Difference between revisions of "SPF+DKIM+DMARC"

From The Hive
Latest revision as of 20:12, 17 February 2020

Correct mail configuration is especially important if you own a "biz" domain, to avoid having your email misinterpreted or misclassified as spam.

Main technologies

Sender Policy Framework

SPF is described in RFC 7208 (https://tools.ietf.org/html/rfc7208) and implemented as a DNS TXT record.

example.biz.            86400   IN      TXT     "v=spf1 a mx ~all"

Too short a time-to-live (here 86400 seconds) is often taken as an indicator of spamminess. The "biz" TLD itself uses 900 seconds, but that can be used to quickly revoke a spammer's domain.

The version was never updated from 1, but other tools were developed to be used in conjunction with SPF.

DomainKeys Identified Mail

DKIM is described in RFC 6376 (https://tools.ietf.org/html/rfc6376) and implemented by publishing a public key in another DNS TXT record. Here is the general gist of a very simple possible example.

default._domainkey.example.biz. 86400 IN TXT    "v=DKIM1; k=rsa; p=base64encodedpublickey"

If you are going to use DKIM on your domain, then you need a "milter" or similar software for your server to sign outgoing email headers with the private key corresponding to the public key in the DNS record and, if you wish, to verify DKIM signatures on incoming mail. See OpenDKIM (http://opendkim.org/).

Domain-based Message Authentication, Reporting, and Conformance

DMARC is described in RFC 7489 (https://tools.ietf.org/html/rfc7489). See also OpenDMARC (https://sourceforge.net/projects/opendmarc/) at The Trusted Domain Project (http://www.trusteddomain.org/).

_dmarc.example.biz.     86400   IN      TXT     "v=DMARC1; p=quarantine"

DMARC is widely deployed. There is a DMARC Record Assistant (https://kitterman.com/dmarc/assistant.html) and other tools to help you create your own DMARC record online, as well as commercial services such as Dmarcian (https://dmarcian.com/), employed by banks and financial services among others.

Conclusion

All of the foregoing technologies are implemented with DNS records. To further secure the authenticity of your email, you might consider using X.509+DNSSEC+DANE+CAA on your domain.
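Since all three mechanisms live in TXT records, the mistakes that silently break them are record-syntax mistakes: an SPF record without a terminating "all" mechanism or with "+all", a DKIM key record whose p= tag is empty or not base64, a DMARC record where v=DMARC1 is not the first tag or p= is missing. The following checker, added here as an example and not part of the original article, parses the three record shapes shown above and reports those findings; the sample records are constructed (the DKIM p= value is just base64 of the word "placeholder", not a real key).

```python
import base64

# Constructed sample records modelled on the article's examples; not live DNS data.
SAMPLE_RECORDS = {
    "example.biz.": "v=spf1 a mx ~all",
    "default._domainkey.example.biz.": "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI=",  # p = base64("placeholder")
    "_dmarc.example.biz.": "v=DMARC1; p=quarantine",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into an ordered dict."""
    pairs = [p.strip().split("=", 1) for p in txt.split(";") if p.strip()]
    if any(len(pair) != 2 for pair in pairs):
        raise ValueError(f"malformed tag list: {txt!r}")
    return {k.strip(): v.strip() for k, v in pairs}

def check_spf(txt):
    """Return findings for an SPF record; an empty list means it looks sane."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["must start with v=spf1"]
    last = terms[-1]
    if last in ("+all", "all", "?all"):
        return [f"'{last}' lets any host pass or is neutral; use ~all or -all"]
    if last not in ("~all", "-all") and not last.startswith("redirect="):
        return ["should end with an 'all' mechanism or a redirect= modifier"]
    return []

def check_dkim(txt):
    """Return findings for a DKIM public-key record."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v tag, when present, must be DKIM1")
    try:  # an empty p tag is how a selector's key is revoked
        if not base64.b64decode(tags.get("p", ""), validate=True):
            findings.append("empty p tag: key revoked, signatures will not verify")
    except ValueError:  # binascii.Error is a ValueError subclass
        findings.append("p tag is not valid base64")
    return findings

def check_dmarc(txt):
    """Return findings for a DMARC policy record."""
    tags = parse_tags(txt)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["v=DMARC1 must be the first tag"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return ["p tag must be none, quarantine or reject"]
    return ["p=none only monitors; failing mail is still delivered"] if policy == "none" else []
```

Run each checker over the TXT value you are about to publish; all three sample records from the article come back with no findings.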