Configuring SPF/DKIM/DMARC


Here are three methods for authenticating your e-mails and thereby reducing abusive use of e-mail (spam, phishing, etc.).

Sender Policy Framework

SPF queries a TXT DNS record for the domain of the envelope sender (the SMTP "MAIL FROM" address) to obtain the list of servers allowed to send e-mail for that domain, and compares that list with the IP address of the server delivering the message.

SPF: explanatory diagram

Parameters

Mechanisms

  all       Default result (matches every sender)
  a         The domain has an A (or AAAA) record that resolves to the sender's IP address
  ip4       The sender's IP address is in the given IPv4 range
  ip6       The sender's IP address is in the given IPv6 range
  mx        A Mail eXchanger (MX) record of the domain resolves to the sender's IP address
  exists    The given domain resolves to any address
  include   The SPF record of the included domain passes the test
  ptr       The reverse DNS (PTR) name of the IP address belongs to the specified domain and that name resolves back to the IP address

Qualifiers

  +   Favorable result (pass, the default)
  ?   Neutral result
  ~   Slight "SOFTFAIL" failure (e-mail accepted but marked)
  -   Total failure (e-mail normally rejected)

Modifiers

  exp=some.example.com        Points to a record holding the explanation returned with a failure result
  redirect=some.example.com   Delegates to the SPF record of another domain

SPF can affect e-mail forwarding: the server that forwards a message is not necessarily one of the servers authorized by the original sender's domain, so the forwarded message may fail the check.

At alwaysdata

An SPF record is created by default and can be found in the DNS records tab for the domain:

SPF record
  • include:_spf.alwaysdata.com explicitly allows our servers to send e-mails,
  • ~all returns a slight "SOFTFAIL" failure result for any other sender server.

If the domain doesn't use alwaysdata's DNS servers, you must add include:_spf.alwaysdata.com to the SPF record at your DNS service provider.
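As an added example (not from this page or from alwaysdata), a minimal SPF evaluator in Python that walks a record's mechanisms, qualifiers and modifiers against an in-memory DNS table, so it runs offline. Every record and IP range in it is constructed, including the contents assumed for _spf.alwaysdata.com; a real check performs live DNS lookups.

```python
import ipaddress

# Constructed in-memory "DNS": TXT records and A records (assumptions, not real data).
FAKE_TXT = {
    "example.org": "v=spf1 include:_spf.alwaysdata.com ~all",
    "_spf.alwaysdata.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 a -all",
    "legacy.example": "v=spf1 redirect=strict.example",
}
FAKE_A = {"strict.example": ["198.51.100.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Return the SPF result for a server at `ip` sending with MAIL FROM at `domain`."""
    if depth > 10:  # guard against include/redirect loops (RFC 7208 also caps lookups at 10)
        return "permerror"
    record = FAKE_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):  # modifier: evaluated only if nothing matches
            redirect = term.split("=", 1)[1]
            continue
        if term.startswith("exp="):  # modifier: explanation text, no effect on the result
            continue
        qualifier = "+"  # mechanisms default to the "+" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when address and network families differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in FAKE_A.get(arg or domain, [])
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"
```

A forwarding server whose IP is not in the included range gets "softfail" under the ~all record above, which is the forwarding effect described earlier.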

DomainKeys Identified Mail

DKIM authenticates the domain name by adding a signature to every outgoing e-mail. Concretely, this relies on a pair of keys:

  • a private key, known only to the domain's outgoing mail servers and kept secret, which signs the messages;
  • a public key, published in a DNS record of the TXT type, which recipients use to verify the signature.
DKIM: explanatory diagram

Setup

To generate a pair of keys, go to Domains > Details of [example.org] - 🔎 > Configuration.

Administration interface: configure DKIM
Administration interface: DKIM configuration result

The TXT record will automatically be created and available in the DNS records tab:

DKIM record

If the domain doesn't use alwaysdata's DNS servers, copy this record to your DNS service provider.

Domain-based Message Authentication, Reporting and Conformance

DMARC is a protocol that builds on SPF and DKIM by telling receiving servers what action to take when authentication fails, and where to send reports. It checks that:

  • the domain of the DKIM signature (d= tag) matches the domain in the e-mail's FROM field,
  • the sending server is listed in the SPF record of the MAIL FROM domain, and that domain matches the FROM field,
  • the domain in the e-mail's FROM field therefore aligns with at least one of the two authenticated domains.
DMARC: explanatory diagram

To use DMARC, DKIM and SPF must already be implemented.

Parameters

Variables

  v       Protocol version: v=DMARC1 (required)
  pct     Percentage of failing messages to which the policy is applied (default: 100)
  adkim   Alignment with DKIM:
            s = strict mode, the DKIM signing domain must exactly match the FROM domain
            r = relaxed mode, subdomains of the FROM domain also match (default)
  aspf    Alignment with SPF (s or r, same meaning)
  p       Action on failure for the main domain (required):
            none = deliver the e-mail normally
            quarantine = treat the e-mail as suspect (spam score, flag, etc.)
            reject = reject the e-mail
  sp      Action on failure for subdomains (none, quarantine or reject)
  ruf     Recipient of the detailed failure reports
  fo      Conditions for sending a detailed report:
            1 = DKIM or SPF failure (either one)
            d = DKIM failure
            s = SPF failure
            0 = DKIM and SPF both fail (default)
  rua     Recipients of the aggregated failure reports

To implement it, a TXT DNS record needs to be created. At alwaysdata, you will find it in the DNS records tab of the domain:

DMARC record

Explanatory diagrams reused from Global Cyber Alliance