INFO: mailRelay Deliverability with SPF, DKIM and DMARC

Applies To:

  • mailRelay

Description:

To aid the delivery of emails, the mailRelay service requires the sending domain to be appropriately configured to support SPF, DKIM and DMARC. This combination of technologies assists recipients in validating that emails sent from your domain originate from an authorised source and in verifying their authenticity. To support these technologies it is necessary to configure a series of DNS records within your domain. This is particularly relevant as large providers such as Google (GMail), Microsoft and Yahoo will make these once optional technologies mandatory in order to reach their email users during 2024.

In the following steps 'example.co.uk' is assumed to be your domain for demonstration purposes. Adjust accordingly for your specific domain. If sending from a sub-domain (e.g. test.example.co.uk) please ensure you activate the records within the sub-domain and not the parent domain.

Step 1 - Configure DNS for SPF

To simplify the management of SPF we publish a record that is maintained to ensure it always reflects the potential source IP addresses for email originating from the mailRelay service. This record should be incorporated into your existing SPF record using the 'include' directive referencing 'spf.uksmtp.co.uk'. In practice this requires you to append 'include:spf.uksmtp.co.uk' to your record.

For example, your current SPF record is:

"v=spf1 a mx ip4:10.20.40.40 -all"

The revised record would become:

"v=spf1 a mx ip4:10.20.40.40 include:spf.uksmtp.co.uk -all"

It is important that the 'include' is placed before the '-all' directive.

For clarity, the required record should be configured as below:

  • Record Name: example.co.uk.
  • Record Data: "v=spf1 a mx ip4:10.20.30.40 include:spf.uksmtp.co.uk -all"
  • Record Type: TXT

The 'Record Name' in the example references the root of your domain but different DNS editors use a variety of notation. It may therefore be necessary to enter the domain name followed by a trailing dot (as per the example), as an @ symbol or left blank. If you are unsure please refer to your DNS supplier.

Important: If you do not currently have an SPF record it is necessary to create one. This should not be completed without due consideration as a wrongly configured record may result in your email being blocked if it does not include all sources.

Step 2 - Configure DNS for DKIM

Assuming your domain is example.co.uk, the following CNAME records would need to be implemented first:

Key 1:

  • Record Name: uksmtp10._domainkey
  • Record Data: uksmtp10._domainkey.uksmtp.co.uk
  • Record Type: CNAME

Key 2:

  • Record Name: uksmtp20._domainkey
  • Record Data: uksmtp20._domainkey.uksmtp.co.uk
  • Record Type: CNAME

Important: The 'record name' refers to the name within your domain, for demonstration purposes 'example.co.uk'. Depending upon the notation used by your DNS editor it may be necessary to specify it with the domain and a trailing dot. For example, the key 1 record name may need to be entered as 'uksmtp10._domainkey.example123.co.uk.'. If you are unsure of the correct notation please check with your DNS provider.

Step 3 - Configure DNS for DMARC

DMARC provides guidance to receivers on how to handle emails that do not pass SPF and DKIM checks. It is possible to advise the recipient to do nothing (p=none), quarantine or reject the emails and to indicate the percentage of emails received that this policy applies to. 

The following example guides recipients to quarantine all emails that fail to pass either SPF or DKIM checks and to send reports to dmarc-reports@example.co.uk. Receiving reports is not mandatory but is recommended, as it helps with understanding where you may have mail problems or indeed whether your domain is being spoofed.

  • Record Name: _dmarc.example.co.uk.
  • Record Data: "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.co.uk"
  • Record Type: TXT

Important:

  • This is our model DMARC policy that we find works in most scenarios, but before setting it we recommend that you verify it is suitable for your needs to avoid wider email delivery issues.
  • It is important to note that the reporting address must be within the domain that the DMARC record is for. If you wish to send to an alternative domain, additional DNS records must be configured, which is an advanced topic outside the scope of this document.
  • The DMARC site is a good starting point to gain a better understanding of all the available options and implications of configuring DMARC. This should be reviewed before you implement DMARC.
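
The SPF and DMARC values from Steps 1 and 3 can be linted offline before they are published. The Python below is an added example, not part of the original article or the mailRelay service; the function names are hypothetical and the sample records are constructed from the article's examples.

```python
# Added example: offline lint for the TXT values from Step 1 (SPF) and Step 3 (DMARC).
# Function names are hypothetical; the records in the demo are constructed samples.
RELAY_INCLUDE = "include:spf.uksmtp.co.uk"  # include directive from Step 1


def check_spf(txt_records):
    """Return a list of problems in the TXT records published at the domain root."""
    spf = [r.strip('"').lower() for r in txt_records
           if r.strip('"').lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Receivers treat zero or several SPF records as an error, so merge into one.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    # Position of the 'all' mechanism, with or without a qualifier (-all, ~all, ...).
    all_pos = next((i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"), None)
    if RELAY_INCLUDE not in terms:
        return [f"missing {RELAY_INCLUDE}"]
    if all_pos is not None and terms.index(RELAY_INCLUDE) > all_pos:
        # Mechanisms after 'all' are never evaluated by receivers.
        return ["include is placed after the 'all' mechanism"]
    return []


def check_dmarc(domain, record):
    """Return a list of problems in the TXT value published at _dmarc.<domain>."""
    tags = {}
    for part in record.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    for uri in filter(None, tags.get("rua", "").split(",")):
        # Host part of the mailto: address, ignoring an optional '!size' suffix.
        host = uri.strip().rsplit("@", 1)[-1].split("!")[0].lower().rstrip(".")
        if host != domain.lower().rstrip("."):
            # The article's rule: reports to another domain need extra DNS records.
            problems.append(f"rua address at {host} is outside {domain}")
    return problems


if __name__ == "__main__":
    print(check_spf(['"v=spf1 a mx ip4:10.20.40.40 -all"']))
    print(check_dmarc("example.co.uk",
                      '"v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.co.uk"'))
```

Pass it the TXT strings exactly as shown by your DNS editor; an empty list means no problem was found.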

