Mail Domain Settings for DMARC, DKIM and SPF to Prevent Spoofing Attacks

This document explains the DNS records which should be added to mail domains to protect them from spoofing attacks.

DMARC

DMARC lets a domain publish a policy requesting how systems receiving mail should treat messages that fail both DKIM and SPF tests.  Receiving systems also send aggregate delivery reports to the addresses given in the record, and the university uses a service provided by the National Cyber Security Centre to process these reports.

Example DMARC Quarantine Policy DNS Record for mydomain.ed.ac.uk

_dmarc.mydomain.ed.ac.uk.     IN      TXT     "v=DMARC1;p=quarantine;rua=mailto:dmarc-rua@dmarc.service.gov.uk;ruf=mailto:dmarc@ed.ac.uk;fo=1;pct=100;rf=afrf"

DKIM

The university's mail infrastructure DKIM-signs most of the mail sent from the university.  The DKIM DNS record holds the public key which receiving systems use to validate these signatures.  IS ITI Enterprise Services will either maintain these records on your behalf or let you know what you will need to publish.

SPF

IS ITI Enterprise Services maintain the list of IP addresses of the mail relays which send mail from the university to the public internet in the SPF TXT record at _spf.ed.ac.uk.  This record should be included in the SPF TXT record for each domain sending mail.  Our policy is not to include any third-party IP addresses in this record, and you should be aware of the risks of adding third-party addresses to the SPF records for your own mail domains.  Contact IS ITI Enterprise Services for advice on this.

Example SPF DNS Record for mydomain.ed.ac.uk

mydomain.ed.ac.uk.             IN      TXT     "v=spf1 include:_spf.ed.ac.uk -all"

Deprecated Mail Domains

When you no longer wish to support mail being sent from a domain you should set null records in the DNS.

Example DMARC, DKIM and SPF Null Records for mydomain.ed.ac.uk

_dmarc.mydomain.ed.ac.uk.        IN   TXT   "v=DMARC1; p=reject; rua=mailto:dmarc-rua@dmarc.service.gov.uk,mailto:dmarc@ed.ac.uk"

mydomain.ed.ac.uk.               IN   TXT   "v=spf1 -all"

*._domainkey.mydomain.ed.ac.uk.   IN   TXT   "v=DKIM1; p="
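
The record patterns above can be checked before a zone change is published. The following is an added example, not part of the original page or the university's tooling: it parses zone lines in the format shown here and reports where a domain departs from the active or deprecated pattern. The sample zone, the name olddomain.ed.ac.uk, the function names, and the acceptance of either quarantine or reject for an active domain are assumptions.

```python
import re

# Constructed zone lines in the page's format; olddomain.ed.ac.uk is a hypothetical retired domain.
ZONE = '''
_dmarc.mydomain.ed.ac.uk. IN TXT "v=DMARC1;p=quarantine;rua=mailto:dmarc-rua@dmarc.service.gov.uk;pct=100"
mydomain.ed.ac.uk. IN TXT "v=spf1 include:_spf.ed.ac.uk -all"
_dmarc.olddomain.ed.ac.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-rua@dmarc.service.gov.uk"
olddomain.ed.ac.uk. IN TXT "v=spf1 -all"
*._domainkey.olddomain.ed.ac.uk. IN TXT "v=DKIM1; p="
'''

def parse_zone(text):
    """Map each owner name (trailing dot removed) to its list of TXT strings."""
    records = {}
    for m in re.finditer(r'^(\S+?)\.?\s+IN\s+TXT\s+"([^"]*)"', text, re.M):
        records.setdefault(m.group(1).lower(), []).append(m.group(2))
    return records

def tags(value):
    """Split a DMARC or DKIM record into its tag=value pairs."""
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}

def audit(records, domain, deprecated=False):
    """Return a list of problems; an empty list means the records follow the page's pattern."""
    problems = []
    spf = [t for t in (v.lower().split() for v in records.get(domain, [])) if t[:1] == ["v=spf1"]]
    if len(spf) != 1:  # several SPF records make receivers return permerror
        problems.append("need exactly one SPF record")
    else:
        terms = spf[0][1:]
        if terms[-1:] != ["-all"]:
            problems.append("SPF must end in -all")
        if deprecated and terms != ["-all"]:
            problems.append("deprecated domain must authorise no senders")
        if not deprecated and "include:_spf.ed.ac.uk" not in terms:
            problems.append("SPF must include _spf.ed.ac.uk")
    dmarc = [t for t in map(tags, records.get("_dmarc." + domain, [])) if t.get("v") == "DMARC1"]
    wanted = {"reject"} if deprecated else {"quarantine", "reject"}  # assumption for active domains
    if len(dmarc) != 1 or dmarc[0].get("p") not in wanted:
        problems.append("DMARC p= must be " + " or ".join(sorted(wanted)))
    elif "rua" not in dmarc[0]:
        problems.append("DMARC record has no rua reporting address")
    if deprecated:  # an empty p= tells receivers the key is revoked
        dkim = [tags(v) for v in records.get("*._domainkey." + domain, [])]
        if not any(d.get("v") == "DKIM1" and d.get("p") == "" for d in dkim):
            problems.append("missing wildcard DKIM record with empty p=")
    return problems
```

Calling audit(parse_zone(ZONE), "olddomain.ed.ac.uk", deprecated=True) returns an empty list for the sample zone; a softfail (~all) SPF record or a p=none DMARC policy is reported as a problem.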

 

Getting assistance

The Enterprise Unix Services team within Information Services can give assistance on configuring mail domains to correctly send and receive email.

IS ITI Enterprise Services (Unix) Section

Unidesk: IS ITI Enterprise Unix

Contact details