al4629740 asked:

Explanation of SPF and DKIM records

I am trying to figure out exactly what SPF and DKIM records are used for and in what situations they need to be implemented.  I am familiar with the fact that SPF records help prevent SPAM but how does that exactly work?  Also what are some issues with using these records?  What are the exact differences?  
ASKER CERTIFIED SOLUTION
Scott Fell
SOLUTION
al4629740 (ASKER)
These are very helpful explanations.  So in the scenario of Office 365, would I need to just specify one TXT record that indicates the primary server from Office 365 as being authorized?

Should I be implementing both SPF and DKIM all the time in any email tenant?

Also, when an email domain is set up in the first place, why don't they automatically tell you to set up the SPF and DKIM records in the DNS?  It seems like that would be a good thing to do, wouldn't it?
Configuring SPF is free, but it has never been an obligation. It depends only on DNS zone access and modification.
It also depends on the configuration of ~ or -.

DKIM is free with Office 365, but not always in other situations.
But even with Office 365, domains are not automatically configured.
SOLUTION
Guys, thank you for nailing this.  

So...in SPF, if I am supposed to specify which IPs can send, and I have Office 365, and I have no On-Premise email server since it's all online, then according to the MS instructions my SPF record would be:

v=spf1 include:spf.protection.outlook.com -all

Am I on the right track here?

Resource: Here
Yes, that is correct.

But you could also have "scan to mail", or Application servers that generate and send messages.
In that case, it can be necessary to add some (public) IP addresses used by these servers.
Ah good point!
Wherever mail sends initiate for your domain, you must set up your SPF record to include all senders' SPF include blocks.

Something like this... for both GSuite + O365...

@              IN  TXT     "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"

For each service where email sends initiate, you'll include the related SPF include block.
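As an added example (not code from this thread or from any of the vendors mentioned), here is a small static checker that parses SPF records like the two quoted above, reports the policy applied to unlisted senders (the ~ versus - point raised earlier), and counts the terms that cost a DNS lookup against the RFC 7208 limit of ten. The two sample records are taken from the thread; the function names and the warning wording are my own.

```python
import re

# Sample records from the thread (constructed test input, not fetched from DNS).
O365_ONLY = "v=spf1 include:spf.protection.outlook.com -all"
O365_AND_GSUITE = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"

# Mechanisms whose evaluation requires a DNS query; RFC 7208 allows at most 10
# such terms per check, counting those inside included records as well.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Returns the parsed terms, the result applied to senders that match no
    mechanism (the 'all' qualifier), and the number of top-level terms that
    trigger a DNS lookup. Raises ValueError on a malformed record.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms, lookups, all_policy = [], 0, None
    for raw in parts[1:]:
        if "=" in raw:  # modifier, e.g. redirect=example.com (also a lookup)
            name, _, value = raw.partition("=")
            lookups += name.lower() == "redirect"
            terms.append(("+", name.lower(), value))
            continue
        qual, body = (raw[0], raw[1:]) if raw[0] in QUALIFIER_MEANING else ("+", raw)
        match = re.match(r"([A-Za-z0-9]+)(.*)$", body)
        if not match:
            raise ValueError("malformed term: %r" % raw)
        mech, arg = match.group(1).lower(), match.group(2).lstrip(":")
        lookups += mech in LOOKUP_MECHANISMS
        if mech == "all":
            if all_policy is not None:
                raise ValueError("more than one 'all' term")
            all_policy = QUALIFIER_MEANING[qual]
        terms.append((qual, mech, arg))
    return {"terms": terms, "all_policy": all_policy, "lookups": lookups}


def check_spf(record):
    """Return warnings for a record; only top-level lookups are counted here."""
    info, warnings = parse_spf(record), []
    if info["all_policy"] is None:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    elif info["all_policy"] == "pass":
        warnings.append("'+all' authorizes every sender; SPF gives no protection")
    elif info["all_policy"] == "softfail":
        warnings.append("'~all' softfail: receivers may still accept unlisted senders")
    if info["lookups"] > 10:
        warnings.append("more than 10 DNS lookups: exceeds the RFC 7208 limit")
    return warnings
```

Because included records contribute their own lookups to the same limit of ten, a record that passes this offline count can still exceed the limit once resolved; an online SPF tester such as the Port25 check mentioned below is needed for the full picture.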
SOLUTION
@Scott... Thanks... I must have been reading 2x questions, as I was certain there was a mention of GSuite above... and now... searching... I find no GSuite mention.

I'll leave the comment as it's correct - All sending mail systems must appear in SPF records.

@al4629740, in your case, you'll only require the O365 SPF record.
Ah... I see... I had conflated/merged in @al4629740's previous question...

https://www.experts-exchange.com/questions/29219412/Email-returned-errors.html which included GSuite.
Scott is correct.

Dave, the previous question you posted was a separate situation.  Sorry for the confusion.

That being said, thanks to everyone for giving me a clear explanation on this subject.
You're welcome!

Just be sure to include SPF blocks for all systems initiating mail sends + your SPF tests will pass.

When in doubt, run a Port25 test to check your sending infrastructure + DNS records.
Will do.  Thank you as always.
You're welcome!

Good luck!