SPF, DKIM, and DMARC Records

These three types of DNS records are fundamental for the proper functioning of your mail systems. DNS acts as a public announcement of your system’s parameters, making it difficult or impossible for unauthorized third parties to impersonate your identity or send emails on your behalf.

AVAS – SPF, DKIM, and DMARC Records

To enable AvasCloud protection for your outbound email, it is necessary to add the SPF, DKIM, and DMARC records proposed in this document to the DNS of all domains to be protected.

SPF Protocol

The SPF (Sender Policy Framework) protocol, which is based on the DNS of your domain name, can certify that the sending IP has the right to send email messages using your domain.

In other words, this record declares the IP address ranges of the providers through which you send email using your domain.

Therefore, if you are going to use the AVAS Outbound service from Planisys, you must include the Planisys IP address blocks in your SPF record.

This protocol is used to prevent fraudulent use of your domain name and to prevent third parties from impersonating you. This protocol is particularly effective against phishing attacks. It is used in combination with DKIM and DMARC.

Adding an SPF Record

Case 1: The domain does not have an SPF record

If the domain does not have an SPF record and will only send emails through the Planisys service, the following record should be created in the DNS:

dominio.com. IN TXT "v=spf1 include:spf.planisys.net -all"

If instead there is no SPF record and emails will be sent through both the Planisys service and other services, the record should have the following format:

dominio.com. IN TXT "v=spf1 include:spf.planisys.net ?all"

Case 2: The domain already has an SPF record

If the domain already has an SPF record, it should be modified by adding include:spf.planisys.net. If a domain has a record like the following, for example:

dominio.com. IN TXT "v=spf1 a include:emailmarketing.net ip4:10.0.0.1 -all"

it should be modified to look like the following:

dominio.com. IN TXT "v=spf1 a include:emailmarketing.net ip4:10.0.0.1 include:spf.planisys.net -all"
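The two cases above can be checked mechanically before the zone is edited. The following is an added example, not Planisys code: it merges the include into whatever TXT values the domain already publishes, and also enforces two RFC 7208 rules the text does not mention (only one v=spf1 record per name, and at most 10 DNS-lookup terms). The function names and the sample TXT values are constructed for illustration.

```python
import re

ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)
# Terms that cost a DNS query; RFC 7208 caps them at 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def select_spf(txt_records):
    """Return the one SPF record among a name's TXT values, or None."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one v=spf1 record: receivers return permerror")
    return spf[0] if spf else None


def count_lookups(record):
    """Count lookup-causing terms in this record (nested includes are not followed)."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)


def add_include(txt_records, domain="spf.planisys.net", default_all="-all"):
    """Return the SPF value to publish, with include:<domain> ahead of the 'all' term."""
    current = select_spf(txt_records)
    if current is None:  # Case 1: no SPF record yet
        return f"v=spf1 include:{domain} {default_all}"
    terms = current.split()
    wanted = f"include:{domain}"
    if wanted not in (t.lower().lstrip("+") for t in terms):
        # Mechanisms after 'all' are never evaluated, so insert before it.
        pos = next((i for i, t in enumerate(terms) if ALL_RE.match(t)), len(terms))
        terms.insert(pos, wanted)
    merged = " ".join(terms)
    if count_lookups(merged) > 10:
        raise ValueError("over 10 DNS-lookup terms: receivers return permerror")
    return merged


if __name__ == "__main__":
    # Constructed input: the Case 2 record from the text plus an unrelated TXT value.
    existing = ["site-verification=constructed-token",
                "v=spf1 a include:emailmarketing.net ip4:10.0.0.1 -all"]
    print(add_include(existing))
```

Running it on the Case 2 record reproduces the modified record shown above; running it a second time on its own output changes nothing.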

In PDNS, the record should be created as follows:

DKIM Protocol

The DKIM (DomainKeys Identified Mail) protocol is a cryptographic protocol based on the use of public keys that are published in your DNS.

This protocol allows you to sign your emails with your domain name, just as you would sign a letter with your name. This way, the recipient of your email can be assured that the email they received was signed by your domain’s Outbound infrastructure and has not been altered during transmission.

This protocol is particularly effective against Man in the Middle attacks, as it prevents the email content from being altered once it has been signed.

You can have multiple selectors in your domain for different systems that sign your outgoing emails. In the case of AVAS Planisys, we have generated a pair of keys (private and public), and we ask domains that use our Outbound service to configure their DNS with the public key provided by Planisys using the selector “selector1”.

Adding a DKIM Record

The following record should be created in the DNS of the domain to be protected:

selector1._domainkey.dominio.com. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJKwIQcgY5KrBFK80/YDosF3drO+0y1XsOFjK7H/FZPugsdkHtbe/axRu9aEjlJvdQr/QQqUM7jWSp/eSzb2G8UBG06xfRLQPPy7xKzK5jCzlbFy15Eq8zcdmMAIyCfAsF4fLoVbBvDctahFLEQqS03MiG+OgOUNbuJ4HG8oDEPwIDAQAB"

All emails sent through the AVAS Planisys Outbound service are signed regardless of whether this record has been published, so the record is mandatory: without it, receivers cannot verify the signature.

If you are not sure of all the possible channels through which your email is sent, it is advisable to add ;t=y at the end of the record to indicate that it is in testing mode.

In PDNS, the record should be created as follows:

DMARC Protocol

The DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol lets the domain owner publish in the DNS the policy it suggests to mail operators of other domains for emails whose sender or origin is in this domain.

In particular, the suggested policy is what mail operators should do if emails with a sender in your domain fail SPF and/or DKIM.

Adding a DMARC Record

The record suggested by Planisys is as follows, for the case that your domain is correctly configured with SPF and DKIM (copy and paste):

_dmarc.dominio.com. IN TXT "v=DMARC1; p=reject; rua=mailto:Dmarcplanisys@rebotes.planisys.net; fo=0:s; aspf=r; adkim=r; pct=100; rf=afrf; ri=86400; sp=reject"

In this way, if emails appear from incorrect IP addresses or that are not signed with DKIM or are incorrectly signed, the suggested policy is “REJECT”. This means rejecting any email with a sender in your domain that does not meet SPF and DKIM requirements.

The DMARC record is a way to protect your brand and reputation on the Internet, committing to sending emails with your sender only through secure channels like AVAS or DMDS Planisys, and not risking sending emails from unauthenticated servers or email marketing on shared platforms.
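How a receiver turns the suggested record into a decision, as an added example that is not Planisys code: a message passes DMARC when either SPF or DKIM passes for a domain aligned with the From domain, which is why mail signed only by a shared platform's own domain is rejected under this policy. The organizational-domain shortcut (last two labels), the function names and the sample messages with their .example domains are assumptions constructed for illustration.

```python
# The record suggested in the text, copied as published.
RECORD = ("v=DMARC1; p=reject; rua=mailto:Dmarcplanisys@rebotes.planisys.net; "
          "fo=0:s; aspf=r; adkim=r; pct=100; rf=afrf; ri=86400; sp=reject")


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must come first."""
    pairs = [p.strip().split("=", 1) for p in txt.split(";") if p.strip()]
    if not pairs or [x.strip() for x in pairs[0]] != ["v", "DMARC1"]:
        raise ValueError("not a DMARC record")
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(name):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers use the Public Suffix List (needed for names such as .com.ar).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Mode 'r' (relaxed) compares organizational domains; 's' requires equality."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def disposition(tags, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' or the policy requested for a failing message (pct not modelled)."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass"
    is_sub = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]


if __name__ == "__main__":
    tags = parse_dmarc(RECORD)
    # Constructed messages: (From domain, SPF pass, SPF domain, DKIM pass, DKIM d=)
    for msg in [("dominio.com", True, "dominio.com", True, "dominio.com"),
                ("dominio.com", False, "forwarder.example", True, "dominio.com"),
                ("dominio.com", True, "bounce.esp.example", True, "esp.example"),
                ("news.dominio.com", False, "", False, "")]:
        print(msg, "->", disposition(tags, *msg))
```

The second message shows why DKIM matters for forwarded mail: SPF fails at the forwarder's IP, but the aligned signature still passes.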

In PDNS, the record should be created as follows:
