DKIM, DMARC and SPF: What they are and how to use them.
Here we'll help you get things started. There is quite a bit more to these than what we've published here. If you want to go beyond the basics, DMARC Analyzer has detailed descriptions and testing tools to build and expand on your SPF and DMARC records.
What is DKIM?
DKIM is a method of 'signing' your email at the domain level in order for a recipient to validate the sender.
How does DKIM work?
You can create a public/private key pair right in our Control Panel, and then publish the public key (you'll never see the private key) at your DNS provider. When your email leaves VFEmail, we'll sign it with the private key, and the recipient will verify it with the published public key. Easy :)
What do I do to use DKIM?
- Click 'Add' in the DKIM Control Panel page. You'll be asked for a 'selector' ID. This can be any text identifier; we suggest using the current date: ddmmyyyy.
- Once it's created, click the 'View DKIM' button to view the public key.
- At your DNS provider, create a new TXT record. It'll be named 'selector'._domainkey. If you used the date, then it'll be ddmmyyyy._domainkey
Yes, there is a period between the selector ID and _domainkey. In the body of the field, paste the public key - without quotes.
- Once you've done that, wait a few minutes for DNS to propagate.
- Then check the checkbox next to your key and click 'Check DNS'.
DNS is checked for DKIM, DMARC and SPF.
- As soon as DKIM is green (the published public key matches VFEmail's public key) select 'Enable', and wait for it to activate.
What is SPF?
SPF is a method of publishing your valid sending servers, so the recipient can verify your domain is not spoofed.
How does SPF work?
You would create a TXT record at your DNS provider. It will contain flags and IP addresses to identify your approved sending servers. While SPF seems to end domain spoofing, actions such as forwarding and mailing list relays can create false positives.
What do I do to use SPF?
- At your DNS provider, add a simple TXT record for the root of your domain:
"v=spf1 a mx include:vfemail.net ~all"
- The key here is 'include:vfemail.net'. That allows your record to 'follow' VFEmail's as we make normal changes.
If you're sure you only use VFEmail, you can change ~all to -all to tell the recipient to reject any SPF failures.
- Once you've done that, wait a few minutes for DNS to propagate.
- Then check the checkbox next to your key and click 'Check DNS'.
DNS is checked for DKIM, DMARC and SPF.
- As soon as SPF is green, you're all set.
What is DMARC?
DMARC brings together SPF and DKIM results and provides further instructions to a recipient on how to handle failures.
How does DMARC work?
You would create a TXT record at your DNS provider. It will contain a policy (none, quarantine, reject), flags, and possibly reporting addresses. We'll keep things simple here.
What do I do to use DMARC?
- At your DNS provider, add a simple TXT record for the name "_dmarc":
"v=DMARC1; p=quarantine; "
- The key here is the 'p=quarantine'. If you're confident that only VFEmail is your provider, your SPF record is good, and DKIM is working - you can change that to 'p=reject'.
- Once you've done that, wait a few minutes for DNS to propagate.
- Then check the checkbox next to your key and click 'Check DNS'.
DNS is checked for DKIM, DMARC and SPF.
- As soon as DMARC is green, any recipients should be using your DMARC policy.
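If you'd like to sanity-check the three records yourself before pasting them into DNS, here is an added example (not VFEmail's own code, and not what the 'Check DNS' button runs). It works offline on the record text; the function names, example.com and the selector 01012024 are made up for illustration.

```python
# Added example: offline checks for the DKIM name, SPF and DMARC TXT values
# described above. All sample values are constructed placeholders.

def dkim_record_name(selector, domain):
    """Full DNS name where the DKIM public key TXT record is published."""
    return f"{selector}._domainkey.{domain}"

def check_spf(txt, required_include="vfemail.net"):
    """Return (ok, all_qualifier, problems) for an SPF TXT value."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, None, ["record does not start with v=spf1"]
    mechanisms = [t.lower() for t in terms[1:]]
    problems = []
    if f"include:{required_include}" not in mechanisms:
        problems.append(f"missing include:{required_include}")
    alls = [m for m in mechanisms if m.lstrip("+-~?") == "all"]
    qualifier = None
    if not alls:
        problems.append("no 'all' mechanism")
    else:
        # A bare 'all' has the default '+' (pass) qualifier.
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        if qualifier in "+?":
            problems.append(f"'{alls[0]}' does not fail unlisted senders")
    return not problems, qualifier, problems

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or raise ValueError."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("first tag must be v=DMARC1")
    tags = dict(p.split("=", 1) for p in parts if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags

if __name__ == "__main__":
    print(dkim_record_name("01012024", "example.com"))
    print(check_spf('"v=spf1 a mx include:vfemail.net ~all"'))
    print(parse_dmarc('"v=DMARC1; p=quarantine; "'))
```

A '~' or '-' qualifier from check_spf corresponds to the ~all and -all choices in the SPF steps; anything it lists under problems is worth fixing before you click 'Check DNS'.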