DKIM and SPF are two DNS-based mail security solutions. In this article, we won’t dive too deep into what each means. We will, however, give enough info for you to enable and use DKIM and SPF on your own mail domains. We’ve included a screen recording above if you prefer to watch videos; otherwise, read on.
Sender Policy Framework (SPF) is a standard implemented in DNS to prevent spammers from spoofing your address. It’s entirely possible for a spammer to send mail that looks like it came from you. SPF tries to address this problem.
By using SPF, you set a DNS record which explicitly states which servers are allowed to send mail from your domain name. A receiving server can query this DNS record before accepting mail and can bounce the message if it comes from a different server than what you’ve allowed.
Creating an SPF record:
You need to create a TXT record in your domain’s DNS which looks something like this:
v=spf1 a mx ip4:10.0.0.1 -all
The a means that any IP addresses associated with this domain name are allowed to send email (that is, all the A records in this domain’s DNS zone).
Similarly, mx means that the domain’s MX can send emails.
The ip4 gives this particular IP address permission to send mail for this domain. Similarly, you could use ip6 addresses.
The -all means that no other IPs or servers may send mail for this domain, only what you’ve explicitly allowed. You could use ~all instead, which would indicate to receiving mail servers that they should only soft fail the mail, not hard fail and bounce it straight away.
You may include multiple IP addresses. For instance, we could modify our SPF record to this:
v=spf1 a mx ip4:10.0.0.1 ip4:10.2.3.4 -all
You can also specify domains which are permitted to send on your behalf. This is useful if, for example, you send mail through your Google account. In Google’s case this would be:
v=spf1 a mx ip4:10.0.0.1 ip4:10.2.3.4 include:_spf.google.com -all
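How a receiving server applies a record like the ones above, as an added example (not WebCP code). It is a simplified evaluator that handles only the mechanisms described in this article, with DNS replaced by a constructed table. The names example.com and _spf.example.net and all addresses are placeholders.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (all values are assumptions).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:10.0.0.1 ip4:10.2.3.4 include:_spf.example.net -all"],
    ("example.com", "A"): ["10.0.0.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["10.0.0.6"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def check_spf(sender_ip, domain, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    if depth > 10:  # crude loop guard for nested includes
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    ip = ipaddress.ip_address(sender_ip)
    # Terms are evaluated left to right; the first match decides the result.
    for term in records[0].split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif name == "include":
            # Only a "pass" from the included record counts as a match here.
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

Note that an address not covered by the included record falls through to the outer -all and fails, even though the included record itself ends in ~all.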
DKIM (DomainKeys Identified Mail) is a way of digitally signing your outgoing emails so that the receiver can verify that the mail definitely came from you.
The way this works is that the server generates a private and a public key. To enable DKIM for a domain, click on Emails->Enable DKIM and then select Enable DKIM from the drop down.
When DKIM is enabled, the mail server adds a cryptographic signature to the mail headers. This signature is created using the private key. When a receiving server receives an email, it does a DNS lookup to get the public key and then uses it to verify the signature.
To add a DKIM record to your DNS, go to the “Enable DKIM” link under Emails in WebCP and enable DKIM for the domain. On that screen you’ll be given the public key for the server.
You’ll add a TXT record to your DNS with a host of x._domainkey.example.com and a value of whatever is on that screen, e.g.:
v=DKIM1; k=rsa; p=MIGfMB0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvGX0A7Y+2IuDHBpNimrQlDsPe 2u2kVgoCth+vrdD12Wx1UDhAfU3CPT1B+VLsUmVMosuUO6k6rLezZlrqafPrTjAr 23XNqiNjSDCudWwaxZqRK7PWbb7RQkREyLjgn5SP2CHTpF1TjshCRrigkKMG2CaS 5slAruD7KY/RgT7VXwIDAQAB
As you can see, setting up your DKIM and SPF records is really easy with WebCP.io. If you have any questions or need a little extra help, please visit our forums and reach out; we’re always happy to help.
It’s really important that you set up your DKIM and SPF too, as many mail servers will reject your email without it. In the case of sending to Gmail, you’ll often end up in their spam folders without DKIM and SPF.