
At UserCompute, we understand that email remains a critical communication channel for businesses. However, its widespread use makes it a prime target for cyber threats such as phishing and spoofing. Properly configured DNS records are crucial for protecting your domain and ensuring that your emails reach their intended recipients without being flagged as spam.
KEY DNS RECORDS FOR EMAIL DELIVERABILITY
- MX (Mail Exchange) Records: Direct incoming emails to your mail servers.
- SPF (Sender Policy Framework): Specifies which mail servers are permitted to send emails on behalf of your domain.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to emails, allowing recipients to verify that the email was sent by an authorised server and that its content has not been tampered with.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Provides instructions to receiving mail servers on how to handle emails that fail SPF or DKIM checks.
CONFIGURING SPF, DKIM, & DMARC
SPF Configuration:
To set up SPF, create a TXT record in your DNS settings with the following format:
For a Single Mail Provider
v=spf1 include:spf.protection.outlook.com -all
For Combining Different Mail Providers
v=spf1 include:spf.protection.outlook.com include:mailchimp.com -all
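The single-provider record indicates that only Microsoft’s mail servers are authorised to send emails on behalf of your domain; the combined record also authorises the second provider named in its additional include. Replace spf.protection.outlook.com with the appropriate domain for your email provider.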
DKIM Configuration:
For DKIM, generate a public-private key pair. The public key is published in your DNS settings as a TXT record, while the private key is configured in your email server. With Microsoft as the mail provider, the keys are published through CNAME records instead.
Ensure two (2) CNAME records are registered on your domain:
Name: selector1._domainkey.yourdomain.com
Target: selector1-yourdomain-com._domainkey.<initial>.onmicrosoft.com
Name: selector2._domainkey.yourdomain.com
Target: selector2-yourdomain-com._domainkey.<initial>.onmicrosoft.com
DMARC Configuration:
Create a TXT record for DMARC with the following format:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
GENERIC EXAMPLE
Name: _dmarc.yourdomain.com
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
MONITORING POLICY - p=none — just monitors
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
QUARANTINE/ ENFORCING POLICY - p=quarantine — sends to spam
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
REJECTING POLICY - p=reject — blocks failing messages
v=DMARC1; p=reject; rua=mailto:dmarc-failures@yourdomain.com; pct=100
Check your published records at: https://mxtoolbox.com/
The p=reject record instructs receiving mail servers to reject emails that fail SPF or DKIM checks and to send aggregate reports to the specified email address.
PREVENTING SPOOFING BEST PRACTICE
Regular Monitoring:
Regularly monitor your DMARC reports to identify unauthorised use of your domain. These reports provide insights into who is sending emails on behalf of your domain and whether they are passing SPF and DKIM checks.
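The aggregate reports sent to the rua address are XML files. The sketch below is an added example, not UserCompute's own tooling: it summarises one report per sending IP. The sample report is constructed (documentation IP addresses) and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def summarise(report_xml):
    """Per source IP, count messages by DMARC outcome."""
    # Reports are third-party input; consider defusedxml for parsing in production.
    summary = {}
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        if row is None:
            continue  # skip malformed records
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the alignment-checked results, not raw SPF/DKIM.
        passes = [row.findtext(f"policy_evaluated/{m}", "fail") == "pass" for m in ("dkim", "spf")]
        # A message passes DMARC when at least one aligned mechanism passes.
        outcome = "aligned" if all(passes) else "partial" if any(passes) else "failing"
        bucket = summary.setdefault(ip, {"aligned": 0, "partial": 0, "failing": 0})
        bucket[outcome] += count
    return summary

def failing_sources(summary):
    """IPs whose mail failed DMARC: unauthorised senders, or legitimate ones not yet in SPF/DKIM."""
    return sorted(ip for ip, b in summary.items() if b["failing"])

def pass_rate(summary):
    """Share of reported messages that passed DMARC (1.0 for an empty report)."""
    total = sum(sum(b.values()) for b in summary.values())
    passed = sum(b["aligned"] + b["partial"] for b in summary.values())
    return passed / total if total else 1.0

if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    for ip, b in sorted(s.items()):
        print(ip, b)
    print("failing:", failing_sources(s), "pass rate: %.1f%%" % (100 * pass_rate(s)))
```

Sources in the "partial" bucket pass DMARC on one mechanism only and are worth fixing before tightening the policy; real reports usually arrive as gzip or zip attachments and need decompressing first.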
Implement Strict DMARC Policies:
Start with a p=none policy to monitor email traffic without affecting delivery. Once you’re confident in your configuration, move to p=quarantine to place suspicious emails in the spam folder, and eventually to p=reject to block them entirely.
Align SPF and DKIM with DMARC:
Ensure that your SPF and DKIM configurations align with your DMARC policy. Misalignments can cause legitimate emails to be rejected or marked as spam.
Educate Users:
Educate your users about phishing and spoofing threats. Encourage them to be cautious of unsolicited emails and to verify the authenticity of suspicious messages.
By implementing and maintaining proper DNS records, UserCompute helps ensure that your emails are secure, trusted, and delivered to their intended recipients. If you need assistance with configuring or troubleshooting your DNS records, please don't hesitate to contact our support team.