Introduction

This is written specifically for confident IT users. If you are not in this category, please get support from someone who is. This article shows you the main steps to set up SPF, DKIM and DMARC for your email systems; it is not a comprehensive technical guide, but it is a sound starting point.

The 3 techniques of SPF, DKIM and DMARC can only be set up by you if your email is on your own domain (eg. name@owndomain.co.uk). There are other methods for improving email security that are not related to domains, but this article does not cover them.


Why is email security important?

One click from one user on a malicious email attachment can compromise a whole organisation (scripts, data leakages, ransomware, privilege exploits, etc). Spam email and phishing email are easy ways for hackers to break into a network.


What if I host my website with Skylime?

You’re in luck! You only need to set up DMARC. We automatically set up SPF and DKIM for each domain connected to your hosting.

However, if you decide to host your email elsewhere, eg. Google Gmail, you will have to change your DNS settings for SPF and DKIM. Also, if you want to change the defaults you will need to tweak the settings.


What are SPF, DKIM and DMARC?

SPF, DKIM and DMARC are 3 techniques to improve your email security. These are only possible if you have your own domain (eg @skylime.co.uk).

They are email security protocols. SPF and DKIM can each be used on their own, but the three complement each other, so using them all provides the best protection.

  1. Sender Policy Framework (SPF) restricts who can send emails from your domain.
  2. DomainKeys Identified Mail (DKIM) is “email signing”.
  3. Domain-based Message Authentication, Reporting and Conformance (DMARC) determines what happens to unauthenticated mail.

There are other methods too that are not connected to the use of domain names, eg. good password discipline and message encryption.


How to set up SPF, DKIM and DMARC

What you need to start

As a non-expert, you should be able to set these up as long as you are comfortable with accessing web hosting and domain registration accounts.

In addition you must —

  1. have access to your domain’s DNS settings so that you can add or edit TXT records
    • your web hosting account is the usual route to use
    • your domain registrar account is an alternative if you have no web hosting
  2. add a TXT record for each protocol that you want, using the instructions below
    • you may need to look up certain settings from elsewhere, eg. IP addresses

If you are not comfortable with this you should ask an expert to do this for you. If you host with Skylime you can send us a ticket (note – there may be a charge depending on your service level).


How do I create an SPF record?

The SPF record is a simple text string in your domain’s DNS; its parameters have 4 sections.

Preparation

  1. Find and note your email provider’s IP, domain or mail server address (or addresses if more than one)
    • if from hosting account, log in and check
    • if from elsewhere, eg. Google, log in and check there
  2. If you use any forwarding services, look up and note the domain names related to these.
    • you can either log into your email forwarding account, or check your current DNS records

Action

  1. Log into your hosting or domain registrar account —
    • with Skylime you log into your cPanel account, and
      • find the DNS Zone Editor and select Manage
      • select + Add Record and choose Add “TXT” Record option
    • with non-cPanel accounts accessing the DNS editor will be slightly different
  2. Add a new TXT record to your domain’s DNS (see diagram below) —
    • Name (‘Valid zone name’) is where you enter your domain name
    • TTL (time to live) is how long DNS resolvers cache the record; usually you can leave this as the default value (here it is 14400 seconds)
    • Type is TXT; if not already correct, change it by clicking the dropdown
    • Record (‘Text’) is where you enter the 4-section parameter string (see options below)
    • Click the Save Record button to complete
[Screenshot: new DNS record in cPanel]

If you make a mistake or need to change your settings for any other reason, you can go back to the DNS Zone Editor and edit any record. Be careful because wrong entries can completely stop websites and emails from working.

Hosting with Skylime

When you check your DNS records you should find an automatic SPF entry for each of your domains with the following Record: “v=spf1 ip4:11.22.33.44 include:relay.mailchannels.net -all” (the IP address matches your cPanel server).

Typical example

[Screenshot: example of SPF entry in DNS records in cPanel]

4 tags in Record: [1] v=spf1 [2] ip4:22.23.24.25 a:skylime.co.uk [3] include:relay.mailchannels.net [4] -all


What does this mean?

  [1] SPF version: v=spf1
    • Options: there is no other version at present
    • Example: v=spf1
  [2] Authorised address: ip4:22.23.24.25 a:skylime.co.uk
    • Options: you can use any / all of these –
      • a single IP address
      • multiple IP addresses, listed individually or through a range
      • your domain name
      • your mail server name
    • Examples:
      • individual IP — ip4:22.23.24.25 or ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF
      • IP range — ip4:22.23.24.0/20 or ip6:2001:db8:1234::/48
      • by domain name — a:skylime.co.uk
      • by mail server — mx:mail.skylime.co.uk
  [3] Authorised 3rd party domain: include:relay.mailchannels.net
    • Options: a secondary domain can be authorised to send email on behalf of the primary domain, eg gmail. If multiple domains are authorised, they should be listed as separate “includes”, with a maximum of 10 allowed.
    • Example: include:freeagent.com include:yahoo.com include:msn.co.uk
  [4] Fail policy: -all
    • Options: - / ~ / + / ?
      • (-) Hard fail — reject emails from servers not listed
      • (~) Soft fail — mark emails from unlisted servers as possible spam
      • (+) All authorised — NOT RECOMMENDED
      • (?) Neutral — unspecified
    • Examples:
      • -all — a hard fail
      • ~all — a soft fail
      • +all — all authorised
      • ?all — neutral
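As an added example (not part of the Skylime article), here is a small Python checker for the 4 sections described above: it splits an SPF record into version, authorised addresses, includes and fail policy, validates the IP addresses, counts the DNS-lookup terms against the limit of 10, and warns about +all or a missing all term. SAMPLE_SPF is the typical example record from above; the check does no DNS queries, so it runs offline.

```python
import ipaddress

# Meaning of the qualifier in front of the "all" mechanism (section 4 of the record).
ALL_QUALIFIERS = {"-": "hard fail", "~": "soft fail", "+": "all authorised", "?": "neutral"}
# Mechanisms that make the receiving server do a DNS lookup; at most 10 are allowed per record.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
# Sample input: the SPF record from the typical example above.
SAMPLE_SPF = "v=spf1 ip4:22.23.24.25 a:skylime.co.uk include:relay.mailchannels.net -all"


def check_spf(record: str) -> dict:
    """Split an SPF record into its 4 sections and report the mistakes that can be caught offline."""
    result = {"version_ok": False, "addresses": [], "includes": [], "all": None,
              "lookups": 0, "warnings": []}
    terms = record.lower().split()  # mechanism names, domains and IPv6 hex are case-insensitive
    if not terms or terms[0] != "v=spf1":
        result["warnings"].append("record must start with v=spf1")
        return result
    result["version_ok"] = True
    for term in terms[1:]:
        if "=" in term:  # a modifier such as redirect= or exp=; redirect also costs a DNS lookup
            if term.startswith("redirect="):
                result["lookups"] += 1
            continue
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in ALL_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            result["all"] = ALL_QUALIFIERS[qualifier]
            if qualifier == "+":
                result["warnings"].append("+all authorises every server on the internet")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)  # accepts one address or a CIDR range
                result["addresses"].append(f"{name}:{value}")
            except ValueError:
                result["warnings"].append(f"invalid address {name}:{value}")
        elif name in LOOKUP_MECHANISMS:
            result["lookups"] += 1
            if name == "include":
                result["includes"].append(value)
            else:
                result["addresses"].append(term)
        else:
            result["warnings"].append(f"unknown term {term}")
    if result["all"] is None:
        result["warnings"].append("no 'all' term: the record has no fail policy")
    if result["lookups"] > 10:
        result["warnings"].append("more than 10 DNS-lookup terms: receivers will treat this as an error")
    return result
```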

How do I create a DKIM record?

The DKIM record is a text string with 3 required DKIM tags and several optional ones. Ideally, your mail server will provide a tool that allows you to create a pair of keys (a private key and a public key) on the server. The public key is used in your DNS record.

Preparation

  1. Check if your hosting includes auto-generated DKIM keys, ie. the records already exist
    • for example with Skylime, a default pair of keys is created for all domains with websites hosted or parked with us
    • check your DNS records for TXT records that include {selector}._domainkey.{yourdomain.com} in the Name field
  2. If your domain doesn’t yet have a DKIM record, you must create a public and private DKIM key for your domain
    • most mail servers usually provide a method for this; you will need to check up on the process
    • if not, you will have to use a specialist DKIM key provider

Action

  1. Don’t do anything if your domain already has a DKIM record set up
    • however, changing your email system to Gmail requires a new domain key set up with Google
  2. Otherwise, log into your hosting or domain registrar account —
    • with Skylime you log into your cPanel account, and
      • find the DNS Zone Editor and select Manage
      • select + Add Record and choose Add “TXT” Record option
    • with non-cPanel accounts accessing the DNS editor will be slightly different
  3. Add a new TXT record to your domain’s DNS.
    • Name (‘Valid zone name’) is where you enter 2 of the 3 required DKIM tags, joined as SELECTOR._domainkey.DOMAIN —
      • SELECTOR (a short alphanumeric string supplied to you by your DKIM provider)
      • ._domainkey.
      • DOMAIN
    • TTL (time to live) is how long DNS resolvers cache the record; usually you can leave this as the default value (here it is 14400 seconds)
    • Type is TXT; if not already correct, change it by clicking the dropdown
    • Record (‘Text’) is where you enter the details provided by your DKIM key provider (see options below)
      • ideally all tags should be provided as one to copy & paste
      • optional tags may precede the compulsory one, eg. —
        • v=DKIM1;
        • k=rsa;
      • compulsory tag —
        • p=PUBLIC KEY (a long alphanumeric string)
    • Check that what you have inputted is correct (copy & paste is best)
      • 1 small error can block all your emails
    • Click the Save Record button to complete

Typical example

2 tags in Name: [1] google._domainkey. [2] skylime.co.uk

3 tags in Record: [option] v=DKIM1; [option] k=rsa; [3] p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG/hRlA+1hcecwXwP3aWnUeyRp+z0Ijqa097ntn8qgB/jLTgTUvDU0wKaM4PAfc9SKdLg4cDtAx6QvksijLXL+JDWImglBY8jVDsUQYgsT/ChwHpKDWFtZr4l+uXaEKYcdKAxN3NWFEHY/d/f6ic/p5jDEE7gM5xkGiczm2oNhVQIDAQAB


What does this mean?

  [1] Selector: google
    • Options: the record name used as a selector with the domain
    • Examples: 2B8U4DAB93D58YR, default, 20191216210413pm
  [2] Domain: skylime.co.uk
    • Options: the domain name helps locate the public key
    • Examples: yourdomain.com, bbc.co.uk
  [option] Version: v=DKIM1
    • Options: there is no other version at present
    • Example: v=DKIM1
  [option] Key type: k=rsa
    • Options: the type of cryptographic key used
    • Examples: k=rsa, k=ed25519
  [3] Public key: p=PUBLIC KEY
    • Options: a long string of upper & lower case letters, numbers & punctuation marks (the encoded public key) published to DNS as part of the record
    • Example: p=QC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV


How do I create a DMARC record?

The DMARC record is a text string with only 2 required tags, v (version) and p (policy). There are other tags which are optional, but there is no consensus yet on which are recommended.

Preparation

  1. Check that SPF and DKIM have been set up.
    • DMARC does not work without them.
      • EITHER check your DNS
      • OR use a DMARC wizard
  2. Set up a new email address specifically to receive DMARC reports
    • DMARC needs an email address to send reports to
      • keep reports separate from normal email

Use a DMARC wizard

This is the easiest way to check SPF and DKIM are set up, to create your DMARC policy, and to check your DMARC record afterwards.

There are many sites that offer this tool: MXToolbox, DMARC Analyzer (requires sign up), Dmarcian and more. The Dmarc.org site also provides a list of utilities for generating DMARC records, message validation and more. Most of these sites also have tools to validate your DMARC record once DNS propagation has taken place.

Action

  1. Log into your hosting or domain registrar account
    • with Skylime you log into your cPanel account, and
      • find the DNS Zone Editor and select Manage
      • select + Add Record and choose Add “TXT” Record option
    • with non-cPanel accounts accessing the DNS editor will be slightly different
  2. Add a new TXT record to your domain’s DNS.
    • Name (‘Valid zone name’)
      • _dmarc.DOMAIN
    • TTL (time to live) is how long DNS resolvers cache the record; usually you can leave this as the default value (here it is 14400 seconds)
    • Type is TXT; if not already correct, change it by clicking the dropdown
    • Record (‘Text’) is where you enter the 2 required DMARC tags and any optional ones
      • 2 compulsory tags first
        • v=DMARC1;
        • p=none; (options)
      • optional tags follow
        • fo=1; (options)
        • rua=mailto:name@domain
    • Click the Save Record button to complete

Typical example

1 tag in Name: _dmarc.skylime.co.uk

4 tags in Record: [1] v=DMARC1; [2] p=none; [option] fo=1; [option] rua=mailto:reports@skylime.co.uk


What does this mean?

  [1] Version: v=DMARC1
    • Options: there is no other version at present
    • Example: v=DMARC1
  [2] Policy: p=none
    • Options: what to do with a failed message
      • none
      • quarantine
      • reject
    • Examples: p=none, p=quarantine, p=reject
  [option] Report options: fo=1
    • Options:
      • 0: generate reports if both DKIM and SPF fail
      • 1: generate reports if either DKIM or SPF fails
      • d: generate a report if DKIM fails
      • s: generate a report if SPF fails
    • Examples: fo=0, fo=1, fo=d, fo=s
  [option] Report destination: rua=mailto:reports@skylime.co.uk
    • Options: an email address should be set up specifically for reports
    • Example: rua=mailto:test@example.com
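Because DKIM and DMARC records share the same tag=value; format, one added Python example (not from the Skylime article) serves both the DKIM and the DMARC sections: it parses the tags, then checks the DKIM Name and public key and the DMARC version, policy, fo= options and rua= address, using the Name and Record from the two typical examples above as sample input. It validates syntax only; it does not look anything up in DNS or verify a signature.

```python
import base64
import binascii
# Sample input: the Name and Record from the DKIM and DMARC typical examples above.
SAMPLE_DKIM_NAME = "google._domainkey.skylime.co.uk"
SAMPLE_DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG/hRlA+1hcecwXwP3aWnUeyRp+z0Ijqa097ntn8qgB/jLTgTUvDU0wKaM4PAfc9SKdLg4cDtAx6QvksijLXL+JDWImglBY8jVDsUQYgsT/ChwHpKDWFtZr4l+uXaEKYcdKAxN3NWFEHY/d/f6ic/p5jDEE7gM5xkGiczm2oNhVQIDAQAB"
SAMPLE_DMARC_NAME = "_dmarc.skylime.co.uk"
SAMPLE_DMARC_RECORD = "v=DMARC1; p=none; fo=1; rua=mailto:reports@skylime.co.uk"


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' string, the format both DKIM and DMARC records use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)  # first '=' only: base64 padding may contain '='
            tags[tag.strip()] = value.strip()
    return tags


def check_dkim(name: str, record: str) -> list:
    """Return the problems found in a DKIM TXT record (an empty list means it looks right)."""
    problems = []
    if "._domainkey." not in name:
        problems.append("Name must be SELECTOR._domainkey.DOMAIN")
    tags = parse_tags(record)
    if "p" not in tags:
        problems.append("p= (the public key) is compulsory")
    else:
        try:  # one corrupted character in the pasted key stops every message from verifying
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64: re-copy the key from your provider")
    return problems


def check_dmarc(name: str, record: str) -> list:
    """Return the problems found in a DMARC TXT record (an empty list means it looks right)."""
    problems = []
    if not name.startswith("_dmarc."):
        problems.append("Name must be _dmarc.DOMAIN")
    tags = parse_tags(record)
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 is compulsory and must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    # fo= may combine options with ':' (eg fo=1:d) and only affects failure reports sent to ruf=
    if any(opt not in ("0", "1", "d", "s") for opt in tags.get("fo", "0").split(":")):
        problems.append("fo= options must be 0, 1, d or s")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no reports")
    elif not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        problems.append("rua= must be one or more mailto: addresses")
    return problems
```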

Glossary

If you feel we’ve missed an important definition for this particular page please drop us an email and we will add it.

SPF

Sender Policy Framework guarantees that your email has come from your domain and not someone else’s. It prevents domain spoofing where an email from one address pretends to come from another.

SPF has three major elements:

  1. a policy framework
  2. an authentication method
  3. specialized headers in the email

DKIM

DomainKeys Identified Mail (DKIM) lets receivers verify that your email content has not been intercepted and altered. DKIM uses a public-key cryptographic algorithm to create a pair of keys, a public and a private key. The private key is kept private on the server it was created on, which is usually your mail server, and is used to sign outgoing mail. The public key is placed in the DNS TXT record.

DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies. It also checks that the domain authenticated by SPF or DKIM matches the domain listed in the From: header, and it provides better reporting back from mail recipients.

It’s an email authentication, policy and reporting protocol that’s actually built around both SPF and DKIM. It has three basic purposes:

  1. verifies that a sender’s email messages are protected by both SPF and DKIM,
  2. tells the receiving mail server what to do if neither of those authentication methods passes, and
  3. provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.

DMARC basically builds on SPF and DKIM to ensure that, when an email is received, the information contained in both records matches the “friendly from” domain (e.g., me@my-domain.com) that the user actually sees and the from address that’s contained in the message’s header.

DMARC uses SPF and DKIM and provides a set of instructions to receiving email servers with what to do if they receive unauthenticated mail.



Image Attributions

Header Image — “Email scam” by mohamed Hassan from Pixabay
