Setup Email Authentication (SPF, DKIM, and DMARC)

Email Authentication

To have fully authenticated emails, 3 things are needed: SPF records, DKIM records, and DMARC records.  Once everything is fully set up, you would expect to see something like this (in Gmail, view original):

mceclip0.png

Or if you use our email testing button, it would show as fully authenticated:

mceclip1.png

Setup SPF

Setting the SPF record is fairly straightforward.  You create a TXT record on your domain itself (no subdomain part) and set the value to:

v=spf1 mx a include:_spf.activedemand.com ?all

It would look something like this:

mceclip2.png

 

Testing the Setup

You can test that this is fully set up using mxtoolbox (https://mxtoolbox.com/SuperTool.aspx).  Select “SPF Record Lookup” in the dropdown.  In the input, enter yourdomain.com:

mceclip3.png

DKIM

Why use DKIM

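DKIM is an email security standard that uses a cryptographic key pair to verify you are allowed to send emails through that domain: outgoing mail is signed with a private key, and receiving servers check the signature against the public key published in the domain's DNS.  This helps to protect your domain against spoofing.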

 

Setup DKIM

Your DKIM setup should be taken care of automatically when you set these CNAME records:

mceclip4.png

The records when set should look like this:

mceclip5.png

Testing the setup

You can test that this is fully set up using mxtoolbox (https://mxtoolbox.com/SuperTool.aspx).  Select “DKIM Lookup” in the dropdown.  In the input, enter yourdomain.com:ad:

mceclip6.png

DMARC

Why use DMARC?

DMARC is used with SPF and DKIM records to authenticate mail senders.  The DMARC record shows the receiving mail server what to do with messages from your domain that don’t pass SPF or DKIM.

 

Setup DMARC

The DMARC record will be a TXT record on your domain with a record name of _dmarc.  The value may change slightly, but it will have 3 main semicolon-separated parts.

  • The tag-value pair v=DMARC1.  This is the only valid value for the v tag.
  • A tag-value pair for “p”.  The value can be none, quarantine, or reject.  It's a good idea to set it to none or quarantine until you can confirm it's behaving the way you want.
  • Tag-value pairs for where reports should be sent.  The format is a comma-separated list of email addresses, each prefixed with mailto: (e.g. rua=mailto:engineering@fakeaccount.ca,mailto:security@fakeaccount.ca):
    • rua: Aggregate reports will be sent here
    • ruf: Detailed reports will be sent here

The completed record will look something like this:

Record type: TXT
Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:engineering@fakeaccount.ca

mceclip7.png

Testing the setup

You can test that this is fully set up using mxtoolbox (https://mxtoolbox.com/SuperTool.aspx).  Select “DMARC Lookup” in the dropdown.  In the input, enter yourdomain.com:

mceclip8.png
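
The SPF and DMARC values described above can also be checked offline before they are published. The Python below is an added example, not ActiveDemand's code: it parses the two TXT values, confirms the required include and tags, and reports what the qualifier on "all" means for senders that are not listed (the "?all" in the SPF value above evaluates to neutral, so SPF on its own never fails them). The function names and sample constants are assumptions made for this example.

```python
# Constructed sample values in the record formats shown in this article.
SPF_SAMPLE = "v=spf1 mx a include:_spf.activedemand.com ?all"
DMARC_SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:engineering@fakeaccount.ca"
# Result that each qualifier gives the closing "all" mechanism (RFC 7208).
ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, required_include="_spf.activedemand.com"):
    """Return (all_result, findings) for one SPF TXT value."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None, ["record does not start with v=spf1"]
    findings = []
    if f"include:{required_include}" not in terms:
        findings.append(f"missing include:{required_include}")
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return None, findings + ["no 'all' mechanism, unlisted senders get neutral"]
    # A bare "all" has an implicit "+" qualifier.
    result = ALL_QUALIFIERS.get(all_terms[0][0], "pass")
    if result in ("pass", "neutral"):
        findings.append(f"all={result}: SPF never fails mail from unlisted servers")
    return result, findings


def check_dmarc(record):
    """Return (tags, findings) for one _dmarc TXT value."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        tags[name.strip().lower()] = value.strip()
    findings = []
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        findings.append("first tag must be v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine, or reject")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag} entry {uri.strip()!r} lacks mailto:")
    if "rua" not in tags:
        findings.append("no rua tag, aggregate reports will not be sent")
    return tags, findings


if __name__ == "__main__":
    print(check_spf(SPF_SAMPLE), check_dmarc(DMARC_SAMPLE), sep="\n")
```

To check live records, pass in the TXT values returned by the mxtoolbox lookups described above.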
