Ensuring Email Delivery (Security): SPF, DKIM, and DMARC Implementation

As part of our ongoing commitment to enhancing the security and reliability of our email communications, we support our clients in implementing industry-standard email authentication protocols, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

To help prevent email sent from the Meshed Student Management System from being classified as spam or bouncing, the Meshed IT Team recommends adding or modifying the SPF record in your DNS, publishing the DKIM key and setting a DMARC policy. Together these authorise the mail relay and help receiving servers recognise Meshed Student Management System email as legitimate rather than spam.

These authentication protocols are essential for protecting against email spoofing, phishing attacks, and unauthorized use of your domain name. By implementing SPF, DKIM, and DMARC, you can strengthen the security of your email infrastructure and safeguard your communication channels against potential threats.


Here's a brief overview of each protocol, its role in ensuring email security and how to implement it. These must be done in the sequence shown below:

Sender Policy Framework (SPF)

SPF allows domain owners to define which email servers are authorized to send emails on behalf of their domain. By publishing SPF records in your DNS settings, you can specify the IP addresses or domains of legitimate email servers that are permitted to send emails using your domain name.

We encourage our clients to add the Meshed servers to their SPF record; however, please consult your in-house Network Administrator regarding the information below.


Sample SPF Record:

"v=spf1 include:spf.protection.outlook.com ip4:9.9.9.9 ip4:54.206.26.199 ip4:54.206.6.245 ip4:52.62.31.124 -all" 


Explanation:

include:spf.protection.outlook.com = replace with the SPF include domain published by your email service provider

9.9.9.9 = replace with the IP address of your own SMTP server

54.206.26.199, 54.206.6.245, 52.62.31.124 = Meshed server IP addresses

Once the SPF record is set up correctly, you can verify it at https://mxtoolbox.com/spf.aspx.
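As an added illustration (not part of Meshed's documentation or tooling), the following Python checks an SPF record offline: it evaluates the ip4/ip6 and all mechanisms the way a receiving server would for a given sending IP, reports "unresolved" when the verdict would depend on an include term that needs DNS, and lists any of the three Meshed server IPs the record fails to authorise. The sample record is a constructed copy of the one shown above.

```python
import ipaddress

# Meshed server IP addresses quoted in the sample SPF record above
MESHED_IPS = ["54.206.26.199", "54.206.6.245", "52.62.31.124"]
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def spf_check_ip(record, ip):
    """Evaluate a sending IP against the record without DNS. ip4/ip6/all are exact;
    include:, a, mx and exists need DNS, so the result is "unresolved" if it depends on them."""
    addr = ipaddress.ip_address(ip)
    skipped = ambiguous = False               # DNS-dependent terms passed over
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            if addr not in ipaddress.ip_network(arg, strict=False):
                continue
        elif name != "all":
            skipped = True
            ambiguous = ambiguous or qualifier != "+"
            continue
        # A skipped "+include" could only have produced "pass" as well, so a
        # later matching "+ip4" is still a definite pass.
        if qualifier == "+" and not ambiguous:
            return "pass"
        return "unresolved" if skipped else RESULT[qualifier]
    return "neutral"                          # no match and no "all" term

def missing_meshed_ips(record):
    """Meshed server IPs that the record does not explicitly authorise."""
    return [ip for ip in MESHED_IPS if spf_check_ip(record, ip) != "pass"]

# Constructed copy of the sample record above, as it would be returned from DNS
SAMPLE_RECORD = ('"v=spf1 include:spf.protection.outlook.com ip4:9.9.9.9 '
                 'ip4:54.206.26.199 ip4:54.206.6.245 ip4:52.62.31.124 -all"')
```

A record whose `missing_meshed_ips` result is empty authorises all three Meshed senders; a non-empty list names the address that still needs an ip4 term.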


DomainKeys Identified Mail (DKIM)

DKIM adds a digital signature to outgoing emails, allowing recipients to verify the authenticity of the sender's domain and detect any modifications made to the email content during transit. By signing your outgoing emails with DKIM signatures, you can provide recipients with assurance that the emails originated from your domain and have not been tampered with.

Meshed servers are capable of signing outgoing emails with DKIM signatures; however, it is the client's responsibility to add the DNS records with their DNS hosting provider. Please reach out to support@meshedgroup.com.au to get the DKIM key for your respective domain.


DKIM Details: 

Type: TXT 

Name: selector(s)._domainkey.domain(d) 

Value: v=version; k=keytype; p=public key 


Explanation

Selector (s) = the selector name that, combined with the domain, locates the public key in DNS. This name or number is chosen by the sender and is included in every DKIM signature.  

Domain (d) = the domain used with the selector to locate the public key. This is the domain of your college.  

Version (v) = the version of the DKIM record. The value must be “DKIM1”.  

Key Type (k) = the key type. The default value is “rsa”, which must be supported by both signers and verifiers.  

Public Key (p) = the public key that receiving servers retrieve to verify the DKIM signature applied by the Meshed servers.  


Example:

Sample DKIM for example.edu.au domain: 

Type: TXT 

Name: s1024._domainkey.example.edu.au 

Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DABCDEFGH4GNADCBiQKBgQDnaWcEXORHLN/2Lb2ucszgvAUnD2iCPsulMPc2cZa7wOQ+3xbsDSPEd2NkTEtcEJyZUzh8eo1rvyE3U1Trf9Pkk7Xv66HK86k+aoKswzW4ix88HLZStdj1c1tohbun1KgiWVJ76uNAKhbwmXfvnxumFrYPijpt/gsTOn5p21ojFABCDEFG 
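An added example, not code from Meshed: given a DKIM-Signature header, it derives the DNS name a receiving server looks up (selector._domainkey.domain, as described above) and checks that the published TXT record has the expected v=, k= and p= tags with a base64 value that decodes to DER. The signature header and the key value are constructed stand-ins; the key is not a real RSA key.

```python
import base64

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DKIM TXT record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # drop folded whitespace in values
    return tags

def dkim_dns_name(signature_header):
    """Derive the TXT record name a verifier looks up: <selector>._domainkey.<domain>."""
    tags = parse_tags(signature_header)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature is missing its s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt_value):
    """Return the problems found in a published DKIM TXT record (empty list = looks good)."""
    tags = parse_tags(txt_value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={key_type}")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p= public key")
    elif pub == "":
        problems.append("p= is empty, which revokes the key: signatures will not verify")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
            if key_type == "rsa" and der[:1] != b"\x30":   # DER SubjectPublicKeyInfo is a SEQUENCE
                problems.append("p= does not decode to a DER-encoded RSA public key")
        except ValueError:                          # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
    return problems

# Constructed stand-ins: a DKIM-Signature header carrying the selector and domain from
# the example above, and a key value that is valid base64 DER with a SEQUENCE header
# but not a real key.
SAMPLE_KEY = base64.b64encode(b"\x30\x81\x9f" + bytes(range(159))).decode()
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.edu.au; s=s1024;"
                    " h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED")
SAMPLE_RECORD = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"
```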

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is another email authentication protocol that detects and reduces email phishing attacks while preserving email deliverability. For a message to pass DMARC, it must pass SPF authentication with alignment and/or DKIM authentication with alignment. The DMARC policy then specifies how to handle email that fails these checks, giving the domain owner control over email delivery.

DMARC builds upon SPF and DKIM by providing domain owners with greater visibility and control over email authentication practices. With DMARC policies in place, you can specify how recipient email servers should handle emails that fail SPF or DKIM checks, such as quarantining or rejecting suspicious emails. Additionally, DMARC enables you to receive reports on email authentication results, allowing you to monitor and improve your email security posture over time.

Creating a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy involves adding a DNS TXT record to your domain's DNS settings. A DMARC policy instructs receiving email servers on how to handle emails that fail SPF and DKIM authentication checks.

Here's a step-by-step guide to creating a DMARC policy:

Understand Your Email Infrastructure: Before creating a DMARC policy, it's important to understand your organization's email infrastructure, including the mail servers and services that send emails on behalf of your domain.

Define Your DMARC Policy: Determine your DMARC policy by specifying how receiving email servers should handle emails that fail SPF and DKIM checks. A DMARC policy can be set to three different modes:

  • none: Monitor mode. No action is taken on failing emails, but you receive DMARC reports.
  • quarantine: Emails that fail DMARC checks are quarantined or sent to the recipient's spam/junk folder.
  • reject: Emails that fail DMARC checks are rejected outright and not delivered to the recipient's inbox.

Create the DMARC Record: Once you've defined your DMARC policy, you can create the DMARC record as a DNS TXT record. Here's the general format of a DMARC record:

v=DMARC1; p=<policy>; rua=<mailto:aggregate_reports@example.edu.au>; ruf=<mailto:forensic_reports@example.edu.au>

  • v=DMARC1: Indicates the DMARC version.
  • p=<policy>: Specifies the DMARC policy (none, quarantine, or reject).
  • rua=<mailto:aggregate_reports@example.edu.au>: Specifies the email address(es) where aggregate DMARC reports should be sent. These reports provide information on email authentication results for your domain.
  • ruf=<mailto:forensic_reports@example.edu.au>: Specifies the email address(es) where forensic DMARC reports should be sent. These reports provide detailed information on individual email failures.

Example DMARC record:

v=DMARC1; p=reject; rua=mailto:dmarc@example.edu.au; ruf=mailto:dmarc-forensic@example.edu.au

Publish the DMARC Record:

Log in to your domain registrar or DNS hosting provider's website and navigate to the DNS management section. Add a new TXT record with the following details:

Record Type: TXT

Name/Host/Alias: _dmarc (some providers require the full name, e.g. _dmarc.example.edu.au)

Value/Answer/Destination: Enter your DMARC record (e.g., v=DMARC1; p=reject; rua=mailto:dmarc@example.edu.au; ruf=mailto:dmarc-forensic@example.edu.au)

Verify the DMARC Record: After publishing the DMARC record, you can verify its correctness using DMARC validation tools or online DMARC record checkers. Ensure that the DMARC record accurately reflects your intended DMARC policy and that it is syntactically correct.

Test and Monitor: Once the DMARC record is published, it's important to test and monitor its effectiveness. Send test emails from your domain and verify how they are handled by receiving email servers. Monitor DMARC-related logs and reports to identify any issues or misconfigurations.

Update DMARC Record as Needed: Regularly review and update your DMARC record as your email infrastructure evolves or as you receive feedback from DMARC reports. Adjust the DMARC policy, reporting addresses, or other parameters as needed to improve email authentication and deliverability.
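To show how a receiving server applies the record described above (an added example, not Meshed's or any mail server's actual code): it parses and validates the DMARC tags, then decides the disposition from the SPF and DKIM results and their alignment with the From: domain. Relaxed alignment is approximated by a subdomain check instead of the Public Suffix List.

```python
def parse_dmarc(txt_value):
    """Parse a DMARC TXT record into a tag dict and check the tags this guide uses."""
    tags = {}
    for item in txt_value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                raise ValueError(f"{tag}= entries must be mailto: URIs")
    tags.setdefault("adkim", "r")      # DMARC defaults: relaxed alignment for both
    tags.setdefault("aspf", "r")
    return tags

def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment: "s" (strict) needs an exact match; "r" (relaxed) needs the
    same organisational domain, approximated here as one name being the other or a
    subdomain of it (a production verifier uses the Public Suffix List)."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dmarc_disposition(tags, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """DMARC passes if SPF or DKIM both passed and aligned with the From: domain;
    otherwise the p= policy decides what the receiver does with the message."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]

# The example record from this guide
EXAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.edu.au; "
                  "ruf=mailto:dmarc-forensic@example.edu.au")
```

Note that a message whose SPF passes only for an unrelated domain is treated exactly like one that fails SPF: alignment with the From: domain is what DMARC checks, which is why both the SPF record and the DKIM key must be published for your own domain.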


SPF, paired with DKIM and DMARC, helps domains mitigate cyber threats and enhances email authenticity, integrity and security.