DMARC Records

Domain-based Message Authentication, Reporting, and Conformance (DMARC) records can be used with SPF and/or DKIM records to help protect domains against email spoofing.

A DMARC record is added to DNS as a TXT record. There are 5 key parts to a DMARC record:

  • The Host Name: This is always _dmarc

    The host name is required in a DMARC record
  • The Version Number: This is always v=DMARC1, which means the first version of DMARC.

    The version number is required in a DMARC record
  • The Policy: This tells mail servers what to do if a message fails SPF and/or DKIM checks. The policy can be to reject an email, quarantine an email, or to do nothing. Setting p=reject means messages won’t be delivered if they fail checks. Setting p=none means no action is requested and the receiving mail server can decide what to do. Setting p=quarantine means the mail will get delivered but it will be marked as spam.

    A policy is required in a DMARC record.
  • The Reports Address: This lets you collect statistics on email usage on your domain and how often messages fail SPF and DKIM checks. The general format is rua=mailto:dmarcreport@example.com, where you replace dmarcreport@example.com with an address that should receive the statistics.

    A Reports address is optional in a DMARC record.
  • The Authentication Methods: You can specify if SPF and/or DKIM should be checked, and whether the checks should apply to sub-domains.

    Authentication methods are optional.

A DMARC record if you only want statistics

You can add this record if you want statistics about email usage without doing anything else.

Host Name: _dmarc
Text: v=DMARC1; p=none; rua=mailto:dmarcreport@example.com

Replace dmarcreport@example.com with an address that should receive reports about messages sent from the domain.

A DMARC record if you want to quarantine mail

You can add this record if you want to quarantine mail that fails checks.

Host Name: _dmarc
Text: v=DMARC1; p=quarantine; rua=mailto:dmarcreport@example.com

You can remove ; rua=mailto:dmarcreport@example.com if you do not want to receive statistics.

Additional Information About DMARC Records

Authentication methods can be SPF, DKIM, or both. The methods also include whether you want Strict matching or Relaxed matching.

Strict matching means the domain in the From address must exactly match the domain that passed the SPF or DKIM check. Relaxed matching means the domain in the From address can match either that domain or a subdomain of it. If you send email from name@example.com but the message comes from name@mail.example.com, strict matching will not authenticate the message. Relaxed matching will authenticate the message. If your mail host uses sub-domains, you may want to use relaxed matching.

You can add one type of DKIM matching and/or one type of SPF matching, but you can’t use both relaxed and strict matching for the same type of authentication. Here are some options you can add to your record:

Option      Meaning
adkim=r;    Use DKIM authentication with relaxed matching
adkim=s;    Use DKIM authentication with strict matching
aspf=r;     Use SPF authentication with relaxed matching
aspf=s;     Use SPF authentication with strict matching
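The record parts and the strict/relaxed matching rules described above, worked through in code. This is an added example, not from the original article: it parses a DMARC TXT record, checks the required v= and p= tags and the optional rua=, adkim= and aspf= tags, and then applies strict or relaxed matching between a From domain and the domain that passed DKIM or SPF. No DNS is queried; the record text and domains are passed in directly, and the organizational-domain helper is a deliberate simplification (last two labels) rather than the Public Suffix List that real receivers use.

```python
"""Parse a DMARC TXT record and evaluate strict/relaxed matching.

Added example (not from the original article). Checks the required tags
(v= and p=), validates the optional rua= and adkim=/aspf= tags, and then
decides whether a message is aligned under the record. No DNS lookups.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    tags = parse_dmarc(record)
    # The version tag must come first and must be exactly DMARC1.
    if record.split(";", 1)[0].strip() != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    rua = tags.get("rua")
    if rua is not None:
        for uri in rua.split(","):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in VALID_ALIGNMENT:
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    return problems


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption of this example: real DMARC uses the Public Suffix List,
    so this is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(record: str, from_domain: str, dkim_domain: str = None,
             spf_domain: str = None) -> dict:
    """Decide whether a message passes DMARC under this record.
    DMARC passes if either DKIM or SPF passed with an aligned domain;
    otherwise the record's p= policy is the requested disposition."""
    tags = parse_dmarc(record)
    adkim = tags.get("adkim", "r")  # relaxed is the default when omitted
    aspf = tags.get("aspf", "r")
    dkim_ok = dkim_domain is not None and is_aligned(from_domain, dkim_domain, adkim)
    spf_ok = spf_domain is not None and is_aligned(from_domain, spf_domain, aspf)
    passed = dkim_ok or spf_ok
    return {"pass": passed, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "disposition": "deliver" if passed else tags.get("p")}


if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarcreport@example.com; adkim=s; aspf=r"
    print("problems:", validate_dmarc(rec))
    # From example.com, DKIM and SPF both on mail.example.com: strict DKIM
    # fails to align, relaxed SPF aligns, so the message passes.
    print(evaluate(rec, "example.com", dkim_domain="mail.example.com",
                   spf_domain="mail.example.com"))
```

Running the script with the record above shows the asymmetry the article describes: the same subdomain fails strict matching and passes relaxed matching, and one aligned method is enough for DMARC to pass.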

You can visit the DMARC FAQ for more detailed information.

DKIM Records

DomainKeys Identified Mail (DKIM) records are a way to authenticate email sent from a domain. DKIM requires setup in DNS and on the sending email server(s).

A DKIM record is added to DNS as a TXT record. The record contains a public digital key. The sending email servers are set up with a private digital key. When an email is sent, the sending server uses the email and the private key to generate a digital signature. The signature is added to the email headers. Receiving email servers verify the digital signature using a public key from the TXT record. If an email has fake headers or has been tampered with, the signature won’t be valid. A separate DMARC record can be used to tell mail servers what to do if the signature isn’t valid.

How to Add a DKIM Record

Contact your email provider if you want to use DKIM. Your provider will give you a TXT record to add to your domain. The record will have a selector and the public key text. You can add the record as a TXT record:

Host Name: selector._domainkey
(replace selector with the selector name provided by your email host)
Text: paste the record text (the public key) provided by your email host

The email host will then verify that the record was added. After it is verified, the host can start using the private key to sign outgoing email from your domain.
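The two DKIM pieces described above, the selector._domainkey record and the signature in the headers, worked through in code. This is an added example, not from the original article or from Pair Networks: it parses a DKIM-Signature header, builds the DNS name where the public key record lives from the s= and d= tags, and verifies the body hash (bh=) using DKIM simple body canonicalization. The RSA signature itself (b=) would need the public key from DNS and is not checked here; the body hash alone already shows how tampering with the message body is detected. The sample message and its selector are constructed for this example.

```python
"""Parse a DKIM-Signature header, derive the public-key DNS name, and
verify the body hash (bh=).

Added example (not from the original article). Only the body hash is
verified; the b= signature is a placeholder because no private key is
involved. Body canonicalization is DKIM 'simple'.
"""
import base64
import hashlib


def parse_dkim_signature(header_value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; d=example.com; s=sel; bh=...; b=...' into a
    dict. Folding whitespace inside values (common in bh= and b=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = "".join(value.split())
    return tags


def dkim_dns_name(tags: dict) -> str:
    """The TXT record holding the public key lives at selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: drop trailing empty lines and
    make sure the body ends with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(header_value: str, body: str) -> bool:
    """True when the bh= tag in the header matches the hash of this body."""
    tags = parse_dkim_signature(header_value)
    return tags.get("bh") == body_hash(body)


def build_sample_message():
    """Constructed sample: a body and a DKIM-Signature header whose bh= was
    computed over that body. selector1 and example.com are assumptions of
    the example; b= is a placeholder, not a real signature."""
    body = "Hello,\r\n\r\nYour order has shipped.\r\n\r\n\r\n"
    header = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=selector1;"
              " h=from:to:subject:date;"
              f" bh={body_hash(body)};"
              " b=PLACEHOLDER-SIGNATURE-NOT-A-REAL-VALUE")
    return header, body


if __name__ == "__main__":
    header, body = build_sample_message()
    tags = parse_dkim_signature(header)
    print("public key record:", dkim_dns_name(tags))
    print("body hash ok:", body_hash_matches(header, body))
    tampered = body.replace("shipped", "cancelled")
    print("tampered body hash ok:", body_hash_matches(header, tampered))
```

The DNS name printed is exactly the Host Name the article tells you to create (selector._domainkey under your domain), which is how a receiver finds the public key for a given signature.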

DKIM Records with Pair Networks

If you use Pair Networks for email, you can set up DKIM through the Account Control Center:

  1. Log in to the Account Control Center
  2. In the left sidebar, click Domains
  3. In the drop-down, click Manage Your Domain Names
  4. Click the domain you want to add DKIM to
  5. Scroll down to the DomainKeys Identified Mail (DKIM) section, and click Change DKIM Settings
  6. Click Activate DKIM
    If you use Pair Networks name servers, the records are added automatically and you don’t need to do anything else. You can skip the rest of these steps.
    If you use Pair Domains Custom DNS, you will need to manually add the records.
  7. In a new browser tab, log into the Domain Name Management System
  8. Click the domain to update
  9. Click Domain Address Settings
  10. If Custom DNS is already on for your domain, you can skip this step.
    If you are turning on Custom DNS, read the warning, agree to the Terms of Service, and click Enable
  11. Click Add New Record
  12. Select TXT from the Add New Record menu
  13. Paste the DKIM Hostname from the Account Control Center into the Host Name box
  14. Paste the DKIM TXT Record Value from the Account Control Center into the Text box
  15. Click Add Record

SPF Records

Sender Policy Framework (SPF) records are a way to authenticate emails sent from a domain. Spam and phishing emails often use fake From and Reply-To addresses to hide the actual senders. An SPF record lists the mail servers that are allowed to send email for a domain. If an email is sent from a server that is not listed in the SPF record, the receiving email host knows the message did not come from an authorized server and can treat it as spam.

An SPF record is added to Custom DNS as a TXT record. You want to make sure that every mail server you use is included in the record. A server missing from the record may cause undelivered mail.

How to Add an SPF Record

Contact your email provider(s) to get their recommended records. If you use multiple providers, all of them need to be combined into a single record.

When you have the information, you can add the record to Custom DNS as a TXT record:

  1. Log in to the Domain Name Management System
  2. Click the domain to update
  3. Click Domain Address Settings
  4. If Custom DNS is already on for your domain, you can skip this step.
    If you are turning on Custom DNS, read the warning, agree to the Terms of Service, and click Enable
  5. Click Add New Record
  6. Select TXT from the Add New Record menu
  7. Enter @ as the Host Name, or leave the field blank
  8. Enter the SPF record from your email provider into the Text box
  9. Click Add Record

SPF Records with Pair Networks

If you use Pair Networks for email, you can create a default SPF record that will include any Pair Networks server that might send email for a domain. You can follow these steps to generate the SPF record:

  1. Log into the Account Control Center
  2. Click Domains
  3. Click Manage Your Domain Names
  4. Click the domain to update
  5. Click Change SPF Settings
  6. If you use Pair Networks name servers, you can click Activate SPF to activate the record. Then you can skip the rest of these steps
    If you use Pair Domains name servers, copy the displayed SPF record
  7. In a new browser tab, log in to the Domain Name Management System
  8. Click the domain to update
  9. Click Domain Address Settings
  10. If Custom DNS is already on for your domain, you can skip this step.
    If you are turning on Custom DNS, read the warning, agree to the Terms of Service, and click Enable
  11. Click Add New Record
  12. Select TXT from the Add New Record menu
  13. Enter @ as the Host Name, or leave the field blank
  14. Paste the SPF record from the Account Control Center into the Text box
  15. Click Add Record

Please Note: If you use additional email services like mailing lists, you should contact your service provider to find out what additional information might need to be added to the SPF record.

Additional Information About SPF Records

The host name for SPF records is usually @. That means the record is for the domain itself. It affects email from mailbox@example.com. If you want the record to affect email from mailbox@subdomain.example.com, you can enter subdomain as the host name.

The Text field always starts with v=spf1 which means the record uses the first version of SPF. That is followed by a list of servers authorized to send email. The servers may be listed as IP addresses and/or host names. These are the primary ways you can list the mail servers:

Mechanism            Meaning
a                    the A record for the domain itself
a:host_name          the A record for host_name
include:host_name    include the TXT record for host_name
ip4:ipv4_address     the specified IPv4 address or addresses
ip6:ipv6_address     the specified IPv6 address or addresses
mx                   the MX record for the domain itself
mx:host_name         the MX record for host_name

There are additional mechanisms, but you are unlikely to use them unless your mail host requests them.

The record ends with a qualifier and the word all. This tells mail servers what to do with messages that come from unauthorized servers.

Using ~all is a soft failure. This means messages that fail SPF checks will be flagged as likely spam but the messages are still delivered.

Using -all is a hard failure. This means messages that fail SPF checks will not be delivered.

SPF Lookup Limits

Mail servers are limited to 10 DNS lookups when checking an SPF record. It is unlikely that you will encounter this limit, but it is possible.

When checking the SPF record, the ip4 and ip6 mechanisms do not require lookups because they contain the actual IP addresses. Each a, mx, and include mechanism requires at least one lookup. Each a mechanism requires one lookup to find the IP address of the domain or host name. Each mx mechanism requires at least two. The first finds the mail server(s) listed in the MX record. Then each mail server in the MX record has to be checked to find the corresponding IP address(es). If a domain has multiple MX records, each record needs to be checked and counts as an additional DNS lookup.
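The SPF record syntax, the trailing all qualifier and the lookup limit from the sections above, worked through in code. This is an added example, not from the original article or from Pair Networks: it parses a v=spf1 record from its text alone, reports the qualifier on the all term, and counts the terms that force a DNS lookup. Because it performs no DNS queries it can only count a floor: one lookup per a, mx, include, ptr, exists and redirect term. As the article notes, an mx term costs further lookups once each MX host is resolved, so the real total can be higher. The sample records are constructed for this example.

```python
"""Parse an SPF TXT record, check the all qualifier, and count the terms
that cost a DNS lookup against the limit of 10.

Added example (not from the original article). Works on record text only;
no DNS is queried, so the lookup count is a minimum, not the real total.
"""

LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}
NO_LOOKUP_MECHANISMS = {"ip4", "ip6", "all"}
QUALIFIERS = "+-~?"
LOOKUP_LIMIT = 10


def parse_spf(record: str) -> list:
    """Return (qualifier, name, argument) for each term after v=spf1.
    Mechanisms get their qualifier ('+' when none is written); modifiers
    such as redirect=... are returned with an empty qualifier."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for term in parts[1:]:
        eq, colon = term.find("="), term.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            name, _, arg = term.partition("=")      # modifier: name=value
            terms.append(("", name.lower(), arg))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")          # mechanism[:argument]
        name = name.split("/", 1)[0]                # drop a CIDR suffix like a/24
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(record: str) -> int:
    """Minimum number of DNS lookups the record forces on a receiver."""
    return sum(1 for _, name, _ in parse_spf(record)
               if name in LOOKUP_MECHANISMS or name == "redirect")


def all_qualifier(record: str):
    """Qualifier on the all term: '-' hard fail, '~' soft fail, '?' neutral,
    '+' pass. None if the record has no all term."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return qualifier
    return None


def check_spf(record: str) -> list:
    """Problems a domain owner would want to fix before publishing."""
    problems = []
    terms = parse_spf(record)
    for qualifier, name, _ in terms:
        if qualifier and name not in LOOKUP_MECHANISMS | NO_LOOKUP_MECHANISMS:
            problems.append(f"unknown mechanism: {name}")
    lookups = count_lookups(record)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} lookups exceed the limit of {LOOKUP_LIMIT}")
    q = all_qualifier(record)
    if q is None and not any(name == "redirect" for _, name, _ in terms):
        problems.append("record has neither an all term nor a redirect modifier")
    elif q == "+":
        problems.append("+all authorizes every sender; use ~all or -all")
    return problems


if __name__ == "__main__":
    # Constructed sample records; _spf.example.net and 192.0.2.0/24 are placeholders.
    good = "v=spf1 a mx include:_spf.example.net ip4:192.0.2.0/24 -all"
    heavy = "v=spf1 " + " ".join(f"include:spf{i}.example.com" for i in range(11)) + " ~all"
    for rec in (good, heavy, "v=spf1 a +all"):
        print(rec)
        print("  all qualifier:", all_qualifier(rec), " min lookups:", count_lookups(rec))
        print("  problems:", check_spf(rec))
```

The heavy record in the script shows the failure mode the article warns about: eleven include terms already exceed the limit before any mx hosts are resolved, so a receiver will treat the record as a permanent error rather than evaluating it.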