
DNS Authentication: Configuration and Best Practices

Updated on May 22, 2024

Spam and Phishing Concerns

Recently, you may have noticed an increase in spam emails flooding your inbox.

One major cause of this spam surge is inadequate email authentication practices. Spammers exploit gaps in email security to invade inboxes with phishing schemes.

To combat this, Google and Yahoo have stepped up their game by introducing new requirements.

 

Who Does It Apply To?

These rules impact all email senders, regardless of the volume of emails they send.

Whether you are an individual or a business, these standards matter.

 

What’s Required?

Authentication Protocols (SPF, DKIM, DMARC):

Authenticate your emails using security protocols:

  • SPF (Sender Policy Framework): Specifies authorized IP addresses or domains allowed to send emails on behalf of your domain.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails, ensuring their authenticity.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Sets policies for handling emails that fail authentication checks.

 

Spam Rate Control:

    • Keep your spam rate below 3%.
    • Send relevant and valuable emails to recipients.

 

User-Friendly Practices:

    • Provide an easy one-click unsubscribe.
    • Process unsubscribes within 2 days.

 

 

What are SPF, DKIM and DMARC?

SPF (Sender Policy Framework): SPF is like a publicly available employee directory for a domain. It lists all the IP addresses of servers allowed to send emails from that domain. When a mail server receives an email, it checks it against the SPF record before delivering it to the recipient’s inbox.

 

SPF values are provided by your email provider.

DKIM (DomainKeys Identified Mail): DKIM enables domain owners to automatically “sign” emails from their domain. This digital signature uses cryptography to verify that the email came from the domain. The signature is created with the sender’s private key; DKIM records store the domain’s public key, which receiving mail servers look up to verify that signature.

 

DKIM values are provided by your email provider.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC builds on SPF and DKIM by stating a clear policy for how receivers should treat messages that fail those checks. It also allows you to set an address for receiving reports with the mail statistics that receivers gather for a specific domain.

 

Together, SPF, DKIM and DMARC help prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain they do not own.

 

 

Scenario 1

Using your main Domain on Classter (example.com)

 

DMARC Configuration

(Applies only if you do not have any DMARC values in your DNS)

 

Initial Stage (p=none):

Set DMARC to “none” for monitoring purposes.

Emails failing DMARC will not be rejected.

Add the following DMARC record to your DNS:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:your@email.com; ruf=mailto:your@email.com; fo=1"

 

Quarantine (p=quarantine):

Gradually move to this stricter policy.

Suspicious emails go to recipients’ spam folders.

Update the DMARC record:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:your@email.com; ruf=mailto:your@email.com; fo=1"

 

Reject (p=reject):

Strictest policy—reject non-compliant emails.

Use with confidence after thorough testing:

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:your@email.com; ruf=mailto:your@email.com; fo=1"

 

You can easily generate your DMARC record by following the tutorial below:

https://dmarcian.com/dmarc-record-wizard/

 

Gradual Transition: Implementing DMARC in stages allows for a smooth transition. Starting with a monitoring policy (p=none) ensures that legitimate emails are not accidentally rejected. As you gain confidence in your setup, you can gradually tighten the policy. Duration: 1-2 weeks.

Monitoring and Learning: The initial monitoring phase (p=none) provides valuable insights. You will receive DMARC reports (RUA) that highlight authentication results. Analyzing these reports helps identify sources of failed authentication and potential issues. Duration: 2-4 weeks.

Avoiding Disruption: Moving directly to a strict policy (p=reject) can disrupt email delivery. By starting with monitoring, you avoid unintended consequences. Gradual adjustments minimize the risk of false positives.

 

SPF and DKIM

SPF (Sender Policy Framework):

If you already have an existing SPF record for your main domain (example.com), include Mailgun’s servers in that record:

Explanation:

v=spf1: Indicates SPF version 1.

include:mailgun.org: Specifies that Mailgun’s servers are authorized to send emails on behalf of your domain.
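As an added example (not from the original article or from Mailgun), the sketch below merges include:mailgun.org into an existing SPF record instead of publishing a second one, since a domain must have only one SPF record and SPF evaluation allows at most 10 DNS lookups. The existing record shown is constructed, and the function names are hypothetical.

```python
# Constructed example of a record that already exists on the main domain.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def is_spf(txt):
    """True when a TXT value is an SPF record (first term is v=spf1)."""
    return txt.lower().split()[:1] == ["v=spf1"]


def lookup_count(record):
    """Lower bound on DNS lookups: top-level terms only, nested includes not followed."""
    count = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0].split("=")[0]
        count += name in LOOKUP_TERMS
    return count


def add_include(record, provider="mailgun.org"):
    """Insert include:<provider> before the 'all' term of an existing SPF record."""
    if not is_spf(record):
        raise ValueError("not an SPF record")
    terms = record.split()
    wanted = f"include:{provider}"
    if wanted not in [t.lower() for t in terms]:
        # Terms are evaluated left to right; anything after 'all' is never reached.
        pos = next((i for i, t in enumerate(terms)
                    if t.lstrip("+-~?").lower() == "all"), len(terms))
        terms.insert(pos, wanted)
    merged = " ".join(terms)
    if lookup_count(merged) > 10:
        raise ValueError("SPF record needs more than 10 DNS lookups")
    return merged


def update_txt_set(txt_records, provider="mailgun.org"):
    """Return the domain's TXT values with exactly one SPF record that covers the provider."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) > 1:
        raise ValueError("multiple SPF records on one name cause a permanent error")
    if not spf:
        return txt_records + [f"v=spf1 include:{provider} ~all"]
    return [add_include(r, provider) if is_spf(r) else r for r in txt_records]


if __name__ == "__main__":
    print(add_include(SAMPLE_SPF))
```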

 

DKIM:

Use the DKIM key provided by Mailgun for the main domain.

Make sure that you also have SPF and DKIM settings for your email sending provider; otherwise you will have deliverability issues when you implement DMARC.

 

  • You must not add MX records if you are in Scenario 1.

 


 

Scenario 2

Using a subdomain on Classter (only for Classter sending purposes) (classtermail.example.com)

 

DMARC Configuration
(Applies only if you do not have any DMARC values on your DNS)

Follow similar steps as for the main domain (Scenario 1) to add a DMARC record for the subdomain (classtermail.example.com).

You can easily generate your DMARC record by following the tutorial below: https://dmarcian.com/dmarc-record-wizard/

 

DKIM Configuration

Use the same DKIM key provided by Mailgun for the subdomain.

 

Mailgun SPF Record

Add the Mailgun SPF record to your DNS for the subdomain:

classtermail.example.com. IN TXT "v=spf1 include:mailgun.org ~all"

 

MX Records

Since this subdomain is used only for sending from Classter, set up MX records pointing to Mailgun’s servers:

classtermail.example.com. IN MX 10 mxa.mailgun.org.

classtermail.example.com. IN MX 10 mxb.mailgun.org.

 

Best Practices

  • Regularly monitor DMARC reports.
  • Keep DNS records up to date.
  • Educate users about email authentication.

 

Ensuring Reliable Email Delivery: A Non-Technical Overview

As you navigate the complexities of email authentication, it is essential to consider email deliverability. Here are some key points to keep in mind:

  1. Why Deliverability Matters:
    • Reliable email delivery ensures that your messages reach recipients’ inboxes.
    • Poor deliverability can lead to emails being marked as spam or rejected altogether.
  2. Authentication and Reputation:
    • Implementing DMARC, SPF, and DKIM enhances your email authentication.
    • These protocols verify your identity and protect against spoofing.
    • Maintain a positive sender reputation by adhering to best practices.
  3. Consult with Experts:
    • If you are unsure about your DNS settings or need further clarification, consult your DNS provider or an email consultant.
    • They can guide you through the technical aspects and help you make informed decisions.
  4. Monitor and Adjust:
    • Regularly monitor DMARC reports to understand authentication results.
    • Adjust policies based on insights from these reports.

 

Remember, while technical details matter, seeking professional advice ensures that your email system operates smoothly. Do not hesitate to contact experts for personalized guidance.

 

More information and how to check your configuration

 

More information about DMARC:

 

SPF/DMARC/DKIM records check:

 

Emails header analyzer tool:

 
