Email Security: DKIM, SPF, and DMARC

  • SPF – the IP addresses and hosts allowed to send mail for the domain (published as a DNS TXT record)
  • DKIM – the public key a receiver uses to verify the signature the sending server adds to each message
  • DMARC – what a receiver should do with mail that fails SPF/DKIM alignment, and where to send reports about it

You can have multiple DKIM records for different senders (one per selector), but the DMARC policy applies to the entire domain. A domain must publish exactly one SPF record: third-party senders are added to it with include: mechanisms rather than as extra records, because a domain with more than one SPF record fails the check with a permerror.

SPF

  •  An SPF record starts with v=spf1, lists the authorized sources (ip4:, ip6:, include:, a, mx) and ends with an all mechanism whose qualifier decides what happens to everything else. -all tells the receiving server that sources not listed in the record are not authorized to send mail for the domain: the SPF result is fail and such mail may be rejected.
    • Alternative qualifiers are ~all (softfail), which says mail from unlisted sources should still be accepted but treated as suspicious or spam, ?all (neutral), which makes no assertion either way, and, less commonly, +all, which signifies that any server can send mail on behalf of your domain and so gives no protection at all.
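As an added example, not code from the original post, here is a small SPF evaluator in Python that shows what the all qualifier does once the listed mechanisms have been tried. The TXT records, domain names and IP addresses are constructed for the demo and stand in for real DNS lookups; the evaluator covers the ip4, ip6, include and all mechanisms only (a, mx, exists and redirect are left out).

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption for this
# example; a real checker resolves these with DNS queries).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "lax.example": "v=spf1 +all",
    "broken.example": "v=spf1 include:missing.example -all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=DNS_TXT, depth=0):
    """Evaluate `domain`'s SPF record against the connecting address `ip`.

    Handles the ip4, ip6, include and all mechanisms. Returns one of pass,
    fail, softfail, neutral, none or permerror, as defined in RFC 7208.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                    # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, ip, txt, depth + 1)
            if inner == "pass":          # include matches only on an inner pass
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # RFC 7208 section 5.2
        elif name == "all":
            return QUALIFIERS[qualifier] # what happens to every unlisted source
        else:
            return "permerror"           # unsupported or malformed term
    return "neutral"                     # ran off the end without an 'all'


if __name__ == "__main__":
    for src in ("192.0.2.77", "203.0.113.10", "198.51.100.5", "2001:db8::1"):
        print(src, "->", check_spf("example.com", src))
```

The include: line is why combining senders into one record works: the included record contributes only a pass, so its own ~all never leaks into the outer result, and the outer -all still decides what happens to an address neither record lists.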

DMARC

  • v=DMARC1 indicates that this TXT record contains a DMARC policy and should be interpreted as such by email servers.
  • p=quarantine indicates that email servers should “quarantine” mail that fails DMARC, that is, mail that fails both aligned SPF and aligned DKIM, typically by delivering it to spam. Other possible settings are p=none, which lets failing mail through unchanged (monitoring only; reports are still sent) and p=reject, which instructs email servers to block failing mail.
  • adkim=s means that DKIM alignment is “strict”: the d= domain in the DKIM signature must exactly match the domain in the From header. Changing the s to an r, like adkim=r, makes it “relaxed”, which also accepts a subdomain of the same organizational domain (mail.example.com signing for example.com).
  • aspf=s is the same as adkim=s, but compares the domain SPF authenticated (the envelope MAIL FROM domain) with the From header domain.
  • Note that aspf and adkim are optional and default to relaxed. The p= tag is required and is what indicates what email servers should do with mail that fails SPF and DKIM; rua= gives the mailto: address aggregate reports are sent to.

Reading reports:

The “policy_evaluated” section of a DMARC aggregate report gives the DMARC outcome for the message. It includes the “disposition” (what action the receiver took based on the DMARC policy) and the aligned DKIM and SPF results, i.e. whether each check passed for a domain that aligns with the From header.

The “auth_results” section gives the raw results of the individual authentication checks the receiver performed: the DKIM and SPF results together with the domain each check was run against, and for DKIM the selector used.

When the “policy_evaluated” section indicates that SPF failed but the “auth_results” section indicates that SPF passed, the message failed aligned SPF: the SPF check passed for the envelope sender (MAIL FROM) domain recorded in auth_results, but that domain does not align with the domain in the From header, so the pass does not count for DMARC.

This is common with forwarding and mailing lists. The forwarder re-sends the message with its own envelope sender, its IP passes SPF for that domain, but that domain is not the From domain. DMARC is evaluated once, by the final receiver, against the From header domain; it does not check every hop. The message still passes DMARC if an aligned DKIM signature survived the forwarding, because DMARC requires either aligned SPF or aligned DKIM to pass, not both. If the forwarder modified the body or headers and broke the signature, both aligned checks fail and the p= policy applies.
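As an added example, not part of the original post, the following Python script ties the DMARC record tags above to the two report sections just described: it parses a DMARC record, then for each record in an aggregate report recomputes aligned SPF and DKIM from auth_results and compares the result with the receiver's policy_evaluated block. The DMARC record, the report XML, the domains and the IP address are all constructed for the demo (both records are messages relayed through a hypothetical forwarder.example), and the organizational-domain check is approximated as the last two labels rather than using the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC record for example.com (assumption for this example).
DMARC_TXT = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed aggregate (rua) report, trimmed to the elements discussed above.
# In both records SPF passes for the forwarder's envelope domain, which is not
# the From header domain; only the DKIM signing domain differs between them.
REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>s</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>1</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag dict, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment when omitted
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def org_domain(name):
    # Organizational domain approximated as the last two labels; real receivers
    # use the Public Suffix List (simplification so the example runs offline).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record, policy):
    """Recompute one <record>'s DMARC result from auth_results and compare it
    with the receiver's policy_evaluated block."""
    header_from = record.findtext("identifiers/header_from")
    raw = {kind: [(r.findtext("domain"), r.findtext("result"))
                  for r in record.findall("auth_results/" + kind)]
           for kind in ("spf", "dkim")}
    mode = {"spf": policy["aspf"], "dkim": policy["adkim"]}
    passed = {kind: any(result == "pass" and aligned(domain, header_from, mode[kind])
                        for domain, result in raw[kind])
              for kind in ("spf", "dkim")}
    computed = {
        "spf": "pass" if passed["spf"] else "fail",
        "dkim": "pass" if passed["dkim"] else "fail",
        # DMARC passes when either aligned check passes; only a message failing
        # both gets the published p= disposition.
        "disposition": "none" if passed["spf"] or passed["dkim"] else policy["p"],
    }
    reported = {k: record.findtext("row/policy_evaluated/" + k) for k in computed}
    return {"source_ip": record.findtext("row/source_ip"), "header_from": header_from,
            "auth_results": raw, "computed": computed, "reported": reported,
            "consistent": computed == reported}


def analyse_report(xml_text=REPORT_XML, dmarc_txt=DMARC_TXT):
    policy = parse_dmarc_record(dmarc_txt)
    return [evaluate(rec, policy) for rec in ET.fromstring(xml_text).findall("record")]


if __name__ == "__main__":
    for row in analyse_report():
        print(row["source_ip"], row["header_from"], row["auth_results"],
              "computed:", row["computed"], "reported:", row["reported"])
```

Running it shows both records with a raw SPF pass for forwarder.example and an aligned SPF fail. The first record still gets disposition none because the example.com DKIM signature aligns; the second is quarantined because mail.example.com does not satisfy adkim=s. Re-running with adkim=r turns the second record into a pass, which is the kind of change reading reports is meant to motivate.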

Helpful links

  • https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/
  • https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/
  • https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/
Updated 2023-03-23
