Mail SPF (Sender Policy Framework) & DKIM (DomainKeys Identified Mail) Domain Records

If you are finding that emails from your domain are being treated as spam or being blocked, it's most likely because they are being sent from an IP address that is not identified as an authorised sender for your domain. In effect, they are being treated as suspect spam. To overcome this problem, an SPF message must be saved as a TXT (text) record in your domain's DNS records, authorising the sending server to send mail on your behalf.

If you wish to read on, you will gain a better understanding of how the internet works and discover the meaning of some internet terms. You should also gain the knowledge to resolve email issues, but if you feel it's for someone else to do, that's OK too. Click to request support from the AHBC.

Understanding the role of the "Domain Name System" (DNS)

If you own a domain for your business and it is on the internet with a website and/or email service, it has a service called the "Domain Name System" (DNS). The DNS is the internet's road map or phone book: it takes a website address or email address request and directs the request to a host server for processing.

In other words, when someone enters one of your domain names in a web browser, such as www.adelaidehillsbc.com.au or domains.adelaidehillsbc.com.au, or sends an email to you, your domain's DNS is responsible for finding the correct computer, by its IP address, to process the request. Computers that hold your website or emails are normally referred to as "hosting servers", and their role is to store data and process requests. The request may result in the return of a web page, or in viewing or sending emails.

An "Internet Protocol" (IP) address is a unique identifier for every device that connects to the internet. Just as you would address a letter to send in the mail, computers use this unique identifier to send requests and data to specific computers or hosting servers on the internet. There are two standards for IP addresses: IP Version 4 (IPv4) and, more recently, IP Version 6 (IPv6).

DNS records look something like this:

  • "www.myDomainName.com.au" is hosted from a server with an IP address that looks like 111.222.1.11 (this IP address in your DNS is known as an "A" record).

  • Emails to my domain are hosted by a server with an IP address that looks like 200.234.1.230, or by a DNS "MX" record address that looks like "ALT1.ASPMX.L.GOOGLE.COM".

  • Information about my domain, such as "v=spf1 include:_spf.google.com ~all", is retained as a "TXT" DNS record.

Sometimes IP addresses are replaced by a Canonical Name (CNAME) or Mail Exchange (MX) address that looks like a web address, e.g. alt1.aspmx.l.google.com. There are a number of reasons why IP addresses are not used. For example, visualise the size of the server needed to process millions of Gmail messages a minute at Google. To deal with the demand, Google allocates each email's processing task to one of its hundreds of mail hosting servers, all with unique IP addresses. In effect one IP address would not work, so Google uses a web-like address to receive all emails and then assigns an IP address internally.

Other DNS records:

  • MX stands for Mail eXchange address, e.g. ALT1.ASPMX.L.GOOGLE.COM. These addresses also carry a priority number, so a mail hosting provider may have a couple of backup mail servers with different MX addresses. Google has 5 MX mail server addresses to ensure mail is processed.

  • CNAME (Canonical Name) records point to another domain address rather than an IP address. That other domain address may in turn point to another CNAME until the chain reaches an IP address held in an A or AAAA record.

  • A records - an IP address as shown above, also known as IPv4: the version with 4 bytes of data. The A record is typically the root address of the physical hosting server.

  • AAAA records - the newer version of the IP address, also known as IPv6. This version has been introduced to deal with the rapidly expanding number of internet-connected devices, e.g. 2100:ca02:2049:8::a29f:1503. It is like the time, for those of us who remember 6-digit phone numbers, when numbers moved to 8 digits plus a 2-digit area code, or 04 for mobiles.

  • TXT records are simply text look-up information. In many cases a "Software as a Service" (SaaS) provider will supply a TXT message to be copied and pasted into your domain's DNS records to prove you are authorised to use your domain name. The same goes for an SPF text message, which validates that emails sent by you come from your domain's authorised IP address and not from a spammer's IP address.



How "Sender Policy Framework" (SPF) works

All sent emails contain the sender's mail server address and the sender's domain name (Sender ID Framework), just like a physical letter with a sender's address on the back of the envelope.

Nowadays, most inbound mail servers receiving emails will attempt to validate the incoming sender's domain name against the sending mail server's address. If the inbound mail server cannot match the sender's mail server address to the sender's ID framework, the incoming mail may be flagged as spam or junk mail for the receiver. This happens when an SPF TXT record has not been established for the sender's domain, or when a spammer attempts to hijack your domain name (use it as the sender) from another sending email server.

To overcome this issue, an SPF message is saved as a TXT record in the sender's domain DNS. The SPF message starts with "v=spf1", followed by terms naming the servers allowed to send for the domain and a closing "all" term (for example "~all") that says how to treat everyone else.

After updating your DNS with your SPF TXT record, it may take up to 48 hours to propagate globally to all DNS servers.

Once your SPF TXT record is in place, if a spammer attempts to hijack your domain name to send unauthorised email, the mail will be blocked and not passed on to the receiver. Remember, this occurs because the spammer's mail server address does not match the servers identified in your SPF record, so the receiving server blocks the incoming email.
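The lookup and matching described in the DNS records section and in this section, as an added example that is not part of this article or of any hosting provider's tooling: a small Go evaluator reads a domain's "v=spf1" TXT record out of a constructed in-memory zone and decides whether a given sending IP passes, following the a, mx, ip4, include and all terms used on this page. Every name and address in it is made up (example.com.au, strict.example, and the RFC 5737 documentation addresses); the include target _spf.mailhost.example is a placeholder standing in for a provider's record, not the provider named later on this page, whose real record contents are not reproduced.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Zone is a constructed in-memory stand-in for live DNS so the example runs offline.
type Zone struct {
	A   map[string][]string // host name -> IPv4 addresses
	MX  map[string][]string // domain -> mail host names (priorities omitted)
	TXT map[string][]string // name -> TXT strings; the SPF record lives here
}

// Result is the outcome of one SPF check, using the RFC 7208 result names.
type Result string

const (
	Pass      Result = "pass"      // the sending IP is authorised by the record
	Fail      Result = "fail"      // matched a "-" term such as "-all": explicitly not authorised
	SoftFail  Result = "softfail"  // matched a "~" term such as "~all": the receiver decides what to do
	Neutral   Result = "neutral"   // matched a "?" term, or no term matched at all
	None      Result = "none"      // the domain publishes no SPF record
	PermError Result = "permerror" // the record is malformed or uses a term not supported here
)

// hasA reports whether name has an A record equal to ip.
func (z Zone) hasA(name string, ip net.IP) bool {
	for _, addr := range z.A[strings.ToLower(name)] {
		if net.ParseIP(addr).Equal(ip) {
			return true
		}
	}
	return false
}

// CheckHost evaluates domain's SPF record for the IP that delivered the mail. Terms are tried
// left to right and the first one that matches decides the result through its qualifier (+ - ~ ?).
func (z Zone) CheckHost(ip net.IP, domain string) Result {
	var rec string
	for _, txt := range z.TXT[strings.ToLower(domain)] {
		if strings.HasPrefix(strings.ToLower(txt), "v=spf1") {
			rec = txt
		}
	}
	if rec == "" {
		return None
	}
	for _, term := range strings.Fields(rec)[1:] { // skip the "v=spf1" version tag
		qualifier := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qualifier, term = term[0], term[1:]
		}
		mech, arg, _ := strings.Cut(strings.ToLower(term), ":")
		if arg == "" && (mech == "a" || mech == "mx") {
			arg = domain // a bare "a" or "mx" refers to the domain being checked
		}
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4":
			if !strings.Contains(arg, "/") {
				arg += "/32" // a single address is a /32 network
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return PermError
			}
			matched = network.Contains(ip)
		case "a":
			matched = z.hasA(arg, ip)
		case "mx":
			for _, host := range z.MX[strings.ToLower(arg)] {
				matched = matched || z.hasA(host, ip)
			}
		case "include":
			matched = z.CheckHost(ip, arg) == Pass // only a "pass" from the included record counts
		default:
			return PermError // unknown mechanism, or an empty term such as a lone "+"
		}
		if matched {
			return map[byte]Result{'+': Pass, '-': Fail, '~': SoftFail, '?': Neutral}[qualifier]
		}
	}
	return Neutral // nothing matched and the record has no "all" term
}

// ExampleZone is the constructed DNS: a domain whose record has the "+a +mx include:... ~all"
// shape used in this article, a placeholder provider include record, and a stricter "-all" domain.
func ExampleZone() Zone {
	return Zone{
		A:  map[string][]string{"example.com.au": {"203.0.113.10"}, "mail.example.com.au": {"203.0.113.25"}},
		MX: map[string][]string{"example.com.au": {"mail.example.com.au"}},
		TXT: map[string][]string{
			"example.com.au":        {"v=spf1 +a +mx include:_spf.mailhost.example ~all"},
			"_spf.mailhost.example": {"v=spf1 ip4:198.51.100.0/24 -all"},
			"strict.example":        {"v=spf1 ip4:203.0.113.0/24 -all"},
		},
	}
}

func main() {
	z := ExampleZone()
	for _, c := range [][2]string{{"203.0.113.10", "example.com.au"}, {"198.51.100.7", "example.com.au"}, {"192.0.2.99", "example.com.au"}, {"192.0.2.99", "strict.example"}} {
		fmt.Println(c[0], "sending as", c[1], "=>", z.CheckHost(net.ParseIP(c[0]), c[1]))
	}
}
```

The last two checks show why the closing term matters: the unknown address 192.0.2.99 gets "softfail" from the "~all" record (the receiver may still accept and mark the mail) but "fail" from the "-all" record; a domain with no TXT record at all returns "none", which is the situation the section above describes when mail starts landing in spam.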

Additional Protection with DKIM

There is just one more step to really avoid email issues and that is to create another DNS TXT record for DKIM.

By establishing a DomainKeys Identified Mail (DKIM) TXT record, you help prevent "spoofing" of outgoing messages sent from your domain.

Email spoofing is when email content is changed to make the message appear to come from someone or somewhere other than the actual source. Spoofing is a common unauthorised use of email, so some email servers require DKIM to prevent it.

Basically, DKIM adds a cryptographic signature to the header of all outgoing messages. Inbound email servers that receive signed messages fetch your public DKIM key from the TXT record in your DNS and use it to check the signature, which verifies that the signed headers and body were not changed after the message left your sending server. The matching private key stays on the sending server and is never published.
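A worked illustration of the signing and checking just described, added here and not part of this article or of any mail provider's software: it generates an RSA key, builds the "selector._domainkey.domain" TXT record that carries the public half, signs the From, To and Subject headers plus the body, and then runs the receiving side's verification, which succeeds on the untouched message and fails once a signed header has been rewritten. The selector sel1, the domain example.com.au, the message and the DNS zone are all constructed; the tag handling is simplified relative to RFC 6376 (fixed tag order, no header folding) so the example stays short.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// relaxed is DKIM "relaxed" header canonicalisation (lower-case name, whitespace runs collapsed,
// CRLF ending) so that harmless reformatting by a relay does not break the signature.
func relaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256(body)) with the body ending in exactly one CRLF.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// sigValue is the DKIM-Signature header value; the fixed tag order lets the verifier rebuild the b=-less form.
func sigValue(d, s, h, bh, b string) string {
	return fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=%s", d, s, h, bh, b)
}

// parseTags splits a "k=v; k=v" list, the syntax shared by DKIM-Signature and the DNS key record.
func parseTags(value string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(value, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// headerDigest hashes the signed headers in h= order, then the DKIM-Signature header with b= empty.
func headerDigest(headers map[string]string, signed []string, sig string) []byte {
	h := sha256.New()
	for _, name := range signed {
		h.Write([]byte(relaxed(name, headers[strings.ToLower(name)])))
	}
	h.Write([]byte(strings.TrimSuffix(relaxed("DKIM-Signature", sig), "\r\n")))
	return h.Sum(nil)
}

// Sign adds a DKIM-Signature entry to headers (keyed by lower-cased name) covering the listed headers and the body.
func Sign(headers map[string]string, body string, key *rsa.PrivateKey, domain, selector string, signed []string) error {
	h, bh := strings.Join(signed, ":"), bodyHash(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerDigest(headers, signed, sigValue(domain, selector, h, bh, "")))
	if err != nil {
		return err
	}
	headers["dkim-signature"] = sigValue(domain, selector, h, bh, base64.StdEncoding.EncodeToString(sig))
	return nil
}

// Verify is the receiving server's check: key from DNS (here an in-memory zone, name -> TXT), body hash, then signature.
func Verify(headers map[string]string, body string, zone map[string]string) error {
	tags := parseTags(headers["dkim-signature"])
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("no signature, or body altered after signing")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(zone[tags["s"]+"._domainkey."+tags["d"]])["p"])
	pub, err := x509.ParsePKIXPublicKey(der) // fails when DNS holds no key record for this selector
	if err != nil {
		return fmt.Errorf("no usable key at %s._domainkey.%s: %v", tags["s"], tags["d"], err)
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	digest := headerDigest(headers, strings.Split(tags["h"], ":"), sigValue(tags["d"], tags["s"], tags["h"], tags["bh"], ""))
	if rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest, sig) != nil {
		return fmt.Errorf("signature invalid: a signed header was altered or the key does not match")
	}
	return nil
}

// RoundTrip generates a key, publishes its public half to a constructed zone, signs a constructed
// message, and reports whether it verifies before and after its Subject is rewritten in transit.
func RoundTrip() (originalOK, tamperedOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // only the public key goes into DNS
	zone := map[string]string{"sel1._domainkey.example.com.au": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	headers := map[string]string{"from": "accounts@example.com.au", "to": "client@example.net", "subject": "Invoice 1042"}
	body := "Please find the invoice attached.\r\n"
	if err = Sign(headers, body, key, "example.com.au", "sel1", []string{"from", "to", "subject"}); err != nil {
		return false, false, err
	}
	originalOK = Verify(headers, body, zone) == nil
	headers["subject"] = "Invoice 1042 - updated bank details" // what an in-transit edit looks like
	return originalOK, Verify(headers, body, zone) == nil, nil
}

func main() {
	ok, tampered, err := RoundTrip()
	fmt.Println("untouched verifies:", ok, "| tampered verifies:", tampered, "| err:", err)
}
```

The TXT value built in RoundTrip is the same shape as the "raw DKIM record" the hosting console asks you to paste in the steps below: the record name is the selector plus "_domainkey" under your domain, and the p= tag is the public key. Because only the public key is published, a receiving server can check signatures but cannot create them, which is what makes a forged message from another server detectable.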

DIY, or just not sure it's for you?

Below are the DIY step-by-step instructions for our domain and Google G Suite clients. If your domain is not with us, or you need assistance, consult your IT specialist, domain registration agent or the AHBC.

AHBC Domain Hosting Configuration

This section only applies to domains registered and hosted with the Adelaide Hills Business Centre.

The SPF and DKIM records can be enabled automatically via your "Hosting Manager" (Part 1 below) or entered manually via the Account Manager (Part 2 below).

If you are using the Google G Suite, go to Part 2.

Part 1 - Set SPF and DKIM data

  1. Log in to your Hosting Manager.

  2. Under Email, click "Authentication".

  3. If you use the Email Hosting, WordPress Hosting or Web Hosting (Linux) services (your name servers are ns1.syrahost.com and ns2.syrahost.com):

    1. Scroll down to the SPF section and click Enable. This will automatically add your SPF record.

    2. Scroll down to the DKIM section and click Enable. This will automatically add your DKIM record.

    3. That's all. End here.

  4. If you use the Premium DNS service under your Account Manager (your name servers are ns1.dnspackage.com and ns2.dnspackage.com):

    1. Scroll down to the SPF section and copy the data under "Your current raw SPF record". It may look like this: "v=spf1 +a +mx include:_spf.syrahost.com ~all"

    2. Scroll down to the DKIM section and copy the data under "Your current raw DKIM record".

    3. Follow Part 2.

Part 2 - Manually Updating DNS Records at the Domain Level DNS

  1. Log in to your Account Manager.

  2. Click on "Domains" from the menu bar at the top of the screen.

  3. Click on the domain name you wish to update. If you have only one domain, you will be taken straight to the domain management page.

  4. Scroll down to the DNS Settings – Premium section, click the menu icon on the right and select Add Record from the drop-down menu. (You must have the paid Premium DNS service in place to complete this process.)

  5. Select TXT Record from the drop-down menu (3 bars) and click "Add".

  6. Enter the raw SPF record in the Text Record field. Leave the subdomain field blank.

  7. Click "+Add TXT Record"

  8. Enter the raw DKIM record in the Text Record field. Leave the subdomain field blank.

  9. Click "Update".

Additional Protection Option

You may also want to consider "Email Protection" at a hosting level at the AHBC domain console.

It provides the following:

  • Anti-spam defence

  • Anti-virus defence

  • Anti-spoofing defence

  • Anti-phishing defence

  • Increased Security

  • Ease of Use

  • Anti-spyware (Attachments)

  • Dual Layer Virus Blocking

  • Decompression of Archives

  • Blocking

Google G Suite

  1. Log in to your Account Manager.

  2. Click on "Domains" from the menu bar at the top of the screen.

  3. Click on the domain name you wish to update. If you have only one domain, you will be taken straight to the domain management page.

  4. Scroll down to the DNS Settings – Premium section, click the menu icon on the right and select Add Record from the drop-down menu. (You must have the paid Premium DNS service in place to complete this process.)

  5. Select TXT Record from the drop-down menu (3 bars) and click "Add".

  6. Enter the raw SPF record as "v=spf1 include:_spf.google.com ~all" without quote marks in the Text Record field. Leave the subdomain field blank.

  7. Click "Update".

  8. Visit the Google support page on DKIM signing. This page will prompt you to access your Google G Suite admin console and GMAIL App settings to obtain the DKIM message for your domain mail hosting service. Follow the instructions and copy the DKIM message.

  9. Return to your Domain console page.

  10. Once again select TXT Record from the DNS drop-down menu (3 bars) and click "Add".

  11. Enter the raw DKIM record in the Text Record field. Leave the subdomain field blank.

  12. Click "Update".