types of DNS records

A     = address record, defines an IP address to return on DNS lookup
CNAME = redirects DNS lookups to records with the specified name
DKIM  = DNS record used to verify that emails are sent with specified signature
DMARC = DNS text record used to enforce email security rules for domain using SPF and/or DKIM
MX    = mail exchange record, used to determine where to deliver incoming mail for a domain
SPF   = DNS TXT record used to verify that an email is sent from an authorized IP
TXT   = free text DNS record used for various purposes


specify SPF version at start of record
mechanisms for specifying authorised senders
ALL = always matches (used for rejecting all other IPs)
IP4 = specify literal IPv4 address to allow mail from
IP6 = specify literal IPv6 address to allow mail from
MX = use corresponding MX records
A = use corresponding A records
+ PASS corresponding addresses (optional)
- FAIL corresponding addresses
? NEUTRAL, or no policy
~ SOFTFAIL, debugging only
DNS MX record		1936	IN	MX	10		1936	IN	MX	10
block all mail from domain
v=spf1 -all
allow mail from host, requires corresponding A records
v=spf1 a -all
allow mail from specific subdomain, requires A record for subdomain
v=spf1 -all
allow mail from specified IP addresses only
v=spf1 ip4: ip4: -all
allow mail from IP range to
v=spf1 ip4: -all
multiple mechanisms can be specified in one record
v=spf1 a mx ip4: -all
generate SPF record
verify SPF
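
added example (not part of the original notes): a small evaluator showing how the qualifiers and mechanisms above combine, terms are checked left to right and the first match decides the result. The sample record uses constructed documentation addresses, and a_hosts / mx_hosts are assumed inputs standing in for the domain's resolved A and MX addresses.

```python
import ipaddress

# qualifier prefixes from the list above; "+" is implied when omitted
QUALIFIERS = {"+": "pass", "-": "fail", "?": "neutral", "~": "softfail"}

# constructed sample record (documentation address ranges, not from the page)
SAMPLE = "v=spf1 a mx ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_sender(record, sender_ip, a_hosts=(), mx_hosts=()):
    """Return the SPF result for sender_ip; the first matching term wins.

    a_hosts / mx_hosts are assumed inputs: the addresses the domain's A and
    MX records resolve to, supplied by the caller so no DNS lookup is made.
    """
    ip = ipaddress.ip_address(sender_ip)
    resolved = {"a": a_hosts, "mx": mx_hosts}
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = net.version == int(name[2]) and ip in net
        elif name in resolved and not value:
            matched = ip in {ipaddress.ip_address(h) for h in resolved[name]}
        else:
            raise ValueError("term not covered by this example: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

a record without a trailing all term falls through to neutral for unlisted senders, which is why the examples above end in -all.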


DMARC subdomain of DNS record
adkim = Alignment mode for DKIM, default: relaxed
aspf  = Alignment mode for SPF, default: relaxed
p     = policy for main domain (required)
pct   = percentage of bad emails to apply policy on, default: 100
rua   = URI to send aggregate reports
ruf   = URI to send message specific reporting
sp    = email subdomain policy
v     = version (required)
available policies
none       = don't block, just report failing emails
quarantine = quarantine failing emails (spam folder)
reject     = reject failing emails (bounce emails)
available alignment modes
r = relaxed, allow partial matches (on domain)
s = strict, require exact match (on domain)
specify DMARC version at start of record
minimal DMARC record
v=DMARC1; p=none
enabling reporting only
v=DMARC1; p=none;;
reject all mail that doesn't match strict domain checks
v=DMARC1; p=reject; adkim=s; aspf=s;
more involved example
v=DMARC1; p=quarantine; sp=reject; pct=100;;
generate dmarc record
verify dmarc record