Leadify SecureMark

Protecting Your Email Domain with SPF, DKIM, and DMARC

To keep your email domain safe from unauthorized use, three key tools—SPF, DKIM, and DMARC—work together to verify that emails claiming to be from your domain are genuine. Here’s a breakdown of how each one works and why they’re essential for email security:

1. SPF (Sender Policy Framework)

   SPF allows you to specify which servers are authorized to send emails on behalf of your domain. When an email is received, SPF checks if the email came from an approved source. If it didn’t, the message may be flagged, moved to spam, or even rejected.

2. DKIM (DomainKeys Identified Mail)

   DKIM adds a digital signature to each of your emails, which the receiving server can verify. This signature is unique and can confirm that the email’s content hasn’t been tampered with in transit. If the content has been altered, the DKIM check will fail, signaling that something might be wrong.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

   DMARC is a policy layer that ties SPF and DKIM together. It tells email receivers how to handle emails that fail SPF or DKIM checks (for example, whether to flag, quarantine, or reject them). DMARC also provides reporting, so you can see any suspicious email activity using your domain and understand how often SPF or DKIM checks fail.

How SPF, DKIM, and DMARC Work Together:

• SPF checks if an email came from a trusted sender.
• DKIM verifies that the email hasn’t been altered in transit.
• DMARC enforces your domain policy on emails that fail these checks and offers reporting for better insight.

With SPF, DKIM, and DMARC configured, you’re helping to prevent phishing, spoofing, and other forms of email fraud, keeping your domain secure and maintaining trust with your recipients.

Here's a quick guide on setting up SPF (Sender Policy Framework) for an email domain:

1. Identify the Sending Servers

   Determine all IP addresses and third-party services (like email marketing tools or CRMs) authorized to send emails for your domain.
2. Access Your Domain’s DNS Settings

   Log in to your domain’s DNS management portal (often found in your domain registrar's settings or DNS hosting provider).
3. Create a New TXT Record

   Look for an option to add a new "TXT" record in the DNS settings. This will contain your SPF information.
4. Define the SPF Policy

   Construct your SPF record in the format below, including all servers allowed to send on behalf of your domain:

   v=spf1 ip4:YOUR_IP_ADDRESS include:THIRD_PARTY_DOMAIN ~all

   • Replace YOUR_IP_ADDRESS with the IP(s) of your authorized mail server(s).
   • Use include:example.com for any third-party senders.
   • End with ~all for a "soft fail" (less strict) or -all for a "hard fail" (more strict).
5. Save the Record

   Save the TXT record. DNS changes may take some time to propagate (up to 48 hours).
6. Test the SPF Record

   Use an SPF testing tool (like MXToolbox) to verify the SPF record is set up correctly.

Example SPF Record:

For a domain using its own server and a third-party service:

After setup, emails from unauthorized servers should be marked accordingly by receiving servers, improving deliverability for legitimate emails.

Here's a brief guide to setting up DKIM (DomainKeys Identified Mail) for your email domain:

1. Generate the DKIM Key Pair

   In your email server or service provider’s settings, generate a DKIM key pair (public and private keys). The private key will sign your emails, while the public key will be added to your DNS.
2. Copy the Public Key

   After generating the keys, copy the public key provided. You’ll use this in your domain’s DNS settings.
3. Access Your Domain's DNS Settings

   Log in to your domain’s DNS management portal (usually through your domain registrar or DNS hosting provider).
4. Add a New TXT Record for DKIM

   Create a new TXT record. Enter a unique selector for the record name (e.g., selector._domainkey.yourdomain.com), where "selector" is a unique identifier chosen during key generation.
5. Enter the DKIM Public Key

   In the TXT record's value, paste the public key text provided by your email service or server.
6. Save the Record

   Save the TXT record. It may take up to 48 hours for DNS changes to propagate.
7. Enable DKIM Signing on the Email Server

   In your email service’s or server’s settings, enable DKIM signing so that outgoing emails are signed with the private key.
8. Test the DKIM Setup

   Use a tool like MXToolbox or Gmail’s "View Original" option to check that emails from your domain are signed with DKIM.

Example DKIM TXT Record:

If your selector is "default," the record name might be:

And the value will look like:

This setup helps receiving servers verify that your emails are authentic, reducing the risk of spoofing.

Here's a quick guide on setting up DMARC (Domain-based Message Authentication, Reporting & Conformance) for your email domain:

1. Set Up SPF and DKIM First

   Ensure that SPF and DKIM records are correctly set up for your domain, as DMARC relies on them for email authentication.
2. Decide on Your DMARC Policy

   Determine the DMARC policy you want to start with:

   • none: Only monitors and reports without taking action on failed messages.
   • quarantine: Flags or moves failed emails to the spam/junk folder.
   • reject: Blocks emails that fail DMARC checks.
3. Access Your Domain's DNS Settings

   Log in to your domain’s DNS management portal (usually through your domain registrar or DNS hosting provider).
4. Add a New TXT Record for DMARC

   In the DNS settings, add a TXT record with the name _dmarc.yourdomain.com
5. Enter the DMARC Policy in the TXT Record’s Value

   The TXT record should look like: v=DMARC1; p=none; rua=mailto:you@yourdomain.com; ruf=mailto:you@yourdomain.com; pct=100

   • p= specifies the DMARC policy (none, quarantine, or reject).
   • rua= is the email address where you want aggregate reports sent.
   • ruf= is the email address for forensic (detailed) reports.
   • pct= sets the percentage of messages subjected to the DMARC policy (usually set to 100).
6. Save the Record

   Save the TXT record. It may take up to 48 hours for DNS changes to propagate.
7. Monitor DMARC Reports

   Regularly check your DMARC reports to see how well your domain's emails are authenticated and make adjustments to the policy if needed.

Example DMARC TXT Record:

For monitoring only:

Starting with p=none allows you to monitor email activity before enforcing stricter policies.