Spoofing defense for Custom domains: SPF, DKIM, DMARC
Due to the open and decentralized nature of SMTP, email spoofing is a common issue. Every mail server connected to the internet can send an email using your email address and can thereby spoof your identity. When using custom domain with Mailfence, we recommend you to deploy following email spoofing defenses.
Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) record tells the recipient what hosts or IP addresses can send email for your domain. You’ll need to add DNS records of type ‘TXT’ with the name ‘@’ (if the field is present) via your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider’s help documentation for specific information on adding TXT records.
In your Mailfence account, go to your account Settings -> Messages -> E-mail domains -> Click on your custom domain listing: SPF
Domain Keys Identified Mail (DKIM)
Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies if an email is sent by authorized servers and has not been modified during transit.
In your Mailfence account, go to your account Settings -> Messages -> E-mail domains -> Click on your custom domain listing: DKIM
Follow the mentioned instructions.
Once the the respective DNS record has been successfully included, click on Validate.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Now after going through SPF and DKIM, the question is what should a receiving server do if it gets an email which failed these checks. This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) comes in by allowing the domain owner to specify what should happen with failed checks as well as get feedback/reports.
Through your hosting provider, domain registrar, or DNS provider, you’ll need to add DNS record of type ‘TXT’ with the name ‘_dmarc’ (which will form a TXT record such as _dmarc.yourdomain.com; depending on your hosting/domain/DNS provider acceptance). We recommend referring to your provider’s help documentation for specific information on adding TXT records.
In your Mailfence account, go to your account Settings -> Messages -> E-mail domains -> Click on your custom domain listing: DMARC
Follow the mentioned instructions.
The email address that you need to specify in ‘rua=mailto:’ is where you will receive DMARC reports from other service providers. Please replace this address with an actual address that you own. It can be any email address where you would like to recieive DMARC reports for your custom domain e.g.,
v=DMARC1; p=none; rua=mailto:email@example.com;
Note: If you already see a DNS TXT record with name ‘_dmarc’ for your domain, then edit this record instead of creating a new one. This is important as you can’t have multiple DMARC records for a given domain.
The ‘p=’ specifies the action to take for emails that fail DMARC and here, “none” basically means don’t do anything, and follow the receiving end policy. The other options are quarantine and reject, however above entry corresponds to report-only mode (recommended) and will have no effect on email delivery. If you plan to use quarantine or reject, then make sure you understand the risks involved on your email delivery.
Once the the resective DNS record has been succesfully included, click on Validate.
Afterwards, if you would like to stop receiving DMARC reports for your custom domain, simply delete the DMARC entry from your DNS records.
Side note regarding SPF, DKIM and DMARC:
- When you modify an existing DNS records, the changes may not propagate completely before some time (from a few hours to a few days, depending on the TTL value for preceding records).
- There are several external tools that you can use to further test the SPF (e.g., http://www.kitterman.com/spf/validate.html), DKIM (e.g., http://dkimvalidator.com) or both (e.g., https://www.mail-tester.com).
The ultimate defense against spoofing: Digital signatures
Aside from all of the spoofing and tampering defenses via SPF, DKIM, DMARC, Mailfence provides you the ability to digitally sign your emails with OpenPGP signatures. In our opinion, this is the ultimate defense against spoofing and tampering. You can choose an OpenPGP keypair of your choice and have full control on the keypair. You can also decide at all times what emails you want to sign or not – or can sign all your outgoing emails by default.
Do you have any questions? Feel free to contact our support.
– Mailfence Team