You have a website and a business email address on the same domain name, you have come across the acronyms SPF, DKIM and DMARC in relation to email, and you are wondering what exactly they are and whether you need to do anything about your email settings.
The first question might be: Do they really matter?
And the answer is: Yes.
Why? Because there are malicious systems out there on the interwebs that will, sooner or later, send mail that claims to be from you. This is called email spoofing. The other reason is that the people you send mail to use software that is on the lookout for spoofed mail, and there is a chance that your genuine mail will be wrongly identified as spoof/spam. You want spoofed mail to go straight into people's spam folders (or be rejected outright, if you tell receivers to do that), and your genuine mail not to suffer the same fate. How?
This is where SPF, DKIM and DMARC come in. They are three related records, published in your domain's DNS, that let receiving mail servers tell your genuine mail from spoofed mail.
SPF stands for Sender Policy Framework. In a nutshell, it is a published list of which servers (computers connected to the internet) are authorised to send mail using your domain name. It is the simplest of the three to set up: a single TXT record sitting alongside the other admin records for your domain name, records that are collectively known as DNS settings.
The first thing you might want to do is check to see if you currently have an SPF record for your domain. There are a number of websites that let you run that check. One is this: https://mxtoolbox.com/SuperTool.aspx
On that page, click the arrow next to the main action button to select the SPF Record Lookup.
However, if - like clients of Handcrafted Websites - you have hosting with a CPanel admin area, you don't need to rely on sites like the above to check how well-configured your email system is. The CPanel functionality includes a check of how the email system is configured, so all you need to do is to log into the CPanel admin area at the URL that begins with your domain name and ends with /cpanel, like so:
Once logged in, scroll down to the email section and click the icon marked: Email Deliverability.
You then see your domain name and a button to the right marked: Manage. Click that button.
On the following page are two important checks. One is a check of the SPF record.
If you have no SPF record at the moment, the system will suggest one. It should look like this:
v=spf1 a mx ~all
That states that mail is genuine if it is sent from the server(s) named in your domain's A record (normally your web host) or from the mail servers listed in its MX records. The ~all at the end is a "soft fail": mail from anywhere else should still be accepted, but treated with suspicion (typically marked as spam).
Alternatively, the SPF record can include the IP address of the main server that hosts your domain name, and end in -all (a "hard fail", which tells receivers to reject mail from any server not listed rather than merely flag it, so only use it once you are sure the list is complete), like so:
v=spf1 a mx ip4:18.104.22.168 -all
That should be the same IP address you see in the General Information section on the home page of your CPanel admin area:
The important point to remember is that this record now limits how you send mail: only the servers it lists may send mail for your domain. If you later decide to send your business mail through Gmail, for instance, you must edit the SPF record to include Google's servers. In that case, the SPF record would be:
v=spf1 a mx include:_spf.google.com ~all
There are useful online tools to generate SPF records, including: https://www.spf-record.com/generator
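To make the qualifiers and the include: mechanism concrete, here is a toy SPF evaluator. It is an added example, not code from Handcrafted Websites, cPanel or any SPF library: it resolves names against a small constructed DNS table instead of doing real lookups (so it runs offline), and the domains example.co.uk, shop.example.co.uk, dupe.example.co.uk and the RFC 5737 addresses in it are all made up. The stand-in for _spf.google.com is a one-line record; the real one is much larger.

```python
"""Toy SPF evaluator (added example). Resolves against FAKE_DNS, not real DNS."""
import ipaddress

# Constructed DNS data. example.co.uk mirrors the 'a mx ip4 -all' record above,
# shop.example.co.uk mirrors the Gmail 'include' record, and dupe.example.co.uk
# shows the common mistake of publishing two SPF records.
FAKE_DNS = {
    "example.co.uk": {
        "TXT": ["v=spf1 a mx ip4:203.0.113.10 -all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.example.co.uk"],
    },
    "mail.example.co.uk": {"A": ["203.0.113.11"]},
    "shop.example.co.uk": {
        "TXT": ["v=spf1 a mx include:_spf.google.com ~all"],
        "A": ["203.0.113.20"],
    },
    "dupe.example.co.uk": {
        "TXT": ["v=spf1 a -all", "v=spf1 mx -all"],
    },
    # Stand-in for Google's real include target (assumption: not the real record).
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])


def ip_in_hosts(ip, hostnames):
    """True if ip equals any A record of any of the given hostnames."""
    return any(ip == ipaddress.ip_address(a) for h in hostnames for a in lookup(h, "A"))


def check_spf(domain, sender_ip, depth=0):
    """Return (result, explanation) for mail from sender_ip claiming domain.

    Result names follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        return "permerror", "too many nested include: terms"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none", f"{domain} publishes no SPF record"
    if len(records) > 1:
        # RFC 7208 s4.5: more than one v=spf1 record is a permanent error, so a
        # second record does not 'add' to the first, it breaks SPF entirely.
        return "permerror", f"{domain} publishes {len(records)} SPF records"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"))
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the included record yields 'pass';
            # a softfail inside the include does not propagate outwards.
            sub_result, _ = check_spf(arg, sender_ip, depth + 1)
            matched = sub_result == "pass"
        else:
            return "permerror", f"unsupported term '{term}' (toy evaluator)"
        if matched:
            return QUALIFIERS[qual], f"matched '{qual}{term}' in SPF for {domain}"
    return "neutral", f"no term matched and no 'all' in SPF for {domain}"


if __name__ == "__main__":
    for dom, ip in [("example.co.uk", "203.0.113.10"), ("example.co.uk", "203.0.113.11"),
                    ("example.co.uk", "192.0.2.5"), ("shop.example.co.uk", "198.51.100.7"),
                    ("shop.example.co.uk", "192.0.2.5"), ("dupe.example.co.uk", "203.0.113.10")]:
        print(dom, ip, *check_spf(dom, ip))
```

The dupe.example.co.uk case is worth noting: adding a second "v=spf1" record (for instance when a marketing tool tells you to "add this SPF record") does not extend the first one, it invalidates both. Merge the mechanisms into one record instead.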
DKIM is a second form of email authentication. The acronym stands for DomainKeys Identified Mail. If DKIM is activated for your mail system and set up correctly, your mail server adds a digital signature to the header of each email you send with your business email address (the header contains the metadata for the email that is normally hidden from recipients). The signature is made with a private key that only your server holds; the recipient's email software checks it against the matching public key, which is published as a record in your domain name's DNS records. Only the public half is published, so the record is safe to make public and cannot be used to forge signatures.
The DNS record containing the public key will look like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA[lots-more-encryption]RrqN/t0YvuAQIDAQAB;
Again, CPanel is your godsend here. Back on the Email Deliverability page, where you can manage the settings for your domain name, you will see a section dealing with DKIM.
If there is no DKIM record, you will see a warning. In that case, the system will generate one for you and ask if you want to install it. Then it will display a second warning.
This is because, as with SPF, the key is tied to the server that currently sends your mail: only a server holding the matching private key can produce signatures that verify. If you later move your mail to something like one of the Microsoft Office business accounts, that provider will sign with its own key, and you will need to publish its public key (under its own selector name) in your DNS so that mail sent through it also passes DKIM.
After installing the DKIM record, you might want to check that it passes an independent test. Again, you can do that on the page below by putting your domain name in the white box followed by a colon and the word default (the "selector", i.e. the name under which CPanel publishes the key), like so: mydomainname.co.uk:default, and then selecting the DKIM Lookup test in the dropdown menu for the button: https://mxtoolbox.com/SuperTool.aspx
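The following is an added example (not CPanel's or Handcrafted Websites' code) showing what the lookup tool above does behind the scenes: from a DKIM-Signature header it builds the DNS name a receiver queries (selector._domainkey.domain), and from the TXT record found there it runs the sanity checks a practitioner wants before trusting the key. The signature header, the domain example.co.uk and the "key" are all constructed; the p= value is a dummy blob of the right size and shape, not a real key, and the key-length check is a size heuristic rather than a proper DER parse.

```python
"""DKIM header/record inspection (added example, constructed samples)."""
import base64
import binascii
import re

# Constructed DKIM-Signature header, as CPanel-style signing might emit for
# example.co.uk with selector 'default'. bh= and b= hold placeholder values.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.uk; s=default;\r\n"
    "\th=from:to:subject:date; bh=Zm9vYmFy; b=YmFyYmF6"
)

# Dummy 294-byte blob starting with a DER SEQUENCE tag, the size of a real
# 2048-bit RSA SubjectPublicKeyInfo. It is NOT a usable key.
DUMMY_2048_SPKI = b"\x30\x82\x01\x22" + b"\x00" * 290
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(DUMMY_2048_SPKI).decode()


def parse_tags(text):
    """Parse a 'tag=value; tag=value' list; the header and the DNS record share it.
    Whitespace (including header folding) inside values is dropped, as RFC 6376 allows."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_lookup_name(signature_header):
    """The DNS name a receiver queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def inspect_dkim_record(record):
    """Return a list of problems with a published DKIM TXT record (empty = looks fine)."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p= tag")
    elif pub == "":
        problems.append("empty p= tag: key has been revoked")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (check for stray quotes or spaces)")
        else:
            if tags.get("k", "rsa") == "rsa":
                if der[:1] != b"\x30":
                    problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
                # Heuristic: a 2048-bit RSA SPKI is 294 bytes, a 1024-bit one 162;
                # 1024-bit keys are considered weak today.
                elif len(der) < 290:
                    problems.append("RSA key looks shorter than 2048 bits")
    return problems


if __name__ == "__main__":
    print("query:", dkim_lookup_name(SAMPLE_SIGNATURE))
    print("record problems:", inspect_dkim_record(SAMPLE_RECORD) or "none")
```

The "stray quotes or spaces" check matters in practice: DNS hosting panels that split long TXT values into quoted 255-character chunks sometimes leave a quote or space inside the base64, which makes every signature fail even though the record "looks" installed.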
Finally, DMARC. This stands for Domain-based Message Authentication, Reporting and Conformance. It isn't a third form of email authentication; rather, it is a set of instructions, again published in DNS, telling receivers what to do with an email that fails authentication. An email passes DMARC if either its SPF check or its DKIM check passes and the domain that passed matches the domain in the From: address that recipients see (this matching is called alignment); if neither does, your DMARC policy applies. DMARC also lets you ask receivers to send you reports about the emails that use your domain name (very useful if malicious systems start hijacking your email address).
To create a DMARC record you need to leave the Email Deliverability page of your CPanel admin area, return to the home page that has all the icons on it, go to the Domains section and click the icon marked: Zone Editor.
Then you will see your domain name and a button marked: Manage. Click that to see a list of all the DNS records for your domain name. Scroll down to see if there is a DMARC record. If there is, in the left column (Name), you will see a row that begins with: _dmarc.mydomainname.co.uk
If there is no DMARC record, scroll back to the top of the page and click the Add Record button, and in the dropdown menu showing the list of records, select: Add "DMARC" Record. You then see the following form:
The best configuration to begin with is the default one that you will see on the form. The crucial addition you need to make is the email address to send reports to. The aggregate reports tell you which servers are sending mail as your domain and whether that mail passed; they are how you spot spoofing that could be damaging the reputation of your business, and they are the reports most receivers actually send.
The options on the form are these:
Policy (p) - defines how receivers handle email from your domain that fails DMARC. See below*.
Subdomain Policy (sp) - the same, for mail from your subdomains; if left unset, the main policy applies to them too.
DKIM mode (adkim) - alignment mode for DKIM: Relaxed accepts a signature from any subdomain of your domain (e.g. d=mail.mydomainname.co.uk for mail from mydomainname.co.uk), Strict requires the signing domain to match the From: domain exactly.
SPF mode (aspf) - alignment mode for SPF, in the same sense: Relaxed lets the domain SPF checked (the envelope sender) be a subdomain of the From: domain, Strict requires an exact match.
Percentage (pct) - the percentage of failing emails your policy should be applied to; the rest get the next less severe policy.
Generate Failure Reports When (fo) - receive a failure report only when both SPF and DKIM fail (0), or when either one fails (1).
Report Format (rf) - choose AFRF (the standard format).
Report Interval (ri) - how often you'd like aggregate reports (in seconds - 86400 = 24 hours).
Send Aggregate Mail Reports To (rua) - address for the aggregate reports summarising all mail seen from your domain, both mail that passes and mail that fails the tests.
Send Failure Reports To (ruf) - address for per-message reports on mail that failed DMARC authentication, which may include a copy of the message; note that most large providers (Google and Microsoft among them) do not send these, so the aggregate reports are the ones you will actually receive.
*The all-important setting is the first, the Policy. Set it to "none" initially: mail is then delivered as before, but you receive reports, so you can see whether any genuine mail is failing authentication (typically because a service that sends mail on your behalf has not been added to SPF or DKIM). Once the reports show your genuine mail passing, change the policy to Quarantine with a low Percentage (maybe 20%) of emails, and increase that percentage over time.
Finally, once you see that all genuine emails are being correctly authenticated and only spam/spoof mail is being quarantined, you can switch to a Reject policy.
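To show how the options on the Zone Editor form combine, here is an added example (not CPanel's or the author's code) that models a receiving server's DMARC decision: whether the message passes (an aligned SPF or DKIM pass is enough), and if not, which disposition the policy, subdomain policy and percentage produce. The records and domains are constructed, and the organizational-domain logic is a simplification (real receivers use the Public Suffix List).

```python
"""DMARC evaluation with alignment, sp and pct (added example, constructed data)."""
import random


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational-domain guess: last two labels, or three when the
    second-level label is a shared suffix like 'co' (as in example.co.uk).
    Assumption/simplification: real implementations use the Public Suffix List."""
    labels = domain.lower().split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov", "me") else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, mode):
    """adkim/aspf: 's' (strict) needs an exact match with the From: domain,
    'r' (relaxed) accepts any domain within the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, roll=None):
    """Return (passed, disposition); disposition is none, quarantine or reject.

    spf_domain is the domain SPF was checked against (the envelope sender);
    dkim_domain is the d= of a signature that verified, or None if none did;
    roll is the 0-99 sample drawn for pct (pass it explicitly for repeatability)."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:            # one aligned pass is enough
        return True, "none"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]          # sp overrides p for mail from subdomains
    pct = int(tags.get("pct", "100"))
    if roll is None:
        roll = random.randrange(100)
    if roll >= pct:
        # Outside the sampled share: RFC 7489 s6.6.4 says apply the next less
        # severe policy, so p=quarantine; pct=20 still delivers 80% of failures.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


# Constructed records: a staged rollout, a strict one, and one with a subdomain policy.
RECORD_STAGED = "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.co.uk"
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
RECORD_SUBDOMAIN = "v=DMARC1; p=reject; sp=none"

if __name__ == "__main__":
    # Spoof from an unrelated envelope domain with no DKIM: sampled in (roll 5) vs out (roll 50).
    print(dmarc_disposition(RECORD_STAGED, "example.co.uk", "softfail", "attacker.example", "fail", None, roll=5))
    print(dmarc_disposition(RECORD_STAGED, "example.co.uk", "softfail", "attacker.example", "fail", None, roll=50))
```

The strict record is the one to watch: a perfectly good signature from d=mail.example.co.uk passes under Relaxed alignment but fails under Strict, which is exactly the kind of genuine-mail-flagged-as-spam problem that running p=none with reports first is meant to catch.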
If you are having problems with your genuine mail being wrongly flagged as spam or with malicious systems hijacking your business email address, contact Handcrafted Websites for help configuring your SPF, DKIM and DMARC records to help tackle the problem.