Tag: SPF

DNS DNS records

What is the purpose of the DMARC record?

If you don’t feel like reading the 70+ pages of RFC 7489, but still you want to know more about DMARC, you came to the right place! I will simplify it for you and explain to you DMARC and the DMARC record in less than a few minutes!

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism that an organization can use to define domain-level policies and preferences regarding email handling. For example, message validation, disposition, receiving, and reporting.

The companies require a method of authentication of the domain names of the messages (emails) that they are receiving. They need to have rules and procedures based on the values that the emails and domain names can provide. Thanks to that, the receivers can check the messages and provide valuable feedback to the domain’s owner about the way its domain is used. The owner can see if there was any abuse of its domain.

DMARC uses two factors to set policies:

SPF (Sender Policy Framework) record. It is another email validation mechanism that offers to report. Using it, you can define who can send emails on the domain name’s behalf.

DKIM (DomainKeys Identified Mail) record. DKIM is a method of email encryption and authentication of the sender of the email, using the domain name. The receiver could use it and validate that an email comes from the right domain name.

The purpose of DMARC is to reduce phishing attacks, reduce spoofing attacks, and provide better security for email communication. In general, having DMARC will ensure the delivery of your emails and stop other people from abusively use your domain name for attacks.

What is the DMARC record?

The DMARC record is a DNS TXT record that sets the policies about the domain name based on the SPF record, DKIM record, and other parameters. It sets behaviors that the receivers of the emails, sent by a particular domain, should have.

The purpose of the DMARC record is to allow you, as the domain administrator, to set up the policies regarding the handling of the emails coming from your domain name.

The tags that the DMARC record uses are:

Adkim – behavior based on the DKIM record.

Aspf – behavior based on the DKIM record.

Fo – Fail option. Defines what a server should do in case of failure.

P – Policy. Indicates the policies that the receiver should apply.

Pct – Percentage. To what amount of emails should the policy be applied.

Rf – Report format. Defines the type.

Ri – Report interval. Demands reports after the specified time.

Rua – Return feedback (aggregate). Indicates where the report should be sent.

Ruf – Return feedback (mail specific). Indicates where the report should be sent.

Sp – Subdomain policies. If you want to indicate different policies for the subdomains than those for the domain name, you need to use this one.

V – just a simple version indicator. Currently, it should be DMARC1 because there is still no DMARC2 or more.

Conclusion.

So, knowing what DMARC record is, it is now time to implement it. Each additional layer of security keeps you safer—fewer problems and easier to manage. Ensure a secure exchange of emails, outgoing and incoming, with the power of DMARC!

DNS DNS records

​TXT record – What is it and why do you need it?

If you are searching for the TXT record, you are probably interested in email security and all the methods of authentication and validation of a domain. So, Let’s not waste any more time and see what the TXT record type is all about!

​What is the TXT record?

The TXT record is a type of DNS resource record and serves to associate data with the domain. The data could be a human-readable text, or it could be different information about servers and networks that could be read by machines only.

Usually, DNS administrators create various TXT records to ensure the proper functionality of the email servers. That way, the emails that are sent could be verified, and their origin could be authenticated.

The TXT records can be hosted as most of the other DNS records inside a Forward DNS zone. You can host multiple TXT records for different purposes, which won’t create problems between them.

You can see the TXT record first mentioned and read more about it in the RFC 1035 by the creator of the DNS – P Mockapetris.

​Why do you need a TXT record?

The current uses of TXT records are the following:

  • Ownership verification. It is one of the easiest ways to prove that you are the owner of a particular domain. Many services ask you to add a TXT record to the domain name. If you are the administrator, you could be able to do it. If you are not, this will be impossible.
  • Sender Policy Framework (SPF). This is a mechanism for verification of the sender and reporting. It could lower the SPAM.
  • DomainKeys Identified Mail (DKIM). This is an encryption method that prevents email spoofing. It uses public and private keys and keeps the keys inside TXT records.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC). It uses a combination of the previous two, the SPF and DKIM, and creates behavior policies. It boosts security.
  • Zero-configuration networking DNS-based service discovery. It is used for fast network configuration.

​How to check your TXT records?

You can see all the TXT records for a hostname/domain name by performing a DNS lookup.

​On Linux

Open the Terminal and use the dig command to perform a TXT DNS lookup:

dig hostname/domain name TXTs

You need to change “hostname/domain name” with the one you want to see.

​On Windows

Open the Command Prompt and type the following command:

nslookup -type=txt hostname/domain name

​On macOS

Open the Terminal, and use the nslookup command to see the TXT record:

nslookup -type=txt hostname/domain name

​Inside any browser

You can also use any browser, including your mobile phone’s one, and use an online utility for TXT lookup.

You can try Mxtoolbox.

Open it, write the hostname/domain name, and press TXT Lookup.

​Conclusion.

Now you know that the TXT records could hold different information about the domain name. It is mostly a tool for domain authentication, but also it can be used to show that somebody has access to a domain and the right to modify its DNS records. It is often the case that big cloud providers require you to put a TXT record for your domain so that you can use their services with that domain name.

DNS DNS records

How To Use SPF To Protect Your Domain reputation.

The reputation of your business (domain) is an essential asset you must protect at all costs. It means a lot for your clients: trustability and reliability. These are strong triggers for them to pick you or to choose your competitors.

Crime techniques used on the Internet to cheat users get multiplied, and we must be very aware. In some cases, they use your positive domain reputation to defraud your own clients. 

​What is SPF?

The sender policy framework or SPF is a system for validating the legitimacy of an e-mail server. It’s a helpful and efficient system to avoid spoofing and to enhance e-mail servers’ reliability.

Having SPF, you can authorize the only e-mail servers that can send messages on behalf of your domain. 

​What is an SPF record?

To enable SPF, you have to add an SPF record for your domain name. An SPF record is a DNS record from the TXT DNS type. It holds the necessary information that allows verifying which e-mail servers are truly authorized to send messages from the name of your domain name.

Once the SPF record provides that information, the e-mail server can be verified, validated, or not.

Using the SPF record, specifically its qualifiers and mechanisms, you or your administrator can establish rules, as strict as you decide, to verify. 

DNS SPF mechanisms:

  • “include” allows adding more domains (like example.com to example.net) for sending e-mails from the mail servers of the domain where the SPF record is hosted.
  • “all”, all mechanisms after it are to be ignored.
  • “a”, if you pick A, it means the A or AAAA records have to match with the return path for e-mails to be allowed.
  • “ptr”, picking this means the PTR query has to be performed and to match the return path. Only if there’s a match, there’s allowance.
  • “mx”, picking this means an MX query has to be performed and to match the return path. Only if there’s a match, there’s allowance.
  • “exists”, used for complex queries.
  • “ip4”, checks A records exclusively to verify whether addresses correspond to the domain or not.
  • “ip6”, checks AAAA records exclusively to verify whether addresses correspond to the domain or not.

DNS SPF qualifiers:

  • “+” means PASS. Therefore, messages from the domain should be accepted. 
  • “-” means FAIL. Messages from the domain must be rejected.
  • “~” means SOFT TAIL. Messages from the domain should get a failed tag, but they can be allowed.
  • “?” means NEUTRAL. No policies are involved.

​How to use it to protect your domain reputation?

By enabling SPF, you will stop bad actors from sending e-mails from your domain. 

Your clients won’t receive malicious messages from your domain name, and you will avoid complaints and anger from them.

To prevent dangerous phishing is not minor. To be pointed as malicious, risky, or to be accused of stealing sensitive clients’ data can totally sink your domain’s reputation. 

Ensure that your legit messages successfully reach your clients and providers. 

You can plan the best promotions or punctually order new supplies. But if your messages can’t reach your clients or providers, results won’t be positive. This can happen because your e-mails go directly to the SPAM folder. If there’s no way to verify that your messages are legit, they can be discarded for security. 

Conclusion.

SPF is a great alley to protect your domain reputation. Avoid the risk of losing trustability, clients, or getting banned. Enable SPF!