Securing email hosting with SPF, DKIM and DMARC records


If you manage your own DNS and mail server, you need a shield against spamming, phishing and sender address forgery. A few TXT records in the DNS zone go a long way towards keeping your email hosting secure.

SPF (Sender Policy Framework)

A TXT record that advertises the sources allowed to send email for your domain. It does not stop spam, but it helps against sender address forgery. An example of such a TXT record is

v=spf1 +a +mx +ip4: +ip4: ~all

The SPF TXT record starts with v=spf1, and the record above declares the hosts and other IP addresses responsible for sending email for the domain. If an email source does not match the SPF record, the receiving server treats that source in one of the following ways:

1. not authorized to send email for your domain = -all
2. marked as a soft fail, which allows the email to be scrutinized further = ~all
3. any server is allowed to send email for your domain = +all; this option obviously must not be used

DKIM (DomainKeys Identified Mail)

A public-private key pair is a proven authentication technique. DKIM applies the same idea: the public key is published in a TXT record and the email server cryptographically signs outgoing email with the private key. A signature that verifies against the published public key confirms the authenticity of the sender. DKIM implementation involves four steps:

1. Create a selector, which is nothing but a text string.
2. Generate a public-private key pair. There are many online wizards for this.
3. Create a TXT record in the DNS zone to declare the selector and public key.
4. The DKIM signer should sign all outgoing email with the private key.

A selector string must be followed by ._domainkey looks like which is the DKIM TXT host name. For the DKIM TXT hostname is

A DKIM record needs to follow the format below

v=DKIM1; k=rsa; p=PublicKey



DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Once SPF and DKIM are in place, the sending domain can declare that its outgoing email is protected by SPF and/or DKIM and instruct the receiver what to do when SPF/DKIM authentication fails. DMARC is again a TXT record, with the dedicated host name _dmarc.domainname

A minimal DMARC record needs only two tags, v and p. The v tag identifies the record as DMARC, and p, a.k.a. policy, tells the receiver how to treat unauthenticated email. The policy can be one of three:
1. p=none – no action on sender mail that fails SPF/DKIM authentication
2. p=quarantine – the domain owner would like the receiver to mark unauthenticated email as spam/junk and scrutinize it further
3. p=reject – the strictest policy. The domain owner simply wants the receiver to reject unauthenticated email at the SMTP level.

So a basic DMARC record is


There are many DMARC tags available. An example is



where the tags are as below

v (required tag) – the first supplied tag, with the explicit value DMARC1
p (required tag) – defines the policy the sending MTA advises the receiving MTA to follow
sp – policy for subdomains, if it differs from the policy for the domain
rua – email address where the sender domain wants to receive aggregate reports
ruf – email address where the sender domain wants to receive forensic DMARC reports
rf – reporting format the sending MTA requests from the receiving MTA
pct – allows mail senders to experiment with a small percentage of mail being subject to DMARC action. Problems can be progressively eliminated from the system before turning DMARC on for all mail. If omitted, it defaults to pct=100 (100%)
ri – time in seconds between reports requested from the receiving MTA
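
A small offline linter for the SPF and DMARC records described above, as an added example that is not part of the original post. The function names and the sample records (example.com, 192.0.2.10) are constructed for illustration, and the rule that sp inherits p when omitted comes from the DMARC specification rather than from this page.

```python
# Added example, not from the original post. Sample records are constructed
# (example.com and 192.0.2.10 are reserved documentation values).
SPF_ALL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DMARC_POLICIES = ("none", "quarantine", "reject")

def lint_spf(txt):
    """Return (result for senders that reach 'all', warnings)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    result, warnings = None, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_ALL else "+"  # '+' is implied
        if result is None and term.lstrip("+-~?").lower() == "all":
            result = SPF_ALL[qualifier]
            if result == "pass":
                warnings.append("+all authorizes any server to send")
        elif result is not None:
            warnings.append(f"{term!r} follows 'all' and is never evaluated")
    if result is None:
        warnings.append("record has no 'all' mechanism")
    return result, warnings

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict, applying defaults."""
    pairs = [p.partition("=")[::2] for p in txt.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])         # subdomains inherit p
    tags["pct"] = int(tags.get("pct", 100))  # omitted pct means 100
    return tags

def lint_dmarc(tags):
    """Warn about settings that leave failing mail unenforced or unreported."""
    warnings = []
    if tags["p"] == "none":
        warnings.append("p=none: receiver takes no action on failing mail")
    if tags["pct"] < 100:
        warnings.append(f"policy covers only {tags['pct']}% of failing mail")
    if "rua" not in tags:
        warnings.append("no rua: no aggregate reports will arrive")
    return warnings

if __name__ == "__main__":
    print(lint_spf("v=spf1 +a +mx +ip4:192.0.2.10 ~all"))
    print(lint_dmarc(parse_dmarc("v=DMARC1; p=none; pct=25")))
```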

Want to set up your own records? Just check below.

Online wizards for creating SPF, DKIM and DMARC (SPF, DKIM, DMARC) (SPF, DKIM, DMARC) (SPF) (DKIM)

Online checkers (SPF, DKIM, DMARC and lots more) (SPF, DKIM, DMARC) (SPF, DKIM, DMARC) (SPF, DKIM, DMARC) (SPF, DMARC)

Email-based validation (send an email and receive an instant report on sender authentication) (SPF, DKIM, DMARC) (SPF, DKIM, DMARC) (SPF, DKIM, DMARC)

Online blacklist check

Overall DNS & MX health checkup

