Configure Email protection
Properly Setup DNS record
Introduction
Sending emails is widely used today, but do you know how to configure your mail system properly to avoid spamming and spoofing ? Protecting your mail is quite easy and will ensure your recipients that your email is legitimate and secure.
The basic setup is built around three methods:
The Sender Policy Framework (SPF) : a technique that help prevent malicious persons to use your domain to send unauthorized emails (aka spoofing). It's a quite standard method, and it is also used in the DMARC specification
The Domain Keys Identified Mail (DKIM) : a digital, encrypted, signature added to the email header that allows the recipient to ensure the email he receives has been sent and authorized by the domain.
The Domain-based Message Authentication, Reporting and Conformance (DMARC) : a technique that combines both SPF and DKIM to further secure the mails sent by the domain by enabling the sender to receive the results of the authentication for any recipient that also enables DMARC
Create an SPF record
An SPF record is a TXT record created at DNS level. Basically, the SPF record lists all IP addresses and/or hostnames that are allowed to send emails on behalf of the domain. The first step is thus to retrieve the list of all servers you use to send emails (a well-known, widely used server is of course the one of Microsoft 365 : spf.protection.outlook.com)
Once done, go to your DNS manager and add a new TXT record for your root domain. It should be structured as follows:
Start by stating the text record is a SPF record by mentionning the SPF version. Luckily there is only one version, so your record should start with v=spf1
Continue by listing all IP's you use, and separate them with a space. You can add IPv4 or IPv6 addresses, like this ip4:37.240.28.10 ip4:152.148.10.37 ip6:2001:0db8:0000:85a3:0000:0000:ac1f:8001
Then include external senders you allow to send emails on your behalf by stating include:otherdomain.tld
Finish your statement by -all (to reject any mail that is not send by an authorized server - this is the most secure config) or by ~all (to mark any mail that is not sent by an authorized server - less secure). If you read over the Internet, you'll note that you can also use +all. We strongly recommend you NOT to do that, as this would allow any server to send emails on behalf of your domain.
In the end, your SPF record should look like this
v=spf1 ip4:37.240.28.10 ip4:152.148.10.37 ip6:2001:0db8:0000:85a3:0000:0000:ac1f:8001 include:spf.protection.outlook.com include:otherdomain.tld -all
Setup DKIM
Digital signing is done by the outgoing mail server. It is based on a public/private key pair. The procedure strongly varies from one provider to another so please refer to the documentation given by your provider. Please note some free offers (like OVH basic plans) do not provide the ability to sign outgoing email.
If you use Office365 you may refer to the following page to setup DKIM signing : Click here. Another common mail sender is Mandrill (the smtp service of MailChimp) and the documentation to setup the mail signing is here.
If you are building your own email server, you'll need to provide a certificate to your system first. You can generate such a certificate on this page. Once generated, upload the Private Key to your signing server. Again, please refer to the documentation of your mail provider to do so.
Once done, you will need to publish a TXT record in your DNS manager that will contain your Public Key.
As an example, for Mandrill the DNS record should be named mandrill._domainkey.yourdomain.tld and the record itself will be
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3
B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;
Setup DMARC
DMARC configuration should be done in your DNS settings. You will need to create a new DNS entry in the form _dmarc.yourdomain.tld and setup your values (tags) according to your intentions. There are only two mandatory tags (v and p), and all tags must be separated by a semicolon.
v indicates the protocol version to use. It must be the first parameter, and it must be DMARC1. In other words, the record must start with v=DMARC1
p is the procedure to follow if the email is not passing the DKIM test. Values can be
none: the mail is always delivered regardless the test result
quarantine: the mail is delivered if DKIM test fails but its spam score is risen or it's flagged as dangerous meaning it will probably be delivered to the SPAM folder of the recipient
reject: the mail is not delivered if the DKIM test fails
Other tags can be used, and most commons are:
pct : the percentage of messages to test. If not specified, default is 100% (all messages)
rua : serves to mention a recipient for aggregated reports containing the results of failed messages.
More tags can be used, and you can refer to the Wikipedia page to get a more complete list. In the end a "classic" DMARC record will look like this
v=DMARC1; p=quarantine; pct=80; rua=admin@yourdomain.tld
Note: it is useless to setup DMARC if DKIM is not properly implemented, as any mail redirection will break SPF compliance.