Not so long ago I registered DKIM, DMARC and SPF records for my domain. This turned out to be more difficult than I expected, because I could not find the complete syntax of all these records anywhere. So, together with Yana Lynova, we collected the material. This article complements several articles from Habr (you will find the links at the end).
To add the necessary records you need access to the DNS zone of your domain. DNS stands for Domain Name System. In a company, access to DNS usually belongs to the system administrators or, failing that, the developers. For them you must write terms of reference (a technical specification) listing the exact records to add to the DNS.
So what is DKIM?
DKIM (DomainKeys Identified Mail) is a digital signature that lets the receiving server confirm that the message was signed by the sending domain and that the signed headers and body were not altered in transit. The signature is added to the service headers of the message and is invisible to the user. DKIM uses a key pair, a private key and a public key: the mail server signs all outgoing mail with the private key, and the public key is published in the DNS as a TXT record so that receivers can verify the signature.
The DKIM check is performed automatically on the receiving side. If the signature does not verify against the public key published for the signing domain and selector (or no key is found there), the message may be marked as suspicious or placed in spam, depending on the recipient's policy.
There can be several DKIM records, one per selector. For example, if you send through the Mandrill service and through Gmail at the same time, you will have two DKIM records with different selectors:
Record name | Type | Content
mandrill._domainkey.your_domain. (selector mandrill; in some control panels the name is entered without your domain, this depends solely on your hosting) | TXT | v=DKIM1; k=rsa; p=(generated public key)
google._domainkey.your_domain. (selector google) | TXT | v=DKIM1; k=rsa; p=(generated public key)
DKIM syntax
Required tags:
"v" is the DKIM version; it always takes the value v=DKIM1;
"k" is the key type; k=rsa for the RSA keys that providers hand out (RFC 8463 also defines k=ed25519, but RSA is what you will normally be given);
"p" is the base64-encoded public key. An empty p= means the key has been revoked.
Optional tags:
"t=y" is test mode. Verifiers treat a failed signature from a domain in test mode the same as unsigned mail, so use it only while tracking results and remove it afterwards;
"t=s" means the signing identity (the i= tag of the signature) must be exactly the domain of the record, so the key cannot be used for subdomains; not recommended if subdomains send mail. Several flags are combined with a colon, for example t=y:s;
"h" lists the acceptable hash algorithms, colon-separated:
h=sha256 or
h=sha1:sha256. SHA-1 was deprecated for DKIM by RFC 8301, so prefer sha256 only;
"s" is the type of service that may use the key. It accepts
s=email (e-mail) and
s=* (all services). The default is
"*";
";" separates the tags.
In addition, there used to be an optional ADSP record that told receivers what to do with unsigned mail:
Record name | Type | Content
_adsp._domainkey.your_domain. | TXT | dkim=all
where
"all" means all mail from the domain is signed, so an unsigned message is suspect;
"discardable" means all mail from the domain is signed and receivers are asked to discard unsigned messages;
"unknown" means the domain may also send unsigned mail (the default value).
UPD: ADSP (RFC 5617) was declared obsolete (historic) in 2013; DMARC, described below, took over this role.
Please note that a single string inside a TXT record is limited to 255 characters by DNS itself, and some hosting control panels limit the whole record to 255 or even 200 characters. A 2048-bit RSA public key is about 392 characters in base64 and does not fit in one string, so the value has to be broken into several quoted strings placed one after another; resolvers concatenate them back into one value. Some hosting panels do not support this at all, so contact your hosting support to find out in advance.
Some hosting providers add the quotes to all records themselves; you can ask support about this as well, or add them by analogy with the domain's other TXT records, if there are any.
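As an added example (not code from the original article), here is a small Python validator for the DKIM key record syntax listed above. It concatenates the quoted strings of a long TXT value, parses the tag=value pairs, checks the required tags, decodes p=, and warns about t=y and sha1. The sample record, the placeholder key material inside it and the 255-character splitting helper are constructed for this example; no real key is involved and nothing is looked up in DNS.

```python
import base64
import binascii
import re

# Constructed sample of a DKIM key record as it sits in a zone file. The value
# is longer than one 255-octet TXT string allows, so it is stored as two quoted
# strings that resolvers concatenate. The key material is placeholder text made
# for this example, not a real RSA key.
SAMPLE_DKIM_TXT = (
    '"v=DKIM1; k=rsa; h=sha256; t=s; p=c2FtcGxlLWtleS1ieXRl" '
    '"cy1mb3ItdGhlLWV4YW1wbGUtb25seQ=="'
)


def join_txt_strings(txt):
    """Concatenate the quoted strings of a TXT value; pass unquoted input through."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', txt)
    return "".join(parts) if parts else txt


def split_txt_strings(value, limit=255):
    """Break a long TXT value into quoted strings of at most `limit` characters."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % chunk for chunk in chunks)


def parse_tags(record):
    """Parse 'tag=value; tag=value' text; whitespace around '=' and ';' is allowed."""
    tags = {}
    for item in record.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags


def check_dkim_record(txt):
    """Validate a DKIM key record. Returns (tags, decoded key bytes, problems)."""
    tags = parse_tags(join_txt_strings(txt))
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=%s" % tags["k"])
    if "p" not in tags:
        problems.append("p= (public key) is missing")
        return tags, b"", problems
    if tags["p"] == "":
        problems.append("empty p= means the key is revoked")
        return tags, b"", problems
    try:
        # folding whitespace is allowed inside the value, strip it before decoding
        key = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
    except (binascii.Error, ValueError):
        problems.append("p= is not valid base64")
        return tags, b"", problems
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        problems.append("t=y: test mode, verifiers will not act on failed signatures")
    hashes = set(tags.get("h", "").split(":")) - {""}
    if "sha1" in hashes:
        problems.append("h= permits sha1, which RFC 8301 deprecated for DKIM")
    return tags, key, problems


if __name__ == "__main__":
    tags, key, problems = check_dkim_record(SAMPLE_DKIM_TXT)
    print(tags, len(key), problems)
    # A 2048-bit key is ~392 base64 characters: show how such a value is split.
    print(split_txt_strings("v=DKIM1; k=rsa; p=" + "A" * 392))
```

Run it against the value your provider gave you (wrapped in quotes, exactly as it will appear in the zone) before handing it to the administrator; an empty problems list and a key of plausible length means the record at least parses the way a verifier will read it.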
Check the DKIM record here.
SPF
SPF (Sender Policy Framework) is a DNS record listing the servers that are allowed to send mail for your domain. The receiving server checks the IP address of the connecting server against it; a correct SPF record reduces the chance that your mail ends up in spam.
It is important to remember that there can be only one SPF record per domain (two or more is an error, and the check fails with permerror). Within that one record there can be several mechanisms, for example if mail is sent from several ESPs (unlikely, but there is an example below). Subdomains do not inherit the record and need their own.
Example SPF record:
Record name | Type | Content
your_domain (in some hosting panels this is "@" or an empty field; when you enter the name "your_domain." it is substituted automatically) | TXT | v=spf1 +a +mx -all
SPF syntax
"v=spf1" is the SPF version, a required parameter; always spf1, no other version works;
Qualifiers are placed in front of a mechanism:
"+" is pass, accept the message (the default when no qualifier is given);
"-" is fail, reject;
"~" is softfail, a "soft" rejection: the message is accepted but marked as suspicious;
"?" is neutral, no statement is made about the sender;
Mechanisms:
"mx" includes the addresses of all servers listed in the domain's MX records;
"ip4" and "ip6" specify an IP address or a network, for example ip4:203.0.113.0/24;
"a" is the IP address in the domain's A record;
"include" includes the hosts allowed by the SPF record of the specified domain (a "pass" in the included record counts as a match; its "fail" does not reject the message by itself);
"all" matches all other servers not listed earlier in the record; it is normally the last mechanism;
"ptr" checks the PTR record of the sender's IP address (any IP whose PTR record points to the specified domain is allowed); its use is not recommended by RFC 7208;
"exists" performs an A lookup of the specified (usually macro-expanded) domain name and matches if any record comes back;
"redirect" is a modifier telling the receiver to evaluate the SPF record of the specified domain instead of the current one.
Mechanisms are evaluated left to right, and the first one that matches decides the result. RFC 7208 also limits a record to 10 DNS-querying terms (mx, a, include, exists, ptr, redirect) in total, counting those inside included records; beyond that the check fails with permerror, so count your includes.
Since there must be only one record, all the servers you send mail through have to be listed in that record, usually via include.
An example of an SPF record if you use the Mandrill service and send e-mail via Gmail at the same time (several mechanisms within one SPF record, as mentioned above):
Record name | Type | Content
your_domain | TXT | v=spf1 include:_spf.google.com include:spf.mandrillapp.com -all
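As an added example (not from the original article), the evaluator below shows how a receiver walks an SPF record: qualifiers, a/mx/ip4/ip6/include/all/redirect, the first-match rule, the "no record" and "two records" cases, and the 10-lookup limit that a chain of includes can exceed. DNS is replaced by a constructed in-memory table (the names example.test, mailer.test and loop.test and all addresses are made up; ptr, exists, macros and the a/mx prefix-length forms are not modelled), so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the check runs offline: TXT holds the SPF
# record, A and MX hold addresses. Names and addresses are made up for this
# example (documentation ranges from RFC 5737 and RFC 3849).
FAKE_DNS = {
    "example.test": {
        "TXT": ["v=spf1 +a +mx include:_spf.mailer.test -all"],
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.test"],
    },
    "mx1.example.test": {"A": ["198.51.100.25"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"]},
    "sub.example.test": {"TXT": []},                          # subdomain without its own record
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},  # include pointing at itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def spf_records(domain, dns):
    return [r for r in dns.get(domain, {}).get("TXT", []) if r.split()[:1] == ["v=spf1"]]


def check_spf(ip, domain, dns, counter=None):
    """Evaluate domain's SPF record for the sending IP. counter tracks DNS-querying terms."""
    counter = counter if counter is not None else [0]
    records = spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:               # two SPF records are an error, not a union
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:                # other modifiers (exp=) do not affect the result
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):     # a v4 address never falls inside a v6 network
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        # everything below needs a DNS query and counts towards the limit
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            return "permerror"
        target = arg or domain
        if name == "include":
            inner = check_spf(ip, target, dns, counter)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "permerror":
                return "permerror"
            continue                   # fail/softfail/neutral/none inside include: no match
        if name == "a":
            hosts = dns.get(target, {}).get("A", [])
        elif name == "mx":
            hosts = [a for mx in dns.get(target, {}).get("MX", [])
                     for a in dns.get(mx, {}).get("A", [])]
        else:                          # exists and ptr are not modelled offline
            return "permerror"
        if any(addr == ipaddress.ip_address(h) for h in hosts):
            return QUALIFIERS[qualifier]
    if redirect is not None:
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            return "permerror"
        return check_spf(ip, redirect, dns, counter)
    return "neutral"                   # nothing matched and no "all" term


def lookups_used(domain, dns, ip="192.0.2.1"):
    """How many DNS-querying terms a full evaluation of the record costs."""
    counter = [0]
    check_spf(ip, domain, dns, counter)
    return counter[0]


if __name__ == "__main__":
    for sender in ("198.51.100.10", "203.0.113.7", "192.0.2.1"):
        print(sender, check_spf(sender, "example.test", FAKE_DNS))
    print("lookups:", lookups_used("example.test", FAKE_DNS))
    print("loop:", check_spf("192.0.2.1", "loop.test", FAKE_DNS))
```

The point to take from the loop.test entry is that a chain of includes (your provider's record including another provider's, and so on) silently eats the same budget as your own mechanisms, and once it is exceeded the whole record returns permerror rather than fail, so receivers stop trusting it at all.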
Check the SPF record here.
DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS policy record that tells the receiving server what to do with a message that fails authentication and where to send reports. DMARC builds on DKIM and SPF: a message passes DMARC if at least one of the two checks passes and the domain that check authenticated (the DKIM d= domain, or the SPF envelope-sender domain) is aligned with the domain in the visible From: header. If neither check passes, or the ones that pass are not aligned with From:, the message fails DMARC and the published policy is applied. This alignment requirement is what stops a spoofer from passing SPF and DKIM for their own domain while showing your domain in From:. Add the DMARC record only after SPF and DKIM are configured, and start with p=none and reports before moving to quarantine or reject.
An example of a DMARC record (it does not matter which services you send through):
Record name | Type | Content
_dmarc.your_domain. | TXT | v=DMARC1; p=reject; sp=reject; ruf=mailto:postmaster@your.tld; fo=1
DMARC syntax
"v" is the version; it always takes the value
"v=DMARC1" (required, and must be the first tag);
"p" is the policy for the domain (required). It can take the values
"none",
"quarantine" and
"reject", where
p=none applies no policy and only collects reports;
p=quarantine asks the receiver to put the message in spam;
p=reject asks the receiver to reject the message.
The
"sp" tag is the policy for subdomains and takes the same values as
"p"; if it is omitted, subdomains inherit "p".
"adkim" and
"aspf" set how strictly the DKIM and SPF domains must match the From: domain and take the values
"r" and
"s", where
"r" is
"relaxed" (the organizational domain must match, so subdomains are accepted; this is the default) and
"s" is
"strict" (exact match).
"pct" is the percentage of failing messages to which the policy is applied, for example
"pct=20" applies it to 20% of them; the rest are treated with the next weaker policy (quarantine instead of reject, none instead of quarantine).
"rua" is the address for aggregate reports (usually daily), for example
"rua=mailto:postmaster@your.tld"; several addresses are separated by a comma (
"rua=mailto:postmaster@your.tld,mailto:dmarc@your.tld").
"ruf" is the address for failure (forensic) reports about individual messages that did not pass DMARC; not every receiver sends them.
The
"fo" tag controls when a failure report is generated.
"fo=0" (the default) sends a report only if neither SPF nor DKIM produced an aligned pass;
"fo=1" sends a report if either SPF or DKIM failed to produce an aligned pass;
"fo=d" sends a report if the DKIM signature failed to verify, regardless of alignment;
"fo=s" sends a report if SPF failed, regardless of alignment.
Several values are combined with a colon, for example fo=1:d:s.
One DMARC record can cover both the domain and its subdomains, since the action for subdomains is set explicitly with
the sp tag. If a subdomain needs its own policy, create a separate record with the name
"_dmarc.your_subdomain.your_domain."; receivers look for the subdomain's record first and fall back to the organizational domain's record if there is none.
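As an added example (not code from the original article), here is a Python sketch of how a receiver applies the DMARC record described above: it parses the tags with their RFC 7489 defaults (sp inherits p, adkim and aspf default to relaxed, pct to 100, comma-separated rua/ruf), and then decides pass/fail from the SPF and DKIM results using the alignment rules. The sample record for the page's placeholder domain your.tld and the four scenarios are constructed; the organizational-domain helper is simplified to the last two labels (real verifiers use the Public Suffix List), which is an assumption of this example.

```python
# Constructed sample record for the page's placeholder domain your.tld, with
# two aggregate-report addresses (comma-separated, as RFC 7489 requires).
SAMPLE_DMARC = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                "rua=mailto:postmaster@your.tld,mailto:dmarc@your.tld; fo=1")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a policy dict, filling in RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("v=DMARC1 and a valid p= are required")
    return {
        "p": tags["p"],
        "sp": tags.get("sp", tags["p"]),        # subdomains inherit p unless sp is set
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        "ruf": [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()],
        "fo": tags.get("fo", "0").split(":"),
    }


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Assumption of this
    example: real verifiers consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): identical domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(policy, record_domain, from_domain,
                  spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (passed, action). A check only counts if it passed AND its domain is
    aligned with From:. record_domain is the domain the policy was published for;
    a different From: domain is a subdomain and gets sp instead of p."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return False, policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_DMARC)
    # ESP sends with its own bounce domain (SPF not aligned) but signs with your key
    print(dmarc_verdict(policy, "your.tld", "your.tld",
                        "bounces.mailer.test", "pass", "your.tld", "pass"))
    # Spoofer passes SPF and DKIM for attacker.test while showing your.tld in From:
    print(dmarc_verdict(policy, "your.tld", "your.tld",
                        "attacker.test", "pass", "attacker.test", "pass"))
    # Subdomain From: with a strict adkim and a key for the parent domain
    print(dmarc_verdict(policy, "your.tld", "news.your.tld",
                        "news.your.tld", "fail", "your.tld", "pass"))
```

The second scenario is the one DMARC exists for: both SPF and DKIM "pass", yet the message is rejected because neither passing domain is the one the user sees. The third shows the cost of adkim=s: a DKIM key published at your.tld no longer covers news.your.tld, so either sign with a key under the subdomain or keep relaxed alignment.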
Check the DMARC record here.
I hope that this article has helped you understand the syntax of these records, and that you can now easily write the terms of reference for the system administrator or developer who will add them to the DNS.
Materials used and publications:
"SPF record: checking the validity of the sender"
"DKIM is easy"
"DomainKeys Identified Mail"
"Setting up DKIM / SPF / DMARC records, or defending against spoofing"
"DKIM, SPF and PTR: how to set up mail to avoid spam"
"Configuring SPF, DKIM, DMARC, FBL"