Abstract


  • Ways to prove that email claiming to come from your domain really was sent by servers you authorised: SPF, DKIM and DMARC, all published as DNS records

DNS Records


SPF

  • Sender Policy Framework
  • A TXT Record that lists the mail servers you authorise to send email for your Domain Name. The receiving mail server looks up the record for the domain in the envelope sender (MAIL FROM / Return-Path), not the visible From: header, and uses it to decide whether to accept, flag or reject the email
  • Only one SPF TXT record may be associated with your domain. If a receiver finds more than one, the check ends in a permanent error, which is no better than having no record at all. Each include: also counts towards the limit of 10 DNS lookups per check, so long include chains break SPF as well

Authorise Google & Cloudflare email servers

TXT DNS Record: v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all

~all means softfail: email from a server not in the list is not rejected outright but is flagged, and most receivers accept it and place it in spam. -all is a hard fail that tells receivers to reject such email; switch to it once you are sure every legitimate sender is listed
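To make the receiver's side of this concrete, here is a small SPF evaluator, added as an example (it is not code from the original notes). DNS is replaced by a constructed in-memory table, so the _spf.google.com and _spf.mx.cloudflare.net entries are stand-ins rather than the real records, and only the ip4, ip6, include and all mechanisms are implemented. It shows how the same sending IP gets pass, softfail or fail depending on the record, and how the two misconfigurations above (a second SPF record, an include chain that exceeds the lookup limit) turn into a permerror:

```python
import ipaddress

# Constructed DNS TXT data. The real _spf.google.com / _spf.mx.cloudflare.net
# records are larger and change over time; these stand-ins only show the shape.
FAKE_DNS_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.mx.cloudflare.net": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "hardfail.example": ["v=spf1 ip4:203.0.113.7 -all"],
    # Misconfiguration: two SPF records -> permerror, i.e. no usable policy
    "broken.example": ["v=spf1 -all", "v=spf1 include:_spf.google.com -all"],
    # Misconfiguration: include chain that never ends -> hits the lookup limit
    "loop.example": ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def get_spf_record(domain, dns=FAKE_DNS_TXT):
    """Return the domain's one SPF record, None if absent, 'permerror' if >1."""
    records = [r for r in dns.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return None
    if len(records) > 1:
        return "permerror"
    return records[0]


def check_host(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for a connection from `ip` whose MAIL FROM is in `domain`.

    Returns pass / fail / softfail / neutral / none / permerror, the result
    names from RFC 7208. `_lookups` is a shared counter so that includes
    reached through other includes all count against the same limit.
    """
    if _lookups is None:
        _lookups = [0]
    addr = ipaddress.ip_address(ip)
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:  # False when address and network versions differ
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"
            # fail / softfail / neutral inside an include is just "no match"
        else:
            # a, mx, ptr, exists and modifiers such as redirect= are not
            # implemented in this example
            return "permerror"
    return "neutral"  # a record without an 'all' term ends as neutral


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "yourdomain.com"), ("192.0.2.1", "yourdomain.com"),
                       ("192.0.2.1", "hardfail.example"), ("203.0.113.5", "broken.example"),
                       ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} {domain:<18} -> {check_host(ip, domain)}")
```

The difference between the last line of yourdomain.com (~all) and hardfail.example (-all) is exactly the softfail/fail distinction described above: the same unlisted IP yields softfail for one and fail for the other, and what a receiver does with softfail is its own choice.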

DKIM

  • DomainKeys Identified Mail
  • DKIM works by attaching a Digital Signature to your outgoing emails in the DKIM-Signature header; the signature covers selected headers plus a hash of the body. The receiving mail server fetches the public key from DNS (a TXT Record, or a CNAME Record that points at your provider's TXT Record) and uses it to verify the signature. If the signature verifies, the recipient can be confident the signed headers and body haven't been altered in transit
  • This shows the email was signed by whoever holds the private key for the signing domain (the d= tag) and that the content hasn't been changed since it was signed. On its own it doesn't prove the From: address belongs to the signing domain; that alignment check is what DMARC adds

The DKIM DNS Record

The general TXT DNS Record format: [selector]._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=[your public key data]". The receiver builds this name from the s= (selector) and d= (domain) tags of the DKIM-Signature header; an empty p= tag means the key has been revoked

We can have multiple DKIM records, one per selector, for subdomains, for different service providers, or to rotate keys without downtime. Unlike SPF, extra records don't conflict because each lives under its own selector name
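The following added example (not code from the original notes) covers the parts of DKIM that need no private key: parsing the DKIM-Signature tag list, deriving the DNS name to query from the s= and d= tags, parsing the TXT record including the revoked-key case, and recomputing the body hash (bh=) with the simple and relaxed canonicalisation from RFC 6376. The RSA verification of the b= tag is left out (the stdlib has no RSA; a DKIM library or the cryptography package does it), so the sample DKIM-Signature header is constructed with a real bh= and a placeholder b=, and the DKIM TXT record below carries a dummy key, not a real one:

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list ('v=1; a=rsa-sha256; ...') into a dict.
    Values may be folded across header lines; DKIM ignores that whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(sig_header):
    """DNS name the receiver queries: <s= selector>._domainkey.<d= domain>."""
    tags = parse_tags(sig_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_dkim_record(txt):
    """Parse the TXT record ('v=DKIM1; k=rsa; p=...'). Returns None when p= is
    empty, which is how a domain announces that the key has been revoked."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if not tags.get("p"):
        return None
    return {"key_type": tags.get("k", "rsa"), "public_key": base64.b64decode(tags["p"])}


def canonicalize_body(body, method="relaxed"):
    """Body canonicalisation from RFC 6376 section 3.4.3 (simple) and 3.4.4
    (relaxed). Both drop empty lines at the end; relaxed also collapses runs
    of spaces/tabs and strips trailing whitespace, so harmless reformatting
    in transit does not invalidate bh=."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, algorithm="rsa-sha256", method="relaxed"):
    """The bh= value: base64 of the hash over the canonicalised body."""
    hasher = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(hasher(canonicalize_body(body, method)).digest()).decode()


def body_hash_matches(sig_header, body):
    """Recompute bh= from the body as received and compare with the header's.
    The c= tag is header-canon/body-canon; a missing body part means simple."""
    tags = parse_tags(sig_header)
    c = tags.get("c", "simple/simple")
    body_method = c.split("/")[1] if "/" in c else "simple"
    return body_hash(body, tags.get("a", "rsa-sha256"), body_method) == tags["bh"]


# Constructed sample message and signature. b= is a placeholder because no
# private key is involved; only the bh= part of the DKIM check is exercised.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\n"
DEMO_DKIM_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed").decode()


def make_demo_signature(body, canon="relaxed/relaxed"):
    bh = body_hash(body, method=canon.split("/")[1])
    return (f"v=1; a=rsa-sha256; c={canon}; d=yourdomain.com; s=mail;"
            f" h=from:to:subject; bh={bh}; b=PLACEHOLDER")


if __name__ == "__main__":
    sig = make_demo_signature(ORIGINAL_BODY)
    print("query", dkim_dns_name(sig), "->", parse_dkim_record(DEMO_DKIM_TXT))
    print("unchanged body:", body_hash_matches(sig, ORIGINAL_BODY))
    print("edited body:   ", body_hash_matches(sig, ORIGINAL_BODY.replace("invoice", "refund")))
```

Changing a single word of the body makes the recomputed bh= differ, so a receiver can reject the message before doing any RSA work; collapsing whitespace survives relaxed canonicalisation but not simple, which is why c=relaxed/relaxed is the usual choice for mail that passes through list servers or gateways.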

DMARC

  • Domain-based Message Authentication, Reporting & Conformance
  • A Policy Framework that builds on top of SPF and DKIM. It lets you publish a policy in a TXT Record at _dmarc.yourdomain.com telling receiving mail servers how to handle emails that fail the checks (p=none to monitor only, p=quarantine, or p=reject) and where to send aggregate reports (rua=). An email passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: header domain; this is what stops an attacker from passing SPF or DKIM for their own domain while spoofing yours
  • For a setup guide, refer to Setting Up DMARC
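As an added example (not code from the original notes), the evaluator below takes the From: header domain, the SPF and DKIM results a receiver has already computed, and a DMARC record, and returns the disposition. DNS is a constructed table, and the organisational-domain logic is simplified to "last two labels" (a real implementation uses the Public Suffix List, so a co.uk-style domain would be wrong here). It shows the alignment rule in action: SPF and DKIM both passing for the attacker's own domain still fails DMARC for a spoofed From:, and the p= / sp= / adkim= / aspf= tags change the outcome:

```python
# Constructed DMARC records; the record for yourdomain.com is the shape you
# would publish at _dmarc.yourdomain.com once SPF and DKIM are in place.
FAKE_DMARC_DNS = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "_dmarc.strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels; a real
    implementation consults the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match, relaxed ('r') only the
    same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_dmarc(from_domain, dns=FAKE_DMARC_DNS):
    """Query _dmarc.<from-domain>, then _dmarc.<org-domain>. Returns the
    parsed record and whether it came from the From: domain itself."""
    for name in (from_domain.lower(), org_domain(from_domain)):
        txt = dns.get("_dmarc." + name)
        if txt:
            return parse_dmarc(txt), name == from_domain.lower()
    return None, False


def evaluate_dmarc(from_domain, spf, dkim_sigs, dns=FAKE_DMARC_DNS):
    """Decide the DMARC outcome for one message.

    from_domain: domain of the visible From: header
    spf:         (spf_result, MAIL FROM domain that SPF was checked against)
    dkim_sigs:   list of (dkim_result, d= domain), one per signature found
    Returns (dmarc_result, disposition); disposition is none/quarantine/reject.
    """
    policy, own_record = lookup_dmarc(from_domain, dns)
    if policy is None:
        return "none", "none"   # nothing published: receiver applies its own rules
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, policy["adkim"])
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= is not applied in this example; with the default pct=100 every
    # failing message gets the policy. sp= applies to subdomains that have
    # no record of their own.
    return "fail", policy["p"] if own_record else policy["sp"]


if __name__ == "__main__":
    cases = [
        ("legitimate", "yourdomain.com", ("pass", "yourdomain.com"), []),
        ("spoofed From:", "yourdomain.com", ("pass", "attacker.example"), [("pass", "attacker.example")]),
        ("subdomain, DKIM aligned", "news.yourdomain.com", ("fail", "bounce.yourdomain.com"), [("pass", "yourdomain.com")]),
        ("strict alignment", "strict.example", ("pass", "mail.strict.example"), [("pass", "mail.strict.example")]),
    ]
    for label, frm, spf, dkim in cases:
        print(f"{label:<24} -> {evaluate_dmarc(frm, spf, dkim)}")
```

The second case is the one DMARC exists for: the attacker controls attacker.example, so SPF and DKIM both pass for that domain, but neither aligns with the spoofed yourdomain.com in From:, and p=reject tells the receiver to drop the message. The same message against monitor.example would still be reported as a failure but delivered, because p=none only asks for reports.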