In this guide we will walk through three primary authentication measures you can configure for your email and web services to secure your domain and prevent it from being used by unauthenticated means.
SPF Authentication (Sender Policy Framework)
An SPF record is a TXT record you can add to your domain's DNS zone to specify which hosts are authorised to send mail on behalf of your domain.
For example, suppose your email service is hosted with Google but your website is hosted with Serversaurus. In this case you need to authorise both Google and Serversaurus to send emails on behalf of your domain, and the TXT record entry would be:
v=spf1 +a +mx include:_spf.serversaurus.com.au include:_spf.google.com ~all
The above entry permits the following hosts and directives:
v=spf1 - Specifies the SPF version
+a - Authorises the IP configured in the domain's A record
+mx - Authorises the mail servers configured in the domain's MX records
include:_spf.serversaurus.com.au - Authorises Serversaurus' outgoing mail gateways
include:_spf.google.com - Authorises Google's outgoing mail gateways
~all - Applies to all other senders not matched by the preceding entries; the ~ symbol directs a Soft Fail (this can be specified to be more or less strict)
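To see how a receiving server reads the record above, the following added example (not Serversaurus' own tooling) parses an SPF record into its terms and flags common policy problems. It goes slightly beyond this guide by counting DNS-querying terms against the limit of 10 set in RFC 7208; the function names parse_spf and audit_spf are hypothetical.

```python
import re

# Qualifier -> result on match; each LOOKUP_TERMS entry costs a DNS query (RFC 7208 limit: 10).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF record into (result, term, value) tuples, in evaluation order."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("an SPF record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        # A term without a qualifier behaves as if it were written with "+".
        qualifier, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        match = re.match(r"([A-Za-z0-9]+)[:=]?(.*)$", body)
        if match is None:
            raise ValueError(f"malformed term: {part!r}")
        terms.append((QUALIFIERS[qualifier], match.group(1).lower(), match.group(2)))
    return terms


def audit_spf(record):
    """Report the default result, top-level DNS lookup count, and any warnings."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    warnings = []
    default = "neutral"  # result for unlisted hosts without "all" (a redirect may override)
    if "all" in names:
        index = names.index("all")
        default = terms[index][0]
        if index != len(terms) - 1:
            warnings.append("terms after 'all' are never evaluated")
        if default == "pass":
            warnings.append("+all authorises every host on the internet")
    elif "redirect" not in names:
        warnings.append("no 'all' or redirect: unlisted hosts get a neutral result")
    # Lookups nested inside each include also count, but need live DNS to total.
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        warnings.append(f"{lookups} DNS-querying terms exceeds the limit of 10")
    return {"default": default, "lookups": lookups, "warnings": warnings}


# The record from this guide, embedded as sample input (nothing is fetched from DNS).
GUIDE_RECORD = "v=spf1 +a +mx include:_spf.serversaurus.com.au include:_spf.google.com ~all"
if __name__ == "__main__":
    print(audit_spf(GUIDE_RECORD))
```
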
To create an SPF record, you can review the available directives and tailor a record most suitable for your practice. DMARC Analyzer has an informative guide outlining the available mechanisms for SPF configuration: https://www.dmarcanalyzer.com/spf/spf-record/
As usual, if you're unsure or would like help please write to us at firstname.lastname@example.org so we can help you identify the best configuration for your SPF record.
DKIM Authentication (DomainKeys Identified Mail)
DKIM authentication is a practice implemented to detect and prevent forged sender addresses (otherwise known as spoofing). By implementing a DKIM signature, the receiver is able to verify that the email has been sent and authorised by the owner of the domain. The DKIM signature is added as a header to sent emails, and the receiving server is then able to check whether the DKIM signature is valid by verifying it against the signed contents of the email. When the DKIM check has passed, the server ascertains that the contents of the email have not been altered.
Generating a DKIM key can be completed within the management panel of your email provider (for example, within cPanel you can use the Email Deliverability function to generate and install a DKIM record). If you have multiple providers sending mail on your behalf, you will need to generate DKIM keys for each provider. A DKIM record is most commonly configured as a TXT record, however some providers (such as MailChimp) will provide a CNAME record for DKIM authentication.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is an email validation system designed to protect your company's domain from being used for email spoofing, phishing scams and other cyber crimes. This practice combines the existing authentication methods configured using SPF and DKIM. An important benefit of implementing a DMARC record is reporting: you are able to configure reports to be sent to your administrator to identify how users have attempted to use your domain name.
By implementing a DMARC record, you are telling the receiving servers how to handle emails which have been sent without DKIM or SPF authentication. DMARC has different policies you are able to set, for example, whether to quarantine or reject unauthenticated emails.
Depending on whether you are using DKIM or SPF, you can configure DMARC to rely on either authentication method (or both) and adjust the level of strictness applied when checking SPF/DKIM authentication.
You can also specify which email address DMARC reports should be sent to and at which intervals notifications should be sent.
For cPanel users, you can generate a DMARC record within the Zone Editor function. When selecting Add Record, you will notice there is an option to create a DMARC record. This function provides an easy automated configuration for the record type, with options to tailor the record under the Advanced Options.
To create a record without the assistance of the cPanel functions, you can review the policies available by visiting the DMARC website: https://dmarc.org/overview/
As usual, if ever in need of assistance, please contact our Support Team at email@example.com.