    Email Security with SPF, DKIM, and DMARC

    Learn how to protect your domain from email spoofing using SPF, DKIM, and DMARC records. Step-by-step guide for dashboard and API setup on DNScale.

    Email spoofing allows attackers to send messages that appear to come from your domain. Without proper authentication, anyone can send an email claiming to be from ceo@yourdomain.com. SPF, DKIM, and DMARC are DNS-based standards that help receiving mail servers verify legitimate emails.

    What You'll Learn

    • How SPF declares authorized mail servers
    • How DKIM cryptographically signs emails
    • How DMARC defines policies for failed authentication
    • Setting up all three via DNScale dashboard and API
    • Testing and validating your configuration

    SPF (Sender Policy Framework)

    What SPF Does

    SPF lets you specify which IP addresses and mail servers can send email for your domain. Receiving servers check your SPF record to verify the sender is authorized.

    SPF Record Syntax

    An SPF record is a TXT record at your domain apex:

    v=spf1 [mechanisms] [qualifier]all
    Component          Description
    v=spf1             Version identifier (required)
    include:domain     Allow servers authorized by another domain's SPF
    a                  Allow the domain's A record IP
    mx                 Allow the domain's MX servers
    ip4:x.x.x.x        Allow a specific IPv4 address or range
    ip6:x::x           Allow a specific IPv6 address or range
    ~all               Soft fail for unauthorized senders
    -all               Hard fail for unauthorized senders

    Common SPF Examples

    Google Workspace:

    v=spf1 include:_spf.google.com ~all

    Microsoft 365:

    v=spf1 include:spf.protection.outlook.com ~all

    Multiple providers:

    v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

    Custom mail server:

    v=spf1 ip4:203.0.113.5 mx ~all

    SPF Best Practices

    1. Start with ~all (soft fail), move to -all after testing
    2. Keep to at most 10 DNS lookups (the SPF limit; include, a, mx, ptr, exists and redirect each count as one, and exceeding it makes the record fail with a permanent error)
    3. Include all sending sources: transactional email, marketing platforms, etc.
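    To make the lookup limit and the choice of all qualifier concrete, here is an added offline checker for a single SPF record (example code written for this guide, not DNScale code). It uses no network and does not follow include: chains, so lookups nested inside included domains are not counted.

```python
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> dict:
    """Parse one SPF TXT record and report common problems.

    Returns the mechanisms in order, how many lookup-counting terms the
    record itself contains, the qualifier on ``all``, and warnings.
    Included domains' records are not fetched (offline check), so nested
    includes add to the real count on top of what is reported here.
    """
    terms = record.strip().split()
    result = {"mechanisms": [], "lookups": 0, "all": None, "warnings": []}
    if not terms or terms[0].lower() != "v=spf1":
        result["warnings"].append("record must start with v=spf1")
        return result
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            result["all"] = qualifier
            break  # anything after 'all' is never evaluated
        result["mechanisms"].append(raw)
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "ptr":
            result["warnings"].append("ptr is deprecated and slow; avoid it")
    if result["all"] is None:
        result["warnings"].append("no 'all' mechanism; unlisted senders get a neutral result")
    elif result["all"] in ("+", "?"):
        result["warnings"].append(f"'{result['all']}all' does not reject unauthorized senders")
    if result["lookups"] > 10:
        result["warnings"].append(f"{result['lookups']} lookup terms exceed the limit of 10 (permerror)")
    return result
```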

    DKIM (DomainKeys Identified Mail)

    What DKIM Does

    DKIM adds a digital signature to outgoing emails. Your mail server signs each email with a private key, and you publish the corresponding public key in DNS. Receiving servers use this public key to verify the signature, proving the email wasn't tampered with and came from an authorized sender.

    How DKIM Works

    1. Your mail server generates a cryptographic signature using a private key
    2. The signature is added to the email's headers
    3. Receiving servers look up your DKIM public key in DNS
    4. They verify the signature matches the email content
    5. If valid, the email passes DKIM authentication

    DKIM Record Syntax

    A DKIM record is a TXT record at selector._domainkey.yourdomain.com:

    selector._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
    Tag       Description
    v=DKIM1   Version identifier
    k=rsa     Key type (usually RSA)
    p=...     Public key (base64 encoded)
    t=s       (Optional) Strict mode - exact domain match required
    t=y       (Optional) Testing mode

    DKIM Selectors

    The selector is a name that identifies which key to use. This allows:

    • Key rotation without downtime
    • Different keys for different mail services
    • Multiple keys active simultaneously

    Common selector patterns:

    • google for Google Workspace
    • selector1, selector2 for Microsoft 365
    • k1, k2, k3 for custom setups
    • mailjet, sendgrid for third-party services

    Getting Your DKIM Keys

    DKIM keys are generated by your email provider. Here's where to find them:

    Google Workspace:

    1. Admin Console → Apps → Google Workspace → Gmail
    2. Authenticate email → Generate new record
    3. Copy the TXT record value

    Microsoft 365:

    1. Microsoft 365 Defender → Email & collaboration → Policies
    2. DKIM → Select domain → Create DKIM keys
    3. Copy both selector1 and selector2 records

    Third-party services (SendGrid, Mailjet, etc.):

    • Check your provider's dashboard for DNS settings
    • They'll provide the selector name and public key

    DKIM Record Examples

    Google Workspace:

    google._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

    Microsoft 365:

    selector1._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA..."
    selector2._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA..."

    Custom/Third-party:

    mail._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."

    DKIM Best Practices

    1. Use 2048-bit keys - 1024-bit keys are increasingly vulnerable
    2. Rotate keys periodically - At least annually for security
    3. Keep private keys secure - Never expose them in DNS or logs
    4. Use unique selectors - Different selectors for each service
    5. Test before enforcing DMARC - Ensure DKIM passes before p=reject

    DMARC (Domain-based Message Authentication)

    What DMARC Does

    DMARC builds on SPF and DKIM to provide:

    • A policy telling receivers what to do with failed emails
    • Reporting so you can monitor authentication results

    DMARC Record Syntax

    A DMARC record is a TXT record at _dmarc.yourdomain.com:

    v=DMARC1; p=policy; [optional tags]

    Required Tags:

    Tag                        Description
    v=DMARC1                   Version identifier
    p=none|quarantine|reject   Policy for failed emails

    Optional Tags:

    Tag                  Description
    rua=mailto:address   Aggregate report destination
    ruf=mailto:address   Forensic report destination
    pct=100              Percentage to apply policy (default 100)
    sp=policy            Subdomain policy

    DMARC Policy Options

    Policy         Action           When to Use
    p=none         Monitor only     Initial setup
    p=quarantine   Send to spam     Intermediate
    p=reject       Block entirely   Full protection

    DMARC Examples

    Monitor mode:

    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

    Quarantine mode:

    v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

    Reject mode:

    v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

    Recommended rollout schedule:

    1. Week 1-2: p=none to monitor
    2. Week 3-4: Review reports, fix issues
    3. Week 5-6: p=quarantine with pct=25
    4. Week 7-8: Increase to pct=100
    5. Week 9+: Move to p=reject
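    The following added example (written for this guide, not DNScale code) parses a DMARC record offline and reports what a receiver will actually do with it, including how pct= sampling during the rollout above downgrades the unsampled share of failing mail to the next weaker policy (RFC 7489 section 6.6.4):

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 section 6.4)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Validate a DMARC record and describe what receivers will actually do.

    Reports the policy for the domain and its subdomains, the sampling
    percentage, the disposition applied to the unsampled remainder, and
    warnings for mistakes that commonly show up during a rollout.
    """
    tags = parse_dmarc(record)
    warnings = []
    if tags.get("v") != "DMARC1":
        warnings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        warnings.append(f"p={policy!r} is not one of none/quarantine/reject")
        policy = None
    # sp= falls back to p=, so p=reject without sp= also covers subdomains.
    sub_policy = tags.get("sp", policy)
    if "sp" in tags and sub_policy not in VALID_POLICIES:
        warnings.append(f"sp={sub_policy!r} is not one of none/quarantine/reject")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else None
    if pct is None:
        warnings.append(f"pct={pct_raw!r} must be an integer from 0 to 100")
    # RFC 7489 section 6.6.4: the unsampled share gets the next weaker policy.
    remainder = None
    if pct is not None and pct < 100 and policy in ("reject", "quarantine"):
        remainder = "quarantine" if policy == "reject" else "none"
    rua = tags.get("rua")
    if rua is None:
        warnings.append("no rua= address: you will receive no aggregate reports")
    elif not all(uri.strip().startswith("mailto:") for uri in rua.split(",")):
        warnings.append("every rua= entry must be a mailto: URI")
    return {"tags": tags, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "remainder_policy": remainder, "warnings": warnings}
```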

    Setup via DNScale Dashboard

    Create SPF Record

    1. Log in at dnscale.eu
    2. Select your domain
    3. Click Add Record
    4. Configure:
      • Name: Leave empty (apex)
      • Type: TXT
      • Content: v=spf1 include:_spf.google.com ~all
      • TTL: 3600
    5. Click Create Record

    Create DKIM Record

    1. Get your DKIM public key from your email provider (see "Getting Your DKIM Keys" above)
    2. Click Add Record
    3. Configure:
      • Name: google._domainkey (or your provider's selector)
      • Type: TXT
      • Content: v=DKIM1; k=rsa; p=MIIBIjANBgkq... (your public key)
      • TTL: 3600
    4. Click Create Record

    Note: For Microsoft 365, you'll need to create two records (selector1 and selector2).

    Create DMARC Record

    1. Click Add Record
    2. Configure:
      • Name: _dmarc
      • Type: TXT
      • Content: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
      • TTL: 3600
    3. Click Create Record

    Setup via DNScale API

    Authentication

    export DNSCALE_API_KEY="your-api-key"

    Get Zone ID

    curl -s "https://api.dnscale.eu/v1/zones" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" | jq '.data.zones[] | {id, name}'

    Create SPF Record

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "@",
        "type": "TXT",
        "content": "v=spf1 include:_spf.google.com ~all",
        "ttl": 3600
      }'

    Create DKIM Record

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "google._domainkey",
        "type": "TXT",
        "content": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...",
        "ttl": 3600
      }'

    Replace google._domainkey with your selector and the public key with your actual DKIM key.

    Create DMARC Record

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "_dmarc",
        "type": "TXT",
        "content": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
        "ttl": 3600
      }'

    Verify Records

    curl -s "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" | jq '.data.records[] | select(.type == "TXT")'

    Testing and Validation

    Command Line

    # Check SPF
    dig TXT yourdomain.com +short

    # Check DKIM (replace 'google' with your selector)
    dig TXT google._domainkey.yourdomain.com +short

    # Check DMARC
    dig TXT _dmarc.yourdomain.com +short

    Send a Test Email

    The best way to verify everything works is to send a test email and check the headers:

    1. Send an email to a Gmail account
    2. Open the email → Click the three dots → "Show original"
    3. Look for:
      • spf=pass
      • dkim=pass
      • dmarc=pass
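    As an added example (not part of the original guide), this script pulls those three verdicts out of the raw message text that "Show original" displays, so the check can be scripted across several test messages. SAMPLE_MESSAGE is a constructed message with assumed addresses, not a real capture.

```python
import re
from email import message_from_string

# Constructed sample of the headers Gmail's "Show original" view displays
# for a message that passed all three checks (not a real message).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=google header.b=AbCd1234;
       spf=pass (google.com: domain of alice@yourdomain.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=alice@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: Alice <alice@yourdomain.com>
To: bob@gmail.com
Subject: SPF/DKIM/DMARC test

Test body.
"""


def auth_results(raw_message: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers.

    Each header is split on ';' into the authserv-id and one clause per
    method (RFC 8601); parenthesised comments are removed first. Only the
    topmost header, added by the final receiving server, is trusted for a
    given method; a method that never appears is reported as None.
    """
    msg = message_from_string(raw_message)
    verdicts = {"spf": None, "dkim": None, "dmarc": None}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())
        text = re.sub(r"\([^)]*\)", "", unfolded)
        for clause in text.split(";")[1:]:  # [0] is the authserv-id
            m = re.match(r"(spf|dkim|dmarc)=([a-z]+)", clause.strip(), re.I)
            if m and verdicts[m.group(1).lower()] is None:
                verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def fully_authenticated(raw_message: str) -> bool:
    """True only when spf, dkim and dmarc all report pass."""
    return all(v == "pass" for v in auth_results(raw_message).values())
```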

    Summary

    Record   Name                  Type   Example
    SPF      @                     TXT    v=spf1 include:_spf.google.com ~all
    DKIM     selector._domainkey   TXT    v=DKIM1; k=rsa; p=MIIBIjAN...
    DMARC    _dmarc                TXT    v=DMARC1; p=none; rua=mailto:dmarc@example.com

    How They Work Together:

    • SPF verifies the sending server is authorized
    • DKIM verifies the email content wasn't modified
    • DMARC tells receivers what to do when neither SPF nor DKIM passes for the domain in the From: header

    Recommended Implementation Order:

    1. Set up SPF first (easiest)
    2. Configure DKIM with your email provider
    3. Add DMARC in monitor mode (p=none)
    4. Review reports, fix issues
    5. Gradually enforce DMARC (p=quarantine → p=reject)