What are SPF, DKIM and DMARC records
The SPF, DKIM and DMARC records are three e-mail authentication protocols designed to ensure that e-mails arrive correctly to the recipients, thus preventing them from ending up in the SPAM folder and sending e-mails impersonating our identity, an activity known as phishing.
Below we indicate the operation of each record and some examples of its use.
SPF
The SPF, or Sender Policy Framework, indicates who can send an email from a given domain in order to protect against sender spoofing.
It is common for large email service providers (such as Google) to require the presence of this record in order to prevent fraud and spam. Otherwise, e-mails addressed to them may be rejected or classified as SPAM.
Parameters
SPF rules are evaluated sequentially from left to right based on the parameters included:
-
v=spf1 - Indicates the start of the rule and which version of SPF is to be used.
-
mx - Authorizes the servers listed in the MX records to send mail on behalf of "dominiosw.com".
-
a - Authorizes the IP listed in the A record to send mail on behalf of "dominiosw.com".
-
ptr - Authorizes any host that ends in "dominiosw.com" to send mail.
-
ip4:1.2.3.4 - Authorizes IP "1.2.3.4" to send mail on behalf of "dominiosw.com".
-
all - Depending on the prefix, indicates how to handle cases where there is no match for any of the above parameters. It is included at the end of the SPF rule.
Prefixes
The following prefixes can be used with each of the parameters (with the exception of the first one):
-
+ Authorized sender. If no prefix is specified, the default prefix is assumed.
-
- Unauthorized sender is rejected.
-
~ Unauthorized sender, will be marked with a special header, but will not be rejected.
Examples
An example of a characteristic SPF:
v=spf1 mx a ~all
-
mx: The servers of the MX records are authorized (as no prefix is included + is assumed).
-
a: The IP of record A is authorized.
-
~all: Those that do not match the above rules are not authorized, but will not be rejected, they will be marked with a special header.
v=spf1 mx -all
-
mx: MX record servers are authorized (as no prefix is included, + is assumed).
-
-all: Those that do not match the above rules are not authorized and will be rejected.
v=spf1 -mx a ip4:1.2.3.4 ~all
-
-mx: MX record servers are not authorized, they will be rejected.
-
a: The IP of record A is authorized.
-
ip4:1.2.3.4: The IP "1.2.3.4" will be marked as neutral.
-
~all: Those that do not match the above rules, are not authorized, but will not be rejected, they will be marked with a special header.
DKIM
DKIM, or DomainKeys Identified Mail, includes a key that allows the recipient of an email to verify that the sender is really who they say they are. Like SPF and DMARC records, its purpose is to prevent fraud and spam.
An example of DKIM would be:
DKIM: swmanuales
Clave DKIM: v=DKIM1; g=*; k=rsa; p=MIGfMA0GCGGGGGb3DQEBAQUAA4G000BiQKBgQD0000VKvGjmSb4FkI70000e1KqV01eQ70n0000D5bpRfo8ZGcab0000+3+O0mPI7wYblklU0000T0A3LVJk+QTwX00007VA7EiL0utBMW0000iZLJ8Exyzoajql0000RRJmyhngY/0000t0yq21pdlYLrJa0000CfaniL/8gKQGQID0000
DMARC:
DMARC or, Domain-based Message Authentication, Reporting and Conformance, is a complement to the previous methods (SPF and DKIM) aimed at preventing fraud and spam. It allows to establish:
- Action policy for suspicious emails that have not passed both SPF and DKIM validation systems.
- Generation of aggregated reports with statistics on SPF and DKIM validation failures, among others.
- Generation of forensic reports with details on the emails that fail in the validation processes.
Parameters
The parameters of the DMARC rules allow to configure their behavior, these are the most basic ones:
-
v=DMARC1; - Indicates the start of the rule.
-
p=none; - Monitoring and reporting policy. The email will be delivered as normal, but the receiving servers will monitor behavior and generate reports. It is used to verify performance and check if an attempt is being made to impersonate your domain as an email sender.
-
p=quarantine; - The receiver will mark as SPAM or quarantine emails that do not pass both validation systems (DKIM/SPF).
-
p=reject; - Receiver will reject emails that do not pass both validation systems (DKIM/SPF).
-
sp=none;/sp=quarantine;/sp=reject; - [Optional] Different policy for subdomains. If this parameter is not present, the previous parameter ("p=none;/quarantine;/reject;") will take effect on the domain and subdomains.
-
rua=mailto:[email protected]; - [Optional] E-mail address to send aggregated reports to.
-
ruf=mailto:[email protected]; - [Optional] E-mail address to send forensic reports to.
-
aspf=s; - [Optional] Strict SPF validation. The domain must be identical to the one appearing in the SPF rule, subdomains of it are not accepted.
-
adkim=s; - [Optional] Strict DKIM validation. The domain must be identical to the one that appears in the SPF rule, subdomains of it are not accepted.
Examples
A basic example of DKIM would be:
v=DMARC1; p=none;
-
p=none; - Monitoring and reporting policy. The rule does not include an email address for receiving reports, so no reports will be generated. The e-mail will be delivered as normal, nothing is done for e-mails that do not pass the validation systems.
v=DMARC1; p=none; sp=reject; rua=mailto:[email protected];
-
p=none; - Monitoring and reporting policy. E-mail will be delivered as normal, nothing is done for e-mails that do not pass the validation systems.
-
sp=reject; - Emails coming from subdomains (example: "correo.dominiosw.com") will be rejected if they do not pass both validation systems (DKIM/SPF).
-
rua=mailto:informes@swmanuales; - Aggregate reports will be sent to the specified email address.
Important: Before creating a DMARC record, you must have SPF and DKIM records created and running.
You can use the following services to generate DMARC rules:
https://dmarcian.com/dmarc-record-wizard/
https://mxtoolbox.com/DMARCRecordGenerator.aspx
Automatically create advanced SPF - DKIM - DMARC DNS records
You can create a DKIM key from SWPanel, you will need to access your service dashboard:
Then, go to the Service management > DNS management (left menu):
-
Automatically create advanced DNS records SPF - DKIM - DMARC: This will automatically create SPF - DKIM - DMARC records
These are the records that are automatically created from SWPanel: