Product » Xeams » Knowledge Base

Document information

Document ID:5144
Subject:How to use SPF, DKIM and DMARC for your domain
Creation date:8/10/17 1:29 PM
Last modified on:8/10/17 1:29 PM


How to use SPF, DKIM and DMARC

Implementing SPF, DKIM and DMARC is a daunting task and many administrators are reluctant in implementing these technologies simply because they are not very easy to implement, particularly DKIM and DMARC. This article not only explains why these technologies are important but also how easy they are to implement in Xeams.

Benefits

SPF
SPF prevents forgery by designating a handful of IP addresses where emails can originate for your domain. SPF check will fail if a spammer sends a forged message from their own IP, allowing Xeams and other servers to treat that as spam.

It is very easy to forge sender's email address but is very difficult to forge an IP address. This makes SPF very effective in combating email forgeries.
DKIM
DKIM ensures the message was actually composed by someone belonging to the domain they claim to be part of. Additionally, it ensures the message is not modified in transit. Technically, the message is digitally signed by the email server before leaving and this signature is verified by the receiving end, allowing the receiving end to verify the authenticity of the message.

Xeams can assign a score to any incoming message where DKIM signature does not match.
DMARC
DMARC builds on top of SPF and DKIM. This not only helps prevent forgery but also provides a sophisticated reporting mechanism allowing the senders to fine tune their SPF and DKIM rules.

Xeams adds score if DMARC alignment fails. Additionally, it can also process incoming reports from and send outbound reports to other email servers on the Internet.

TIP

SPF, DKIM and DMARC affect both incoming emails from the Internet as well as emails that go out from your server to other domains on the Internet.

Implementing for your domain

All three mechanisms require a TXT record in your DNS server. In addition to the TXT record, DKIM also requires creating a public/private key pair for DKIM signature. Xeams can automatically create these signatures for you without using any other third-party tool, saving you precious time and effort.

Determine which servers/machine will send emails for your domain to the Internet. It is very common to have only one machine send out-bound emails within your company, which is usually the email server.

Example 1:

Assume every out-bound email goes through your email server. In that case, your SPF record will look like:
v=spf1 mx ~all

Example 2:

For the sake of argument, assume you have a third-party company that sends out-bound emails on your behalf and their public IP address is 201.202.203.204. In that case, your SPF record will look like:
v=spf1 mx ip4:201.202.203.204/32 ~all

Example 3:

Taking the above examples one step further, assume you have out-sourced your HR department to another company that also uses SPF and can send emails on your behalf. The domain name of that company is friendlyHR.com. In that case, the SPF record will become:
v=spf1  mx ip4:201.202.203.204/32 include:friendlyhr.com ~all
Notice the ending ~all at the end of each record. This means a SOFTFAIL. An alternative approach is to use a -all, which indicates a FAIL. Receiving server will most likely reject any incoming message that fails an SPF test and see a -all in the SPF record. Further analysis will be performed when a ~all is used before considering it a forged message.


Relatively speaking, implementing DKIM is probably the most difficult of these three mechanism since it involves creating public/private keys. However, it is a breeze creating these keys in Xeams. Following steps demonstrate how to accomplish this goal.

  • Login to the web interface of your Xeams as admin
  • Select DKIM under Filter Management
  • Enter your domain name in the New Domain field on the right hand side
  • Enter an arbitrary value for Selector. Conventionally, it is recommended to use current date in YYYYMMDD format.
  • Click Add
  • System will automatically generate a public/private key using random values and display the public key on the following page. You need to paste this key in the TXT record of your DNS server.
  • When pasting the public key, ensure you use the host name display on the page, which will be in the following format: selector._domainKey.yourdomain.com


Since DMARC provides a mechanism for reporting, its associated DNS record contains appropriate information to handle these reports. Additionally, companies can gradually rollout DMARC. For example, you can initially ask other companies to just submit reports to your Xeams without considering them spam if DMARC alignment fails. Once you are confident the reports you see in Xeams does not include any failed status for your IP addresses, you can make the rule a bit tighter.

Example 1:

When first using DMARC, set the policy (p) to none.
"v=DMARC1; p=none; rua=mailto:dmarc.rua@yourdomain.com"
This ensures the receiving servers will not consider your email junk even if DMARC does not align.

Example 2:

Once you do not see any abnormalities in the DMARC reports, consider changing the policy to quarantine. The DNS record will then look like:
"v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@yourdomain.com"
The email address specified above (dmarc.rua@yourdomain.com) is a special address handled automatically by Xeams to accept incoming reports from other servers.






Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users? Please add it below. Your name and tip will appear at the end of the document text.
Your name:
Your email:
Hide my email address
Verification code:
Enter the verification code you see above more submitting your tip
Tip:Please limit tips to 1000 characters