Skip to main content
All CollectionsEmail Services
SPF and DMARC: Purpose, Function, and Implementation
SPF and DMARC: Purpose, Function, and Implementation

This article describes what SPF and DMARC are, the problem they are each designed to resolve and how to put each into place.

Garrett Saundry avatar
Written by Garrett Saundry
Updated over a month ago

Introduction

Email security is a critical aspect of modern communication. Two key protocols that help ensure the authenticity and integrity of emails are the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).


About

SPF

SPF is designed to authenticate the sending server and prevent email spoofing. It allows a domain to specify which servers are authorized to send emails on its behalf. SPF works by listing all the IP addresses of servers authorized to send emails from a domain. When an email is received, the receiving server checks it against the SPF record before passing it on to the recipient’s inbox.

DMARC

DMARC builds upon SPF and DKIM (DomainKeys Identified Mail) to provide a consistent set of policies for email authentication. It helps prevent phishing and email spam by verifying where emails come from and reporting back instances of phishing and spam to the legitimate domain/email owner.

DMARC tells a receiving email server what to do if an email fails SPF checks. It can instruct mail servers to quarantine or reject such emails, or to deliver them. DMARC reports give administrators the information they need to adjust their DMARC policies.


Implementation

Implementing SPF and DMARC involves several steps:

SPF

  1. Identify all the servers that send email on behalf of your domain.

  2. Create an SPF record listing all these servers’ IP addresses.

  3. Publish the SPF record in your domain’s DNS records.

Example:

DNS Record Type: TXT
Host/Name: yourdomain.ca
Value: "v=spf1 a:mail.yourmailprovider.ca -all"

For more information regarding the different variables and parameters that can be optionally included in your SPF record to fine-tune its performance, please see: https://mxtoolbox.com/dmarc/spf/setup/how-to-setup-or-modify-spf

DMARC

  1. First, set up SPF for your domain.

  2. Create a DMARC policy specifying how to handle emails that fail SPF checks.

  3. Publish the DMARC record in your domain’s DNS records.

Example:

DNS Record Type: TXT
Host/Name: _DMARC.yourdomain.ca
Value: "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]"

*Replace [email protected] with an address of your choosing which you have access to.

Begin by creating a DMARC record with enforcement set to none (p=none;). This will allow you to start receiving reports without risking messages from your domain being rejected or marked as spam by receiving servers. We suggest using this record for a minimum of one week, as this is usually sufficient time for the daily reports to contain data that is representative of all your mail streams. After monitoring DMARC reports for at least a week with no adverse results, update your policy to quarantine (p=quarantine;), or the more strict policy of reject (p=reject;) .


Updating your domain's DNS records

Updating your domain's DNS records first starts by determining who hosts these records in the first place. If you are unsure who hosts your DNS records, perform a WHOIS search of your domain via the button below.

Scroll through the results until you reach the list of three name servers assigned to your domain. These servers are where your DNS records reside. Contact the service provider associated with these name servers for assistance.

If Webnames.ca is your DNS provider, and you have DNS Hosting services with us, your DNS record interface is located in one of two places:


For domains with Webnames Website Hosting:

Visit your list of domains that have Website Hosting:

Click on the Manage button beneath the Web Hosting heading of the applicable domain name.

On the subsequent page, scroll down to the Hosting Logins section and click the Login button in Hosting Control Panel.

In the Hosting Control Panel, locate and click on DNS Settings in the main center panel.

Add or update your SPF and DMARC TXT Records:

If Webnames.ca's mail service is the only source of legitimate mail for your domain, the value v=spf1 a:spf10.webnames.ca -all is the correct value for your SPF record.

If you have additional sources, use a tool such as the one found at https://mxtoolbox.com/SPFRecordGenerator.aspx to create a record that is right for you.

The email address(es) you specify in your DMARC record are entirely up to you. You can use an email address you own, or an email address provided to you by another vendor.

For more information regarding the different variables and parameters that can be optionally included in your DMARC record to fine-tune its performance, please see: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record

Click OK, and wait up to six hours for this change to propagate across the internet.


For domains without Webnames Website Hosting:

Click on the Manage button beneath the DNS heading of the applicable domain name.

On the DNS Hosting tab, scroll down to the TXT records section of the page.

Add or update your DNS TXT Records:

If Webnames.ca's mail service is the only source of legitimate mail for your domain, the value v=spf1 a:spf10.webnames.ca -all is the correct value for your SPF record.

If you have additional sources, use a tool such as the one found at https://mxtoolbox.com/SPFRecordGenerator.aspx to create a record that is right for you.

The email address(es) you specify in your DMARC record are entirely up to you. You can use an email address you own, or an email address provided to you by another vendor.

For more information regarding the different variables and parameters that can be optionally included in your DMARC record to fine-tune its performance, please see: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record

Click Apply at the bottom of the page, and wait up to six hours for this change to propagate across the internet.


Purchasing DNS Hosting

If your domain has neither DNS nor Website Hosting already, more information about purchasing our DNS Hosting can be found here:


Next steps

  1. Over time you will begin to receive DMARC reports from other mail providers (via the email address you specified in place of [email protected] in the example above) containing instances where they have processed illegitimate email from your domain (i.e. email that failed an SPF check) Analyze DMARC reports to understand which emails are passing and failing checks.

  2. Adjust your DMARC policies based on these reports to capture and discard as much illegitimate email as possible.

By implementing SPF and DMARC, you can significantly enhance the security of your email communications, protect your domain’s reputation, and ensure your emails reach their intended recipients.

Did this answer your question?