Email is the most utilized channel for targeted cyber attacks. It presents the biggest opportunity for hackers to crawl into your network and get a foothold.
Data shows that over 90 percent of cyber attacks start with email messages. Email spoofers send about 3.1 billion phishing emails daily—costing the world more than $29 billion since 2016.
The FBI reported that about 467,000 cyber attacks were successful in 2019, with emails providing a launchpad to 24 percent of them. Email-based cyber attacks often start with simple and seemingly innocent email messages.
But you could protect yourself and your organization against these attacks by configuring SPF, DKIM, DMARC records and using them together. What are they, and how do you configure the records?
Come, let’s find out.
Understanding SPF, DKIM and DMARC Records
SPF, DKIM and DMARC are some of the most common DNS records for email accounts, offering protections against spoofing and email phishing.
They work together to detect forged sender addresses and authenticate sent emails. Let’s quickly understand what these terms mean.
The Sender Policy Framework (SPF) record is a DNS record that helps authenticate emails by specifying to mail exchanges the authorized host to send mail for a domain.
It enables your mail server to confirm that a mail claiming to come from a specific domain is actually from there.
And here is how it works.
Domain owners use SPF records to specify the IP addresses authorized to send mails from their domains, for example, domain.com.
When someone sends an email that claims to come from that domain, the receiving mail server verifies if you authorized the IP address in TXT records to send emails.
If it comes out green, the mail server receives the mail but rejects messages from unauthorized IP addresses.
DKIM, short for Domain Key Identified Mail, is an email security protocol that ensures people don’t tamper with your mail while in transit.
Here’s how it works.
When you send an email, the protocol signs it with a private key using public-key cryptography as it leaves your outgoing (SMTP) server.
Your recipient’s incoming mail server uses the public key published to your domain’s DNS to verify the source of the mail and confirm the content of the messages hasn’t changed during transit. If the recipient’s server verifies the signature as authentic, the message passes DKIM and gets delivered.
Domain-based Mail Authentication, Reporting, and Conformance (DMARC) is an email security protocol that uses SPF and DKIM to authenticate emails.
Email senders use the record to specify how to handle emails that were not SPF or DKIM authenticated.
The three DMARC policies are:
- p=none (it monitors your email traffic but with no action taken).
- p=quarantine (sends authorized emails to spam)
- p=rejects (prevents unauthorized emails from getting delivered)
Configuring SPF, DKIM and DMARC Records
Now, how do you add these records to your domain’s DNS zone?
Let’s find out.
Adding an SPF Record on Spanel
Log into SPanel’s User Interface. By default, the login URL is at https://yourdomain.com/spanel/ (don’t forget to replace yourdomain.com with your actual domain).
Open the DNS editor tool from the DOMAINS section on the homepage.
Select the domain you wish to add the record to from the drop-down menu.
Type your domain name, for example, domain.com, in the Name text box.
Enter a TTL (time to live) value, or use the default value.
The TTL value specifies the amount of time it’ll take your changes to propagate across the internet—a shorter one makes propagation quicker.
Reduce the TTL value before adding the SPF record and keep it between 3600 seconds and 86400 seconds after propagation.
For the next step, select TXT as your DNS Type.
Generate your SPF record if you don’t have the record handy and copy it into the Value text box.
Click the Add Record button to apply the changes.
Use these online tools to auto-generate your domain’s SPF record:
- MxToolBox SPF Record Generator
- DMARC Analyzer SPF Record Generator
- PowerDMARC SPF Record Generator
- MailWizz SPF Record Generator
- ZeroBounce SPF Generator
Adding DKIM Record in Spanel
Adding a DKIM record to your domain zone file via Spanel follows the same steps as outlined above.
To get started, log into the account’s control panel and click the DNS editor tool under the DOMAINS section to open your DNS zone manager.
Select your domain from the pull-down menu.
Enter default._domainkey in the Name text box.
Choose a TTL value, or use the default value.
DKIM record is a TXT record, so select TXT as your DNS Type.
Copy your DKIM record into the Value text box and click the Add Record button to add the record.
If you don’t have your DKIM value, use these free online tools to auto-generate it:
- Socketlabs DKIM Generator
- PowerDMARC DKIM Record Generator
- EasyDMARC DKIM Record Generator
The 2048 bit key length is more secure; consider using it to generate the DKIM record.
Contact support to find out if it’s available for your domain hosting; otherwise, use the 1024 bit key length.
Adding DMARC Records on Spanel
Adding a DMARC record to your domain requires setting up SPF and DMARC records first.
When you sort this out, log in to your SPanel, open the DNS editor and select your domain.
In the editor, enter _dmarc.domain.com in the Name text box, replacing domain.com with your domain name.
- Input your TTL value
- Select TXT as your DNS Type
- Copy your DMARC record into the Value text box
- Click the Add Record button to save the record.
Use these free online tools to auto-generate your DMARC record.
- Dmarcian DMARC Record Generator
- MXToolbox DMARC Generator
- DMARC Analyzer DMARC Record Generator
- Elastic Mail DMARC Record Generator
Wrapping It Up
Using SPF, DKIM, and DMARC records together helps you protect your email accounts, improve email deliverability, prevent spam and phishing.
Each record is an essential piece of the email security puzzle.
Configuring the records could be challenging. If you need assistance adding any of the records to your domain’s DNS zone, reach out to our support, and we’ll be happy to help.