vmich
Best scan result to set for settings in SPF, DMARC, and DKIM
We are setting up SPF, DKIM, and DMARC for our domains but just wanted to get some clarification on the best options to set for each scan result:
none, neutral, softfail, hardfail, permerror, temperror
So basically, I want to know which is the best option?
From reading, it seems that HardFail would be the way to go, but I just wanted some insight on these settings and what the best practice is for setting them up.
While configuring SPF and DMARC for the first time, to reduce the possibility of errors in the SPF and/or DMARC records blocking valid email, it can be advisable to set SPF and DMARC to soft fail and none/neutral.softfail respectively.
The best for me is this one:
http://www.appmaildev.com/en/dkim
Click next.
Send an email to the address shown and get the results.
I always use Reject and strict.
Easy peasy. :)
For testing I can recommend this:
https://www.mail-tester.com/spf-dkim-check
You can obtain a temporary address there and send it a mail; it will evaluate all of the mail.
And reject and strict after all things are working first, reliably and without hitches on SPF & DKIM.
ASKER
noci,
You said to setup SPF first with neutral and then setup DMARC with none, but shouldn't I be setting up DKIM second before DMARC and if so, what setting do I put on DKIM?
SPF is the starting point... (setting allowed senders)
DKIM is signing on all senders... (can they do that, do you know all senders...)
DMARC is reporting on... SPF & DKIM results...
SPF you can start to set up; based on what you found you can start setting up DKIM...
And in the meantime you can set up reporting handling for DMARC (also requires some DNS settings).
(You will need tools to handle the XML-formatted DMARC reports (opendmarc, f.e.).)
You may need a viewer to look into the database: dmarcts-report-viewer.php (https://github.com/beckspaced/Dmarc-Report-Viewer-Extended)
All methods work independently of each other... (DMARC does depend on either SPF or DKIM).
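As an added illustration of the "reporting handling" step (this is not code from the thread, opendmarc or the viewer linked above), here is a small summariser for a DMARC aggregate (rua) XML report: it shows per sending IP how many messages passed or failed SPF and DKIM, which is what you look at before moving the policy from none to quarantine/reject. The report is a constructed sample in the RFC 7489 layout; the IPs and domains are documentation placeholders.

```python
# Added example: summarise a DMARC aggregate (rua) report by sending IP.
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 7489 aggregate layout). Addresses and domains
# are documentation placeholders, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise(xml_text):
    """Return (published policy, rows) where rows maps source IP -> count and result sets."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    rows = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        ev = row.find("policy_evaluated")
        entry = rows.setdefault(ip, {"count": 0, "dkim": set(), "spf": set(), "disposition": set()})
        entry["count"] += int(row.findtext("count"))
        for key in ("dkim", "spf", "disposition"):
            entry[key].add(ev.findtext(key))
    return policy, rows

def unaligned_sources(rows):
    """IPs whose mail failed both DKIM and SPF every time: these are the senders a
    stricter policy (quarantine/reject) would hit, so check whether they are yours."""
    return sorted(ip for ip, e in rows.items() if e["dkim"] == {"fail"} and e["spf"] == {"fail"})

if __name__ == "__main__":
    policy, rows = summarise(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, e in rows.items():
        print(ip, e["count"], "dkim=" + ",".join(e["dkim"]), "spf=" + ",".join(e["spf"]))
    print("would be affected by a stricter policy:", unaligned_sources(rows))
```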
SPF hard fail example:
v=spf1 ip4:192.168.0.1 -all
In the above example the minus "-" in front of "all" means that any senders not listed in this SPF record should be treated as a "hardfail", i.e., they are unauthorised and emails from them should be discarded. In this case only the IP address 192.168.0.1 is authorized to send emails.
SPF soft fail example:
v=spf1 include:spf.protection.outlook.com ~all
In the above example the tilde "~" in front of "all" means that any servers not listed in this SPF record should be treated as a "softfail", i.e., mail can be allowed through but should be tagged as spam or suspicious. In this case the include:spf.protection.outlook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers.
https://postmarkapp.com/blog/explaining-spf
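To show how a receiver actually arrives at pass / fail / softfail from the two record shapes above, here is a minimal SPF evaluator (added here; not code from the thread or from the linked article). It covers the ip4/ip6 and include mechanisms and the +, -, ~ and ? qualifiers; the "DNS" is a constructed lookup table, and spf.provider.example stands in for a real include target.

```python
# Added example: minimal SPF check_host() for ip4/ip6, include and all terms.
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record. In production
# these come from real TXT queries; spf.provider.example is a placeholder.
RECORDS = {
    "hardfail.example": "v=spf1 ip4:192.168.0.1 -all",
    "softfail.example": "v=spf1 include:spf.provider.example ~all",
    "spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Qualifier prefixes and the result they produce when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, records=RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no (valid) SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        qualifier = "+"                  # mechanisms default to +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                # "all" always matches: -all / ~all decide the default
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: only counts as a match when the included record yields pass
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a, mx, exists, redirect not implemented here
    return "neutral"                     # no term matched and no "all": RFC 7208 default

if __name__ == "__main__":
    for ip, dom in [("192.168.0.1", "hardfail.example"), ("192.168.0.2", "hardfail.example"),
                    ("203.0.113.77", "softfail.example"), ("198.51.100.1", "softfail.example")]:
        print(f"{ip:>14} vs {dom}: {check_spf(ip, dom)}")
```

A softfail result still leaves the accept/reject decision to the receiver, which is the point made in the reply that follows.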
Softfail means SPF will not decide, use other means of checking whether this is HAM/SPAM.
(f.e. DKIM). And mind the SHOULD...; not all mailers implement SPF yet.
So you may still receive backscatter (mail sent to a willing listener, which then rejects the mail for a non-existent target address and "returns" the mail to you...).
Also be sure you set up your systems to verify SPF/DKIM on reception.