0Tin full of spamHow to reduce spam with SPF, DKIM & DMARC

Since I set up con­tact forms on vari­ous web­sites I’ve had a slowly increas­ing volume of spam.  Not dir­ect spam sent to me, but bounces from non-exist­ent addresses that were being spamme, appar­ently from my address.  Unfor­tu­nately the spam was­n’t ori­gin­at­ing from my address, but my address was some­how picked up (prob­ably from before I secured the con­tact forms on the site) and was being used as the “reply to” address.  After some invest­ig­a­tion I heard about SPF which is an e‑mail anti-for­gery system.

If I set up an SPF record on my domain name (which I use as my primary e‑mail) then mail serv­ers that sup­port SPF will check that any e‑mail they receive with my address as the “from” or “reply to” address did actu­ally come from my mail serv­er.  If it did­n’t the serv­er will clearly identi­fy the mail as spam and will dis­card it without send­ing me an annoy­ing bounce mes­sage.  DKIM is sim­il­ar and effect­ively aims to achieve the same thing.  Finally, DMARC is a new sys­tem which stand­ard­ises the beha­viour of both SPF and DKIM and also gen­er­ates reports of any e‑mails which are not delivered instead of you get­ting bounce mes­sages.  No sys­tem is per­fect but DMARC (and there­fore DKIM and SPF) are sup­por­ted by Yahoo, AOL, Microsoft, Face­book and Google.  Between them they account for a large pro­por­tion of the e‑mail “mar­ket” so to speak.

How to migrate DNS provider to Amazon Route 53

You’re going to need a DNS pro­vider (in most cases your regis­trar) that sup­ports SPF, DKIM and DMARC records.  Mine (123-reg) does­n’t sup­port DKIM so I decided I would have to look to move.  How­ever, I have been very happy with 123-reg for the past 9 years and mov­ing to a new regis­trar did­n’t appeal.  Instead I decided to simply move my DNS serv­ers to a dif­fer­ent DNS pro­vider.  Amazon provide a DNS ser­vice as one of their web ser­vices called “Route 53”.  Whilst this isn’t free it is based on a “pay for what you use” mod­el, and I anti­cip­ate it cost­ing me under £10 a year.  As an added bonus Amazon’s DNS ser­vice is much faster than that of a typ­ic­al regis­trar and so will speed up site access times.

  1. Sign up for Amazon web ser­vices.  You will have to provide a cred­it card, and veri­fy your ID — in my case I did this by auto­mated phone call which took under 1 minute
  2. Login to the AWS Man­age­ment Console
  3. Click on the link in the AWS con­sole to open the Route 53 console
  4. Cre­ate a “hos­ted zone” for your domain
  5. Go to the record sets of the hos­ted zone
  6. In a new win­dow (or tab) log in to your cur­rent regis­trar and have a look at your exist­ing DNS records.
  7. Switch back to Route 53
  8. Cre­ate any DNS entries you need, prob­ably by duplic­at­ing what you see in your cur­rent set­tings with your registrar
  9. Make a note of the 4 name serv­ers (type NS)
  10. Switch back to your regis­trar’s con­trol pan­el / con­sole and change your name serv­ers to the 4 you made a note of in #6.

This should com­plete the basic DNS migra­tion from your regis­trar to Amazon Route 53.  It might take up to 48 hours to fully propag­ate through the DNS sys­tem but I found it was almost instant for me.  As long as you cre­ated all the records you need (prob­ably by duplic­at­ing what you had set up pre­vi­ously on your regis­trar) you should­n’t see any inter­rup­tion of service.

Setting up SPF, DKIM and DMARC on Route 53 for Google Apps e‑mail

I man­age my e‑mail through Google Apps.  Set­ting up e‑mail authen­tic­a­tion on Google apps is fairly straightforward.

  1. Make sure you’re logged into route 53, and open the hos­ted zone for the domain you wish to cre­ate records for
  2. You will cre­ate 4 records — 2 SPF, 1 DKIM and 1 DMARC.  1 SPF record will be a spe­cial “SPF” type of record, the oth­er 3 types will all be TXT records
  3. Both SPF records will con­tain the text “v=spf1 include:_spf.google.com ‑all”, includ­ing the ” marks.  Remem­ber to set one as type TXT and one as type SPF
  4. The DMARC record will have the value “v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com”, and will have the name _dmarc.  Make sure you change you@your-domain.com to the address you want DMARC reports sent to.  You can also change some of the prop­er­ties, there is a guide by google which will help you decide what prop­er­ties you wish to use.
  5. Finally, the DKIM record is the most com­plic­ated and requires some inform­a­tion from google which is spe­cif­ic to your domain…
  6. Log in to your google domain admin­is­trat­or pan­el at https://www.google.com/a/cpanel/primary-domain-name — remem­ber to change primary-domain-name to your domain name
  7. Click on “advanced tools” and scroll down to the bot­tom, and click on “Set up email authen­tic­a­tion (DKIM)”
  8. Make sure the cor­rect domain is selec­ted in the pull-down box (you prob­ably only have 1 domain) and click on “gen­er­ate new record”
  9. Enter a pre­fix if you want one — I just used “google” and click generate
  10. In the box that dis­plays there is the record you need to enter at your regis­trar along with the hostname
  11. Copy the TXT record value and make a note of the DNS Host Name
  12. Switch back to Route 53
  13. Cre­ate the final (4th) new record — give it the name of the DNS Host Name you made a note of.  Give it the value you copied from the TXT record value — remem­ber to put the value inside “” marks
  14. Wait a few minutes and then click “Start Authen­tic­a­tion”.  If suc­cess­ful you’ll see “Status: Authen­tic­at­ing email
  15. You may have to wait up to 24 hours for DNS to propag­ate so that you can start authen­tic­a­tion, but gen­er­ally it should hap­pen pretty quickly

For anoth­er take on this pro­cess I recom­mend 2 art­icles by Chris­toph­er Maish — the first on SPF and DKIM, the second on DMARC.  Good luck!

What do you think? Drop us a comment below! If you would like to subscribe please use the subscribe link on the menu at the top right. You can also share this with your friends by using the social links below. Cheers.

Leave a Reply