DKIM, SPF, DMARC Generator

Best Practices for DKIM, SPF, and DMARC Records

To improve the deliverability of your emails and reduce the chance of them being marked as spam, it’s important to configure DKIM, SPF, and DMARC records properly.

DKIM (DomainKeys Identified Mail)

  • Purpose: Authenticates the email sender using cryptographic keys to prevent email spoofing.
  • What to Enter:
    • Selector: A unique identifier for the DKIM key. Usually a simple string like selector1.
    • Domain: The domain name the emails are being sent from, like example.com.
  • Adding to DNS:
    • Host/Name: The selector followed by ._domainkey., and then the domain (e.g., selector1._domainkey.example.com).
    • Value: The public key formatted as v=DKIM1; k=rsa; p=[public_key].

SPF (Sender Policy Framework)

  • Purpose: Authorizes specific IP addresses or hosts to send emails on behalf of your domain.
  • What to Enter:
    • SPF Mechanism: IP addresses, domains, or includes that identify authorized email senders (e.g., ip4:203.0.113.0/24 or include:anotherdomain.com).
  • Adding to DNS:
    • Host/Name: Usually @ to apply to the entire domain.
    • Value: The SPF record formatted as:
      v=spf1 ip4:192.0.2.24 include:mailchimp.com include:_spf.google.com -all

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Purpose: Sets a policy for how emails that fail DKIM/SPF should be treated.

  • What to Enter:

    • Policy (p): Specifies the action for emails that fail authentication, such as none, quarantine, or reject.
    • Alignment Modes:
      • DKIM Alignment (adkim): s for strict or r for relaxed alignment of DKIM signatures.
      • SPF Alignment (aspf): s for strict or r for relaxed alignment of SPF checks.
    • Reporting Address (rua): An email address to receive aggregate DMARC reports. The email should be prefixed with mailto: and typically uses a reports@ address for the domain.
  • Adding to DNS:

    • Host/Name: _dmarc. followed by the domain (e.g., _dmarc.example.com).
    • Value: The DMARC record formatted as:
      v=DMARC1; p=[policy]; adkim=[adkim]; aspf=[aspf]; rua=mailto:[reports@example.com]

Additional Information

  • Policy Settings:

    • p=none only monitors failing emails without taking any action.
    • p=quarantine marks failing emails as suspicious.
    • p=reject prevents failing emails from reaching the recipient’s inbox.
  • Alignment Modes:

    • adkim=s: Strict alignment for DKIM requires the signing domain to match the From domain.
    • aspf=s: Strict alignment for SPF requires the Return-Path domain to match the From domain.
  • Reporting Address (rua):

    • Use a dedicated email address for receiving reports to avoid flooding your main inbox.

Guidelines for Implementation

  1. DKIM Key Management: Keep private keys secure, and rotate keys periodically.
  2. SPF Inclusiveness: Include all authorized email sources. Use -all for strict enforcement or ~all for soft enforcement.
  3. DMARC Policy Testing: Start with p=none to monitor the impact, and then adjust to quarantine or reject as needed.

Add these records to your DNS provider’s control panel under the appropriate TXT record type for each specification.
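
Before publishing, the TXT values can be checked against the formats and guidelines above. The following Python linter is an added example, not code from this page or its generator; it flags the mistakes that most often break these records. Assumptions: the function names are hypothetical, the 10-lookup limit comes from RFC 7208 rather than this page, and lookups are counted only for terms written in the record itself (nested includes are not resolved).

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT value (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip(): value.strip() for key, value in pairs}

def lint_dkim(record):
    """Problems in a DKIM key record of the form v=DKIM1; k=rsa; p=<key>."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DKIM1":
        problems.append("v must be DKIM1")
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tags.get("p", "")):
        problems.append("p must hold the base64 public key")
    return problems

def lint_spf(record):
    """Problems in an SPF record; lookups are counted for this record only."""
    terms, problems = record.split(), []
    if not terms or terms[0] != "v=spf1":
        problems.append("must start with v=spf1")
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("must end with -all or ~all")
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
    if sum(name in LOOKUP_TERMS for name in names) > 10:
        problems.append("more than 10 DNS-lookup terms")
    return problems

def lint_dmarc(record):
    """Problems in a DMARC record, using the tags described on this page."""
    tags, problems = parse_tags(record), []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):  # r (relaxed) is the default
            problems.append(f"{tag} must be r or s")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.startswith("mailto:"):
            problems.append(f"rua {uri} lacks mailto: prefix")
    return problems

if __name__ == "__main__":  # constructed sample values, not real records
    print(lint_spf("v=spf1 ip4:192.0.2.24 include:_spf.google.com -all"))
    print(lint_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s; rua=reports@example.com"))
```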