I need to add and configure SPF, DKIM and DMARC records for my domain on the atmail cloud.
- atmail cloud EU
- atmail cloud US
- atmail cloud US-EAST
Requirement for SPF / DKIM / DMARC implementation.
SPF records denote the IP addresses or hosts that mail for a domain may be sent from.
The syntax for adding atmailcloud to your domain's DNS as a TXT record is as follows:
v=spf1 include:_spf.atmailcloud.com -all
The above SPF record includes the contents of the SPF record found at _spf.atmailcloud.com, which atmail controls and can update when server IPs change. It is a blanket record that includes SPF records for both our Europe and USA cloud environments.
The following can also be used, depending on your cloud's location. This is the preferred method of implementing SPF, as DNS lookups for SPF checks are limited to 10 as per RFC 7208 section 4.6.4.
v=spf1 include:eu-spf.atmailcloud.com -all
v=spf1 include:us-spf.atmailcloud.com -all
v=spf1 include:spf.us-east.atmailcloud.com -all
Please note that you have the option of defining a softfail or a hardfail:
~ = softfail: Mail shouldn't be sent from here, but still accept it
- = hardfail: Mail shouldn't be sent from here, drop it
The example SPF record above uses a hardfail, which tells receiving MTAs to drop the mail unless it is sent from the atmailcloud. Implementation of these entries will depend on how you manage your DNS records.
Implementation of DKIM records works as follows:
- Contact firstname.lastname@example.org and advise which domain/s you wish to have DKIM enabled for.
- atmail will then create relevant keys for each domain.
- You will then need to publish these keys in your domain's DNS records. Implementation of this will depend on how you manage your DNS records. Once this is done, please advise support accordingly.
- atmail will then confirm these records and begin signing outgoing mail.
DMARC is a policy that defines how receiving MTAs should handle mail based on the results of SPF and DKIM checks for a domain. Reports from receiving MTAs are generated based on the domain's policy and are sent to an email address defined within the DMARC TXT entry.
In general, DMARC can be implemented as a TXT record; however, this may differ depending on how you manage your DNS.
_dmarc IN TXT "dmarc specific text"
The policy used by DMARC should be defined by the domain administrator. For your convenience, please find the below example, explanation and supporting documentation to assist you in your own policy definitions.
_dmarc IN TXT "v=DMARC1; p=quarantine; adkim=s; aspf=s; fo=1; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org"
v=DMARC1: version of DMARC.
p=quarantine: defined policy for the receiving MTA on how to handle failed SPF and DKIM. The example above uses quarantine, which is defined as:
Advises the receiving MTA to treat any email that fails any DKIM and/or SPF checks as suspicious and perform additional checks or mark the mail as suspected SPAM or whatever local policy is in operation.
adkim=s: Treats DKIM failures as strict, as opposed to adkim=r, which is relaxed.
aspf=s: Treats SPF failures as strict, as opposed to aspf=r, which is relaxed.
fo=1: Generate report to the sending MTA if any underlying check failed. Thus, if only DKIM is used to secure mail and the DKIM check fails a report will be sent, if only SPF is used to secure mail and the SPF check fails a report will be sent. However, if both DKIM and SPF are used and, say, the SPF check fails but the DKIM check passes a report WILL be sent.
rua=mailto:email@example.com: A comma delimited list of URI(s) to which aggregate mail reports should be sent
ruf=mailto:firstname.lastname@example.org: A comma delimited list of URI(s) to which detailed failure reports should be sent
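A pre-publication check for a DMARC TXT value built from the tags explained above. This is an added example, not atmail's code; the function name and the sample records are constructed for illustration, and the check assumes report URIs use mailto: only.

```python
import re

# Allowed values for the tags explained above (per RFC 7489).
ALLOWED = {"p": {"none", "quarantine", "reject"},
           "adkim": {"r", "s"}, "aspf": {"r", "s"}}
FO_OPTIONS = {"0", "1", "d", "s"}
# Assumption of this sketch: only mailto: report URIs are accepted.
MAILTO = re.compile(r"^mailto:[^@\s,;!]+@[^@\s,;!]+(![0-9]+[kmgt]?)?$", re.I)

# Constructed sample records (not real domains or mailboxes).
GOOD = "v=DMARC1; p=quarantine; adkim=s; aspf=s; fo=1; rua=mailto:agg@example.com"
COMMA = "v=DMARC1; p=quarantine; adkim=s, aspf=s, fo=1; rua=mailto:agg@example.com"


def check_dmarc(txt):
    """Return a list of problems found in a DMARC TXT value (empty = OK)."""
    problems, tags = [], {}
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    for i, part in enumerate(p for p in parts if p):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part!r}")
            continue
        if i == 0 and (name, value) != ("v", "DMARC1"):
            problems.append("record must start with v=DMARC1")
        if name in tags:
            problems.append(f"duplicate tag: {name}")
        tags[name] = value
        if name in ALLOWED and value.lower() not in ALLOWED[name]:
            # A comma typed instead of ';' between tags is caught here:
            # the following tags are swallowed into this tag's value.
            problems.append(f"invalid {name} value: {value!r}")
        elif name == "fo":
            if any(o.strip().lower() not in FO_OPTIONS for o in value.split(":")):
                problems.append(f"invalid fo value: {value!r}")
        elif name in ("rua", "ruf"):
            # Commas are legitimate only here, between report URIs.
            for uri in value.split(","):
                if not MAILTO.match(uri.strip()):
                    problems.append(f"invalid {name} URI: {uri.strip()!r}")
    if "p" not in tags:
        problems.append("missing required p= tag")
    return problems


if __name__ == "__main__":
    for record in (GOOD, COMMA):
        print(record, "->", check_dmarc(record) or "OK")
```

Tags must be separated by semicolons; a record that separates them with commas is read by receivers as one oversized adkim value, so the aspf and fo settings are never applied.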