Categories
Email

SPF, DKIM and DMARC

Mail delivery tools to help with email delivery and reduce spam flagging.

Overview

Emails make up a large part of running any business. Unfortunately, spam makes up a large part of emails. As spam filtering services become more robust, there is a need for new methods of verifying email that is not spam. This is where SPF, DKIM and DMARC come in.


SPF

An SPF record (sender policy framework) is a DNS TXT record that is use to verify what domains or IP addresses are allowed to send emails for that domain. This is an effective tool to combat email spoofing and other phishing attacks, as well as protect your domain’s reputation.

While SPF has been around for a long time, most mail servers did not actively check for SPF. However, this is changing, and today, most servers will actively check for domain SPF records. Several mail provider will flag mail as spam if the sending server does not have an SPF record, including Gmail.

Most email hosting services (including cPanel) will generate an SPF record by default. This is what an SPF record looks like.

v=spf1 +a +mx +ip4:66.84.45.120 +ip4:66.84.45.169 ~all

This record is formatted in a way that any mail server will be able to interpret. It contains information on what domains and IPs are permitted to send email for that domain. It also tells the receiving server what to do with emails that fail this check.

How does SPF work?

While this may seem complicated, the process is actually quite simple.

When someone sends an email to a mail server that is checking for SPF records (most mail servers at this point), it will check the sending domains DNS records to see if it has an SPF record included.

If the domain does not have an SPF record, it will treat it as a neutral result. It may only flag the mail that it could not find an SPF record for, or it may reject it outright. This is determined by the receiving server.

If it finds an SPF record, it will check to see if the email came from a server that is allowed to send emails for that domain. It also checks for a flag that tells it what to do with emails that fail that check.

The chart showing how SPF record verification works.

Let’s look at the earlier example to see what we can find out more about this SPF record.

v=spf1 +a +mx a:mailfilter.com -all
^      ^                    ^
flag   mechanisms           qualifier

This can be broken into three parts

  • v=spf1
    • flag
    • This flag tells mail servers that this is an SPF record
  • +a +mx a:mailfilter.com
    • mechanisms
    • This part shows what servers are allowed to send mail for this domain
      • +a refers to the IP address of the blank (or @) A record for the domain
      • +mx refers to the IP address of the MX records for the domain
      • a:mailfilter.com refers to the A record of mailfilter.com
  • -all
    • qualifier
    • This is the qualifier that tells the receiving server what to do with emails that fail the check. In this case, it is set to hard fail
      • -all is a hard fail, most servers will reject this email
      • ~all is a soft fail. most servers will flag the email, but still receive it
      • ?all is neutral, most servers will receive the email

Most hosting services will create an SPF record as part of it’s default zone file. If your zone file currently does not have an SPF record, you can add one to start getting the benefits that an SPF record can provide. You can find several SPF record generators on the internet (https://www.spfwizard.net/ is a popular one), or you can submit a ticket and we can add one for you.

Back to Top


DKIM

DKIM or Domain Keys Identified Mail is a method used by mail servers to check for forged email headers. This is also a great way to cut down on spam and phishing emails and protect your domain’s reputation.

How DKIM does this is more complex than how SPF records work, and we can’t get into the details here. Basically, the sending server creates an encrypted hash of the email headers. The headers are a part of the email that is not typically displayed in mail clients, but contain information on the email, such as where the email originated.

Once the email is received, the receiving server will decrypt the hash using the public key found in the DKIM TXT record and use it to check if the headers were altered. If the headers were altered, the email is rejected.

While not all hosting plans will generate a DKIM record automatically, there are tools online that will assist you in generating a DKIM.

If you have a cPanel shared hosting, you can manage your DKIM records from the Email Delivery app in the Emails section of cPanel.

cPanel Email

Back to Top


DMARC

DMARC, or Domain-based Message Authentication, Reporting & Conformance is a system for verifying emails that uses both SPF and DKIM. It also adds reporting capabilities to email verification.

While this can be a great tool for heavy email users, its use is beyond the scope of this guide.

You can find more information on DMARC here.

Back to Top


If you have any further questions, please be sure to reach out to our support staff by using our chat service in your client area or by submitting a ticket.