Tired of having your emails go into client junk / spam folders? You can increase the deliverability of your emails while protecting your brand and clients using free tools to create SPF, DKIM and DMARC records. With these free records in place, you can help block phishing, ransomware, and spam messages.

Email service providers like Gmail and Office 365 are increasingly sending unauthenticated emails to spam or rejecting them outright. This article will show you how to add an SPF, DKIM and DMARC record to your domain to help prevent this while keeping most malicious actors out. Note, this article is only intended for my personal use and comes with no guarantee of any kind.

However, be aware of the security risks involved with DMARC.


SPF Record

Sender Policy Framework (SPF) is an email authentication protocol that defines all senders authorized to send email on behalf of your domain. Along with DKIM and DMARC, SPF works to protect your domain’s reputation, enhances email deliverability, and provides added email security by helping to prevent domain spoofing.

Even if you don’t have an email hosting service for your domain, or the domain is simply parked, you should still have a basic SPF record set to the following:

  • TYPE: TXT
  • NAME: @
  • VALUE: v=spf1 -all
    • This SPF record tells mail servers that the domain sends no mail at all. Learn more about SPF Syntax.

With an SPF record set, spammers will have a harder time sending fraudulent emails that appear to come from your domain (email domain spoofing). Setting an SPF record allows you to specify which Internet Protocol (IP) addresses are allowed to send emails on behalf of your domain. Any email sent from an IP address not listed in the SPF record will be flagged as suspicious and typically delivered to the recipient’s spam folder.

Check to see if you already have an SPF record set for your domain using any one of the free SPF Checker tool websites below. I like to run all three:

SPF Record Checker Tools

SPF Record Generator Tools

If you already have an SPF record (and it is correct), skip to the DKIM section below. Otherwise, you should generate an SPF record for your domain using any one of the free SPF Record Generator tools listed below. Note, your existing email hosting provider may already provide you with a free SPF Record, and it should be your first source.

Adding an SPF Record

Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.

  • The Type should be set to TXT
  • The Name should be blank or @
  • The Value should be set to the generated SPF Record.
  • The Time to Live (TTL) should be set to 1 hour.

Once created, go ahead and run any one (or all 3) of the free SPF checker tools listed above. This will ensure that you’ve added the SPF Record correctly.


DKIM Record

DomainKeys Identified Mail (DKIM) authenticates the email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding (the signature travels with the message, whereas a forwarding server’s IP address is not in your SPF record), which makes it superior to SPF and a foundation for securing your email.

DKIM Record Checker Tools

DKIM Record Generator Tools

Note, your existing email hosting provider may already provide you with a free DKIM Record, and it should be your first source. Otherwise, use any one of the following free DKIM Record Generator tools.

Adding a DKIM Record

Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.

  • The Type should be set to TXT
  • The Name should be default._domainkey (here default is the selector; use the selector name your provider or generator assigned)
  • The Value should be set to the generated DKIM Record.
  • The Time to Live (TTL) should be set to 1 hour.

If you want a placeholder while you generate a new DKIM record you can use the following:

  • TYPE: TXT
  • NAME: *._domainkey
  • VALUE: v=DKIM1; p=none;

Each string in a TXT record has a limit of 255 characters. This limit is imposed by the DNS protocol itself. If you need to add a DKIM record that is longer than 255 characters, you’ll need to split the value/content of the record into multiple strings of at most 255 characters each. This is done by splitting the DKIM record and encapsulating each string in straight double quotes; receiving servers join the strings back together before reading the key. For example (note the double quotes ( " " ) in the middle of the p= value):

"v=DKIM1; k=rsa; p=MIGfMA0GCSqG""SIb3DQEBAQUM"

However, some DNS hosting providers will automatically add quotes at the beginning and end of the TXT record, so you’ll need to skip the beginning and ending quotes and only enter the double quotes between the strings. Do not add any line breaks between the strings.

Once the DKIM record has been created, go ahead and run any one (or all 3) of the free DKIM checker tools listed above. This will check to see that you’ve added the DKIM record correctly.


DMARC Record

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism for policy distribution by which an organization that is the originator of an email can communicate domain-level policies and preferences for email validation, disposition, and reporting.

The DMARC Record standardizes how mail originators associate and authenticate domain identifiers with emails, handle email policies using those identifiers, and report about email using those identifiers.

According to RFC 7489, the DMARC mechanism for policy distribution enables the strict handling of emails that fail authentication checks, such as SPF and/or DKIM. If neither of those authentication methods passes, DMARC tells the receiver how to handle the email, such as to junk (quarantine) or reject the email.

DMARC Record Checker Tools

DMARC Record Generator Tools

  • EasyDMARC DMARC Record Generator
    • NOTE: You will first need to have your domain SPF and DKIM records deployed and authenticating messages before setting up DMARC.

Adding a DMARC Record

Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.

  • The Type should be set to TXT
  • The Name should be _dmarc
  • The Value should be set to the generated DMARC Record.
  • The Time to Live (TTL) should be set to 1 hour.

If you want a placeholder while you generate a new DMARC record you can use the following:

  • TYPE: TXT
  • NAME: _dmarc
  • VALUE: v=DMARC1; p=none;

Once created, go ahead and run the free DMARC checker tool listed above. This will ensure that you’ve added the DMARC Record correctly.
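As an added example (not code from the original article or from any of the checker tools it links), here is a small offline Python checker for the three records described above: it splits an over-long DKIM value into 255-character strings as the DKIM section describes, joins split strings back together before parsing (as a verifier does), and rates each record the way a checker tool would, reporting the article’s p=none placeholders as not yet enforcing. The tag parsing is deliberately simplified and the sample values used in the test are the article’s own examples.

```python
MAX_TXT_STRING = 255  # per-string limit in a DNS TXT record (RFC 1035)

def split_txt(value):
    """Split a long TXT value (e.g. a DKIM key) into <=255-char quoted strings."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]

def parse_tags(record):
    """Turn 'v=DKIM1; k=rsa; p=...' into {'v': 'DKIM1', 'k': 'rsa', 'p': '...'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def check_spf(record):
    """Rate an SPF record by its 'all' terminator (v=spf1 -all is the baseline)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid: missing v=spf1"
    if terms[-1] == "-all":
        return "ok: unlisted senders hard-fail"
    if terms[-1] == "~all":
        return "weak: softfail only"
    return "weak: no -all/~all terminator"

def check_dkim(strings):
    """Takes the quoted strings a resolver returns; a verifier joins them first."""
    tags = parse_tags("".join(strings))
    if tags.get("v") != "DKIM1":
        return "invalid: missing v=DKIM1"
    if tags.get("p") in (None, "", "none"):  # the article's placeholder uses p=none
        return "placeholder: no public key published"
    return "ok: public key present"

def check_dmarc(record):
    """p=reject is the recommended policy; p=none only produces reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "invalid: missing v=DMARC1"
    policy = tags.get("p")
    if policy == "reject":
        return "ok: p=reject"
    if policy == "quarantine":
        return "weak: p=quarantine delivers spoofs to junk folders"
    return "monitor-only: p=none, no enforcement"
```

Feed it the strings returned by a DNS lookup of @, default._domainkey and _dmarc for your domain to get the same verdicts the online checkers give.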

For more information on DMARC I recommend the following article on Demystifying DMARC: A guide to preventing email spoofing.


Email Spoofing Test


Potential DMARC Security Risks

I have assisted many clients with properly setting up their SPF, DKIM and DMARC DNS records. But now they must monitor their reporting inbox for DMARC reports to ensure email deliverability remains high.

Since DMARC reports and reporting are relatively new for most people, a malicious actor could potentially use this to their advantage.

For example, the DMARC reporting and forensic email addresses are publicly visible. One could simply email one or both of those addresses an attachment containing malicious code. The person responsible for reviewing the DMARC reports might open one of these malicious messages by accident. Chances of that are low, you say? Well, the attacker can increase their odds of success by sending many spoofed email messages. In turn, these would generate a number of DMARC reports. The DMARC report reviewer might then be more inclined to let their guard down. It only takes one time.

I also think this vector is ideal for phishing. For example, I can see sending someone an email, to one or both of the DMARC addresses, with a ‘download report’ button or link. That link would then redirect them to a ‘report download page’, but wait… you have to sign in first. Then bingo, bango, bongo, ‘all your networks are belong to me’ as the script kiddies say.

Some DMARC policies are even set to ‘quarantine’ rather than ‘reject’, which directs all illegitimate emails to recipients’ junk/spam folders. But this still puts the potentially malicious email within reach of the client, who may, albeit temporarily, let their guard down for one reason or another. This is why I recommend setting your DMARC policy to Reject (p=reject). Someone would then need to regularly monitor for legitimate email senders through the DMARC Aggregate Reports.

Heck, an attacker can even send an email with a legitimate report attached which then attempts, via social engineering, to manipulate the reviewer into compromising their security in some way.

Interesting thought experiment, but maybe I’m wrong. Won’t be the first time.


Conclusion

I hope my article on increasing email deliverability and spoofing protection using SPF, DKIM, and DMARC records has helped you. I welcome your thoughts, questions or suggestions regarding this article.

You may support my work and future improvements by sending me a tip using your Brave browser or by sending me a one time donation using your credit card.

Let me know if you found any errors within my article or if I may further assist you by answering any additional questions you may have.


Editor’s Note:

  • This article was first published on October 5th, 2023 and was revised on February 8th, 2024 to include my idea regarding the potential security risks posed by having publicly visible DMARC reporting and forensic email addresses.
  • This article was revised on February 27th, 2024 to include a link to a handy Email Spoofing Tester to verify your DNS record setup is secured.
  • This article was revised on March 6th, 2024 to include default records for each record SPF, DKIM and DMARC.