https://dmarcian.com/spf-syntax-table/
DNS
types of DNS records
A = address record, defines an IP address to return on DNS lookup
CNAME = redirects DNS lookups to records with the specified name
DKIM = DNS TXT record publishing the public key used to verify the DKIM signature on a domain's outgoing mail
DMARC = DNS text record used to enforce email security rules for domain using SPF and/or DKIM
MX = mail exchange record, used to determine where to deliver incoming mail for a domain
SPF = DNS TXT record used to verify that an email is sent from an authorized IP
TXT = free text DNS record used for various purposes
SPF
specify SPF version at start of record
v=spf1
mechanisms for specifying authorised senders
ALL = always matches (placed last to reject or flag all other IPs)
IP4 = specify a literal IPv4 address or CIDR range to allow mail from
IP6 = specify a literal IPv6 address or CIDR range to allow mail from
MX = use corresponding MX records
A = use corresponding A records
qualifiers
+ PASS corresponding addresses (optional)
- FAIL corresponding addresses
? NEUTRAL, or no policy
~ SOFTFAIL, debugging only
DNS MX record
example.com. 1936 IN MX 10 blackmail.example.com
example.com. 1936 IN MX 10 whitemail.example.com
block all mail from domain
v=spf1 -all
allow mail from host, requires corresponding A records
v=spf1 a -all
allow mail from specific subdomain, requires A record for subdomain
v=spf1 a:sub.example.com -all
allow mail from specified IP addresses only
v=spf1 ip4:192.168.1.0 ip4:192.168.1.1 -all
allow mail from IP range 192.168.0.1 to 192.168.255.255
v=spf1 ip4:192.168.0.1/16 -all
multiple mechanisms can be specified in one record
v=spf1 a mx ip4:192.168.0.1/16 -all
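As an added example (not part of the original notes), a small Python evaluator that applies the mechanisms and qualifiers above to a sending IP. DNS lookups are replaced by a constructed in-memory table: the MX hosts come from the example.com MX records above, the A records are made up for this example.

```python
import ipaddress

# Constructed offline stand-in for DNS lookups (not real DNS data).
DNS = {
    "A": {
        "example.com": ["192.0.2.10"],
        "sub.example.com": ["192.0.2.20"],
        "blackmail.example.com": ["198.51.100.1"],
        "whitemail.example.com": ["198.51.100.2"],
    },
    "MX": {"example.com": ["blackmail.example.com", "whitemail.example.com"]},
}

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, domain, ip, dns):
    """Return True if a single SPF mechanism matches the sending IP."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # strict=False accepts host bits in the prefix, e.g. 192.168.0.1/16.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        # "a" alone uses the domain's own A records, "a:host" uses that host's.
        return str(ip) in dns["A"].get(arg or domain, [])
    if name == "mx":
        # Resolve each MX host to its A records and match against them.
        hosts = dns["MX"].get(arg or domain, [])
        return any(str(ip) in dns["A"].get(h, []) for h in hosts)
    raise ValueError(f"unsupported mechanism: {name}")


def check_spf(record, domain, sender_ip, dns=DNS):
    """Evaluate an SPF TXT record for a sending IP. Returns the result of
    the first matching mechanism, 'neutral' if nothing matches, or
    'permerror' if the record does not start with v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        has_qual = term[0] in QUALIFIERS
        qual = term[0] if has_qual else "+"
        mech = term[1:] if has_qual else term
        if _matches(mech, domain, ip, dns):
            return QUALIFIERS[qual]
    return "neutral"
```

Note that a record ending in `-all` only rejects when every earlier mechanism fails to match, so the order of mechanisms matters.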
generate SPF record
https://mxtoolbox.com/SPFRecordGenerator.aspx
verify SPF
https://www.kitterman.com/spf/validate.html
DMARC
DMARC record is published as a TXT record at the _dmarc subdomain
_dmarc.example.com
tags
adkim = Alignment mode for DKIM, default: relaxed
aspf = Alignment mode for SPF, default: relaxed
p = policy for main domain (required)
pct = percentage of failing emails the policy is applied to, default: 100
rua = URI to send aggregate reports to
ruf = URI to send per-message (forensic) failure reports to
sp = policy for subdomains (defaults to p if omitted)
v = version (required)
available policies
none = don't block, just report failing emails
quarantine = quarantine failing emails (spam folder)
reject = reject failing emails (bounce emails)
available alignment modes
r = relaxed, allow partial matches (on domain)
s = strict, require exact match (on domain)
specify DMARC version at start of record
v=DMARC1
minimal DMARC record
v=DMARC1; p=none
enabling reporting only
v=DMARC1; p=none; rua=mailto:dmarc@example.com;
reject all mail that doesn't match strict domain checks
v=DMARC1; p=reject; adkim=s; aspf=s;
more involved example
v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarcr@example.com;
generate dmarc record
https://dmarcian.com/dmarc-record-wizard/
https://www.dmarcanalyzer.com/dmarc/dmarc-record-generator/
verify dmarc record
https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
specification
https://dmarc.org/resources/specification/
documentation
https://seanthegeek.net/459/demystifying-dmarc/