Overview
Emails make up a large part of running any business. Unfortunately, spam makes up a large part of emails. As spam filtering services become more robust, new methods are needed to verify that an email is not spam. This is where SPF, DKIM, and DMARC records come in.
SPF Records
What is an SPF record?
An SPF record (Sender Policy Framework) is a DNS TXT record used to verify which domains or IP addresses are authorized to send emails on behalf of a particular domain. SPF is an effective tool for combating email spoofing and other phishing attacks, as well as protecting your domain’s reputation.
While SPF has been around for a long time, most mail servers have only recently begun actively checking for SPF records. Many mail providers, including Gmail, will flag email as spam if the sending domain does not have an SPF record.
How does SPF work?
Most email hosting services (including cPanel) will generate an SPF record by default. An SPF record is formatted in a way that any mail server will be able to interpret. It contains information on what domains and IPs are permitted to send email for that domain. It also instructs the receiving server on how to handle emails that fail this check.
This is what an SPF record looks like.
v=spf1 +a +mx +ip4:66.84.45.120 +ip4:66.84.45.169 ~all
When someone sends an email to a mail server that checks for SPF records (most mail servers do at this point), it will verify the sending domain's DNS records to see if an SPF record is included.
If the domain does not have an SPF record, the receiving server treats the result as neutral. Depending on the receiving server, it may only flag mail for which it could not find an SPF record, or it may reject it outright.
If it finds an SPF record, it will verify whether the email originated from a server authorized to send emails for that domain. It also checks for a flag that indicates how to handle emails that fail this check.
Let’s look at a similar example to see what we can learn from an SPF record.
v=spf1 +a +mx a:mailfilter.com -all
Here v=spf1 is the flag, +a +mx a:mailfilter.com are the mechanisms, and -all is the qualifier.
This can be broken into three parts:
- v=spf1: This flag tells mail servers that this is an SPF record
- +a +mx a:mailfilter.com: These mechanisms list the servers that are allowed to send mail for this domain:
  - +a refers to the IP address of the blank (or @) A record for the domain
  - +mx refers to the IP addresses of the MX records for the domain
  - a:mailfilter.com refers to the A record of mailfilter.com
- -all: This qualifier tells the receiving server what to do with emails that fail the check. In this case, it is set to hard fail
  - -all is a hard fail – most servers will reject the email
  - ~all is a soft fail – most servers will flag the email, but still receive it
  - ?all is neutral – most servers will receive the email
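To show how a receiving server walks through these mechanisms and qualifiers, here is an added example (not from the original article) that parses an SPF record and evaluates a sending IP against it. It handles the a, mx, ip4 and all mechanisms covered above; the DNS answers are a constructed table (example.com, mail.example.com and mailfilter.com are assumptions) so it runs offline.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (assumption, so the
# example runs offline). Keys are (name, record type).
FAKE_DNS = {
    ("example.com", "A"): ["66.84.45.120"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["66.84.45.169"],
    ("mailfilter.com", "A"): ["203.0.113.10"],
}

# Qualifier prefix -> SPF result name
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # an unqualified mechanism such as "a" means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral for sender_ip sending as domain.

    Only a, mx, ip4 and all are implemented; include and ip6 are skipped.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":  # "all" matches everything, so it ends evaluation
            return QUALIFIERS[qual]
        if mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
            continue
        if mech == "a":  # "a" alone means the domain's own A record
            addrs = dns.get((arg or domain, "A"), [])
        elif mech == "mx":  # resolve each MX host, then its A records
            hosts = dns.get((arg or domain, "MX"), [])
            addrs = [a for h in hosts for a in dns.get((h, "A"), [])]
        else:
            continue  # unsupported mechanism in this example
        if str(ip) in addrs:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term
```

Running check_spf with the article's two records shows the difference between -all and ~all: an unlisted sender gets "fail" under the first and "softfail" under the second.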
Most hosting services will create an SPF record as part of their default zone file. If your zone file currently does not have an SPF record, you can add one to start getting the benefits that an SPF record can provide. You can find several SPF record generators on the internet (https://www.spfwizard.net/ is a popular one), or you can contact our support team, and we can add one for you.
DKIM Records
What is a DKIM record?
DKIM, or DomainKeys Identified Mail, is a method used by mail servers to verify the authenticity of email headers. This is also a great way to reduce spam and phishing emails, as well as protect your domain’s reputation.
How does DKIM work?
How DKIM does this is more complex than how SPF records work. To simplify it, the sending server computes a hash of selected email headers (and the message body) and signs it with a private key that only the sending server holds. The headers are a part of the email that is not typically displayed in mail clients, but they contain information about the email, such as where it originated.
Once the email is received, the receiving server looks up the public key published in the domain's DKIM TXT record, uses it to verify the signature, and checks that the headers have not been altered in transit. If the headers were altered, the signature no longer matches and the email is rejected.
While not all hosting plans automatically generate a DKIM record, there are online tools that can assist you in creating one.
If you have a cPanel shared hosting plan, you can manage your DKIM records from the Email Deliverability app in the Email section of cPanel.
DMARC Records
What is a DMARC record?
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is a system for verifying emails that uses both SPF and DKIM. It also adds reporting capabilities to email verification. This is a great tool for heavy email users, and you can find more information on DMARC here.