
SPF and DMARC mail security

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) are security protocols that make email authentication more secure and help fight spam.

If you have a domain name, you are asked to add some fields to your DNS records
that tell which server(s) are allowed to send email from that specific domain,
and how email that is or is not sent from those servers should be treated.

Google, Yahoo and later Microsoft started using it in 2024. So if you don't implement it, mail sent from your domain is more likely to be seen as spam.


The configuration for this is mostly done in the DNS server.
I will use bind/named for this example.

SPF - Sender Policy Framework

This record will list the authorized servers allowed to send emails on behalf of your domain.
Example SPF Record:
yourdomain.com. IN TXT "v=spf1 a mx ~all"

Version Tag:
Start with "v=spf1".
Servers:
a: the A record of the domain name. mx: the MX record(s) noted higher up in the zone file.
example: IN MX 10 mail.yourdomain.com.
In this case the mail server both receives and sends mail.
You can choose to include IP addresses using the "ip4:" or "ip6:" tags.
v=spf1 ip4:192.168.222.1/24 ~all
(allow any server in the range 192.168.222.1 - 192.168.222.254 )

Include Statement:
If you're using a third-party email provider, use the "include" statement to authorize them, for example "include:spf.protection.outlook.com",
or another domain you own: "include:mail.yourotherdomain.com".

All Tag:
End the record with an "all" tag to indicate how to handle unauthorized senders. Use "~all" (soft fail) or "-all" (hard fail).

DMARC - Domain-based Message Authentication, Reporting & Conformance

This record tells receiving servers what to do with emails that fail authentication, and to which email address DMARC reports should be sent.

Simple example:
_dmarc IN TXT "v=DMARC1; p=none;rua=mailto:postmaster@yourdomain.com"

More strict:
_dmarc IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@yourdomain.com; ruf=mailto:ruf@yourdomain.com"

Send to spam (p=quarantine), reject (p=reject) or take no action (p=none).
It is recommended to start with p=none. After enough time monitoring the effects of p=none, you can raise the DMARC policy to p=quarantine for the domain.

You can also use the pct= value to gradually apply the policy to more messages and verify the results.

  • pct=10
  • pct=25
  • pct=50
  • pct=75
  • pct=100

RUF and RUA are where the reports are sent to. At a minimum, RUA is required.
ruf: Reporting URI for forensic reports -> ruf=mailto:authfail@example.com
rua: Reporting URI for aggregate reports -> rua=mailto:authfail@example.com
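As an added example that is not part of this guide, the following Python script parses the two record types described in the SPF and DMARC sections above. It uses constructed sample records (the domain, the include target and the IP range are placeholders, not a real zone), reports which qualifier an SPF record gives a sending IP, and lists the DMARC settings that are still weak. The a, mx and include mechanisms need DNS lookups and are deliberately skipped so the check runs offline.

```python
import ipaddress

# Constructed sample records for demonstration; substitute your own zone data.
SPF_RECORD = "v=spf1 a mx ip4:192.168.222.1/24 include:spf.protection.outlook.com ~all"
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:postmaster@yourdomain.com"

def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # a mechanism without a qualifier means pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qual, mech.lower(), value))
    return parsed

def spf_ip_result(txt, sender_ip):
    """Qualifier the ip4:/ip6: terms and the final 'all' term give sender_ip.
    a, mx and include need DNS lookups and are skipped in this offline check."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, value in parse_spf(txt):
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return qual
        if mech == "all":
            return qual
    return "?"  # nothing matched and no 'all' term: neutral

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=...; pct=...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Settings a reviewer would flag as weak in a DMARC record."""
    tags, findings = parse_dmarc(txt), []
    if tags.get("p", "none") == "none":
        findings.append("p=none: failing mail is still delivered (monitoring only)")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports will be received")
    return findings
```

Run it against the TXT values you actually publish; a "+" or "?" qualifier on "all", or a DMARC record that still reports findings, is what a real receiver will also notice.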


There are several sites that let you test your config:
