SPF and DKIM set up

Overview

Русская версия статьи

Sender Policy Framework (SPF) and DKIM (DomainKeys Identified Mail) are an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email.

SPF and DKIM records are a TXT record that is part of a domain's DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.
How it works:

1. Recipient mail server receives a letter from some email address (for example, info@company.com ) with the sender server - mta.mindbox.ru

2. Recipient's server makes a request to the DNS of company.com trying to find the SPF and DKIM records

   • It does not exist. Letter status becomes «neutral». It means that some extra spam tests required for this letter.

   • It does exist. Does mta.mindbox.ru allow to send a letter for info@company.com :

     • Yes - letter status becomes «pass». Generally it means that no special spam tests required for this letter.
     • No - letter status becomes «neutral». See 2a for more details.

The following is an example of DNS record:

Important! The second-level domain for DKIM is automatically inserted!
For example, if the key is added for the company.com domain, then the entry must be of the form mindbox._domainkey, and if for the domain mail.company.com, the entry must be mindbox._domainkey.mail

SPF set up

An SPF record is a TXT record that is part of a domain's DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name. Once this entry is placed within the DNS zone, no further configuration is necessary to take advantage of servers that incorporate SPF checking into their anti-spam systems. This SPF record is added the same way as a regular A, MX, or CNAME record.

Example of SPF record list:

It means that the main domain servers can send emails (a mx), as well as all servers from mindbox.ru domain (include:spf.mindbox.ru).

?all means that you can send email from other servers but the letter status will be «neutral».
If you already have entries, you just need to add there include: spf.mindbox.ru
If you use the Sender ID, you also need to add the include: spf.mindbox.ru

SPF record check

Updating DNS records usually takes from 30 minutes to 4 hours.

By using this service you can check a status of SPF record update:

If all is done correctly, you will see something like this

If nothing appears you should wait a little bit more or check all the settings again.
The next step is to send an email from the trusted server (for example, mindbox server) and check an original of the letter.

Status «Received-SPF: pass» means everything set up well. Status failed or neutral means something went wrong and you need to check all the setting again.

DKIM set up

Ask your manager to generate the couple of DKIM keys and send you required info (public key and instructions).After you will need to create two TXT records to your DNS server with the obtained information.

IMPORTANT : The key must be only one string! Delete all line breaks if key contains them.

DKIM check

Validate your settings using this service .
If all set up correctlyyou should see something like this:

It means that everything right on your side.

The next step is to checkMindbox’s server settings. Send an email from Mindbox platform to GMail and check the headings of the letter:

Look for DKIM headers

Status “dkim=pass” means everything is ok.

If “dkim=neutral” or “dkim=fail” – please ask your manager for help.