
Everything you need to know about SPF, DKIM and DMARC records

HTTPS

HTTPS is a secure, encrypted connection between the browser and the website. It protects logins, forms and payment details and prevents the data from being read or altered in transit.

SPF - Sender Policy Framework

What is SPF?

SPF (Sender Policy Framework) is an email authentication method that allows domain owners to specify which servers are authorized to send emails on behalf of their domain. The SPF record is published in DNS as a TXT record.

How does SPF work?

  1. When an email server receives a message, it looks up the SPF record of the sender domain in DNS
  2. It compares the IP address of the sending server with the list of allowed IP addresses in the SPF record
  3. Based on this comparison, it decides whether to accept, reject or mark the email as suspicious

Example SPF record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.168.1.10 ~all

Explanation:

  • v=spf1 - SPF protocol version
  • include:_spf.google.com - allows Google Workspace servers
  • include:spf.protection.outlook.com - allows Microsoft 365 servers
  • ip4:192.168.1.10 - allows a specific IP address
  • ~all - soft fail for all other servers
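
The evaluation described above, as an added example that is not part of the original page: a small SPF checker that walks the page's example record, resolves include: terms through a constructed DNS table (the example.com record is the page's; the two included records and all IP ranges are assumptions for this example) and returns the SPF result for a sending IP. It also counts the DNS-querying terms, because RFC 7208 allows at most 10 of them per evaluation and an over-long include chain turns the whole record into a permanent error. Note that receivers check SPF against the envelope sender (MAIL FROM) domain, not the visible From: header; DMARC later ties the two together.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (invented data for this example;
# a real checker would query DNS). The example.com record is the one from
# the page; the included records and their IP ranges are assumptions.
FAKE_DNS_TXT = {
    "example.com": (
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
        "ip4:192.168.1.10 ~all"
    ),
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Terms that cost a DNS lookup under RFC 7208 (at most 10 per evaluation)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if there is none."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def _split_term(term):
    """'~ip4:1.2.3.4' -> ('~', 'ip4', '1.2.3.4'); 'redirect=x' -> ('+', 'redirect', 'x')."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    sep = "=" if "=" in term and ":" not in term else ":"
    name, _, value = term.partition(sep)
    return qualifier, name.lower(), value


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4/ip6/include/all are evaluated here; a/mx/ptr/exists/redirect
    are skipped to keep the example short.
    """
    if depth > MAX_LOOKUPS:
        return "permerror"  # include loop or chain too deep
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, name, value = _split_term(term)
        if name in ("ip4", "ip6"):
            # an IPv6 address never matches an ip4 network, and vice versa
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record evaluates to 'pass'
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def count_dns_lookups(domain, depth=0):
    """Count DNS-querying terms reachable from a record (RFC 7208 limit: 10)."""
    record = lookup_spf(domain)
    if record is None or depth > MAX_LOOKUPS:
        return 0
    total = 0
    for term in record.split()[1:]:
        _, name, value = _split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_dns_lookups(value, depth + 1)
    return total


if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.7", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
    print("DNS lookups used:", count_dns_lookups("example.com"), "of", MAX_LOOKUPS)
```

Because `~all` is the last term, an unlisted server ends in `softfail`; once the record is known to be complete, changing it to `-all` turns the same case into `fail`, which is the tightening step in the setup guide further down.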
SPF Benefits:
  • Protects against domain spoofing
  • Improves email deliverability
  • Reduces the likelihood that your emails end up in spam
  • Helps protect your domain reputation

DKIM - DomainKeys Identified Mail

What is DKIM?

DKIM (DomainKeys Identified Mail) is a method of digitally signing emails that allows the recipient to verify that the email actually comes from the domain listed as the sender and that it was not altered during transmission.

How does DKIM work?

  1. The sending server creates a cryptographic hash from the email content
  2. The hash is signed using the domain's private key
  3. The signature is added to the email header as DKIM-Signature
  4. The receiving server gets the public key from DNS and verifies the signature

Example DKIM header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector1;
  h=from:to:subject:date;
  bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
  b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ...
Example DKIM record in DNS:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Explanation:

  • v=DKIM1 - DKIM protocol version
  • k=rsa - key type (RSA)
  • p=... - public key in Base64 encoding
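
The integrity half of the verification described above, as an added example that is not part of the original page: it parses the tag=value lists used by both the DKIM-Signature header and the DNS record, applies the RFC 6376 "relaxed" body canonicalization the page's header announces with c=relaxed/relaxed, recomputes the bh= body hash and compares it with the value the header claims. Checking the b= signature itself needs the public key from DNS and an RSA (or Ed25519) library, so this example stops at the body hash; the header it builds carries a placeholder in b=. The sample message body is constructed for this example.

```python
import base64
import hashlib
import hmac
import re


def parse_tags(text):
    """Parse a DKIM tag=value list, as used by both the header and the DNS record.

    Folding whitespace inside values is removed, so the base64 in bh=, b= and p=
    may be wrapped across lines in the source.
    """
    if text.lower().startswith("dkim-signature:"):
        text = text.split(":", 1)[1]
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization (body given with CRLF line ends)."""
    lines = []
    for line in body.split("\r\n"):
        line = re.sub(r"[ \t]+", " ", line)  # collapse runs of whitespace to one space
        lines.append(line.rstrip(" \t"))      # drop trailing whitespace on each line
    while lines and lines[-1] == "":          # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return ""                             # an empty body stays empty
    return "\r\n".join(lines) + "\r\n"        # a non-empty body always ends with CRLF


def body_hash(body, algorithm="sha256"):
    """Compute the bh= value: base64(hash(canonicalized body))."""
    canonical = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, canonical).digest()).decode("ascii")


def dns_record_name(selector, domain):
    """Name of the TXT record that holds the public key for a selector."""
    return f"{selector}._domainkey.{domain}"


def check_body_hash(dkim_signature_header, body):
    """Recompute bh= from the received body and compare it with the header's claim.

    A mismatch means the body was altered after signing (or the wrong
    canonicalization was used); the b= signature would fail as well.
    """
    tags = parse_tags(dkim_signature_header)
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # 'rsa-sha256' -> 'sha256'
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"  # c=header[/body]; body defaults to simple
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is implemented in this example")
    return hmac.compare_digest(body_hash(body, algorithm), tags.get("bh", ""))


def make_signature_header(domain, selector, body):
    """Build a DKIM-Signature header with a real bh= (b= is a placeholder here)."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
        f"  d={domain}; s={selector};\r\n"
        "  h=from:to:subject:date;\r\n"
        f"  bh={body_hash(body)};\r\n"
        "  b=SIGNATURE-PLACEHOLDER"
    )


if __name__ == "__main__":
    # Constructed sample message body for this example
    body = "Hello,\r\n\r\nThis is a test.\r\n"
    header = make_signature_header("example.com", "selector1", body)
    print(header)
    print("public key lives at:", dns_record_name("selector1", "example.com"))
    print("body hash matches:", check_body_hash(header, body))
    print("after tampering:", check_body_hash(header, body.replace("test", "text")))
```

Relaxed canonicalization is why a message that only gained trailing whitespace or a blank line in transit still verifies, while any change to the visible content does not.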
DKIM Benefits:
  • Ensures email integrity
  • Confirms sender authenticity
  • Improves trustworthiness with email providers
  • Helps fight phishing and spam

DMARC - Domain-based Message Authentication, Reporting, and Conformance

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that combines SPF and DKIM. It allows domain owners to specify a policy for handling emails that do not pass authentication.

How does DMARC work?

  1. The receiving server checks SPF and DKIM
  2. It looks up the DMARC policy of the domain
  3. It applies the specified action (none, quarantine, reject)
  4. Optionally, it sends reports on the results to the specified email address

Example DMARC record:
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com; sp=reject; adkim=r; aspf=r"

Explanation:

  • v=DMARC1 - DMARC protocol version
  • p=quarantine - policy for the domain (messages that fail are quarantined)
  • rua=mailto:dmarc@example.com - address for aggregate reports
  • ruf=mailto:dmarc-failures@example.com - address for detailed failure reports
  • sp=reject - policy for subdomains
  • adkim=r - relaxed DKIM alignment
  • aspf=r - relaxed SPF alignment
DMARC policies:
  • none - monitoring only
  • quarantine - deliver to quarantine (typically the spam folder)
  • reject - reject the email
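
The policy decision described above, as an added example that is not part of the original page. DMARC does more than ask "did SPF or DKIM pass?": the domain that passed must also align with the domain in the visible From: header (SPF authenticates the envelope MAIL FROM domain, DKIM the d= domain), and aspf= / adkim= choose between strict (exact match) and relaxed (same organizational domain) alignment. The code evaluates the page's example record for a few message scenarios and returns the action the policy requests. Assumptions: the record is passed in rather than looked up at _dmarc.<domain>, the pct= tag is ignored, and the organizational domain is approximated by the last two labels (real implementations use the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Organizational domain used for relaxed alignment.

    Assumption for this example: the last two labels. Real implementations use
    the Public Suffix List so that names like 'example.co.uk' are handled.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = authenticated_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    from_domain  - domain in the visible From: header
    spf_domain   - domain SPF was evaluated against (envelope MAIL FROM)
    dkim_domain  - d= of a DKIM signature that verified
    action       - 'none', 'quarantine' or 'reject', as the policy requests
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # no usable policy: behave as if no DMARC record existed
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")  # one aligned pass is enough
    # Subdomains fall under sp= when it is present, otherwise under p=
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


# The page's example record
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
               "ruf=mailto:dmarc-failures@example.com; sp=reject; adkim=r; aspf=r")

if __name__ == "__main__":
    # Constructed scenarios: (From domain, SPF result, SPF domain, DKIM result, DKIM d=)
    scenarios = [
        ("example.com", "pass", "mail.example.com", "fail", ""),        # SPF pass, relaxed-aligned
        ("example.com", "pass", "bulk-sender.example", "none", ""),     # SPF pass but not aligned
        ("example.com", "fail", "example.com", "pass", "example.com"),  # DKIM carries it
        ("news.example.com", "fail", "news.example.com", "fail", ""),   # subdomain: sp= applies
    ]
    for s in scenarios:
        print(s[0], evaluate_dmarc(PAGE_RECORD, *s))
```

The second scenario is the one DMARC exists for: a message whose SPF check passes for some unrelated domain still fails DMARC, because the passing domain does not align with what the recipient sees in From:.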
DMARC Benefits:
  • Provides reports on domain usage
  • Allows gradual policy tightening
  • Protects against phishing and spoofing
  • Improves overall email communication security

How To Set Up Your Domain

Step-by-step implementation guide

1. SPF
  1. Identify all servers that send emails for your domain
  2. Create the SPF record in DNS
  3. Start with a soft policy (~all)
  4. Test and gradually tighten to -all
2. DKIM
  1. Generate a key pair (private/public)
  2. Configure the email server to sign outgoing mail
  3. Publish the public key in DNS
  4. Test email signing
3. DMARC
  1. Start with the p=none policy
  2. Set up the reporting email address
  3. Analyze the received reports
  4. Gradually tighten the policy
Important tips:
  • Gradual approach: Always implement gradually and test
  • Monitoring: Monitor reports before tightening policies
  • Testing: Use testing tools before deployment
  • Backup: Always back up the original DNS records
  • Documentation: Keep records of all changes