Best Practices for Configuring SPF, DKIM, and DMARC for Your Domain
I wrote this article after learning that it’s possible to spoof emails from subdomains if proper measures aren’t in place. I hadn’t realized this before and found it difficult to find clear guidance on how to fully “lock down” my domains. I hope this information helps others as well.
The problem
If you are responsible for an organization’s email system, it’s crucial to take appropriate steps to prevent outside parties from impersonating your users. The correct way to do this is to configure SPF, DKIM, and DMARC for your sending domains, which helps prevent unauthorized parties from sending emails that appear to come from your domain. While many people configure these protocols for their root domain, it’s equally important to secure subdomains, including those that are not in use. Many mail servers allow spoofing from unused subdomains if SPF and DMARC records are not explicitly set for them.
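To make the gap concrete, here is an added example (not code from this article) that audits a set of TXT records for hosts an outsider could still use in a From: address. The zone contents, `example.com` and the function names are constructed assumptions. It goes slightly beyond the text by modelling how DMARC falls back to the parent record's `sp=` tag, while SPF has no such fallback.

```python
# Constructed sample zone (name -> TXT strings); example.com is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none"],
    "mail.example.com": ["v=spf1 mx -all"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=reject"],
    "parked.example.com": ["v=spf1 -all"],
    "legacy.example.com": [],  # unused host, no email records at all
}

def spf_record(zone, name):
    """SPF record published at exactly this name, or None (no parent lookup)."""
    return next((t for t in zone.get(name, []) if t.lower().startswith("v=spf1")), None)

def dmarc_tags(zone, name):
    """Parse the DMARC record at _dmarc.<name> into a tag dict, or None."""
    for txt in zone.get("_dmarc." + name, []):
        if txt.lower().startswith("v=dmarc1"):
            pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
            return {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return None

def effective_dmarc_policy(zone, name, org_domain):
    """Policy a receiver applies to mail with From: <anything>@<name>."""
    own = dmarc_tags(zone, name)
    if own:
        return own.get("p", "none")
    org = dmarc_tags(zone, org_domain) if name != org_domain else None
    if org:
        # No record at the subdomain: the parent's sp= applies, else its p=.
        return org.get("sp", org.get("p", "none"))
    return "none"

def audit(zone, org_domain):
    """Map each host name to its findings; an empty list means locked down."""
    report = {}
    for name in (n for n in zone if not n.startswith("_dmarc.")):
        findings = []
        spf = spf_record(zone, name)
        if spf is None:
            findings.append("no SPF record")
        elif spf.split()[-1].lower() != "-all":  # redirect= is not followed here
            findings.append("SPF does not end in -all")
        policy = effective_dmarc_policy(zone, name, org_domain)
        if policy != "reject":
            findings.append("effective DMARC policy is " + policy)
        report[name] = findings
    return report
```

Calling `audit(ZONE, "example.com")` flags `parked.example.com` and `legacy.example.com` even though the root domain itself is fully locked down.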