Index

https://dmarcian.com/spf-syntax-table/

DNS

types of DNS records

A     = address record, defines an IP address to return on DNS lookup
CNAME = redirects DNS lookups to records with the specified name
DKIM  = DNS record holding the public key used to verify the signature on emails sent from the domain
DMARC = DNS TXT record used to enforce email security rules for a domain using SPF and/or DKIM
MX    = mail exchange record, used to determine where to deliver incoming mail for a domain
SPF   = DNS TXT record used to verify that an email is sent from an authorized IP
TXT   = free text DNS record used for various purposes

SPF

specify SPF version at start of record
v=spf1
mechanisms for specifying authorised senders
ALL = always matches (used for rejecting all other IPs)
IP4 = specify a literal IPv4 address or CIDR range to allow mail from
IP6 = specify a literal IPv6 address or CIDR range to allow mail from
MX = use corresponding MX records
A = use corresponding A records
qualifiers
+ PASS corresponding addresses (default, may be omitted)
- FAIL corresponding addresses
? NEUTRAL, or no policy
~ SOFTFAIL, debugging only
DNS MX record
example.com.		1936	IN	MX	10         blackmail.example.com
example.com.		1936	IN	MX	10         whitemail.example.com
block all mail from domain
v=spf1 -all
allow mail from host, requires corresponding A records
v=spf1 a -all
allow mail from specific subdomain, requires A record for subdomain
v=spf1 a:sub.example.com -all
allow mail from specified IP addresses only
v=spf1 ip4:192.168.1.0 ip4:192.168.1.1 -all
allow mail from IP range 192.168.0.1 to 192.168.255.255
v=spf1 ip4:192.168.0.1/16 -all
multiple mechanisms can be specified in one record
v=spf1 a mx ip4:192.168.0.1/16 -all
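The SPF records above run through a small evaluator. This is an added example, not part of these notes or of any linked tool: the a and mx lookups are answered from a constructed in-memory table using documentation-range addresses (example.com, sub.example.com, blackmail.example.com and whitemail.example.com are placeholders), and only the mechanisms and qualifiers listed above are handled.

```python
import ipaddress

# SPF qualifiers from the notes above: "+" is the default when none is written
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS (not real records): A records per host and
# MX hostnames per domain, using documentation-range addresses.
FAKE_DNS = {
    "a": {
        "example.com": ["192.0.2.10"],
        "sub.example.com": ["198.51.100.5"],
        "blackmail.example.com": ["203.0.113.25"],
        "whitemail.example.com": ["203.0.113.26"],
    },
    "mx": {"example.com": ["blackmail.example.com", "whitemail.example.com"]},
}


def evaluate_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral for sender_ip against an SPF record.
    Only the mechanisms listed in the notes (all, ip4, ip6, a, mx) are handled;
    include/exists/ptr and redirect raise ValueError instead of silently passing."""
    ip = ipaddress.ip_address(sender_ip)
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # strict=False accepts host bits in a prefix, e.g. 192.168.0.1/16;
            # an IPv6 sender tested against an ip4 network simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # "a" or "a:host" -> the A records of that host (default: the domain)
            matched = str(ip) in dns["a"].get(arg or domain, [])
        elif name == "mx":
            # "mx" or "mx:domain" -> the A records of every MX host of that domain
            mx_hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in mx_hosts)
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:  # the first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no trailing "all"
```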
generate SPF record
https://mxtoolbox.com/SPFRecordGenerator.aspx
verify SPF
https://www.kitterman.com/spf/validate.html

DMARC

DMARC policy is published as a TXT record at the _dmarc subdomain
_dmarc.example.com
tags
adkim = Alignment mode for DKIM, default: relaxed
aspf  = Alignment mode for SPF, default: relaxed
p     = policy for main domain (required)
pct   = percentage of failing emails the policy is applied to, default: 100
rua   = URI to send aggregate reports to
ruf   = URI to send message-specific (forensic) failure reports to
sp    = policy for subdomains
v     = version (required)
available policies
none       = don't block, just report failing emails
quarantine = quarantine failing emails (spam folder)
reject     = reject failing emails (bounce emails)
available alignment modes
r = relaxed, allow partial matches (on domain)
s = strict, require exact match (on domain)
specify DMARC version at start of record
v=DMARC1
minimal DMARC record
v=DMARC1; p=none
enabling reporting only
v=DMARC1; p=none; rua=mailto:dmarc@example.com;
reject all mail that doesn't match strict domain checks
v=DMARC1; p=reject; adkim=s; aspf=s;
more involved example
v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarcr@example.com;
generate DMARC record
https://dmarcian.com/dmarc-record-wizard/
https://www.dmarcanalyzer.com/dmarc/dmarc-record-generator/
verify DMARC record
https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
specification
https://dmarc.org/resources/specification/
documentation
https://seanthegeek.net/459/demystifying-dmarc/