DMARC email security guide

The aim of this guide is to explain how to set up DMARC for email security, which is now required in order to comply with the new policies being enforced by Google and Yahoo.

It should be noted that this guide aims to be as simple as possible; as such, certain elements that could be done in “better” ways are shown in a more consistent, simpler form.

This only applies when you use a custom domain for your emails, for example fred@ecomcommunity.online. If you use a generic domain such as fred@outlook.com, then you have no control over the domain’s security settings and this guide does not apply to you.

This guide assumes that you do not have any complex DNS settings already in place; if you do, then you will likely need to contact whoever set that up in order to update them.

You will need 3 things:

  • The login details for your domain host (DNS host if you host that elsewhere)
  • A list of domains/IPs that send emails on your behalf; if you do not have the full list, you can always add to this later.
More info

This is any website or service that sends emails from your domain name; examples include Outlook, Gmail, Shopify, Mailchimp, Klaviyo, Zendesk, Xsellco, etc.
If you host your own emails or send emails from your personal server, then you will need to include the IP address it sends mail from. This also applies to other services such as warehouse management systems, eCommerce websites that send automated order confirmations, and many others.
It should be noted that some websites/services will send email via your own email provider (e.g. Outlook) before it goes out to the wider internet; these do not need to be included, as the actual outgoing email is sent from your provider. You may need to do some research into each service to figure out how it sends mail.

  • (Optional) An email address to receive failure reports (these indicate that someone was successfully blocked from sending email as though it was from you).
  • An email address to receive aggregate reports; these are mainly used for testing and mostly indicate when emails were allowed through as a result of your settings.

Note that these email addresses will be publicly visible and are likely to receive a lot of email from many different sources, so it’s advisable to set up a new inbox or folder dedicated to them.

Once you have all of the above:

  1. Create the SPF record
    Note: The “Advanced” tab is designed for users that fully understand how DNS works, if you do not fully understand it, just read the content of the “Details” tab.
Details

You should build this text string in notepad or a similar text editor before copying it over to your DNS provider.

The SPF record consists of 3 parts and is easy to build if you have the list of services that send emails on your behalf.
The SPF record always starts with the SPF version number. This is so that, if there are any major changes to the SPF system in future, anything reading your SPF record will know whether your version includes or excludes the newer sections.
At the time of writing the SPF version number is 1, so the SPF starts with:
v=spf1
followed by a single space.
Next you add the IP addresses of any servers that send emails using your domain name. You can use both IPv4 and IPv6 addresses here, and the order they’re listed in is not important. For an IPv4 address add the following immediately after the space:
ip4:x.x.x.x
where x.x.x.x is the IP to allow; again, add a single space after this. (Keywords such as ip4 are not case-sensitive, so IP4: works too, but lowercase is the usual form.)
For IPv6 it’s:
ip6:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Again, the x’s denote the actual IP address you want to allow for sending mail. As before, add a single space after this.
If you want to add multiple IP addresses you can simply add another after the space.
For example:
v=spf1 ip4:xx.xx.xx.xx ip4:yy.yy.yy.yy ip6:xxxx:xxxx:xxxx:xxxx:xxxx::xxxx
(that is all on a single line with each section separated by a single space, but screen width might force it to display over multiple lines; note that there is no space between the colon and the address, as a space there splits the entry in two and the record will not work)

Following the IP addresses you add any domains that have permission to send emails for you. This is what most services will use, as they actually have very long lists of IP addresses that change frequently, so they instead manage this list dynamically and your SPF just references their list.
You can technically mix these in with the IP addresses, but for consistency and readability I recommend adding them after the last IP.
To add a domain’s SPF record, add the following:
include:abc.defgh.com
Where abc.defgh.com is the actual domain name provided by your service provider.
As usual, add a single space after this.
The domain for Outlook, as an example, is usually: spf.protection.outlook.com
You should always check and only use the details provided directly by your service provider, as these can be different for each user/account; sometimes they will have different ones based on location/type/security/etc.
You will find some service providers will provide SPF records which use other keywords besides “include:”, usually “a:”, “mx:” or “ptr:”. It’s perfectly fine to use these instead of include; they’re actually faster and more secure in many situations but require additional configuration (and upkeep) for the provider, so they’re not often used. (Note that the current SPF standard, RFC 7208, says “ptr” should not be used, so prefer one of the others where a provider offers a choice.)

As with the IP addresses you can add multiple different include statements if needed; just separate each one with a space.
Up to this point the SPF record might look something like:
v=spf1 ip4:198.176.154.132 ip4:123.145.167.189 ip6:1234:2345:3456:4567:5678::6789 include:spf.domain12345.random.com include:secure.mycsemails.csprovider.net

Or it might be much shorter, like:
v=spf1 include:spf.protection.outlook.com

The final part to add is the bit that determines what happens with emails where the sender isn’t on the list. There are 4 options:

The final spf record will look something like:
v=spf1 ip4:159.223.244.219 include:spf.protection.outlook.com -all
(that is the actual spf record for this forum’s email)
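To make the assembly rules above concrete, here is an added example (not part of this guide, and not any provider's tool) that builds a record in the order described and then checks a record string for the mistakes this guide warns about: a space before v=spf1, a space after the colon that splits an entry in two, a malformed IP, and terms placed after the final all term. The IP and the Outlook include are the ones shown in the guide; the four all qualifiers it accepts are the standard ones (-all fail, ~all softfail, ?all neutral, +all pass). The 255-character check matches the limit this guide quotes.

```python
import ipaddress
import re

# Qualifiers the final "all" term may carry: fail, softfail, neutral, pass.
ALL_POLICIES = ("-all", "~all", "?all", "+all")
MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "include", "exists"}
NEEDS_VALUE = {"ip4", "ip6", "include", "exists"}
# qualifier, keyword, separator (":" value, "/" CIDR length, "=" modifier), value
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:/=])(.*))?$")


def build_spf(ips, includes, policy="-all"):
    """Assemble a record in the guide's order: version, ip4/ip6 terms, include terms, all term."""
    if policy not in ALL_POLICIES:
        raise ValueError(f"policy must be one of {ALL_POLICIES}")
    terms = ["v=spf1"]
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        terms.append(f"ip{addr.version}:{addr}")
    for domain in includes:
        terms.append(f"include:{domain}")
    terms.append(policy)
    return " ".join(terms)


def check_spf(record):
    """Return a list of problems with a record string; an empty list means it is well formed."""
    problems = []
    if record != record.strip():
        problems.append("leading or trailing whitespace (no space may precede v=spf1)")
    terms = record.strip().split(" ")
    if terms[0] != "v=spf1":
        problems.append("record must start with exactly 'v=spf1'")
    if "" in terms:
        problems.append("two consecutive spaces")
    for term in terms[1:]:
        if term == "":
            continue
        match = TERM_RE.match(term.lower())
        if not match:
            problems.append(f"unrecognised term {term!r} (a value separated from its keyword by a space?)")
            continue
        _qualifier, name, sep, value = match.groups()
        if sep == "=":
            if name not in ("redirect", "exp") or not value:
                problems.append(f"unrecognised modifier {term!r}")
            continue
        if name not in MECHANISMS:
            problems.append(f"unrecognised term {term!r}")
            continue
        if name in NEEDS_VALUE and not value:
            problems.append(f"{term!r} has no value: a space after the colon splits the term in two")
        elif name in ("ip4", "ip6") and value:
            try:
                network = ipaddress.ip_network(value, strict=False)
                if str(network.version) != name[-1]:
                    problems.append(f"{term!r}: address family does not match the keyword")
            except ValueError:
                problems.append(f"{term!r}: not a valid IP address or CIDR block")
    all_positions = [i for i, t in enumerate(terms) if t.lower().lstrip("+-~?") == "all"]
    if not all_positions:
        problems.append("no 'all' term: the record never says what to do with unlisted senders")
    elif all_positions[0] != len(terms) - 1:
        problems.append("terms after 'all' are never evaluated")
    if len(record) > 255:
        problems.append(f"{len(record)} characters exceeds the 255-character limit")
    return problems


if __name__ == "__main__":
    # The forum's own record from the guide, rebuilt from its parts.
    record = build_spf(["159.223.244.219"], ["spf.protection.outlook.com"])
    print(record, check_spf(record))
    # Constructed broken record: the space after the second "IP4:" splits it in two.
    print(check_spf("v=spf1 IP4:203.0.113.5 IP4: 203.0.113.6 -all"))
```

Run it as a script to see the two outputs, or paste a candidate record into check_spf before copying it to your DNS host.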

It should be noted that SPF records are publicly accessible, so if you use an internal server to send email but do not want to reveal its IP address, then you will need to route mail through a separate system first.

Note:
While getting SPF records from your service providers, you may find that some of them do not provide any, but instead use a different method where they ask you to add “CNAME” records to your DNS. In layman’s terms this gives them permission to use their own SPF records when sending emails. While this does open several security concerns, these services will usually be trustworthy enough to allow this; do not do this for any suspicious sites or services which you do not expect to be sending emails.

Advanced

If you want to test changes to the SPF record to make sure it is working correctly, do not set the TTL to 1 day; instead set it to a very short time limit (e.g. 1 minute), as this will help to speed up the propagation of any changes you make. (If you change the TTL after the fact, the new value will not take effect until the previous TTL has expired, i.e. after 1 day.)
Make sure you set it back to 1 day after you have finished testing.

If you send mail from the same IP address as your A record or MX records point to, you can simply add “a” or “mx” into the SPF instead (v=spf1 a mx include:spf.protection.outlook.com -all, as an example). It should be noted that this will include ALL A or MX records for that domain, some of which you might not wish to grant permission to send emails (for example if you have an MX record pointing to a server which can receive but not send email).
However, in many cases this is a convenient way to add those specific records.
While this is technically a simple thing to add, the reason this method is not included in the basic details is to prevent issues where users do not know whether or not their A record or MX records point to the servers that send their mail, and do not know how to check this.
It should be noted that this is regarded as the “correct” way to include these addresses, though it doesn’t offer any particular benefits besides helping with the character limits, organisation and ease of updates.

The SPF record has a limit of 10 entries that require a DNS lookup (such as “include”) and 255 characters; however, you can get around this by creating “fake” subdomains.
As an example, add an SPF record with the host name “mail1” and another with the name “mail2”. Each of these can have 10 entries; then in your @ SPF record add 2 “include” sections which include your new subdomains, for example:
mail1: v=spf1 ip4:198.176.154.132 ip4:123.145.167.189 ip6:1234:2345:3456:4567:5678::6789 include:spf.domain12345.random.com include:secure.mycsemails.csprovider.net -all
mail2: v=spf1 ip4:159.223.244.219 include:spf.protection.outlook.com -all

@: v=spf1 include:mail1.ecomcommunity.online include:mail2.ecomcommunity.online -all

Note that there is a limit to the number of lookups each mail server will perform, and each “level” of include is an additional lookup. It is impossible to predict how any included domains outside of your control will operate; for example, when including Outlook’s SPF domain it’s possible that their lookups already hit the limits, so adding just 1 extra layer can cause errors. As such this method is not recommended except when it is absolutely necessary to add more than 10 addresses to a single domain/sub-domain.
Instead you should have different services use different sub-domains to better organise them, such as using contact.yournamehere for customer service, mail.yournamehere for bulk mail, etc.
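The lookup limit is the reason the subdomain trick is fragile, so here is an added example (not from this guide or any provider) that counts the lookups a receiver would perform. It walks a record and every include or redirect it references, adding one for each term that costs a DNS query (include, a, mx, ptr, exists, and redirect, as listed in RFC 7208 section 4.6.4). DNS is replaced by a constructed table so it runs offline: the mail1/mail2 layout mirrors the guide, while the provider hostnames under .invalid and their records are placeholders standing in for real providers' nested includes. With that table the @ record ends up at 11 lookups, one over the limit, even though no single record in the chain looks large.

```python
# Terms that cost a DNS lookup when a receiver evaluates the record (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed, offline stand-in for DNS: hostname -> SPF record. The mail1/mail2
# layout mirrors the guide; the provider hostnames (.invalid) are placeholders.
FAKE_DNS = {
    "ecomcommunity.online": "v=spf1 include:mail1.ecomcommunity.online include:mail2.ecomcommunity.online -all",
    "mail1.ecomcommunity.online": "v=spf1 ip4:198.51.100.10 include:spf.provider-a.invalid include:spf.provider-b.invalid -all",
    "mail2.ecomcommunity.online": "v=spf1 ip4:203.0.113.5 mx include:spf.provider-c.invalid -all",
    # What a large provider's record can look like: it nests further includes of its own.
    "spf.provider-a.invalid": "v=spf1 include:_spf1.provider-a.invalid include:_spf2.provider-a.invalid ~all",
    "_spf1.provider-a.invalid": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf2.provider-a.invalid": "v=spf1 a mx -all",
    "spf.provider-b.invalid": "v=spf1 ip4:192.0.2.10 -all",
    "spf.provider-c.invalid": "v=spf1 include:_spf.provider-c.invalid -all",
    "_spf.provider-c.invalid": "v=spf1 ip4:192.0.2.20 ip6:2001:db8::/32 -all",
}


def count_lookups(domain, dns, depth=0, trail=None, path=()):
    """Total the lookup-costing terms reachable from domain's record, following include/redirect.
    Returns (total, trail); trail lists (depth, domain, lookups in that record or a note)."""
    if trail is None:
        trail = []
    if domain in path:
        trail.append((depth, domain, "include loop"))
        return 0, trail
    record = dns.get(domain)
    if record is None:
        trail.append((depth, domain, "no SPF record (an include of it is a PermError)"))
        return 0, trail
    own = 0
    children = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if "=" in term:                       # modifier, e.g. redirect=other.example
            name, _, value = term.partition("=")
        else:                                 # mechanism, e.g. include:x or a/24
            name, _, value = term.partition(":")
            name = name.split("/")[0]
        if name in LOOKUP_MECHANISMS or name == "redirect":
            own += 1
        if name in ("include", "redirect"):
            children.append(value)
    trail.append((depth, domain, own))
    total = own
    for child in children:
        subtotal, _ = count_lookups(child, dns, depth + 1, trail, path + (domain,))
        total += subtotal
    return total, trail


def within_limit(domain, dns, limit=LOOKUP_LIMIT):
    """True when a receiver can evaluate the domain's record without exceeding the lookup limit."""
    total, _ = count_lookups(domain, dns)
    return total <= limit


if __name__ == "__main__":
    for root in ("ecomcommunity.online", "mail1.ecomcommunity.online"):
        total, trail = count_lookups(root, FAKE_DNS)
        for depth, name, note in trail:
            print("  " * depth + f"{name}: {note}")
        verdict = "OK" if total <= LOOKUP_LIMIT else "over the limit (PermError)"
        print(f"{root}: {total} lookups, {verdict}\n")
```

To use it against your real records, replace FAKE_DNS with a function that fetches the TXT records for each name; the counting logic stays the same. The trail output shows which provider's nesting consumed the budget, which is what you need when deciding which service to move to its own sub-domain.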

  2. Log into your domain host.
Details

This will usually be the website where your domain name was purchased, such as 123Reg.co.uk, namecheap.com, etc.
If your chosen domain host has user permission settings, your account will need permission to create and edit DNS records of the “TXT” type as a minimum, and the CNAME type for certain services (Klaviyo, for example, uses this).

  3. Add the SPF record
    Note: you should NOT add a new SPF record if one already exists; make sure the existing one contains all the required data and then move on to the next step (see the details of step 1 for what data is needed).
Details

Once you have logged into your domain host, you will need to look for the domain name which you send emails from and navigate to its “DNS” or “advanced DNS” setup page.
You will see a variety of record types; some hosts split these into separate menus, others show them all in one big list.
Firstly, you will need to ascertain whether or not you already have an SPF record, as only one can exist at once.
It should always be a TXT type record and will always start with v=spf1.

If you locate an SPF record, check its contents and make sure you have included everything in your new one. If you see an IP or domain which you do not recognise, double-check whether or not it should be included in your new SPF record; it might be a service you forgot about. If it’s something you no longer need, feel free to remove it.
Assuming this existing SPF record is correct and contains everything, feel free to move on to the next step.
Otherwise, navigate to the section which allows you to add a new TXT record and go ahead and add a new one.
The TXT record consists of several parts, some of which might use different names and/or might be missing because the DNS host uses default values instead.
The main parts you need are the “host name”, sometimes just “host”, “name” or more rarely “Key”,
and the “value”, sometimes referred to as “data”.
If there is no default value for TTL (time to live), then set this to 1 hour (3600 seconds).
The name/hostname should be @.
If you use sub-domains for email, such as “mail.yournamehere.com”, you may need to get advice on what to add here. As a quick fix you could add your SPF record with the @ hostname and then add the exact same SPF record with the sub-domain’s name; for example, for “forum.ecomcommunity.online” the host name would be “forum”.

The value/data should be the SPF record that you created earlier; make sure there is no space before v=spf1.
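The "check whether one already exists, then merge rather than add a second" step is where mistakes happen, so here is an added example (not part of this guide) that takes the TXT values a DNS host lists for the @ host, finds the SPF record among them, refuses to continue if there is more than one (receivers treat two SPF records as a permanent error, so neither works), and merges the terms you built into the existing record so each entry appears once with the policy last. It also reports entries that were only in the old record, which are the ones this guide says to double-check. The sample TXT list is constructed: the verification token is a made-up placeholder and the ip4 entry is an example address.

```python
# Constructed sample of the TXT records a DNS host might list for the @ host;
# the verification token is a made-up placeholder.
EXISTING_TXT = [
    "google-site-verification=PLACEHOLDER-TOKEN",
    "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.7 -all",
]


def is_all_term(term):
    """True for the final all term in any of its qualified forms (-all, ~all, ?all, +all, all)."""
    return term.lstrip("+-~?").lower() == "all"


def count_spf(txt_values):
    """How many SPF records are present; anything other than 0 or 1 needs fixing."""
    return sum(1 for v in txt_values if v.strip().lower().startswith("v=spf1"))


def find_spf(txt_values):
    """Return the one SPF record among the TXT values (None if there is none).
    Raises ValueError when more than one exists, because receivers treat that as a permanent error."""
    spf = [v.strip() for v in txt_values if v.strip().lower().startswith("v=spf1")]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; only one may exist, so merge them into one")
    return spf[0] if spf else None


def merge_spf(existing, new_terms, policy="-all"):
    """Merge the ip4/ip6/include terms you built into the existing record, keeping each term once
    and putting the policy last. Returns (value to paste, terms that were only in the old record)."""
    old_body = [t for t in (existing.split()[1:] if existing else []) if not is_all_term(t)]
    new_body = [t for t in new_terms if not is_all_term(t)]
    merged = []
    for term in old_body + new_body:
        if term.lower() not in [m.lower() for m in merged]:
            merged.append(term)
    new_lower = {t.lower() for t in new_body}
    leftover = [t for t in old_body if t.lower() not in new_lower]
    return " ".join(["v=spf1", *merged, policy]), leftover


if __name__ == "__main__":
    existing = find_spf(EXISTING_TXT)
    # The terms built earlier in the guide for this forum's domain.
    value, leftover = merge_spf(existing, ["ip4:159.223.244.219", "include:spf.protection.outlook.com"])
    print("paste this as the TXT value for @:", value)
    print("only in the old record, check whether still needed:", leftover)
```

The leftover list is deliberately not dropped automatically: a term you do not recognise may be a service you forgot, and removing it silently would start bouncing that service's mail.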

  4. Test sending emails from each of your servers and/or apps. If you have access to a mail server which has port 25 unblocked (most ISPs block it by default), you should try sending mail from your domain to an email address on the same domain and then check the mail flow logs to ensure it behaved as expected (either being blocked, flagged or allowed, depending on the SPF settings you have chosen).

WIP