al4629740

Developer & Coffee Roaster

Scott Fell

<div>
These are very helpful explanations. &nbsp;So in the scenario of Office 365, would I need to just specify one TXT record that indicates the primary server from Office 365 as being authorized?<br />
<br />
Should I be implementing both SPF and DKIM all the time in any email tenant?<br />
<br />
Also, when an email domain is setup in the first place, why don't they automatically tell you to setup the SPF and DKIM records in the DNS? &nbsp;It seems like that would be a good thing to do, wouldn't it?
</div>


<div>
Configure the SPF is free, but has never been an obligation. It depends only on the DNS zone access and modification.<br>It also depends on the configuration of ~ or -. <br><br>DKIM is free with Office 365, but not all in other situations.<br>But even with Office 365, domains are not automatically configured.
</div>


<div>
Guys, thank you for nailing this. &nbsp;<br />
<br />
So...in SPF, if I am suppose to specify which IPs can send, and I have Office 365, and I have no On-Premise email server since its all online, then according to the MS instructions my SPF record would be:<br />
<br />
v=spf1 include:spf.protection.out<wbr />look.com -all<br />
<br />
Am I on the right track here?<br />
<br />
Resource: <a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide" rel="ugc">Here</a>
</div>


<div>
Yes, that is correct.<br><br>But you could also have "scan to mail", or Application servers that generate and send messages.<br>In that case, it can be necessary to add some (public) IP addresses used by these servers.
</div>


<div>
Where ever mail sends initiate for your domain, then you must setup your SPF record to include all sender's SPF include blocks.<br />
<br />
Something like this... for both GSuite + O365...<br />
<br />

<pre><code class="code-1 nolinks" id="code-20-43309430-1"><span>@              IN  TXT     &quot;v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all&quot;</span>
</code></pre>
<br />
For each service where email sends initiate, you'll include the related SPF include block.
</div>


<div>
@Scott... Thanks... I must have been reading 2x questions, as I was certain there was a mention of GSuite above... and now... searching... I find no GSuite mention.<br />
<br />
I'll leave the comment as it's correct - All sending mail systems must appear in SPF records.<br />
<br />
@al4629740, in your case, you'll only require the O365 SPF record.
</div>


<div>
Ah... I see... I had conflated/merged in @al4629740's previous question...<br />
<br />
<u><a href="https://www.experts-exchange.com/questions/29219412/Email-returned-errors.html" rel="ugc">https://www.experts-exchange.com/questions/29219412/Email-returned-errors.html</a></u> which included GSuite.
</div>


<div>
Scott is correct.<br />
<br />
Dave, the previous question you posted was a separate situation. &nbsp;Sorry for the confusion.<br />
<br />
That being said, thanks to everyone for giving me a clear explanation on this subject.
</div>


<div>
You're welcome!<br />
<br />
Just be sure to include SPF blocks for all systems initiating mail sends + you're SPF tests will pass.<br />
<br />
When in doubt, run a Port25 test to check your sending infrastructure + DNS records.
</div>


<div>
Will do. &nbsp;Thank you as always.
</div>


<div>
You're welcome!<br />
<br />
Good luck!
</div>


<div>
<div class="content wysiwyg-content fr-view">
I am trying to figure out exactly what SPF and DKIM records are used for and in what situations they need to be implemented. &nbsp;I am familiar with the fact that SPF records help prevent SPAM but how does that exactly work? &nbsp;Also what are some issues with using these records? &nbsp;What are the exact differences? &nbsp;
</div>
</div>



I am trying to figure out exactly what SPF and DKIM records are used for and in what situations they need to be implemented.  I am familiar with the fact that SPF records help prevent SPAM but how does that exactly work?  Also what are some issues with using these records?  What are the exact differences?  

Explanation of SPF and DKIM records

Within Internet message handling services (MHS), a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture. A MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol (SMTP). The terms mail server, mail exchanger, and MX host may also refer to a computer performing the MTA function. The Domain Name System (DNS) associates a mail server to a domain with mail exchanger (MX) resource records containing the domain name of a host providing MTA services.

Email Servers

Various techniques are used to prevent email spam (unsolicited bulk email). No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email (false positives) vs. not rejecting all spam (false negatives) - and the associated costs in time and effort. Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by email administrators, those that can be automated by email senders and those employed by researchers and law enforcement officials.

AntiSpam

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.