How to reduce spam with SPF, DKIM & DMARC

Since I set up contact forms on various websites I’ve had a slowly increasing volume of spam.  Not direct spam sent to me, but bounces from non-existent addresses that were being spammed, apparently from my address.  Unfortunately the spam wasn’t originating from my address, but my address was somehow picked up (probably from before I secured the contact forms on the site) and was being used as the “reply to” address.  After some investigation I heard about SPF which is an e-mail anti-forgery system.

If I set up an SPF record on my domain name (which I use as my primary e-mail) then mail servers that support SPF will check that any e-mail they receive with my address as the “from” or “reply to” address did actually come from my mail server.  If it didn’t the server will clearly identify the mail as spam and will discard it without sending me an annoying bounce message.  DKIM is similar and effectively aims to achieve the same thing.  Finally, DMARC is a new system which standardises the behaviour of both SPF and DKIM and also generates reports of any e-mails which are not delivered instead of you getting bounce messages.  No system is perfect but DMARC (and therefore DKIM and SPF) are supported by Yahoo, AOL, Microsoft, Facebook and Google.  Between them they account for a large proportion of the e-mail “market” so to speak.

How to migrate DNS provider to Amazon Route 53

You’re going to need a DNS provider (in most cases your registrar) that supports SPF, DKIM and DMARC records.  Mine (123-reg) doesn’t support DKIM so I decided I would have to look to move.  However, I have been very happy with 123-reg for the past 9 years and moving to a new registrar didn’t appeal.  Instead I decided to simply move my DNS servers to a different DNS provider.  Amazon provide a DNS service as one of their web services called “Route 53”.  Whilst this isn’t free it is based on a “pay for what you use” model, and I anticipate it costing me under £10 a year.  As an added bonus Amazon’s DNS service is much faster than that of a typical registrar and so will speed up site access times.

  1. Sign up for Amazon web services.  You will have to provide a credit card, and verify your ID – in my case I did this by automated phone call which took under 1 minute
  2. Log in to the AWS Management Console
  3. Click on the link in the AWS console to open the Route 53 console
  4. Create a “hosted zone” for your domain
  5. Go to the record sets of the hosted zone
  6. In a new window (or tab) log in to your current registrar and have a look at your existing DNS records.
  7. Switch back to Route 53
  8. Create any DNS entries you need, probably by duplicating what you see in your current settings with your registrar
  9. Make a note of the 4 name servers (type NS)
  10. Switch back to your registrar’s control panel / console and change your name servers to the 4 you made a note of in step 9.

This should complete the basic DNS migration from your registrar to Amazon Route 53.  It might take up to 48 hours to fully propagate through the DNS system but I found it was almost instant for me.  As long as you created all the records you need (probably by duplicating what you had set up previously on your registrar) you shouldn’t see any interruption of service.
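A check worth running before the name-server change in step 10, as an added example that is not part of the original post: it compares the records copied into the new zone against the old ones, ignoring the NS and SOA records that legitimately differ between providers. The zone contents, the example.com domain and the function names are constructed for illustration.

```python
# Added example (not from the original post): compare the records copied into
# the new zone with the old ones before switching name servers.
IGNORED_TYPES = {"NS", "SOA"}  # these legitimately differ between DNS providers

def normalise(record, origin):
    """Turn (name, type, value) into a comparable tuple with a full domain name."""
    name, rtype, value = (field.strip() for field in record)
    origin = origin.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name in ("", "@"):  # registrar panels often show the apex as "@"
        name = origin
    elif name != origin and not name.endswith("." + origin):
        name = f"{name}.{origin}"  # relative name such as "www"
    rtype = rtype.upper()
    if rtype == "TXT":
        value = value.strip('"')  # TXT data is case-sensitive, keep it as typed
    else:
        value = " ".join(value.lower().rstrip(".").split())
    return name, rtype, value

def compare_zones(old, new, origin):
    """Return (missing, extra): records only in the old zone, only in the new."""
    def as_set(records):
        normalised = (normalise(r, origin) for r in records)
        return {r for r in normalised if r[1] not in IGNORED_TYPES}
    old_set, new_set = as_set(old), as_set(new)
    return sorted(old_set - new_set), sorted(new_set - old_set)

# Constructed sample data for example.com (not taken from the post).
OLD_ZONE = [
    ("@", "A", "192.0.2.10"),
    ("www", "CNAME", "example.com."),
    ("@", "MX", "10 MAIL.example.net."),
    ("@", "NS", "ns1.old-registrar.example."),
]
NEW_ZONE = [
    ("example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "CNAME", "example.com"),
    ("example.com.", "NS", "ns-1.new-provider.example."),
]

if __name__ == "__main__":
    missing, extra = compare_zones(OLD_ZONE, NEW_ZONE, "example.com")
    print("missing from new zone:", missing)
    print("only in new zone:", extra)
```

In the sample data the MX record was never copied across, so it is reported as missing; switching name servers in that state would stop inbound mail.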

Setting up SPF, DKIM and DMARC on Route 53 for Google Apps e-mail

I manage my e-mail through Google Apps.  Setting up e-mail authentication on Google Apps is fairly straightforward.

  1. Make sure you’re logged into Route 53, and open the hosted zone for the domain you wish to create records for
  2. You will create 4 records – 2 SPF, 1 DKIM and 1 DMARC.  1 SPF record will be a special “SPF” type of record, the other 3 types will all be TXT records
  3. Both SPF records will contain the text "v=spf1 include:_spf.google.com -all", including the " marks.  Remember to set one as type TXT and one as type SPF
  4. The DMARC record will have the value "v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com", and will have the name _dmarc.  Make sure you change you@your-domain.com to the address you want DMARC reports sent to.  You can also change some of the properties; there is a guide by Google which will help you decide what properties you wish to use.
  5. Finally, the DKIM record is the most complicated and requires some information from Google which is specific to your domain…
  6. Log in to your Google domain administrator panel at https://www.google.com/a/cpanel/primary-domain-name – remember to change primary-domain-name to your domain name
  7. Click on “advanced tools” and scroll down to the bottom, and click on “Set up email authentication (DKIM)”
  8. Make sure the correct domain is selected in the pull-down box (you probably only have 1 domain) and click on “generate new record”
  9. Enter a prefix if you want one – I just used “google” and click generate
  10. In the box that displays there is the record you need to enter at your registrar along with the hostname
  11. Copy the TXT record value and make a note of the DNS Host Name
  12. Switch back to Route 53
  13. Create the final (4th) new record – give it the name of the DNS Host Name you made a note of.  Give it the value you copied from the TXT record value – remember to put the value inside "" marks
  14. Wait a few minutes and then click “Start Authentication”.  If successful you’ll see “Status: Authenticating email”
  15. You may have to wait up to 24 hours for DNS to propagate so that you can start authentication, but generally it should happen pretty quickly
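An offline lint for the SPF and DMARC values from steps 3 and 4, as an added example that is not part of the original post. It catches the two mistakes those steps warn about (typographic quotes pasted instead of straight ones, and the you@your-domain.com placeholder left in place) plus malformed tags; the function names are made up for illustration.

```python
# Added example (not from the original post); sample inputs are constructed.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes copied from a web page

def clean(value):
    """Reject typographic quotes, then strip the straight quotes around the value."""
    if any(ch in SMART_QUOTES for ch in value):
        raise ValueError("curly quotes in record value; retype them as straight quotes")
    return value.strip().strip('"')

def check_spf(value):
    """Return a list of problems with an SPF value; an empty list means it passed."""
    terms = clean(value).lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["must start with v=spf1"]
    problems = []
    last = terms[-1]
    if last.lstrip("+-~?") != "all":
        if not any(t.startswith("redirect=") for t in terms):
            problems.append("no terminating 'all' mechanism or redirect")
    elif last in ("all", "+all"):
        problems.append("'+all' authorises every sender on the internet")
    elif last != "-all":
        problems.append(f"'{last}' does not hard-fail mail from unlisted servers")
    return problems

def check_dmarc(name, value):
    """Return a list of problems with a DMARC record name and value."""
    problems = []
    if name.lower().split(".")[0] != "_dmarc":
        problems.append("record name must begin with _dmarc")
    pairs = [p.strip() for p in clean(value).split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in pairs)}
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        problems.append("first tag must be v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        problems.append("pct must be an integer from 0 to 100")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: URI: {uri}")
        elif uri.lower().endswith("you@your-domain.com"):
            problems.append("rua still holds the placeholder address")
    return problems

if __name__ == "__main__":
    print(check_spf('"v=spf1 include:_spf.google.com -all"'))
    print(check_dmarc("_dmarc", '"v=DMARC1; p=quarantine; pct=100; rua=mailto:you@your-domain.com"'))
```

RFC 7208 retired the dedicated SPF record type, so receiving servers evaluate only the TXT copy of the SPF value; that is the one to lint.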

For another take on this process I recommend 2 articles by Christopher Maish – the first on SPF and DKIM, the second on DMARC.  Good luck!
