How to set up SPF, DKIM, and DMARC for your business?

Setting up SPF, DKIM, and DMARC is important for a number of reasons, but particularly to avoid your business’ reputation being tarnished by successful phishing attacks attempted in your name. A recent survey found that 91% of phishing and spam emails are sent via Gmail accounts. If your domain is properly set up with SPF, DKIM, and DMARC, recipients’ mail providers will filter fraudulent emails sent in your name and won’t let them land in the inbox. In this blog, we dig into more detail about the process.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are email authentication protocols that require sending and receiving servers to cooperate and coordinate. They verify that the sender is actually who they claim to be, which prevents impersonation attacks. Cybercriminals impersonate bosses, employees, third-party vendors, etc. and request that the recipient share sensitive information such as financial details, contact details, social security numbers, medical reports, etc. This information is then exploited to make purchases, transfer money, steal or intercept business strategies, gain an edge over professional rivals – the list goes on.

What is SPF in Email?

SPF stands for Sender Policy Framework, and is a way for a domain to list all the IP addresses allowed to send emails on its behalf.

Sender Policy Framework is also referred to by mail clients to determine whether or not to show messages from unknown senders. To prevent phishing attacks, an SPF record is required which defines the mail servers permitted to send emails on behalf of your domain.

An SPF lookup tool diagnoses your record to highlight errors that might be hindering your email’s performance. 

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is based on cryptography. DKIM-signed emails carry a digital signature, which receiving systems use to verify the authenticity and integrity of the email.

DKIM consists of a public and a private key pair. The private key is used by a given email service – for example Salesforce – to DKIM-sign your emails, and the public key is published in the DNS, in the form of a TXT or CNAME record. The public key is used by recipients to validate the email. If you’re wondering where you would find the required DKIM records to publish in the DNS, it would be on the actual system that will send emails on your behalf, in this case Salesforce. 

You can use an online DKIM tool to perform a lookup against your domain name and DKIM selector for an error-free and properly published DKIM record.

What is a DKIM Selector?

A DKIM selector is the part of a DKIM record that lets you publish more than one DKIM key for your domain. The selector is what distinguishes the different email sending services that send emails from your domain from one another. It is also used when doing a DKIM record lookup.

No two DKIM records can use the same selector. For example, if you use Office 365 to send emails, your DKIM selectors will be ‘selector1’ and ‘selector2’, and if you introduce another system to send emails on your behalf, you will need to give it different selector names. 

How to Check SPF, DKIM, and DMARC?

It’s important to have visibility of what your SPF, DKIM, and DMARC setup looks like and how it can be improved. To do this, use our free investigate tool below. 

Does DMARC Require Both SPF and DKIM?

DMARC doesn’t require both SPF and DKIM; it can be configured with just one of the two protocols. However, implementation of all three protocols, i.e., SPF, DKIM, and DMARC, is encouraged because a multilayered security approach strongly combats phishing and spamming.

If you deploy DMARC with only SPF in place and no DKIM, DKIM checks will always fail and the DMARC result depends entirely on the SPF check and SPF identifier alignment. In that setup, genuine emails sent from your domain will fail DMARC when they are forwarded: the intermediate server’s address isn’t listed in your SPF record, so SPF fails and DMARC fails with it.

On the other hand, when you implement only DKIM, the Sender Policy Framework checks will always fail and the DMARC result depends on the DKIM check and DKIM identifier alignment.
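The decision described above, as an added Python example that is not part of the original article: DMARC passes when either SPF or DKIM passes and its domain aligns with the From: domain. The `Message` fields, the sample messages and the two-label `org_domain` shortcut are assumptions made for illustration; real receivers use the Public Suffix List for relaxed alignment.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Assumed simplification: last two labels. Receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str               # domain in the visible From: header
    spf_result: str                # "pass", "fail", "none", ...
    mail_from_domain: str          # envelope sender domain that SPF checked
    dkim_result: str = "none"      # "pass", "fail" or "none"
    dkim_d: Optional[str] = None   # d= domain of the DKIM signature, if any


def dmarc_result(m: Message) -> str:
    """DMARC passes if SPF or DKIM passes AND that identifier is aligned."""
    spf_ok = m.spf_result == "pass" and aligned(m.mail_from_domain, m.from_domain)
    dkim_ok = (m.dkim_result == "pass" and m.dkim_d is not None
               and aligned(m.dkim_d, m.from_domain))
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed sample messages for example.com (not real traffic).
direct_spf_only = Message("example.com", "pass", "bounce.example.com")
# Forwarded: the forwarder's IP is not in the SPF record, so SPF fails.
forwarded_spf_only = Message("example.com", "fail", "bounce.example.com")
# Forwarded, but the DKIM signature survives and is aligned.
forwarded_with_dkim = Message("example.com", "fail", "bounce.example.com",
                              "pass", "example.com")
# SPF passes for an unrelated envelope domain: no alignment, DMARC fails.
unaligned_spf = Message("example.com", "pass", "mailer.other.test")
```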

How to Set Up SPF, DKIM, and DMARC?

Now that you know what SPF, DKIM, and DMARC are, let’s focus on understanding how to set them up.

General SPF Setup

  1. Create your SPF record.
  2. Log in to your DNS and go to the management console for your domain host.
  3. Find the option to update the DNS TXT record for your domain. Enter Type, Host, Value, and TTL values.

You’re done. The settings will be updated in 72 hours.

General DKIM Setup

Start by logging into the email sending service that you would like to use. There should typically be an Authentication section where you can go and generate the required DKIM records to publish in your DNS. 

General DMARC Setup

Create a DMARC record by choosing the appropriate policy, typically a policy of p=none to begin with. Copy the TXT record to the clipboard and publish it in your DNS.
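Before publishing the records from the three setup sections, it helps to lint them. The following Python sketch is an added example, not code from the article or from OnDMARC; the function names and the example.com records are constructed for illustration. It checks only the terms written in the record itself, so lookups hidden inside nested includes are not counted.

```python
import re

# Terms that trigger a DNS lookup; SPF allows at most 10 per evaluation (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(txt_records):
    """Return problems found in the TXT records published at the domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    problems = []
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' mechanism or redirect: unlisted senders evaluate to neutral")
    if any(t.lower() in ("all", "+all") for t in terms):
        problems.append("'+all' authorizes every server on the internet")
    return problems


def parse_dmarc(txt):
    """Parse a DMARC TXT value into (tags, problems)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts)}
    problems = []
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    return tags, problems


def record_names(domain, selector):
    """DNS names where the DMARC policy and a DKIM public key are published."""
    return {"dmarc": f"_dmarc.{domain}", "dkim": f"{selector}._domainkey.{domain}"}


# Constructed sample records for example.com.
GOOD_SPF = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
DUPLICATE_SPF = GOOD_SPF + ["v=spf1 mx ~all"]
START_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```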

All this becomes even easier by using OnDMARC, our award-winning cloud-based application. It lets you automate business email protection by configuring SPF, DKIM, DMARC in just a few weeks.

Configure SPF, DKIM, and DMARC with OnDMARC 

SPF, DKIM, and DMARC are essential email security protocols which protect your domain from exact domain impersonation. It’s vital to ensure these records are error-free; otherwise, the protocols won’t function properly. Our investigate tool helps you with this. All you need to do is send an email and we’ll reveal complete insights into your email security.

But if you want to go a step further and ensure full protection against domain spoofing, you can also easily configure your SPF, DKIM, and DMARC records with Red Sift’s OnDMARC.

PUBLISHED BY

Faisal Misle

26 Apr. 2023
