Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are email authentication methods to prevent email spoofing. One or more methods are also increasingly required by major mail hosts to prevent spoofing. And lacking the proper authentication requirements can result in mail rejections.
Please note that we are currently rolling out updates to SmarterMail which updates the interface. The first set of DKIM instructions are for the legacy interface. For the updated interface, scroll down passed the (Legacy) instructions to the (New) instructions.
Sender Policy Framework
An SPF is defined by adding a TXT record to the domain's DNS. The SPF for sending mail through Winhost is:
v=spf1 include:internetmailserver.net -all
If hosting DNS through Winhost, the SPF record would be added through the DNS Manager: Winhost Control Panel > Domains > Manage (DNS) > Manage TXT Record > Add
Domain Name: Field is left blank
Data: v=spf1 include:internetmailserver.net -all
TTL: 3600
Like with other DNS record updates, it will take some time for propagation to complete. To monitor DNS propagation
https://www.whatsmydns.net/ may be used.
To test the SPF record, see the Testing SPF and DKIM section below.
DKIM
DKIM is a combination of a SmarterMail setting and TXT record.
First log into the SmarterMail web interface as the domain administrator (default is postmaster). If the web interface address or password isn't known, log in automatically at: Winhost Control Panel > Sites > the applicable domain name > Email > SmarterMail Manager
(Legacy) Once logged into the webmail interface, click Domain Settings (gear icon with globe), General, and then the Enable button in the Email Signing pane.
(New) Once logged into the webmail interface, click the More1 drop-down and then Domain Settings2.
(New continued) Then select General1 and then the Enable2 button.
After clicking Enable, a pop-up with a TXT record will be displayed. Add the TXT record to the domain's DNS, allow time for DNS propagation, then click the Enable button once more.
If hosting DNS through Winhost, in a separate window navigate to the DNS Manager: Winhost Control Panel > Domains > Manage (DNS) > Manage TXT Record > Add
Domain Name: The "Text Record Name"
Data: The "Text Record Value"
TTL: 3600
DNS propagation can be reviewed at
https://www.whatsmydns.net/. If checking propagation of the TXT record for DKIM, make sure to enter the entire
Text Record Name (textBlock._domainKey.domain.com in the example above) into the domain field on whatsmydns. Then select
TXT from the drop-down and
Search.
After the DNS record has propagated, clicking the
Enable button for
Email Signing will update the pane with a message that DKIM is running on the domain. If after an hour the
Enable button still shows the pop up with the TXT record value, double check that the complete TXT record has been added to the domain's DNS. Or
open a ticket with the Support Department for assistance in reviewing the DKIM.
DMARC
Partly because it involves reporting, please note there are too many permutations to completely cover DMARC in this article. Though there are many resources available online with detailed information in cases where a specific setup is preferred or required. When both SPF and DKIM have already been added to a domain, a very basic DMARC record would be
Domain Name: _dmarc
Data: v=DMARC1; p=reject;
TTL: 3600
It is important to be aware that the "p" in the record is the policy and is set to reject messages that don't pass SPF and DKIM requirements. Making it imperative that the record be added after SPF and DKIM and not be used on a pointer domain where DKIM may not be set.
For reporting, three additional values can be added to the record
rua: DMARC Aggregate Feedback Reports
ruf: DMARC Failure Reports (where supported)
fo: Failure Reporting Options (1 = generate DMARC failure report for SPF or DKIM failures)
Example data
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Because the report addresses are public and discoverable, it would be advisable to create a new separate email address to receive the reports.
Testing SPF, DKIM and DMARC
A simple test of SPF, DKIM and DMARC can be performed by sending an email to a Gmail recipient and checking the email header. After the email is received, view it, click the three vertical dots for more options then Show Original.
If set up properly, there should now be three PASS notifications on the Original Message page.