How to reduce spam with SPF, DKIM & DMARC

Since I set up contact forms on various websites I've had a slowly increasing volume of spam. Not direct spam sent to me, but bounces from non-existent addresses that were being spammed, apparently from my address. Unfortunately the spam wasn't originating from my address, but my address was somehow picked up (probably from before I secured the contact forms on the site) and was being used as the "reply to" address. After some investigation I heard about SPF, which is an e-mail anti-forgery system.

How to migrate DNS provider to Amazon Route 53

You're going to need a DNS provider (in most cases your registrar) that supports SPF, DKIM and DMARC records. All three are ordinary TXT records, but the DKIM and DMARC ones live at names such as google._domainkey and _dmarc, and some registrar control panels won't let you create TXT records at names like that. Mine (123-reg) doesn't support DKIM so I decided I would have to look to move. However, I have been very happy with 123-reg for the past 9 years and moving to a new registrar didn't appeal. Instead I decided to simply move my DNS servers to a different DNS provider. Amazon provide a DNS service as one of their web services called "Route 53". Whilst this isn't free it is based on a "pay for what you use" model, and I anticipate it costing me under £10 a year. As an added bonus Amazon's anycast DNS service generally answers faster than a typical registrar's name servers, which shaves a little off the time to first connect to the site.

  1. Sign up for Amazon Web Services. You will have to provide a credit card and verify your ID; in my case I did this by automated phone call which took under 1 minute
  2. Log in to the AWS Management Console
  3. Click on the link in the AWS console to open the Route 53 console
  4. Create a "hosted zone" for your domain
  5. Go to the record sets of the hosted zone. Route 53 has already created the zone's own NS and SOA records; leave those as they are
  6. In a new window (or tab) log in to your current registrar and have a look at your existing DNS records
  7. Switch back to Route 53
  8. Create any DNS entries you need, probably by duplicating what you see in your current settings with your registrar (A, AAAA, CNAME, MX and TXT records, with the same TTLs). Do not copy the registrar's NS or SOA records
  9. Make a note of the 4 name servers (type NS) that Route 53 assigned to the zone
  10. Switch back to your registrar's control panel / console and change your name servers to the 4 you made a note of in #9

This should complete the basic DNS migration from your registrar to Amazon Route 53. It might take up to 48 hours to fully propagate through the DNS system, because the registry and resolvers cache the old delegation, but I found it was almost instant for me. As long as you created all the records you need (probably by duplicating what you had set up previously on your registrar) you shouldn't see any interruption of service. A quick way to check before you change the name servers is to query one of the four Route 53 servers directly (for example dig @<route53-name-server> your-domain.com MX) and compare the answer with what your registrar's servers return.

Setting up SPF, DKIM and DMARC on Route 53 for Google Apps e-mail

I manage my e-mail through Google Apps. Setting up e-mail authentication on Google Apps is fairly straightforward.

  1. Make sure you're logged into Route 53, and open the hosted zone for the domain you wish to create records for
  2. You will create 3 TXT records: 1 SPF, 1 DMARC and 1 DKIM. Route 53 also offers a dedicated "SPF" record type, but RFC 7208 deprecated it and receivers only check the TXT record, so there is no need to create one (if you do, it must contain exactly the same text as the TXT record)
  3. The SPF record sits at the domain apex (leave the record name empty in Route 53) and contains the text "v=spf1 include:_spf.google.com -all", including the " marks. A name may only have one TXT record beginning v=spf1, so if you later add another legitimate sender (a newsletter or ticketing service, say) add its include: to this record rather than creating a second one
  4. The DMARC record will have the name _dmarc and the value "v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com". Make sure you change you@your-domain.com to the address you want aggregate reports sent to. If you are not yet certain that every legitimate sender for your domain passes SPF or DKIM, start with p=none, read the reports for a week or two, then move to quarantine and finally reject. Google publish a guide which will help you decide what other properties you wish to use
  5. Finally, the DKIM record is the most complicated and requires some information from Google which is specific to your domain...
  6. Log in to your Google domain administrator panel at https://www.google.com/a/cpanel/primary-domain-name, remembering to change primary-domain-name to your domain name
  7. Click on "Advanced tools", scroll down to the bottom, and click on "Set up email authentication (DKIM)"
  8. Make sure the correct domain is selected in the pull-down box (you probably only have 1 domain) and click on "Generate new record"
  9. Enter a prefix (the DKIM selector) if you want one; I just used "google". Click "Generate"
  10. The box that displays shows the hostname and the TXT record value you need to publish in DNS
  11. Copy the TXT record value and make a note of the DNS Host Name (it will be of the form prefix._domainkey, e.g. google._domainkey)
  12. Switch back to Route 53
  13. Create the final (3rd) new record. Give it the name of the DNS Host Name you made a note of, and the value you copied from the TXT record value, inside "" marks. Route 53 limits each quoted string to 255 characters and a 2048-bit DKIM key is longer than that, so if the value exceeds 255 characters split it into two or more quoted strings separated by a space, e.g. "v=DKIM1; k=rsa; p=MIIB..." "...rest of the key..."
  14. Switch back to the Google panel, wait a few minutes and then click "Start authentication". If successful you'll see "Status: Authenticating email"
  15. You may have to wait up to 24 hours for DNS to propagate before authentication can start, but generally it happens pretty quickly
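Before typing the three values into the console it is worth checking them, and seeing exactly what Route 53 needs: TXT records only, values as quoted strings of at most 255 characters, and the _dmarc and selector._domainkey names. The Python script below does that. It is an added example, not the post's code or anything from Google or AWS; it runs offline on the standard library, it only builds the ChangeBatch that boto3's route53.change_resource_record_sets() call takes rather than submitting it, and the domain example.com, the selector google, the report address and the DKIM key are constructed placeholders.

```python
"""Check SPF, DMARC and DKIM values and build the Route 53 change batch that publishes them.
Added example, not the post's code; standard library only, with placeholder domain, selector,
report address and DKIM key."""
import json
import re

TXT_STRING_MAX = 255  # a TXT record is a list of character-strings of <= 255 bytes
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def to_route53_txt(value: str) -> str:
    """Quote a TXT value for Route 53: "..." strings of at most 255 characters separated
    by spaces. A 2048-bit DKIM key is longer than 255 and is rejected unless split."""
    chunks = [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]
    return " ".join('"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks)


def check_spf(value: str) -> list:
    """Return the problems found in an SPF record (empty list = looks fine)."""
    terms = value.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_term = [], 0, None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...
            if term.lower().startswith("redirect="):
                lookups += 1
            continue
        mech = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mech == "all":
            all_term = term
        elif mech in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        elif mech not in {"ip4", "ip6"}:
            problems.append(f"unknown mechanism {mech!r}")
    if all_term is None:
        problems.append("no 'all' term; mail from unlisted senders gets a neutral result")
    elif all_term[0] not in "-~":
        problems.append(f"'all' should be -all (fail) or ~all (softfail), not {all_term}")
    if lookups > 10:
        problems.append(f"{lookups} lookup mechanisms; RFC 7208 allows at most 10")
    return problems


def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    pairs = [p.split("=", 1) for p in value.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_dmarc(value: str) -> list:
    """Return the problems found in a DMARC record."""
    tags, problems = parse_tags(value), []
    if value.split(";")[0].strip() != "v=DMARC1":
        problems.append("first tag must be exactly v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        problems.append(f"p must be none, quarantine or reject, got {tags.get('p')!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct must be an integer from 0 to 100, got {pct!r}")
    for uri in [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]:
        if not uri.startswith("mailto:"):
            problems.append(f"rua entry {uri!r} must be a mailto: URI")
    return problems


def check_dkim(value: str) -> list:
    """Return the problems found in a DKIM key record."""
    key, problems = parse_tags(value).get("p", ""), []
    if not key:
        problems.append("empty p= tag: that revokes the selector instead of publishing a key")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        problems.append("p= must be the base64 public key")
    return problems


def build_change_batch(domain: str, spf: str, dmarc: str, selector: str, dkim: str) -> dict:
    """Return the ChangeBatch for route53.change_resource_record_sets(). All three are
    TXT records: RFC 7208 deprecated the separate SPF type and receivers never query it."""
    bad = {k: v for k, v in {"SPF": check_spf(spf), "DMARC": check_dmarc(dmarc),
                             "DKIM": check_dkim(dkim)}.items() if v}
    if bad:
        raise ValueError(bad)
    records = [(f"{domain}.", spf), (f"_dmarc.{domain}.", dmarc),
               (f"{selector}._domainkey.{domain}.", dkim)]
    # UPSERT replaces the whole TXT set at a name, so an existing apex TXT record
    # (a site-verification token, say) has to go into the same ResourceRecords list.
    changes = [{"Action": "UPSERT",
                "ResourceRecordSet": {"Name": name, "Type": "TXT", "TTL": 300,
                                      "ResourceRecords": [{"Value": to_route53_txt(v)}]}}
               for name, v in records]
    return {"Comment": "publish SPF, DMARC and DKIM", "Changes": changes}


# Constructed sample input: the values from the post with a placeholder domain and key.
DOMAIN, SELECTOR = "example.com", "google"
SPF = "v=spf1 include:_spf.google.com -all"
DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
FAKE_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 346  # not a real key
DKIM = f"v=DKIM1; k=rsa; p={FAKE_KEY}"

if __name__ == "__main__":
    print(json.dumps(build_change_batch(DOMAIN, SPF, DMARC, SELECTOR, DKIM), indent=2))
```

Run as a script it prints the change batch as JSON; the placeholder key is deliberately over 255 characters so you can see the DKIM value come out as two quoted strings. Because UPSERT replaces the whole record set for a name and type, any TXT record already at the apex, such as a site-verification token, has to be added to the same ResourceRecords list before the batch is submitted.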

For another take on this process I recommend 2 articles by Christopher Maish: the first on SPF and DKIM, the second on DMARC. Good luck!
