Best Practices for Configuring SPF, DKIM, and DMARC for Your Domain
I wrote this article after learning that it’s possible to spoof emails from subdomains if proper measures aren’t in place. I hadn’t realized this before and found it difficult to find clear guidance on how to fully “lock down” my domains. I hope this information helps others as well.
The problem
When you are responsible for an organization’s email system, it is crucial to take appropriate steps to prevent outsiders from impersonating your users. The correct way to do this is to configure SPF, DKIM, and DMARC for your sending domains, which prevents unauthorized parties from sending email that appears to come from your domain. While many people configure these protocols for their root domain, it is equally important to secure subdomains, including those that are not in use. Many mail servers allow spoofing from unused subdomains if SPF and DMARC records are not explicitly set for them.
Now, let’s dive into securing your domain.
Standard Setup
When configuring your domain for sending mail, your mail service provider will give you valid SPF and DKIM settings. Here is an example using Fastmail’s settings.
SPF
site.com. TXT "v=spf1 include:spf.messagingengine.com -all"
DKIM
fm1._domainkey.site.com. TXT "v=DKIM1; k=rsa; p=???"
DMARC
_dmarc.site.com. TXT "v=DMARC1; p=reject; sp=reject;"
With this configuration, the majority of mail servers should reject emails that claim to be from site.com unless they are sent by your authorized mail server provider. However, some mail servers may still accept emails from subdomains like anythingelse.site.com because no SPF record exists for that subdomain.
Further Locking Down Your Domain
To prevent this, you should add a wildcard DNS TXT record that ensures SPF checks always fail for subdomains. Additionally, while not strictly necessary, adding a wildcard DKIM record can provide further protection.
Wildcard SPF and DKIM Records
*.site.com. TXT "v=spf1 -all"
*._domainkey.site.com. TXT "v=spf1 -all"
Make sure that your DMARC policy includes sp=reject, the subdomain policy tag, so that receiving servers apply the reject policy to mail from subdomains as well as from the root domain.
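As an added illustration that is not part of the original article: a small offline Python model of how a receiving server resolves the records above for a spoofed subdomain, showing why the plain setup yields SPF "none" while the wildcard turns it into "fail", why *.site.com does not cover DKIM selectors under _domainkey, and how sp= in the root DMARC record still governs the subdomain. The zone data mirrors the page's site.com records; PROVIDER_IPS and the sender addresses are constructed stand-ins.

```python
"""Offline model of how a receiving MTA resolves SPF and DMARC for a subdomain.
Zone data mirrors the page's site.com records; PROVIDER_IPS is a constructed stand-in."""

ZONE_BEFORE = {  # the "Standard Setup" records, no wildcard yet
    "site.com.": "v=spf1 include:spf.messagingengine.com -all",
    "fm1._domainkey.site.com.": "v=DKIM1; k=rsa; p=PUBLIC_KEY_PLACEHOLDER",
    "_dmarc.site.com.": "v=DMARC1; p=reject; sp=reject;",
}
ZONE_AFTER = dict(ZONE_BEFORE, **{"*.site.com.": "v=spf1 -all"})  # with wildcard SPF
PROVIDER_IPS = {"spf.messagingengine.com": {"203.0.113.10"}}  # constructed, not real ranges

def lookup_txt(zone, name):
    """TXT lookup with RFC 4592 wildcard semantics: exact name first, else the wildcard
    below the closest existing ancestor (an existing _domainkey.site.com blocks *.site.com)."""
    name = name.rstrip(".") + "."
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if any(n == ancestor or n.endswith("." + ancestor) for n in zone if not n.startswith("*.")):
            return zone.get("*." + ancestor)
    return None

def spf_result(zone, mail_from_domain, sender_ip):
    """Minimal SPF check: only include: (resolved via PROVIDER_IPS) and the all mechanism."""
    record = lookup_txt(zone, mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # nothing published, so a receiver has nothing to fail on
    for term in record.split()[1:]:
        if term.startswith("include:") and sender_ip in PROVIDER_IPS.get(term[8:], ()):
            return "pass"
        if term.lstrip("+-~?") == "all":
            return {"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(term, "pass")
    return "neutral"

def dmarc_policy(zone, from_domain, org_domain):
    """Policy applied to the From: domain (RFC 7489 section 6.6.3): its own DMARC record if
    present, otherwise the organizational domain's record, where sp= governs subdomains."""
    def tags(rec):
        return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    own = lookup_txt(zone, "_dmarc." + from_domain)
    if own and own.startswith("v=DMARC1"):  # a wildcard TXT like "v=spf1 -all" is discarded
        return tags(own).get("p", "none")
    if from_domain == org_domain:
        return "none"
    org = lookup_txt(zone, "_dmarc." + org_domain)
    if not (org and org.startswith("v=DMARC1")):
        return "none"
    return tags(org).get("sp", tags(org).get("p", "none"))
```

Run the three functions against ZONE_BEFORE and ZONE_AFTER for anythingelse.site.com to compare the outcomes; a selector lookup such as sel._domainkey.site.com returns nothing in either zone, which is why the separate *._domainkey wildcard is listed above.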
SPF/DKIM/DMARC for Parked Domains or Domains Without Mail
Always ensure that you publish SPF, DKIM and DMARC records for the domains you own, even if you are not using them for mail and have no plans to.
site.com. TXT "v=spf1 -all"
*.site.com. TXT "v=spf1 -all"
*._domainkey.site.com. TXT "v=spf1 -all"
_dmarc.site.com. TXT "v=DMARC1; p=reject; sp=reject;"
Resources
- Anti-spoofing for custom domains by ProtonMail
- DMARC Record Generator