Spoofing defense for Custom domains: SPF, DKIM, DMARC


Due to the open and decentralized nature of SMTP, email spoofing is a common issue. Any server connected to the internet can send an email that uses your email address as the sender, and can thereby spoof your identity. When using a custom domain with Mailfence, we recommend that you deploy the following email spoofing defenses.

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) record tells the recipient which hosts or IP addresses may send email for your domain. You’ll need to add a DNS record of type ‘TXT’ with the name ‘@’ (if that field is present) via your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider’s help documentation for specific information on adding TXT records.

In your SPF record, “include” the domain _spf.mailfence.com, using one of the following values:

If emails will be sent only via mailfence.com servers (webmail, authenticated SMTP, forwarding):

v=spf1 include:_spf.mailfence.com -all

If emails will be sent from other servers as well, use:

v=spf1 include:_spf.mailfence.com ~all

This helps protect your domain against attackers and spammers who send emails with spoofed headers, and adds legitimacy to the emails you send.
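To make the difference between -all and ~all concrete, here is a small SPF evaluator as an added example (not Mailfence code). It resolves TXT records from a constructed in-memory table instead of DNS, and the content it assigns to _spf.mailfence.com is made up for the demo; it also carries a linter for two common record mistakes (no terminating all mechanism, or +all) and enforces the ten-lookup limit from RFC 7208.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (example data, not real records;
# the _spf.mailfence.com entry is a made-up value for this demo).
FAKE_TXT = {
    "yourdomain.example": "v=spf1 include:_spf.mailfence.com -all",
    "soft.example": "v=spf1 include:_spf.mailfence.com ~all",
    "_spf.mailfence.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefix -> result name (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms


def check_spf(ip, domain, resolver=FAKE_TXT, _lookups=None):
    """Evaluate sending IP `ip` against `domain`'s SPF record.

    Returns (result, lookups_used). Handles ip4, ip6, include and all;
    any other mechanism yields 'permerror' so the demo never guesses."""
    if _lookups is None:
        _lookups = [0]  # shared counter across nested include: evaluations
    record = resolver.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", _lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], _lookups[0]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", _lookups[0]
            if addr in network:  # False when address and network versions differ
                return QUALIFIERS[qualifier], _lookups[0]
            continue
        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", _lookups[0]
            sub, _ = check_spf(ip, arg, resolver, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], _lookups[0]
            if sub in ("none", "permerror"):
                return "permerror", _lookups[0]
            continue  # fail/softfail/neutral inside the include: not a match
        return "permerror", _lookups[0]  # unsupported here: a, mx, exists, ...
    return "neutral", _lookups[0]  # nothing matched and no 'all' term present


def lint_spf(record):
    """Return a list of warnings for common mistakes in an SPF record string."""
    warnings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        warnings.append("record does not start with v=spf1")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        warnings.append("'+all' lets any host pass SPF; use -all or ~all")
    elif last not in ("-all", "~all", "?all"):
        warnings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", t, re.I))
    if lookups > MAX_DNS_LOOKUPS:
        warnings.append(f"{lookups} lookup-causing terms exceed the limit of {MAX_DNS_LOOKUPS}")
    return warnings


if __name__ == "__main__":
    for sender in ("203.0.113.5", "198.51.100.7"):
        print(sender, check_spf(sender, "yourdomain.example"), check_spf(sender, "soft.example"))
    print(lint_spf("v=spf1 include:_spf.mailfence.com +all"))
```

Run against the constructed table, an address outside the included ranges gets "fail" under the -all record and "softfail" under the ~all record; that is the only difference between the two values the article gives, and it decides whether a receiver may reject outright or merely mark the message as suspicious.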

Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies that an email was sent by authorized servers and was not modified in transit. If you want us to activate the DKIM signature (recommended) for emails sent via our servers with a sender address containing your domain, please notify us via email.

Please include your domain and the login name of your account in this notification, so we can let you know once we enable it for your domain.

Note: Presently, each of your emails is signed with the Mailfence domain DKIM key, so you don’t need to set up anything in your DNS zone. This takes the burden of DKIM key generation, management, rotation, and safe disposal of compromised, obsolete or deprecated DKIM private keys off the user’s shoulders.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Now that SPF and DKIM are in place, the question is what a receiving server should do when it gets an email that fails these checks. This is where Domain-based Message Authentication, Reporting and Conformance (DMARC) comes in: it allows the domain owner to specify what should happen to messages that fail the checks, and to receive feedback reports.

Through your hosting provider, domain registrar, or DNS provider, you’ll need to add a DNS record of type ‘TXT’ with the name ‘_dmarc’ (which forms a TXT record such as _dmarc.yourdomain.com, depending on what your hosting/domain/DNS provider accepts). We recommend referring to your provider’s help documentation for specific information on adding TXT records.

Note: If a DNS TXT record named ‘_dmarc’ already exists for your domain, edit that record instead of creating a new one. This is important because a domain can’t have multiple DMARC records.

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;

The “p=” tag specifies the action to take for emails that fail DMARC; here, “none” means take no action and leave the decision to the receiving server’s own policy. The other options are quarantine and reject. The entry above corresponds to report-only mode (recommended) and has no effect on email delivery. If you plan to use quarantine or reject, make sure you understand the risks to your email delivery.

The ‘reports@yourdomain.com’ example address is where you will receive DMARC reports from other service providers. Please replace this address with an actual address that you own.
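The following added example (not Mailfence code) shows how a receiver turns the record above into a decision: it parses the tag=value record, applies identifier alignment between the From: domain and the domains that passed SPF and DKIM, and maps the p= value to a delivery disposition. DNS is replaced by a constructed table; the domains, the "strict.example" policy with adkim=s/aspf=s, and the "broken.example" entry with two records are all made up to exercise the edge cases the article mentions (report-only mode, and the rule that a domain may have only one DMARC record). The organizational-domain helper is a deliberate simplification; real receivers use the Public Suffix List.

```python
# Constructed stand-in for DNS: each name maps to the list of TXT records found.
FAKE_TXT = {
    "_dmarc.yourdomain.example": ["v=DMARC1; p=none; rua=mailto:reports@yourdomain.example;"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@strict.example"],
    "_dmarc.broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in DISPOSITION:
        raise ValueError("p= must be none, quarantine or reject")
    rua = tags.get("rua")
    if rua is not None and not all(u.strip().startswith("mailto:") for u in rua.split(",")):
        raise ValueError("rua= must be a comma-separated list of mailto: URIs")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if auth_domain is None:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, resolver=FAKE_TXT):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF was checked against (MAIL FROM); dkim_domain is the
    d= of a signature that verified. Either aligned pass satisfies DMARC."""
    records = resolver.get("_dmarc." + from_domain.lower(), [])
    if len(records) != 1:
        return "none", "deliver"  # no record, or several records: no policy applies
    policy = parse_dmarc(records[0])
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", DISPOSITION[policy["p"]]


if __name__ == "__main__":
    # A message whose SPF passed for the From: domain, and one spoofed from elsewhere.
    print(dmarc_evaluate("yourdomain.example", "pass", "yourdomain.example", "fail", "signer.example"))
    print(dmarc_evaluate("yourdomain.example", "fail", "attacker.example", "none", None))
```

With p=none the second, unauthenticated message still gets "deliver", which is exactly why report-only mode is safe to start with: the rua= reports show what would have been affected before quarantine or reject is switched on.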

Side note regarding SPF, DKIM and DMARC:

  • When you modify existing DNS records, the changes may take some time to propagate completely (from a few hours to a few days, depending on the TTL value of the previous records).
  • There are several external tools that you can use to further test the SPF (e.g., http://www.kitterman.com/spf/validate.html), DKIM (e.g., http://dkimvalidator.com) or both (e.g., https://www.mail-tester.com).

The ultimate defense against spoofing: Digital signatures

Aside from the spoofing and tampering defenses provided by SPF, DKIM and DMARC, Mailfence gives you the ability to digitally sign your emails with OpenPGP signatures. In our opinion, this is the ultimate defense against spoofing and tampering. You can choose any OpenPGP keypair and keep full control over it. You can also decide at any time which emails you want to sign, or sign all your outgoing emails by default.

Do you have any questions? Feel free to contact our support.


– Mailfence Team
