record for the domain (MAIL FROM),
  • the domain is in the e-mail’s FROM field.

DMARC: explanatory diagram

To use DMARC, DKIM and SPF must already be implemented.

Parameters

Variables

  v       Protocol version: v=DMARC1 (required)
  pct     Percentage of messages to filter (default: 100)
  adkim   Alignment with DKIM
            s = strict mode: the DKIM signature domain must precisely match the FROM
            r = relaxed mode (default)
  aspf    Alignment with SPF (s or r)
  p       Procedure in case of failure - main domain (required)
            none = delivers the e-mail normally
            quarantine = treats the e-mail as suspect (spam score, flag, etc.)
            reject = rejects the e-mail
  sp      Procedure in case of failure - subdomain (none, quarantine or reject)
  ruf     Recipient address for the detailed failure reports
  fo      Conditions for sending a detailed report
            1 = DKIM and/or SPF failure
            d = DKIM failure
            s = SPF failure
            0 = DKIM and SPF failure (default)
  rua     Destination for aggregated failure reports

To implement it, a TXT record needs to be created in the DNS records tab for the domain:

DMARC record
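
Before publishing the TXT record, its value can be checked against the parameter table above. The following Python sketch is an added example, not part of the original page or of the hosting platform's tooling: it parses a DMARC value, applies the defaults listed above and reports settings that leave the domain unenforced. The function names and the two sample records (with example.com addresses) are constructed for illustration, and the fallback of sp to p follows RFC 7489.

```python
# Added example; tag names, values and defaults follow the parameter table above.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0"}
POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}

# Constructed sample records (example.com addresses are placeholders).
WEAK = "v=DMARC1; p=none"
STRICT = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s; fo=1; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = value.lower() if name in ALLOWED else value
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name] not in allowed:
            raise ValueError(f"invalid value for {name}: {tags[name]!r}")
    tags = {**DEFAULTS, **tags}
    if not tags["pct"].isdigit() or int(tags["pct"]) > 100:
        raise ValueError(f"pct must be 0-100, got {tags['pct']!r}")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError(f"invalid fo value: {tags['fo']!r}")
    tags.setdefault("sp", tags["p"])  # RFC 7489: sp falls back to p
    return tags


def audit(txt):
    """Return (effective tags, findings a domain owner should review)."""
    tags, findings = parse_dmarc(txt), []
    if tags["p"] == "none":
        findings.append("p=none: failing mail is still delivered normally")
    elif tags["sp"] == "none":
        findings.append("sp=none: subdomains get no enforcement")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy filters only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: aggregated reports are not collected")
    return tags, findings
```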


Explanatory diagrams reused from Global Cyber Alliance