How to reduce spam with SPF, DKIM & DMARC

Since I set up contact forms on various websites I’ve had a slowly increasing volume of spam. Not direct spam sent to me, but bounces from non-existent addresses that were being spammed, apparently from my address. Unfortunately the spam wasn’t originating from my address, but my address was somehow picked up (probably from before I secured the contact forms on the site) and was being used as the “reply to” address. After some investigation I heard about SPF which is an e-mail anti-forgery system.

If I set up an SPF record on my domain name (which I use as my primary e-mail) then mail servers that support SPF will check that any e-mail they receive with my address as the “from” or “reply to” address did actually come from my mail server. If it didn’t the server will clearly identify the mail as spam and will discard it without sending me an annoying bounce message. DKIM is similar and effectively aims to achieve the same thing. Finally, DMARC is a new system which standardises the behaviour of both SPF and DKIM and also generates reports of any e-mails which are not delivered instead of you getting bounce messages. No system is perfect but DMARC (and therefore DKIM and SPF) are supported by Yahoo, AOL, Microsoft, Facebook and Google. Between them they account for a large proportion of the e-mail “market” so to speak.
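As an added example (not code from the original post), the script below parses SPF and DMARC TXT records of the shape this post goes on to create and flags the settings that leave forgery unchecked: an SPF record ending in "+all" or "?all" (or with nothing after "all"), a DMARC policy of "p=none", a missing "rua=" report address, and non-ASCII characters such as smart quotes or non-breaking hyphens that creep in when a record is copied from a web page. The sample records are constructed; for a real domain the strings would come from a TXT lookup of the domain and of _dmarc.<domain>.

```python
"""Audit SPF and DMARC records for the weaknesses that let forged mail through.

Added example, not code from the original post. The records below are
constructed samples; for a real domain the strings come from TXT lookups of
the domain itself (SPF) and of _dmarc.<domain> (DMARC).
"""
import re

# Constructed sample records (same shape as the ones the post creates).
SAMPLE_SPF = "v=spf1 include:_spf.google.com -all"
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com +all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"

# One SPF term: optional qualifier, mechanism/modifier name, optional argument.
SPF_TERM = re.compile(r"^(?P<q>[+\-~?]?)(?P<name>[a-z0-9]+)(?:[:=](?P<arg>.+))?$", re.I)
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return [(qualifier, name, argument), ...]; the qualifier defaults to '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if not m:
            raise ValueError("malformed SPF term: %r" % term)
        parsed.append((m.group("q") or "+", m.group("name").lower(), m.group("arg")))
    return parsed


def audit_spf(record):
    """Return a list of findings; an empty list means nothing was flagged."""
    if not record.isascii():
        # Smart quotes and non-breaking hyphens from a copied web page are the
        # usual cause; receivers treat such a record as a permanent error.
        return ["record contains non-ASCII characters (copy/paste artefact?)"]
    findings = []
    terms = parse_spf(record)
    names = [t[1] for t in terms]
    if "all" in names:
        qualifier = terms[names.index("all")][0]
        if qualifier == "+":
            findings.append("'+all' authorises every sender, so SPF checks nothing")
        elif qualifier == "?":
            findings.append("'?all' is neutral; unlisted senders are not rejected")
        elif qualifier == "~":
            findings.append("'~all' is a softfail; DMARC is needed to enforce it")
        if names.index("all") != len(names) - 1:
            findings.append("terms after 'all' are never evaluated")
    elif "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if sum(1 for n in names if n in LOOKUP_TERMS) > 10:
        findings.append("more than 10 lookup terms: receivers return permerror")
    return findings


def parse_dmarc(record):
    """Return the DMARC tags as a dict; v= must come first and p= is required."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def audit_dmarc(record):
    """Return a list of findings for a DMARC record."""
    if not record.isascii():
        return ["record contains non-ASCII characters (copy/paste artefact?)"]
    findings = []
    tags = parse_dmarc(record)
    if tags["p"] == "none":
        findings.append("p=none only monitors; mail failing SPF and DKIM is still delivered")
    elif tags["p"] not in ("quarantine", "reject"):
        findings.append("unknown policy %r" % tags["p"])
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct=%s: the policy applies only to that share of failing mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("SPF", SAMPLE_SPF, audit_spf), ("SPF", SAMPLE_SPF_WEAK, audit_spf),
                           ("DMARC", SAMPLE_DMARC, audit_dmarc), ("DMARC", SAMPLE_DMARC_WEAK, audit_dmarc)]:
        print(label, rec, "->", fn(rec) or "ok")
```

The lookup count only covers the top-level record; an "include:" pulls in the other domain's record, whose own lookups also count towards the limit of 10, so a record that passes here can still fail once the included records are followed.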

How to migrate DNS provider to Amazon Route 53

You’re going to need a DNS provider (in most cases your registrar) that supports SPF, DKIM and DMARC records. Mine (123-reg) doesn’t support DKIM so I decided I would have to look to move. However, I have been very happy with 123-reg for the past 9 years and moving to a new registrar didn’t appeal. Instead I decided to simply move my DNS servers to a different DNS provider. Amazon provide a DNS service as one of their web services called “Route 53”. Whilst this isn’t free it is based on a “pay for what you use” model, and I anticipate it costing me under £10 a year. As an added bonus Amazon’s DNS service is much faster than that of a typical registrar and so will speed up site access times.

  1. Sign up for Amazon Web Services. You will have to provide a credit card, and verify your ID — in my case I did this by automated phone call which took under 1 minute
  2. Log in to the AWS Management Console
  3. Click on the link in the AWS console to open the Route 53 console
  4. Create a “hosted zone” for your domain
  5. Go to the record sets of the hosted zone
  6. In a new window (or tab) log in to your current registrar and have a look at your existing DNS records.
  7. Switch back to Route 53
  8. Create any DNS entries you need, probably by duplicating what you see in your current settings with your registrar
  9. Make a note of the 4 name servers (type NS)
  10. Switch back to your registrar’s control panel / console and change your name servers to the 4 you made a note of in #9.

This should complete the basic DNS migration from your registrar to Amazon Route 53. It might take up to 48 hours to fully propagate through the DNS system but I found it was almost instant for me. As long as you created all the records you need (probably by duplicating what you had set up previously on your registrar) you shouldn’t see any interruption of service.

Setting up SPF, DKIM and DMARC on Route 53 for Google Apps e‑mail

I man­age my e‑mail through Google Apps.  Set­ting up e‑mail authen­tic­a­tion on Google apps is fairly straightforward.

  1. Make sure you’re logged into Route 53, and open the hosted zone for the domain you wish to create records for
  2. You will create 4 records — 2 SPF, 1 DKIM and 1 DMARC. 1 SPF record will be a special “SPF” type of record, the other 3 will all be TXT records
  3. Both SPF records will contain the text "v=spf1 include:_spf.google.com -all", including the " marks (plain straight quotes and a plain hyphen). Remember to set one as type TXT and one as type SPF
  4. The DMARC record will have the value "v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com", and will have the name _dmarc. Make sure you change you@your-domain.com to the address you want DMARC reports sent to. You can also change some of the properties; there is a guide by Google which will help you decide what properties you wish to use.
  5. Finally, the DKIM record is the most complicated and requires some information from Google which is specific to your domain…
  6. Log in to your Google domain administrator panel at https://www.google.com/a/cpanel/primary-domain-name — remember to change primary-domain-name to your domain name
  7. Click on “advanced tools” and scroll down to the bottom, and click on “Set up email authentication (DKIM)”
  8. Make sure the correct domain is selected in the pull-down box (you probably only have 1 domain) and click on “generate new record”
  9. Enter a prefix if you want one — I just used “google” — and click generate
  10. In the box that displays there is the record you need to enter at your registrar along with the hostname
  11. Copy the TXT record value and make a note of the DNS Host Name
  12. Switch back to Route 53
  13. Create the final (4th) new record — give it the name of the DNS Host Name you made a note of. Give it the value you copied from the TXT record value — remember to put the value inside "" marks
  14. Wait a few minutes and then click “Start Authentication”. If successful you’ll see “Status: Authenticating email”
  15. You may have to wait up to 24 hours for DNS to propagate so that you can start authentication, but generally it should happen pretty quickly
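The four records from steps 2 to 4 and 13 can be created with the AWS CLI instead of the console. The script below is an added example, not the post's or Amazon's own code: it builds the change batch JSON that `aws route53 change-resource-record-sets --hosted-zone-id <your zone id> --change-batch file://batch.json` accepts. The domain, the "google" selector, the report address and the DKIM key in it are constructed placeholders. It also handles the one thing that trips people up at step 13: a TXT value longer than 255 characters (a 2048-bit DKIM key) has to be split into several quoted strings, which resolvers join back together.

```python
"""Build the Route 53 change batch for the SPF, DKIM and DMARC records.

Added example, not the post's or Amazon's own code. Prints the JSON that
`aws route53 change-resource-record-sets --hosted-zone-id <ID>
--change-batch file://batch.json` accepts. The domain, selector, report
address and DKIM key below are constructed placeholders.
"""
import json

# Constructed placeholders: substitute your own domain, the prefix you chose
# in Google's DKIM tool and the TXT value it generated for you.
DOMAIN = "example.com"
DKIM_SELECTOR = "google"
DKIM_TXT = "v=DKIM1; k=rsa; p=" + "A" * 400  # a real 2048-bit key is about this long
DMARC_RUA = "dmarc-reports@example.com"
SPF = "v=spf1 include:_spf.google.com -all"


def txt_value(text):
    """Quote a TXT value the way Route 53 expects.

    One character-string in a TXT record holds at most 255 octets, so a longer
    value (a 2048-bit DKIM key runs to over 400 characters) is split into
    several quoted strings that resolvers concatenate. Values here are ASCII,
    so characters and octets coincide. Embedded double quotes are escaped.
    """
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return " ".join('"%s"' % chunk.replace('"', '\\"') for chunk in chunks)


def upsert(name, rtype, value, ttl=300):
    """One UPSERT change: creates the record or replaces an existing one."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": rtype,
            "TTL": ttl,
            "ResourceRecords": [{"Value": value}],
        },
    }


def email_auth_change_batch(domain, dkim_selector, dkim_txt, dmarc_rua, spf=SPF):
    """Return the change batch with the four records the post creates."""
    zone = domain.rstrip(".") + "."  # Route 53 names are fully qualified
    dmarc = "v=DMARC1; p=quarantine; pct=100; rua=mailto:%s" % dmarc_rua
    changes = [
        upsert(zone, "TXT", txt_value(spf)),
        # RFC 7208 deprecated the SPF record type; receivers check the TXT
        # record. It is kept here because the post creates both.
        upsert(zone, "SPF", txt_value(spf)),
        upsert("_dmarc." + zone, "TXT", txt_value(dmarc)),
        upsert("%s._domainkey.%s" % (dkim_selector, zone), "TXT", txt_value(dkim_txt)),
    ]
    return {"Comment": "SPF, DKIM and DMARC for Google Apps mail", "Changes": changes}


if __name__ == "__main__":
    batch = email_auth_change_batch(DOMAIN, DKIM_SELECTOR, DKIM_TXT, DMARC_RUA)
    print(json.dumps(batch, indent=2))
```

Redirect the output to batch.json and pass it to the CLI command above; UPSERT means the same batch can be re-run safely after the values change, and because the DKIM record name is built from the selector, step 13's host name (for the "google" prefix, google._domainkey) comes out as google._domainkey.example.com. without retyping it.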

For anoth­er take on this pro­cess I recom­mend 2 art­icles by Chris­toph­er Maish — the first on SPF and DKIM, the second on DMARC.  Good luck!
