Email Protection using SPF, DKIM, DMARC
Tired of having your emails go into client junk / spam folders? You can increase the deliverability of your emails while protecting your brand and clients using free tools to create SPF, DKIM and DMARC records. With these free records in place, you can help block phishing, ransomware, and spam messages.
Email service providers like Gmail and Office 365 are increasingly sending unauthenticated emails to spam or rejecting them outright. This article will show you how to add an SPF, DKIM and DMARC record to your domain to help prevent this while keeping most malicious actors out. Note, this article is only intended for my personal use and comes with no guarantee of any kind.
SPF Record
Sender Policy Framework (SPF) is an email authentication protocol that defines all senders authorized to send email on behalf of your domain. Along with DKIM and DMARC, SPF works to protect your domain’s reputation, enhance email deliverability, and provide added email security by helping to prevent domain spoofing.
Even if you don’t have an email hosting service for your domain, or the domain is simply parked, you should still have a basic SPF record set to the following:
- v=spf1 -all
  - This SPF Record tells mail servers that the domain sends no mail at all. Learn more about SPF Syntax.
With an SPF record set, spammers will have a harder time trying to send out fraudulent emails that appear to come from your domain (email domain spoofing). Setting an SPF record allows you to specify which Internet Protocol (IP) addresses are allowed to send emails on behalf of your domain. Any emails sent from an IP address not listed in the SPF record will be flagged as suspicious and delivered to the recipients’ spam folder.
Check to see if you already have an SPF record set for your domain using any one of the free SPF Checker tool websites below. I like to run all three:
SPF Record Checker Tools
- DMARCLY SPF Checker Tool
- MXToolBox SPF Checker Tool
  - After the free check, click the green “Find Problems” button for even more details.
- EasyDMARC SPF Checker Tool
SPF Record Generator Tools
If you already have an SPF record (and it is correct), skip to the DKIM section below. Otherwise, you should generate an SPF record for your domain using any one of the free SPF Record Generator tools listed below. Note that your existing email hosting provider may already provide you with a free SPF record, and it should be the first source you go to.
Adding an SPF Record
Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.
- The Type should be set to TXT
- The Name should be blank or @
- The Value should be set to the generated SPF Record.
- The Time to Live (TTL) should be set to 1 hour.
Once created, go ahead and run any one (or all 3) of the free SPF checker tools listed above. This will ensure that you’ve added the SPF Record correctly.
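A few checks worth running on the TXT values before or after publishing them, as an added example that is not part of the original article or of any tool listed above. The function name `lint_spf` and all sample records are constructed for illustration; the rules it applies (one record only, at most 10 DNS-lookup terms, an explicit `all` term) come from RFC 7208.

```python
import re

# Terms that each cost one DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_values):
    """Return a list of problems in the TXT values published at the domain root."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers treat this as permerror"]
    terms = spf[0].split()[1:]
    # Strip the qualifier (+ - ~ ?) and any :domain, =value or /cidr suffix.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    problems = []
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms: more than 10 gives permerror")
    if "all" not in names:
        if "redirect" not in names:
            problems.append("no 'all' term: unlisted senders get neutral, not fail")
        return problems
    pos = names.index("all")
    if terms[pos].lower() in ("all", "+all"):
        problems.append("'+all' authorizes every IP address to send as the domain")
    if any(n != "exp" for n in names[pos + 1:]):
        problems.append("terms placed after 'all' are never evaluated")
    return problems

# Constructed sample TXT sets (example.* and 192.0.2.0/24 are documentation values).
SAMPLES = {
    "parked": ["v=spf1 -all"],
    "hosted": ["site-verification=constructed", "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "duplicate": ["v=spf1 include:_spf.example.net -all", "v=spf1 ip4:192.0.2.10 -all"],
    "over_limit": ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " -all"],
    "permissive": ["v=spf1 mx +all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records) or "ok")
```

The duplicate case is the one most often hit when following a generator: adding a second `v=spf1` TXT record next to an existing one breaks both, so merge the terms into a single record instead.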
DKIM Record
DomainKeys Identified Mail (DKIM) is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.
DKIM Record Checker Tools
- EasyDMARC DKIM Checker Tool (easiest to use)
  - Simply enter your domain, leave Selector blank and check the box to “Detect all selectors”.
- DMARCLY DKIM Checker Tool
  - For the selector enter: default or whatever selector you may have set.
- MXToolBox DKIM Checker Tool
  - Again, for the selector enter: default or whatever selector you may have set.
DKIM Record Generator Tools
Note that your existing email hosting provider may already provide you with a free DKIM record, and it should be the first source you go to. Otherwise, use any one of the following free DKIM Record Generator tools.
- DMARCLY DKIM Record Generator Tool
  - Enter the domain name, for DKIM selector enter: default, set key length as needed.
- EasyDMARC DKIM Record Generator Tool
  - Enter the domain name, for DKIM selector enter: default, set key length as needed.
Adding a DKIM Record
Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.
- The Type should be set to TXT
- The Name should be default._domainkey
- The Value should be set to the generated DKIM Record.
- The Time to Live (TTL) should be set to 1 hour.
Once created, go ahead and run any one (or all 3) of the free DKIM checker tools listed above. This will ensure that you’ve added the DKIM Record correctly.
DMARC Record
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism for policy distribution by which an organization that originates email can communicate domain-level policies and preferences for email validation, disposition, and reporting.
The DMARC Record standardizes how mail originators associate and authenticate domain identifiers with emails, handle email policies using those identifiers, and report about email using those identifiers.
According to RFC 7489, the DMARC mechanism for policy distribution enables the strict handling of emails that fail authentication checks, such as SPF and/or DKIM. If neither of those authentication methods passes, DMARC tells the receiver how to handle the email, such as to junk (quarantine) or reject the email.
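How a receiver combines the SPF result, the DKIM result and the published policy, as an added example that is not part of the original article. The function names are hypothetical, the messages are constructed, the `pct` and `sp` tags are ignored, and the organizational domain is approximated as the last two labels, whereas real receivers use the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict keyed by lower-cased tag name."""
    parts = (part.partition("=") for part in record.split(";") if part.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: last two labels stand in for the organizational domain.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List for real mail.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).

    Returns 'pass', or the policy the receiver is asked to apply on failure.
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
    strict = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
    # Constructed messages, all with a visible From: address at example.com.
    # SPF passes, but for an unrelated envelope domain, so it is not aligned.
    print(dmarc_disposition(reject, "example.com", ("pass", "bulk.example.net"), []))
    # Forwarded mail: SPF fails at the forwarder, the aligned DKIM signature survives.
    print(dmarc_disposition(reject, "example.com", ("fail", "example.com"),
                            [("pass", "example.com")]))
    # Subdomain signing under strict alignment fails even though both checks pass.
    print(dmarc_disposition(strict, "example.com", ("pass", "bounce.example.com"),
                            [("pass", "mail.example.com")]))
```

The first case is why an SPF pass alone does not stop spoofing: DMARC only counts a pass whose domain matches the From: address the recipient sees.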
DMARC Record Checker Tools
- DMARC Tester (recommended)
- EasyDMARC Record Checker Tool
DMARC Record Generator Tools
- EasyDMARC DMARC Record Generator
  - NOTE: You will first need to have your domain SPF and DKIM records deployed and authenticating messages before setting up DMARC.
Adding a DMARC Record
Assuming that your domain nameservers are hosted by your domain registrar, access your account. Locate the DNS records area and add a new text (TXT) record.
- The Type should be set to TXT
- The Name should be _dmarc
- The Value should be set to the generated DMARC Record.
- The Time to Live (TTL) should be set to 1 hour.
Once created, go ahead and run the free DMARC checker tool listed above. This will ensure that you’ve added the DMARC Record correctly.
For more information on DMARC, I recommend the following article: Demystifying DMARC: A guide to preventing email spoofing.
Conclusion
I hope my article on increasing email deliverability and spoofing protection using SPF, DKIM, and DMARC records has helped you. I welcome your thoughts, questions or suggestions regarding this article.
Let me know if you found any errors within my article or if I may further assist you by answering any additional questions you may have.