In this guide we'll walk through three primary authentication measures configurable for your email and web services to prevent and secure your domain from being used by unauthenticated means.
SPF Authentication (Sender Policy Framework)
An SPF record is a TXT record you can add to your domains DNS zone to authenticate which hosts are authorised to send mail on behalf of your domain.
For example, in a hypothetical context- you have an email service hosted with Google, however your website is hosted with Serversaurus, in this case you need to authenticated both Google and Serversaurus to send emails on behalf of your domain, in this circumstance the TXT record entry would be:
v=spf1 include:_spf.serversaurus.com.au include:_spf.google.com ~all
The above entry permits the following hosts and directives:
v=spf1 - The SPF version is specified
+a - Authorises the IP configured in the domains A record
+mx - Includes the sender configured in the MX records
include:_spf.serversaurus.com.au - Authorises Serversaurus' outgoing mail gateways
include:_spf.google.com - Authorises Google's outgoing mail gateways
~all - Directs SPF policies to be always applied, however the ~ symbol directs a Soft Fail (this can be specified to be more or less strict)
To create a SPF record, you can revise the available directives and tailor a record most suitable for your practice. DMARC Analyzer have a informative guide outlining the available mechanisms for SPF configuration: https://www.dmarcanalyzer.com/spf/spf-record/
DKIM Authentication (Domain Keys Identified Mail)
DKIM authentication is a practice implemented to detect and prevent forged sender address (otherwise known as spoofing). By implementing a DKIM signature, the receiver is able to verify the email has been sent and authorised by the owner, this is implemented by adding the DKIM signature as a header to sent emails, the receiving server is then able to check whether DKIM signature is valid or not, and decode the encrypted contents of the email, when the DKIM check has passed, the server ascertains the contents of the email has not been altered.
Generating a DKIM key can been completed within the management panel of your email provider (for example within cPanel you can use the Email Deliverability function to generate and install a DKIM record), if you have multiple providers sending mail on your behalf, you need to generate DKIM keys from each providers management console, a DKIM record is most commonly configured by a TXT record, however some providers (such as MailChimp and SendGrid) will provide a CNAME record for DKIM authentication.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is an email validation system designed to protect your company’s domain from being used for email spoofing, phishing scams and other cyber crimes, this practice combines the existing authentication methods configured using SPF and DKIM. Reporting is one of the major benefits of implementing a DMARC policy, the reports are used to track your mail environment and identify how your domain is being used.
By implementing a DMARC record you direct remote mail servers how to handle emails from your domain which have been sent without DKIM or SPF authentication, DMARC has three policies available:
None: This policy is used to simply monitor your email activity.
Quarantine: When the quarantine policy is instated, if mail is not authenticated using SPF or DKIM the remote mail server is directed to quarantine the mail. Quarantine usually results in emails being received to your spam folder however some mail servers will filter these emails before reaching your inbox.
Reject: The reject policy is the most strict, this directs remote server to refuse any emails being sent without SPF or DKIM authentication. Of course you only want to use this policy once you've thoroughly tested your mail environment using either the None or Quarantine policy.
Depending on whether you are using DKIM or SPF, you can configure DMARC to rely on either authentication method (or both) and adjust the level of strictness when it comes to identifying SPF/DKIM authentication practices.
You can also specify which email address should receive DMARC reports and which intervals notifications should be sent, be aware servers won't always honor intervals longer than 24 hours.
For cPanel users, you can generate a DMARC record within the Zone Editor function, by selecting Add Record, then create a DMARC record using the Advance Options tab to add additional rules.
To create a record without the assistance of the cPanel functions, you can revise the policies available by visiting the DMARC website: https://dmarc.org/overview/
As usual, if ever in need of assistance please contact our support team at firstname.lastname@example.org.