Monday, 20 May 2019

SPF and DMARC Quick Guide

SPF Filtering

Add one of the following to DNS as a TXT record, with the record name set to your domain itself (the zone apex).

To only authorise outbound mail from the host specified in your MX record:
v=spf1 mx -all

Same, but with one additional host, in this case stackmail.com:
v=spf1 mx include:stackmail.com -all

IMPORTANT: Using -all specifies that you are instructing recipient mail servers to reject any mail that doesn't come from the hosts listed in this record. This does not mean that they necessarily will, but they will if they have hard SPF filtering enabled. You can use a tilde (~all) instead of the hyphen to give a softfail response, which lets recipient servers know the mail is probably spoofed but not with 100% certainty.



DMARC

To configure DMARC for reporting only, add the following to DNS as a TXT record with the name _dmarc (i.e. _dmarc.yourdomain). It should contain the email addresses you want the reports sent to (replace email@address.com):

v=DMARC1; p=none; rua=mailto:email@address.com; ruf=mailto:email@address.com; fo=1

Other organisations that receive mail claiming to be from your domain will then send aggregate reports to that address.

To set up a reject policy, configure DKIM and SPF first, since DMARC evaluates both of them. Once they are in place, put the following into your DNS:

"v=DMARC1;p=reject;pct=100;rua=mailto:email@address.com"

For more info, see the DMARC website: https://dmarc.org/overview/
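To make the effect of the -all / ~all qualifier and the DMARC p= and pct= tags concrete, here is an added Python example (not part of the original guide) that parses SPF and DMARC TXT records and lists the settings a recipient server would treat as weak. The sample records are constructed, modelled on the ones above, rather than looked up in DNS; only the parsing and policy checks are shown, not the DNS query.

```python
"""Parse SPF and DMARC TXT records and report weak settings.

Added example for this guide; the sample records are constructed and are
not fetched from DNS.
"""

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
SPF_LOOKUP_MECHANISMS = {"mx", "a", "include", "exists", "redirect", "ptr"}


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier attached to 'all'."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # 'include:host' and 'redirect=host' both reduce to the mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record):
    """List the SPF settings that leave unlisted senders unrejected."""
    parsed = parse_spf(record)
    findings = []
    q = parsed["all"]
    if q is None:
        findings.append("no 'all' term: mail from unlisted hosts gets a neutral result")
    elif q == "+":
        findings.append("+all: every host is authorised to send as this domain")
    elif q == "?":
        findings.append("?all: neutral, equivalent to publishing no policy")
    elif q == "~":
        findings.append("~all: softfail, recipients usually only mark rather than reject")
    lookups = sum(1 for _, name, _ in parsed["mechanisms"] if name in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("%d DNS-lookup mechanisms exceed the RFC 7208 limit of 10" % lookups)
    return findings


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (quotes are tolerated)."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def dmarc_findings(record):
    """List the DMARC settings under which spoofed mail is still delivered."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: record is invalid")
    elif policy.lower() == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy.lower() == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    if "rua" not in tags:
        findings.append("no rua= tag: you will receive no aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: the policy is applied to only that share of failing mail" % pct)
    return findings


# Constructed sample records, modelled on the guide (hypothetical domain names).
SAMPLES = {
    "example.com (SPF)": "v=spf1 mx include:stackmail.com -all",
    "softfail.example (SPF)": "v=spf1 mx ~all",
    "_dmarc.example.com": '"v=DMARC1;p=reject;pct=100;rua=mailto:email@address.com"',
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:email@address.com; ruf=mailto:email@address.com; fo=1",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        check = spf_findings if record.lstrip('"').lower().startswith("v=spf1") else dmarc_findings
        print(name, "->", check(record) or ["ok"])
```

Running the script prints "ok" for the two reject-style records and a one-line finding for each of the softfail SPF record and the p=none DMARC record, which is the difference the guide's IMPORTANT note is describing. The lookup counter is there because a record that grows past 10 include/mx/a terms produces a permerror at recipients, which silently undoes the protection.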
