How to Add SPF, DKIM, DMARC, and More with TXT Records

How to Add SPF, DKIM, DMARC, and More with TXT Records?

In today's world, email communication has become an indispensable part of our personal and business lives. However, email systems are vulnerable to spam, phishing, and other malicious activities. This is where TXT records come into play. TXT records are a type that allows you to add text-based information to your domain's DNS (Domain Name System) records. This information is used to enhance email security, verify your domain, and ensure the proper functioning of various services. In this article, we will examine in detail what TXT records are, their important applications such as SPF, DKIM, and DMARC, and how to add them.

What are TXT Records and Why are They Important?

TXT records are a type of resource record on the DNS (Domain Name System). They are used to store any text information about a domain name. This information can be used for various purposes: verifying domain ownership, configuring spam prevention mechanisms, verifying your website, and more. TXT records provide additional information about your domain, helping various services on the internet (e.g., email servers) to accurately recognize your domain and assess its reliability.

The importance of TXT records is particularly significant in terms of email security. Email authentication protocols such as SPF, DKIM, and DMARC are configured through TXT records. These protocols authorize email sending servers, significantly reducing spam and phishing attacks. TXT records are also used to verify domain ownership. For example, services like Google Search Console may ask you to add a TXT record to verify ownership of your website.

Adding an SPF (Sender Policy Framework) Record

SPF (Sender Policy Framework) is an email authentication protocol that authorizes email sending servers. An SPF record specifies the IP addresses or domain names of the servers authorized to send emails from your domain. This allows recipient servers to verify whether an email was sent from your domain and whether it was sent by an authorized server. SPF helps prevent spam and phishing attacks.

How to Create an SPF Record?

You can follow these steps to create an SPF record:

Identify Authorized Servers: Identify the IP addresses or domain names of all servers authorized to send emails from your domain. This includes your own email servers, third-party email marketing services you use (e.g., Mailchimp, Sendinblue), and other applications (e.g., CRM systems).
Create the SPF Syntax: Create the SPF syntax using the servers you have identified. The SPF syntax starts with "v=spf1" and then includes mechanisms that specify authorized servers (e.g., "ip4", "ip6", "include", "a", "mx") and a qualifier (e.g., "+", "-", "~", "?").
Add the SPF Record to DNS: Add the SPF record you created to your domain's DNS settings as a TXT record. To access your DNS settings, you need to log in to the control panel of your domain registrar or DNS service provider.

SPF Record Example

Below is a simple example of an SPF record:

v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all

This SPF record means the following:

v=spf1: This is an SPF record (version 1).
ip4:192.0.2.0/24: Servers in the IP address range 192.0.2.0/24 are authorized to send emails.
include:_spf.example.com: Servers specified in the SPF record of the _spf.example.com domain are also authorized to send emails. This is often used for third-party email services.
-all: This indicates that all servers other than the specified servers are not authorized to send emails. Emails will be rejected.

Using ?all allows emails from servers other than the specified servers to be marked as "neutral," leaving it to the discretion of the recipient server. Using ~all allows emails from servers other than the specified servers to be marked as "softfail," which means the email may be accepted but may be marked as suspicious.

SPF Record Tips

Make sure your SPF record does not exceed 255 characters. If it does, you can reference the SPF records of other domains using the "include" mechanism instead of using multiple SPF records.
Update your SPF record regularly. When your servers authorized to send emails change, you also need to update your SPF record.
You can use various online tools to test your SPF record. These tools help you verify that your SPF record is configured correctly and is being interpreted correctly by recipient servers.

Adding a DKIM (DomainKeys Identified Mail) Record

DKIM (DomainKeys Identified Mail) is an email authentication protocol that verifies the integrity and identity of emails. DKIM allows emails to be digitally signed. The email sending server signs the email using a private key, and this signature is verified by the recipient server using a public key. This verifies that the email has not been altered during transmission and that it was sent by an authorized server. DKIM helps prevent spam and phishing attacks and increases email delivery rates.

How to Create a DKIM Record?

You can follow these steps to create a DKIM record:

Create a Key Pair: Create a key pair (private key and public key). The private key is used to sign emails and should be stored securely. The public key is used by recipient servers to verify emails and is added to DNS. Many email servers and DKIM services can help you create a key pair.
Determine the DKIM Selector: The DKIM selector is a name used to identify the DKIM record in DNS. A simple name such as "default" or "mail" is often used.
Add the DKIM Record to DNS: Create a DKIM record using the public key and selector, and add it to your domain's DNS settings as a TXT record. The DKIM record is located in the "_domainkey" subdomain along with the selector name (e.g., "default._domainkey.example.com").

DKIM Record Example

Below is an example of a DKIM record:

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRpwdjjU8WaDp8Z4eRhGnNNutX2K4ybIoW9atN0/vyhL55alWwS6le9tYT0KjXPaU8BNhFeeiAmjuhHQEPNviBSFF+ujW0K/ZRoWjuJie+Vyj4kPhDeNNh7JyDRQbfmdnW5xmP0zQ6alKRt0n6v60dzJOjLwIDAQAB;"

This DKIM record means the following:

default._domainkey.example.com.: The subdomain where the DKIM record is located. Uses the "default" selector name.
IN TXT: This is a TXT record.
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRpwdjjU8WaDp8Z4eRhGnNNutX2K4ybIoW9atN0/vyhL55alWwS6le9tYT0KjXPaU8BNhFeeiAmjuhHQEPNviBSFF+ujW0K/ZRoWjuJie+Vyj4kPhDeNNh7JyDRQbfmdnW5xmP0zQ6alKRt0n6v60dzJOjLwIDAQAB;": The content of the DKIM record. Includes parameters such as "v" (version), "k" (key type), and "p" (public key).

DKIM Record Tips

Store your DKIM private key securely. If the private key is compromised, malicious individuals can send emails on your behalf.
You can use various online tools to test your DKIM record. These tools help you verify that your DKIM record is configured correctly and is being interpreted correctly by recipient servers.
Check and keep your DKIM record up to date regularly. Especially if you are doing key rotation, you need to update your DKIM record.

Adding a DMARC (Domain-based Message Authentication, Reporting & Conformance) Record

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol based on SPF and DKIM protocols. DMARC allows domain owners to determine what to do with emails that fail SPF and DKIM checks (e.g., quarantine or reject them) and to receive reports about these emails. DMARC helps prevent spam and phishing attacks and protects your domain's email reputation.

How to Create a DMARC Record?

You can follow these steps to create a DMARC record:

Determine the DMARC Policy: Determine what to do with emails that fail SPF and DKIM checks. There are three basic DMARC policies: "none" (no action is taken), "quarantine" (quarantined), and "reject" (rejected).
Determine the Reporting Address: Determine an email address to receive reports about emails that fail SPF and DKIM checks. DMARC reports will be sent to this address.
Add the DMARC Record to DNS: Create a DMARC record using the DMARC policy and reporting address, and add it to your domain's DNS settings as a TXT record. The DMARC record is located in the "_dmarc" subdomain ("_dmarc.example.com").

DMARC Record Example

Below is an example of a DMARC record:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf1; pct=100; fo=0:1:d:s"

This DMARC record means the following:

_dmarc.example.com.: The subdomain where the DMARC record is located.
IN TXT: This is a TXT record.
"v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf1; pct=100; fo=0:1:d:s": The content of the DMARC record. Includes parameters such as "v" (version), "p" (policy), "rua" (aggregate reporting address), "ruf" (forensic reporting address), "adkim" (DKIM alignment mode), "aspf" (SPF alignment mode), "rf" (reporting format), "pct" (policy application percentage), and "fo" (failure options).

In this example:

`v=DMARC1`: Specifies the DMARC version (DMARC1 is always used).
`p=none`: Sets the DMARC policy to "none". This means that emails will not be rejected or quarantined. This is often used when implementing DMARC for the first time and during the monitoring phase.
`rua=mailto:[email protected]`: Specifies the aggregate reporting address. DMARC reports are sent to this address by email servers. These reports contain information about the authentication results of emails sent from your domain.
`ruf=mailto:[email protected]`: Specifies the forensic reporting address. More detailed reports about the content of emails are sent to this address. This parameter is generally less used for privacy reasons.
`adkim=r`: Sets the DKIM alignment mode to "relaxed". This means that the domain name in the DKIM signature does not have to match the "From" address in the email header exactly.
`aspf=r`: Sets the SPF alignment mode to "relaxed". This means that the domain name specified in the SPF record does not have to match the domain name in the "From" address in the email header exactly.
`rf=afrf1`: Specifies the reporting format. The value "afrf1" specifies the IETF Automated Feedback Reporting Format.
`pct=100`: Specifies the percentage of emails to which the DMARC policy will be applied. The value "100" means that the policy will be applied to all emails.
`fo=0:1:d:s`: Specifies the failure options. This parameter controls under what conditions forensic reports will be generated. In this example, the values "0", "1", "d", and "s" represent specific failure scenarios.

DMARC Record Tips

When implementing DMARC for the first time, start with the "p=none" policy. This prevents your emails from being accidentally rejected or quarantined. By monitoring reports and correcting your SPF and DKIM configurations, you can move to a stricter policy (e.g., "p=quarantine" or "p=reject").
Monitor DMARC reports regularly. These reports provide information about the authentication results of emails sent from your domain and help you identify potential problems.
Check and keep your DMARC record up to date regularly. Especially if you are making changes to your email infrastructure, you need to update your DMARC record.

Conclusion and Summary

TXT records are text-based information stored in your domain's DNS settings and are used for email security, domain verification, and various other purposes. Email authentication protocols such as SPF, DKIM, and DMARC are configured through TXT records and help prevent spam and phishing attacks. Configuring these protocols correctly increases email delivery rates and protects your domain's email reputation.

In this article, we examined in detail what TXT records are, their important applications such as SPF, DKIM, and DMARC, and how to add them. By using this information, you can enhance your domain's email security and ensure the reliability of your email communication. Remember that email security is an ongoing process, and it is important to check and update your SPF, DKIM, and DMARC records regularly.