SPF, DKIM, DMARC Setting


SPF record

SPF record protects your domain from counterfeit and allows to prevent emails sent from your addresses from being recognized as spam. SPF is set for the address used in envelope-from (SMTP envelope). You can read more about SPF record here. Read our article (in Russian) to learn more about common mistakes and frequent errors in SPF setting.

To set SPF record:

  1. Open the site of your provider who has DNS zone of your domain administration;
  2. Use the login and password to enter «Control Panel»;
  3. Open DNS zone administration section of the domain yoy need;
  4. Add a new TXT record. Example of such record: "v=spf1 ip4:165.165.165.0/24 ip4:136.136.136.0/20 a mx ~all"

Some providers put quotes for SPF records themselves, that is why you can contact your hosting provider to specify if there is need for quotes or proceed by analogy with the other domain TXT records, if there are any.

Postmaster Mail checks SPF record validity once a week. 

DKIM signature

DKIM signature allows to confirm that the address indicated in «From» header is the real address of the email sender, it also increases emails deliverability.  You can read more about DKIM here.

To set DKIM:

1. Generate the key pair (private and public key);

Key pair generation with Open SSL usage

Key pair generation with OpenDKIM usage

To generate a private key enter openssl genrsa -out privatekey.pem 1024 in command line, where «privatekey.pem»  is private key file, «1024» — key length.

Example of the result:

image

To generate public key enter openssl rsa -pubout -in privatekey.pem -out publickey.pem, where «publickey.pem» is public key file.

Example of the result:

image

To generate the keys use enter opendkim-genkey -d example.ru -s mail, where «example.ru» is your domain, «mail» - selector.

Herewith, mail.private file with the private key and mail.txt file with a ready public key in DNS-record format will be created in the current directory.

2. Put the private key into the file in the directory with a limited access at your sending server. Pay your attention, post server must have access to this file;

3. Activate DKIM support on your post server. Some servers have default DKIM support, others allow to activate in with free programs;

4. Open the site of your provider who has DNS zone of your domain administration;

5. Use the login and password to enter «Control Panel»;

6. Open DNS zone administration section of the domain;

7. Add a new TXT record indicating the generated public key in "p" tag. Remember that it can take 48 hours to update the record. Example of the TXT record:

image

8. Some registrars put quotes for TXT (SPF and DKIM) records themselves, that is why enter the record or copy it the same way as it is given in the instruction – with quotes.

You can check DKIM signature setting correctness by DKIM-Signature presence in the email headers, as well as by dkim=pass line in "Authentication-Result" header.

Example of DKIM signature in email headers:

  

Parameter [d] in DKIM signature must coincide with the domain name you want to study statistics of in Postmaster Mail.

If you do not know how to set the signature in an email, contact your system administrator or the support team of your hosting.

It is not possible to see statistics in Postmaster without DKIM signature.

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) — a technical specification created by a group of organizations in order to combat spammers that forge senders’ addresses.

Setting DMARC domain owners can make rules of processing emails that are received from the domains which do not pass authentication. Use our article (in Russian) to think over all the steps of setting DMARC policy in advance.

Preparation for DMARC setting:

Before DMARC setting you need to:

  1. Set SPF record;
  2. Set DKIM Signature.

This is because DMARC technology uses these tools. If a sent email does not pass DKIM and SPF check (both), it does not pass DMARC as well. If an email passes at least one of them (DKIM or SPF), it passes DMARC, too.

DMARC setting

To set DMARC:

  1. Open the site of your provider who has DNS zone of your domain administration;
  2. Use the login and password to enter «Control Panel»;
  3. Open DNS zone administration section of the domain you need;
  4. Add a new TXT record of the following type _dmarc.example.com in accordance with the chosen policy, where instead of example.com you need to put your domain.

Example of the record: "v=DMARC1;p=none;rua=mailto:rua@example.com;ruf=mailto:ruf@example.com;fo=s"

Some providers put quotes for TXT records themselves. You can contact your hosting provider to specify if there is need for quotes or proceed by analogy with the other domain TXT records, if there are any.

In TXT record it is allowed to use the following tags:

Tag name

Purpose

Example

Needed

Addition

v

Record retrieved version

v=DMARC1

yes

p

Mail receiver policy

p=reject

yes

none — no actions are needed to be taken regarding messages delivery

quarantine — put emails in Spam folder

reject  reject emails

aspf

Alignment check mode for SPF record

aspf=s

no

r (relaxed) — allow partial alignment

for example, subdomains of the domain

s (strict) — allow full alignment only

pct

Percentage of emails from the domain to which

DMARC policy is to be applied

pct=40

no

sp

Mail receiver policy for subdomains

sp=reject

no

none — no actions are needed to be taken regarding messages delivery

quarantine — put emails in Spam folder

reject  — reject emails

rua

Address for aggregated reports

rua=mailto:admin@test.ru

no

If you want to get reports (rua) to a domain that differs from the domain with DMARC, you need to set a special TXT record for that domain. For example, if the domain with DMARC is example.com and you want to get reports to test.ru domain, you need to add the following TXT record to DNS of  test.ru domain: example.com._report._dmarc.test.ru with "v=DMARC1".

Examples 

  1. Reject all the emails that do not pass DMARC: "v=DMARC1; p=reject" 
  2. Reject all the emails that do not pass DMARC and send aggregated reports to admin@test.ru account: "v=DMARC1; p=reject; rua=mailto:admin@test.ru"
  3. Get to quarantine 30% of emails that come from your domain but do not pass DMARC: "v=DMARC1; p=quarantine; pct=30"
DMARC policy “v=DMARC1; p=none” does not protect your domain from spoofing. Use it only as an intermediate step of DMARC setting.
Обновлено 26 августа 2024 г.