Setting up SPF and DKIM

I'm trying to set up DKIM and SPF for a vendor to be able to send email on behalf of one of our domains. We do use a 3rd party (McAfee, formerly MXLogic) to scan all our incoming and outgoing email. I do have a ticket in to them but I'm trying to understand the process a little better:

SPF lists authorized domains/IPs that can send emails on behalf of a domain
DKIM adds a signature key to each email that is verified by the receiving server

My questions are:
When I ask my DNS provider to add these and they are all set up, does my vendor need to send emails that are on our behalf through McAfee, or are they connecting to each recipient's servers?

For DKIM, how does the recipient server know to check for a signature key in the email?

I do have the DKIM key and value that our vendor gave me. I'm guessing I just add this to our DNS?

Creating an SPF record, I am getting a little confused. I have been to several websites and I'm thinking it goes something like this:

v=spf1 mx ip4:[corpIP] ~all

I'm confused on two things with SPF:

1. ip4:[corpIP]: I'm not sure if this is the sending IP or something else. If it's the sending IP and I'm using a 3rd party, they may have multiple IPs going out. If so, I'm not sure how to add more IPs.
2. For each domain I want to add to be able to send emails, am I just adding another entry?

Dave Baldwin (Fixer of Problems) commented:
msidnam (Author) commented:
I was trying to use that earlier but when I hit Next after putting in the info it wouldn't go to the next screen. I tried with a couple of different browsers.
Dave Baldwin (Fixer of Problems) commented:
Where did it stop?  Did it show an error message?
msidnam (Author) commented:
After checking the boxes in the second screen and adding an additional domain, I hit Next and nothing happens.

I just tried it with Chrome and it works. However, it gave me a totally different answer than what I've seen on other sites. It shows a lot of mx: and mx instead of A and include:
Dave Baldwin (Fixer of Problems) commented:
That may be because you have 'mx's that are not on your domain.  When I added one of my domains on another host, it showed a 'ptr' record.  Note that the last category, Outsourced Domains, refers to other domains that have SPF records.

I use DNSDataView to see what I have set up already.
msidnam (Author) commented:
We do have MX that are not in our domain. We use McAfee to scan all incoming and outgoing emails. When you look up our MX record it will show something like:

So far I've seen a few ways to add the SPF and I'm not sure which one to use:

v=spf1 ptr ~all

v=spf1 a ptr mx ip4: -all (the ip4: is an IP that was in the example)

v=spf1 mx ~all

I'm lost as to which one to use and also what to do for DKIM
Dave Baldwin (Fixer of Problems) commented:
I suggest you click on "Request Attention" above, you've used up all that I know.
Daniel McAllister (President, IT4SOHO, LLC) commented:
OK, let's get two things straight:
 1) Allowing other hosts to send for your domain is EASY with SPF -- it's just some DNS entries and voila! I'll point out how below...
 2) Allowing other hosts to send for your domain isn't hard with DKIM, it's nigh-on IMPOSSIBLE! For one, you'd have to teach the sending domain how to sign the messages... with YOUR key -- which means sending them (the other mail server) your private key... but they'll have to have the ability to send ONLY YOUR domain with that key!

So, to begin with, let's just DROP the idea of using DKIM for now...

As for SPF, let's understand that it is nothing more than a DNS listing of WHAT HOSTS are permitted to send mail from your domain. If you're using a smart-host mail filter (like McAfee), then they'll provide you with the necessary entries. (in the case of McAfee that string will be:

Now, you said you use MXLogic (McAfee) to scan both inbound AND outbound mail... that makes things EASY -- you shouldn't be allowing anyone BUT MXLogic to send mail from your domain!

If that is the case, your SPF record is simple:
"v=spf1 ~all"

Now that is just a TEST string -- you'll change the ~all to a -all when you've finished testing and want the SPF checks to be enforced.

You DO NOT want to include A records, or even MX records in your SPF string, because you're letting MXLogic handle everything.... but that also means that you cannot send mail DIRECTLY from your mail server either... which may or may not be what you want.
(If not, be more clear about how you want LEGITIMATE mail flow to come from your domain, and I'll be happy to write the SPF string for you).


Now, let's go back to DKIM -- because you're letting MXLogic send (as well as receive) mail for you... and because MXLogic is (for now, I'm assuming) the ONLY place you'll send mail from, then it IS POSSIBLE to implement DKIM -- but you'll actually be implementing MXLogic's DKIM encryption key.

So, it is possible that they gave you their DKIM decryption key -- which is also just published in your DNS -- and again, with a TXT record.

Let's assume they sent you a DKIM entry that looks like:
"k=rsa; t=s:y; p=MII....."

All you have to do is add that whole entry to your DNS -- the ENCRYPTING of your mail HAS to be done at their end (they're the only ones with that part of the key).

So, I hope I've helped explain some things...
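An added example, not from this thread or from McAfee/Marketo, of how a receiving server evaluates an SPF record like the one quoted in the question: the first matching mechanism decides, and its qualifier (+, -, ~, ?) becomes the result. A constructed in-memory table stands in for DNS; every domain name and address in it is an assumed placeholder.

```python
import ipaddress

# Constructed DNS data standing in for real lookups; every name and address
# here is an assumed placeholder, not a value from the thread.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.10 include:_spf.vendor.example ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.5"],
    ("_spf.vendor.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def spf_terms(domain):
    """Return the mechanisms of the domain's SPF record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt.split()[1:]
    return None

def check_host(ip, domain, depth=0):
    """Evaluate SPF for a sending IP. Handles mx, a, ip4, ip6, include and all;
    CIDR suffixes on a/mx and the redirect= modifier are left out."""
    addr = ipaddress.ip_address(ip)
    terms = spf_terms(domain)
    if terms is None or depth > 10:        # no record, or include chain too deep
        return "none"
    for term in terms:
        qualifier = "+"                    # a mechanism with no qualifier means "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":                 # any A record of the domain's MX hosts
            matched = any(ip in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "include":            # the vendor's own record is consulted recursively
            matched = check_host(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # ran off the end with no "all" term
```

With the vendor's record ending in -all, an address outside 192.0.2.0/24 gets fail, while the domain's own ~all turns the same miss into softfail; that is the testing-versus-enforcing distinction the answer describes.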

btan (Exec Consultant) commented:
MXLogic is processing inbound mail such that your SPF and DKIM settings have no impact/consequences with it.  Your use of MXLogic prevents your server from being able to use SPF to reject messages given all messages you receive will be coming from McAfee/MXLogic which is likely not an authorized source for many of the domains.

DKIM, as IT4SOHO covered, requires that you share your private key/public key, which is not wise.  An alternative would be to provide the vendor with an account they can use to generate emails that are submitted to your server, which will sign them.

An alternative is to setup the vendor with your vendor specific DKIM.
Have to think it through. Within the DKIM information mailings by your vendor instead of, they will have a different Effectively each will have their own, but since you control your domain's DNS you can invalidate the DKIM of the vendor.
msidnam (Author) commented:
SPF looked simple enough until I asked McAfee and then went on the SPF wizard and they gave me two totally different options to put in my DNS.  Thank you for the clear explanation.

For the record, the reason for my question is our marketing department bought some software and services from a company called Marketo, and Marketo requested we add " " if we had an SPF record and if we didn't we should add "v=spf1 mx ip4:[corpIP] ~all". The "mx" and "ip4:[corpIP]" also threw me off.  They say this will help to make sure emails get to people when they do an email campaign for us.

If i create the SPF should it look like this:
 "v=spf1 ~all" ?

as for the DKIM, Marketo told us to put:
p="long encryption key"

DKIM I've never even seen until they requested it, and because I use McAfee (which also has an option for me to create a DKIM key in my web admin console, by the way) I wasn't sure what to do.

I am against adding anything to an SPF or DKIM except McAfee since I am using them as a smart host. Unfortunately our marketing dept seems to have more pull than IT these days.
Daniel McAllister (President, IT4SOHO, LLC) commented:

Ok, so let's look at these again.
 1) You use MXLogic.Net (McAfee) for all current inbound & outbound email
 2) While this was true, your SPF and even DKIM was easy

Now, however, you want to add and that'll gum up the works a bit (unless they get authorized to ALSO send through MXLogic, or unless both vendors agree to use DKIM with a selector).

Again in review:
 - SPF provides a list of IP addresses from which legitimate senders of your domain's email must (or should) be coming from.
 - DKIM digitally signs outbound mail for your domain and provides a public-key decryption in your DNS so that recipients can determine that your host(s) sent the message.

So here's why adding mktomail gums up the works:
 - You can easily add's SPF values to your own -- they even provided you with the include statement to add.
 - It's not so easy to add DKIM (but it IS possible) because to have multiple servers be valid sources of email, either they need to share DKIM encryption (secret) keys, or they need to implement a DKIM selector -- essentially to tell the recipient which key to use to decrypt.
 - The problem with selectors is that once one DKIM-enabled server starts using a descriptor, they all need to.

So, there are 2 options as far as I can see:
 1) Do the SPF alone & drop DKIM dreams. Your SPF record (again, assuming you are sending all regular mail thru MXLogic & the only other source of mail is mktomail) would be:
      TXT    "v=spf1 ~all"
(NOTE: This is exactly the string you sent in your own message)
One last thing: eventually, but still in the near-term, you want to change that ~all to a -all

  2) Do the above in SPF, but then contact MXLogic and determine whether they are already using DKIM selectors (they should be, but it can be disastrous to make assumptions!); and verify from mktomail that they are (it appears so from the example shown because of the M1 prefix they added to the DKIM public key provided).

For the record: It has been my experience that SPF helps a LOT in SPAM control, but only to a point. While it may control 20-50% of SPAM, it isn't a complete solution by any means... but it is nevertheless very useful and SHOULD be implemented.

DKIM is glitchy -- different server platforms sometimes have difficulty interacting with DKIM. So, while I recommend getting SPF in "enforcing" mode (the -all), I don't recommend the same for DKIM. That being said, even if you don't enforce it, passing a DKIM test will often prevent your messages from going into the SPAM folders in Gmail & Ymail.

Good Luck!
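An added example, not from the thread, McAfee or Marketo, of the selector mechanism this answer and btan's describe: a verifier takes d= and s= from the DKIM-Signature header, queries s._domainkey.d for the key, and reads its tags; it also shows how the domain owner invalidates a vendor's key by publishing an empty p=. The DNS names, selectors and key bodies are constructed placeholders.

```python
# Constructed DNS TXT data; names, selectors and key bodies are assumed placeholders.
DNS_TXT = {
    "m1._domainkey.example.com":  "v=DKIM1; k=rsa; t=s:y; p=MIIBIjANBgkqCONSTRUCTED",
    "mx1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqCONSTRUCTED",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",   # empty p= revokes the key
}

def parse_tags(record):
    """Split a DKIM tag=value list (';'-separated) into a dict; values may contain '='."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def key_query_name(signature_header):
    """Build the DNS name a verifier queries for a DKIM-Signature header value."""
    sig = parse_tags(signature_header)
    if not sig.get("d") or not sig.get("s"):
        return None
    return f"{sig['s']}._domainkey.{sig['d']}"

def key_status(signature_header):
    """Classify the published key: no-key, invalid-key, revoked, testing or ok."""
    name = key_query_name(signature_header)
    if name is None:
        return "invalid-signature"
    record = DNS_TXT.get(name)
    if record is None:
        return "no-key"                       # selector never published for this domain
    key = parse_tags(record)
    if "p" not in key:
        return "invalid-key"
    if key["p"] == "":
        return "revoked"                      # domain owner pulled this vendor's key
    if "y" in key.get("t", "").split(":"):    # t=y: testing mode, recipients should not enforce
        return "testing"
    return "ok"

# Constructed header values as a vendor and the smart host would emit them (b= elided)
VENDOR_SIG = "v=1; a=rsa-sha256; d=example.com; s=m1; h=from:to:subject; bh=...; b=..."
HOST_SIG = "v=1; a=rsa-sha256; d=example.com; s=mx1; h=from:to:subject; bh=...; b=..."
```

Because each sender's selector resolves to its own TXT record, the vendor and the smart host can sign with different keys without sharing a private key, and either key can be retired from your DNS alone.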
