Securing Email Communications: SPF, DKIM, and DMARC Setup
Just a quick write-up/reference document today on email security, particularly in light of the increasing threats from spoofing and phishing attempts. With Google and Yahoo's upcoming requirement for DMARC implementation starting February 2024, it's important to ensure our organization's email communications are properly secured so that we can avoid getting flagged and sent straight to spam.
Setting up SPF (Sender Policy Framework)
- Access the DNS records for our domain
- Create a new TXT record
- Input the SPF record details
- Set the TTL to one hour
Important: Include every mail source (every SMTP server or third-party service) that sends legitimate mail for our domain in the SPF record; any sender left out will fail the check.
Basic SPF syntax: v=spf1 <valid mail sources> <enforcement rule>
Example:
v=spf1 ip4:192.168.0.10 ip4:192.168.0.12 include:spf.protection.outlook.com -all
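To see what a receiving mail server does with a record like the one above, here is an added example (not part of the original write-up) of a minimal SPF evaluator. It handles the mechanisms the example uses (ip4, include, all) plus ip6, applies the ten-lookup limit from RFC 7208, and resolves include: against a hand-built lookup table instead of live DNS so it runs offline; the domains and the include target's address ranges in that table are constructed sample values, not Microsoft's real ones.

```python
"""Offline SPF evaluator (added example). The FAKE_DNS table stands in for
real TXT lookups; swap in a resolver such as dnspython for production use."""
import ipaddress

# Constructed sample data: the page's example record plus an include target
# whose ranges are RFC 5737 / RFC 3849 documentation addresses.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.168.0.10 ip4:192.168.0.12 "
                   "include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:10.0.0.0/8 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF TXT record for domain, or None if it has none."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate sender_ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms are tried left to right; the first match decides the result.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            continue  # modifiers such as redirect= / exp= are not modelled here
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # Address-family mismatch (v4 address vs v6 network) is simply no match.
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # unparsable network in the record
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, value, dns, _lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # include of a domain without SPF is an error
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists are not supported in this toy

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no catch-all present


if __name__ == "__main__":
    for ip in ("192.168.0.10", "203.0.113.7", "2001:db8::1", "198.51.100.1"):
        print(f"{ip:>16} -> {check_spf(ip, 'example.com')}")
```

The softfail.example entry shows the difference between `-all` (hard fail, what the write-up uses) and `~all` (softfail): with `~all` a receiver typically accepts the message but marks it, which is why many guides recommend moving to `-all` once every legitimate source is listed.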
Implementing DKIM (DomainKeys Identified Mail)
- Access the DNS records for our domain
- Obtain CNAME record information from our mail provider
- If using Microsoft 365 (Office 365), enable DKIM for the domain to obtain the CNAME record data
Example DKIM CNAME records for Microsoft 365:
- Hostname: selector1._domainkey
  Points to: selector1-<CustomDomain>._domainkey.<InitialDomain>
- Hostname: selector2._domainkey
  Points to: selector2-<CustomDomain>._domainkey.<InitialDomain>
Configuring DMARC (Domain-based Message Authentication, Reporting, and Conformance)
- Access the DNS records for our domain
- Set up DMARC TXT records in DNS
- Use the following basic syntax:
- Hostname: _dmarc
- TXT Value: v=DMARC1; p=reject; pct=100; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com
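The following is an added example (not from the original write-up or from Microsoft's documentation) that parses a DMARC TXT record like the one above, flags the mistakes that most often leave a domain unprotected (an invalid p= value, a pct= out of range, reporting addresses that are not mailto: URIs, or no rua= at all), and shows the disposition a receiver applies once SPF and DKIM alignment results are known. It runs offline on the record string; the only assumption is that alignment results are supplied as booleans, since computing them would require the message headers.

```python
"""DMARC record validation and disposition (added example)."""
import re

# The record from the write-up, used here as the sample input.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; pct=100; "
                  "rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com")

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO_URI = re.compile(r"mailto:[^@\s]+@[^@\s]+")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record looks sound."""
    problems = []
    tags = parse_dmarc(record)

    # v=DMARC1 must be present (and, per RFC 7489, first); we check presence here.
    if tags.get("v") != "DMARC1":
        problems.append("record must contain v=DMARC1")

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        problems.append(f"p= must be one of {sorted(VALID_POLICIES)}, got {policy!r}")

    subdomain_policy = tags.get("sp")  # optional subdomain policy
    if subdomain_policy is not None and subdomain_policy not in VALID_POLICIES:
        problems.append(f"sp= must be one of {sorted(VALID_POLICIES)}, got {subdomain_policy!r}")

    pct = tags.get("pct", "100")  # defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct= must be an integer from 0 to 100, got {pct!r}")

    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_URI.fullmatch(uri):
                problems.append(f"{tag}= entry is not a mailto: URI: {uri!r}")

    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports will never be received")
    return problems


def dmarc_disposition(record, spf_aligned, dkim_aligned):
    """Action a receiver takes for one message under this record.

    DMARC passes when either aligned SPF or aligned DKIM passes; only a
    message failing both is subject to p=. The pct= sampling is not modelled:
    the function returns the policy that applies to a sampled message.
    """
    tags = parse_dmarc(record)
    if spf_aligned or dkim_aligned:
        return "deliver"  # DMARC pass
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    print("problems:", validate_dmarc(EXAMPLE_RECORD) or "none")
    print("SPF fails, DKIM aligned:", dmarc_disposition(EXAMPLE_RECORD, False, True))
    print("both fail:", dmarc_disposition(EXAMPLE_RECORD, False, False))
```

Running `validate_dmarc` over a record before publishing it catches the kind of typo (for example `p=rejct`) that a DNS provider will happily accept but that receivers treat as an unusable record.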
Final Steps
After setting up all records, double-check the configuration and run some tests:
- Use a tool like MxToolbox to verify correct record configuration
- Conduct a real-world test by sending emails to and from an external address
All example values were pulled from various Microsoft Learn documents.