Email Authentication

DNS Email Security

SPF, DKIM, and DMARC are DNS-based email authentication standards that prevent spoofing, phishing, and unauthorized use of your domain in email.

The Three Pillars

Email Authentication Standards

Each standard addresses a different aspect of email identity verification

SPF

Sender Policy Framework

How SPF Works

When a receiving mail server gets a message, it looks up the SPF record for the domain in the message's envelope-from (Return-Path) address, then checks whether the connecting server's IP is authorized by that record.

  • Email arrives: Return-Path: user@thedns.guru
  • Server queries DNS: TXT record for thedns.guru
  • IP check: Is 203.0.113.42 in the SPF record?
  • Result: PASS / FAIL / SOFTFAIL / NEUTRAL

SPF Mechanisms

  • ip4 / ip6 mechanism: Authorize specific IP addresses or CIDR ranges
  • include mechanism: Include another domain's SPF policy (e.g., Google Workspace)
  • a mechanism: Authorize the domain's A record IP
  • mx mechanism: Authorize the domain's MX record IPs
  • redirect= modifier: Use another domain's SPF record entirely

; SPF Record Examples

; Basic: authorize your mail server IP
thedns.guru. TXT "v=spf1 ip4:203.0.113.42 ~all"

; Include third-party senders (GSuite, Mailchimp)
thedns.guru. TXT "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"

; Strict: only listed IPs, hard fail everything else
thedns.guru. TXT "v=spf1 ip4:203.0.113.0/24 -all"

; SPF Qualifiers:
; +all = PASS (default, rarely used)
; ~all = SOFTFAIL (deliver but mark)
; -all = FAIL (reject)
; ?all = NEUTRAL

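To see how a receiver actually walks a record like the ones above, here is an added example (not code from the page or from any mail server) of a simplified RFC 7208 check_host() that resolves ip4/ip6, a, mx, include and redirect terms, honours the qualifiers, and enforces the 10-lookup limit. It runs against a constructed in-memory DNS table (assumed data) instead of live DNS, and the domain names and addresses in it are placeholders.

```python
import ipaddress

# Constructed DNS snapshot standing in for live lookups (assumed data, not real records).
DNS = {
    ("thedns.guru", "TXT"): ["v=spf1 ip4:203.0.113.42 mx include:_spf.esp.invalid ~all"],
    ("_spf.esp.invalid", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("thedns.guru", "MX"): ["mail.thedns.guru"],
    ("mail.thedns.guru", "A"): ["203.0.113.43"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, budget=None):
    """Simplified RFC 7208 check_host(): SPF result for a connecting ip and a Return-Path domain."""
    budget = [10] if budget is None else budget  # shared count of DNS-querying terms
    recs = [r for r in DNS.get((domain, "TXT"), []) if r.startswith("v=spf1 ")]
    if len(recs) != 1:  # no record, or more than one, is not a usable policy
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in recs[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        hit = False
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)  # v4/v6 mismatch is False
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # more than 10 DNS-querying terms: the record is unusable
            target = arg or domain
            if name == "include":
                hit = check_spf(ip, target, budget) == "pass"
            else:
                hosts = [target] if name == "a" else DNS.get((target, "MX"), [])
                hit = any(addr == ipaddress.ip_address(a) for h in hosts for a in DNS.get((h, "A"), []))
        if hit:
            return QUALIFIERS[qual]
    if redirect is not None:
        budget[0] -= 1
        return check_spf(ip, redirect, budget) if budget[0] >= 0 else "permerror"
    return "neutral"  # no mechanism matched and no "all" term
```

Macros, exp=, and the per-mechanism MX/PTR limits are left out; the point is that a softfail only arises because the record's own ~all says so, and that every include, a and mx term spends lookup budget.
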
DKIM

DomainKeys Identified Mail

; DKIM Public Key record (selector: mail)
; Name: mail._domainkey.thedns.guru
mail._domainkey.thedns.guru. TXT ( "v=DKIM1; k=rsa; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"
    "KBgQC3W3xKoHSLz1EXAMPLE+KEY+DATA=="
    "IDAQAB" )

; Multiple selectors for key rotation
; selector1._domainkey.thedns.guru (active)
; selector2._domainkey.thedns.guru (standby)

How DKIM Works

Your mail server signs outbound messages with a private key. The corresponding public key is published as a DNS TXT record. Receiving servers retrieve the public key and verify the signature.

Key Generation

Generate an RSA 2048-bit (minimum) or Ed25519 key pair.

Sign Outbound

The mail server adds a DKIM-Signature header to every message.

Publish Public Key

The public key is published as a TXT record at selector._domainkey.yourdomain.

Recipient Verifies

The receiving server retrieves the key and verifies the signature over the signed headers and body.

DMARC

Domain-based Message Authentication, Reporting & Conformance

DMARC Tag Reference

  • v= (required): Version. Must be DMARC1
  • p= (required): Policy to apply: none | quarantine | reject
  • sp=: Subdomain policy (inherits p if omitted)
  • pct=: Percentage of messages to apply the policy to (1-100)
  • rua=: Aggregate report recipients (mailto: URIs)
  • ruf=: Forensic/failure report recipients
  • adkim=: DKIM alignment: r (relaxed) | s (strict)
  • aspf=: SPF alignment: r (relaxed) | s (strict)
  • fo=: Failure reporting options: 0 | 1 | d | s
  • ri=: Reporting interval in seconds (default: 86400)

; DMARC Record
; Name: _dmarc.thedns.guru

; Start with monitoring (p=none)
_dmarc.thedns.guru. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@thedns.guru; ruf=mailto:dmarc-failures@thedns.guru; fo=1"

; Quarantine: failed mail goes to spam
_dmarc.thedns.guru. TXT "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@thedns.guru"

; Enforcement: reject unauthenticated mail
_dmarc.thedns.guru. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@thedns.guru; adkim=s; aspf=s"

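The tags above only matter through the decision a receiver makes with them. This added example (not code from the page) parses a record such as the three above and computes the DMARC result and disposition for one message from the SPF and DKIM outcomes, applying adkim/aspf alignment, the sp= subdomain policy and the pct= sampling. It assumes the record passed in is the organizational domain's _dmarc record and uses a two-label public-suffix rule (a real implementation consults the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into tags with defaults; returns {} if it is not a valid DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {}
    for key, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100"), ("sp", tags["p"])):
        tags.setdefault(key, default)
    return tags

def org_domain(domain):
    # Organizational domain; assumes a two-label public suffix, real code consults the PSL.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, draw=0.0):
    """Return (dmarc_result, disposition) for one message.

    record: the organizational domain's _dmarc TXT; spf_domain: Return-Path domain;
    dkim_domain: d= of a signature that verified (None if none did);
    draw: a value in [0, 1) standing in for the receiver's random sample against pct=.
    """
    tags = parse_dmarc(record)
    if not tags:
        return ("none", "none")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_sub = org_domain(from_domain) != from_domain.lower()
    policy = tags["sp"] if is_sub else tags["p"]
    if draw * 100 >= int(tags["pct"]):
        # Outside the pct= sample: apply the next weaker policy (reject -> quarantine -> none).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return ("fail", policy)
```

Note what the strict record implies: SPF passing for a Return-Path of bounce.thedns.guru no longer rescues a From: of thedns.guru, so aspf=s should only be set once the bounce domain is also DKIM-signed with d=thedns.guru.
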
Transport Security

MTA-STS & TLS Reporting

MTA-STS (RFC 8461) forces TLS for email transport to your mail servers, preventing downgrade attacks and opportunistic interception.

SMTP TLS Reporting (RFC 8460) provides visibility into TLS negotiation failures, helping you detect misconfigurations and attacks.

Together they form the final layer of email security: once your messages are authenticated (SPF/DKIM/DMARC), MTA-STS ensures that mail to your domain is delivered over verified TLS rather than falling back to cleartext.

; MTA-STS Policy Record
_mta-sts.thedns.guru. TXT "v=STSv1; id=20240412001"

; Policy file hosted at:
; https://mta-sts.thedns.guru/.well-known/mta-sts.txt
; Content:
version: STSv1
mode: enforce
mx: mail.thedns.guru
max_age: 604800

; TLS Reporting
_smtp._tls.thedns.guru. TXT "v=TLSRPTv1; rua=mailto:tlsreport@thedns.guru"

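What the policy file above buys you is decided on the sending side. This added example (not code from the page or from any MTA) parses an mta-sts.txt body, validates the fields RFC 8461 requires, matches an MX hostname against the policy's mx patterns (including the single-label wildcard form), and shows the enforce/testing difference; the hostnames and the tls_ok flag are assumptions standing in for the sender's real DNS and certificate checks.

```python
def parse_mta_sts_policy(text):
    """Parse the mta-sts.txt body (key: value lines) and validate the fields RFC 8461 requires."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat, one host or pattern per line
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or unsupported MTA-STS policy")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx")
    policy["max_age"] = int(policy.get("max_age", "0"))  # seconds the sender may cache the policy
    return policy


def mx_matches(pattern, host):
    """An mx pattern of the form *.example.com matches exactly one extra label on the left."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def may_deliver(policy, mx_host, tls_ok):
    """Sending-side decision: enforce refuses delivery to an unlisted MX or without validated TLS."""
    ok = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if policy["mode"] == "enforce":
        return ok
    return True  # testing/none: deliver anyway; a testing-mode failure is only reported via TLS-RPT
```

Start in mode: testing with TLS-RPT configured, and only switch to enforce once the reports show no legitimate senders failing the MX or certificate check.
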
Implementation Guide

Deployment Roadmap

A phased approach to full email authentication — from zero to p=reject

Phase 1

Inventory & SPF

  • Identify all mail-sending systems (ESP, CRM, app servers)
  • Create SPF record with ~all (softfail) initially
  • Publish SPF TXT record at your apex domain
  • Test with: dig thedns.guru TXT

Phase 2

DKIM Setup

  • Generate RSA 2048-bit key pair per sending domain/service
  • Publish public key as TXT record at selector._domainkey
  • Configure mail server/ESP to sign outbound messages
  • Verify signing with: dig mail._domainkey.thedns.guru TXT

Phase 3

DMARC Monitoring

  • Publish DMARC record with p=none to begin
  • Set rua to collect aggregate XML reports
  • Analyze reports for 2-4 weeks to identify all senders
  • Ensure SPF and DKIM pass for all legitimate mail

Phase 4

DMARC Enforcement

  • Move to p=quarantine with pct=10, increase gradually
  • Once confident, move to p=reject
  • Consider BIMI for brand logo in email clients
  • Add MTA-STS and TLS-RPT for transport security

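Phase 3 turns on the rua= aggregate reports; the decision to tighten p= in Phase 4 rests on reading them. This added example (not from the page) parses a constructed, trimmed aggregate report and tallies, per source IP, how much mail passed DMARC, how much failed both checks, and how much passed on only one identifier. The report content and IPs are made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report, trimmed to the elements the summary reads.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.invalid</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>thedns.guru</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.42</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>thedns.guru</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>thedns.guru</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>thedns.guru</header_from></identifiers>
  </record>
</feedback>"""


def summarize(xml_text):
    """Per source IP: messages that passed DMARC (SPF or DKIM aligned) versus failed both."""
    root = ET.fromstring(xml_text)
    by_ip = defaultdict(lambda: {"pass": 0, "fail": 0, "spf_only": 0, "dkim_only": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        by_ip[ip]["pass" if dkim or spf else "fail"] += n
        if dkim != spf:  # passed on one identifier only; check before tightening p=
            by_ip[ip]["dkim_only" if dkim else "spf_only"] += n
    return dict(by_ip)


def needs_attention(summary):
    """Sources with failing mail: an unlisted legitimate sender to authorize, or a spoofer."""
    return sorted(ip for ip, c in summary.items() if c["fail"])
```

A source that only ever passes SPF (spf_only) is the classic forwarding casualty and is the first thing to sign with DKIM before moving to p=quarantine.
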
BIMI

Brand Indicators for Message Identification

Once you reach DMARC p=reject, you can implement BIMI — a DNS record that displays your brand logo in supporting email clients (Gmail, Yahoo, Apple Mail).

Requires a Verified Mark Certificate (VMC) from a CA like Entrust or DigiCert, and your logo in SVG Tiny 1.2 format.

default._bimi.thedns.guru. TXT "v=BIMI1; l=https://thedns.guru/logo.svg; a=https://thedns.guru/vmc.pem"