Email DNS

SPF


Sender Policy Framework - A list of rules for accepting and denying emails from a particular source.

All domains should have this, even if you don't use emails. It prevents your domain being spoofed.

If you don't use email AT ALL on your domain, set this SPF record:

mcraxford.co.uk. in TXT "v=spf1 -all"


List can contain:
• Hostnames
• IP addresses
• Other Lists
• DNS Record Links
• The word ‘all’


The items are qualified with +, -, ~ or ?

+ means accept from the source (this is the default if nothing is specified)
- means specifically deny from the source (usually covered by the '-all')
~ means not authorised, but don't block the mail (softfail)
? means no comment (usually treated as 'accept mail from here')


The best one to use is an IP list; it does not rely on any other DNS record or hostname lookup. It does, however, need to contain every IP your mailserver sends from.

ip4:1.2.3.4 ip4:5.6.7.8
#OR
+ip4:1.2.3.4 +ip4:5.6.7.8


Other lists are referenced as:

include:this.domain.com include:other.domain.org
#OR
+include:this.domain.com +include:other.domain.org


DO NOT INCLUDE YOUR OWN DOMAIN!

DNS record links allow the hosts named in the domain's own DNS records to send mail. In practice only the A and MX records are useful here.

a mx
#OR
+a +mx


The spf record should end with ~all or -all

-all
#NEVER
+all
#This allows ANY server to pass SPF checks on your domain


This softfails or hardfails anything not listed before the word "all".

The rules are processed in order left to right:

mcraxford.co.uk. in TXT "v=spf1 -all +ip4:77.68.4.247/32 +a +mx"


This record denies ALL email, even if it's from 77.68.4.247/32, because rule checking stops after the first match.
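As an added example (not part of the original notes), a small evaluator for the ip4, ip6, include and all mechanisms that walks a record left to right and stops at the first match. It runs over a constructed in-memory zone; the domain names and addresses are placeholders, and a/mx are skipped because they need live DNS:

```python
import ipaddress

# Constructed in-memory zone so the example runs offline; a real resolver
# would fetch these TXT records over DNS (names and IPs are placeholders).
ZONE = {
    "example.com": "v=spf1 ip4:77.68.4.247/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # '-all' placed first: every sender fails, whatever follows it
    "broken.example": "v=spf1 -all +ip4:77.68.4.247/32 a mx",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate domain's SPF record for sender_ip, left to right.
    Returns the qualifier result of the first mechanism that matches."""
    if depth > 10:                      # RFC 7208 caps include nesting
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # '+' is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # version mismatch (v4 address vs v6 network) simply doesn't match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields 'pass'
            if check_spf(arg, sender_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a / mx / exists need DNS lookups; treated as no-match here
    return "neutral"                    # nothing matched and no 'all' term
```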

DMARC


Domain-based Message Authentication, Reporting & Conformance

This is a DNS record that indicates what a receiver should do if an email fails either SPF, DKIM or both

The options are - accept mail, pass to junk/spam, or reject

It also can contain details of where to send reports on failed messages.

The detail levels (the fo tag) are - 0 (send if both DKIM AND SPF fail), 1 (send if either fails), d (send if DKIM fails), s (send if SPF fails)

The reports will tell you how many failed messages, and what failed.

Syntax:

_dmarc.domain.com in TXT "v=DMARC1; p=<choice>; rua=mailto:address@company.com; fo=<detail-level>"

DKIM


Domain Keys Identified Mail

So SPF should cover email spam right?

Unfortunately, hostnames and IPs can be spoofed. Outdated DNS records can permit email from IPs that are no longer owned by the domain owner.

In comes DKIM!

The email is signed by the server that is sending the email using a private key.

The public key is attached to the DNS.

The receiving server can check the signature of the headers or entire email using the public key.

Only an email signed by the correct server will pass the check, no matter where it comes from.

Syntax:

<selector>._domainkey.domain.com. in TXT "v=DKIM1; p=<public key>"


It's a good idea to set an expiry on your DKIM signatures so that spoofers who get access to your mail cannot reuse a signature.

BIMI