Email Security

We all know spam is a problem… especially when spammers use your email address to fake the “from” address in their spam emails. There are several tools to combat this problem.

  • Send Policy Framework (SPF) – A setting you can make in your DNS records to specify which servers are authorized to send mail on your behalf.
  • Domain Keys Identified Mail (DKIM) – A mail host-dependent feature which adds a signature to your outgoing mail, and goes along with a setting in your DNS records so that receivers can verify that an email is legitimate and that it has not been modified in transit.
  • Domain Message Authentication Reporting & Conformance (DMARC) – Tells receivers what to do with unauthorized emails, as well as provides reports on email failures.


Sample SPF records:

v=spf1 -all

spf2.0/pra a mx ptr -all

The all setting is an important aspect of the record and has the following basic markers:

  • -all – Any server not previously listed is not authorized to send email, no questions asked.
  • ~all – If mail is received from a server that is not previously listed, it is marked as a soft fail, which allows the email to be scrutinized further.
  • +all – Allow any server to send email from your domain. Naturally, you should never use this option.

SPF Checker




Good article: Demystifying the DMARC Record

Another good one: Quick Start Guide

Check DMARC record: Proofpoint DMARC Check

Sample DMARC record: v=DMARC1; p=none;