
DNS Email Security Records: SPF, DKIM & DMARC | NOC.org

Email Security in DNS

Email was designed without built-in authentication. Anyone can send an email claiming to be from any domain — there's nothing in the original SMTP protocol to verify the sender's identity. This fundamental weakness enables email spoofing, phishing attacks, and business email compromise (BEC).

Three DNS-based technologies fix this: SPF, DKIM, and DMARC. Together, they let domain owners declare which servers are authorized to send email on their behalf, cryptographically sign messages, and define policies for handling unauthorized mail. All three are implemented as TXT records in your domain's zone file.

SPF (Sender Policy Framework)

SPF lets you publish a list of servers authorized to send email for your domain. When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record to verify the sending server is on the approved list.

SPF Record Syntax

example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com ip4:93.184.216.34 -all"

Key mechanisms:

Mechanism        Meaning
ip4:x.x.x.x      Authorize a specific IPv4 address or range
ip6:xxxx::xxxx   Authorize a specific IPv6 address or range
include:domain   Include another domain's SPF record (used for third-party services)
a                Authorize the domain's own A record IP
mx               Authorize the domain's MX record servers
-all             Reject all senders not listed (hard fail)
~all             Mark unlisted senders as suspicious (soft fail)

SPF Best Practices

  • Use -all (hard fail) once you've confirmed all legitimate senders are listed
  • Keep the number of DNS lookups under 10 (SPF has a lookup limit)
  • Include all third-party services that send email on your behalf (marketing platforms, CRM, helpdesk)
  • If your domain doesn't send email, publish "v=spf1 -all" to block all spoofed mail

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. The sending server signs each message with a private key, and the receiving server verifies the signature using a public key published in DNS.

DKIM Record Syntax

selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGS..."

Components:

  • Selector — An identifier for the key pair (e.g., google, s1, default). Allows multiple DKIM keys for different sending services.
  • v=DKIM1 — Version identifier
  • k=rsa — Key type (RSA is standard)
  • p=... — The public key (base64-encoded)

How DKIM Verification Works

  1. Your mail server signs outgoing messages with the private key
  2. The signature is added as a DKIM-Signature header in the email
  3. The receiving server extracts the selector and domain from the signature
  4. It queries DNS for the public key: selector._domainkey.yourdomain.com
  5. It verifies the signature using the public key
  6. If the signature is valid, the email passes DKIM; if not, it fails

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together with a policy layer. It tells receiving servers what to do when an email fails authentication, and provides a reporting mechanism so you can monitor unauthorized use of your domain.

DMARC Record Syntax

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

Key tags:

Tag              Meaning
p=none           Monitor only — no action on failures (start here)
p=quarantine     Send failing messages to spam/junk
p=reject         Block failing messages entirely (strongest protection)
rua=mailto:...   Where to send aggregate reports
ruf=mailto:...   Where to send forensic (failure) reports
pct=100          Percentage of messages to apply the policy to
adkim=s          Strict DKIM alignment (domain must match exactly)
aspf=s           Strict SPF alignment

DMARC Deployment Path

  1. Start with p=none — Monitor reports to see who is sending email as your domain
  2. Fix legitimate senders — Ensure all authorized services pass SPF and/or DKIM
  3. Move to p=quarantine — Send failing messages to spam
  4. End at p=reject — Block all unauthenticated email

Putting It All Together

A fully protected domain has all three records working together:

; SPF — authorize senders
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com -all"

; DKIM — sign messages (key published by your email provider)
google._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGf..."

; DMARC — enforce policy and get reports
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

With this configuration:

  • Only servers listed in SPF can send email as your domain
  • All messages are cryptographically signed with DKIM
  • Any email that passes neither SPF nor DKIM with an aligned domain fails DMARC and is rejected by the receiving server
  • You receive reports about who is trying to send email as your domain
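The policy decision a receiver makes from these three records, as an added worked example (not code from the NOC.org page): it parses a DMARC record, applies the adkim/aspf alignment rules and the pct= sampling, and returns the disposition. The SPF and DKIM results are assumed to have been computed already; the organizational-domain check is a simplified last-two-labels version rather than the Public Suffix List lookup real receivers use.

```python
# Added example: offline DMARC disposition from an SPF result, a DKIM result and the DNS record.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags, applying DMARC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}  # defaults: relaxed alignment, 100%
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels (assumption; real DMARC uses the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample_bucket=0):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') when DMARC fails.

    from_domain   - domain in the visible From: header (what DMARC protects)
    spf_domain    - MAIL FROM domain that SPF was evaluated against
    dkim_domain   - d= tag of a DKIM signature that verified, or None
    sample_bucket - 0..99, stands in for the receiver's random draw compared against pct=
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:          # DMARC passes if either aligned check passes
        return "pass"
    policy = tags["p"]
    if sample_bucket >= int(tags["pct"]):
        # Outside the pct= sample: apply the next less strict policy, as receivers do
        return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
    # Constructed case: SPF passes for a look-alike MAIL FROM domain, so it is not aligned
    print(dmarc_disposition(rec, "example.com", "pass", "example-mail.net", "fail", None))
```

A message whose SPF pass belongs to an unrelated MAIL FROM domain, or whose DKIM signature was made under another domain's key, fails DMARC even though each check "passed" on its own; that alignment step is what stops a spoofed From: header.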
