• Ways to ensure the security of emails

DNS Records


  • Sender Policy Framework
  • A TXT Record that specifies the list of emails server you authorise to send emails with your Domain Name. Receiver can use it to decide if he/she should accept or deny the email
  • Only one SPF TXT record associated with your domain

Authorise Google & Cloudflare email servers

TXT DNS Record: v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all. ~all means soft deny, so unverified emails will still be accepted and placed in spam


  • DomainKeys Identified Mail
  • DKIM works by attaching a Digital Signature to the header of your outgoing emails. The receiving mail server has access to a public key (stored in a CNAME Record or TXT Record) that can be used to decode and verify the signature. If the signature matches, the recipient can be more confident the email hasn’t been altered in transit
  • This ensures the email truly originated from your domain and the content of the email hasn’t been changed since it was sent

The DKIM DNS Record

The general TXT DNS Record format: [selector]._domainkey.yourdomain.com IN TXT v=DKIM1; k=rsa; p=[your public key data]

We can have multiple DKIM records for subdomains or for using different service providers


  • Domain-based Message Authentication, Reporting & Conformance
  • A Policy Framework that builds on top of SPF and DKIM. It allows us to create a specific policy within your TXT Record telling receiving mail servers how to handle emails that fail SPF or DKIM checks
  • For setup guide refer to ‎Setting Up DMARC