Configuring SPF, DKIM and DMARC

Rob Howard Updated by Rob Howard

DailyStory makes use of modern email security features to ensure customer email is delivered on-time and placed in the inbox. This includes setting up a dedicated subdomain to send emails from separate from a customers main domain along with separate IPs associated with the subdomain.

For example, if your main domain is test.com use of DailyStory will require you to add several DNS records so that DailyStory can send your email on a subdomain such as email.test.com.

Basic overview of sending domain relationship

Some email providers do not offer this and send email "on behalf of". This happens when the sending domain and the from domain do not match. For example, sending an email from amy@test.com using a sending domain of email-list.eample.com. These emails may reach the inbox, but will be displayed to the recipient as:

amy@test.com on behalf of email-list.example.com

In this case, the sending domain email-list.example.com and the from domain test.com do not match. Modern mail systems such as Gmail may place the email in the inbox, but that cannot validate that amy@test.com was the actual sender.

This type of mismatch is often used in email phishing attacks to confuse the recipient.

For best email delivery results the sending and from domain should match and that match should be verifiable.

Sending email with matching domains

When setting up DailyStory you will be provided with several records to add to your DNS. This includes 2 MX records, which simply tell email servers how to route email.

Additionally two TXT records are provided. These two TXT records, SPF and DKIM, allow email servers to validate that the sending domain and the from domain match, e.g. amy@test.com is allowed to send email from email.test.com.

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email.

An example SPF record looks as follows:

v=spf1 include:mailgun.org ~all

Some email systems, such as Gmail, will also require an SPF record. An SPF record can support multiple sending domains:

v=spf1 include:_spf.google.com include:mailgun.org ~all

DKIM (DomainKeys Identified Mail)

DomainKeys Identified Mail is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

A DKIM record is associated with a subdomain, e.g. mx._domainkey.mg, and looks as follows:

k=rsa; p=MIGfAQtH1N8dyxzunS1WRfe+Qs6jYJ7NIXZM2Y7yPTbwzBXtTmiBJYEz...

It is possible to have multiple DKIM records associated with various subdomains.

Supporting DMARC

An optional step to protect your sending domain is to use DMARC.

Configuring DMARC incorrectly will cause email delivery problems with modern email providers like Gmail. It is important to understand how to configure DMARC prior to enabling it.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Domain-based Message Authentication, Reporting and Conformance is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

An example DMARC policy looks as follows:

v=DMARC1; p=quarantine; pct=100; rua=mailto:security@example.com

Setting up DMARC is outside the scope of this article. However, there are several important considerations.

Set adkim to relaxed alignment

By default the adkim value is not required. If you are instructed to set the adkim parameter, it must be set to relaxed (r) alignment not strict (s) alignment:

v=DMARC1; p=quarantine; rua=security@example.com; pct=100; adkim=r;

Set aspf to relaxed alignment

Similar to the adkim parameter, the aspf value is not required. If you are instructed to set the aspf parameter, it must be set to relaxed (r) alignment not strict (s) alignment:

v=DMARC1; p=quarantine; rua=security@example.com; pct=100; adkim=r; aspf=r;

Setting the adkim and aspf to relaxed (r) alignment allows an email sender address, amy@test.com, and the sending email server subdomain, email.test.com, to validate. In strict (s) alignment the from address and sending email server domain must match exactly.

Because DailyStory does not send email on the main domain (example.com) and instead always uses a subdomain (email.example.com), if the DMARC alignment is set to strict (s) the emails will fail to authenticate and will not be delivered to the inbox.

How did we do?

Email Designer Frequently Asked Questions

Contact