Setting Up SPF, DKIM, DMARC

1️⃣ Configure SPF (Sender Policy Framework)

Purpose: Specifies which mail servers are allowed to send email on behalf of your domain, which helps prevent email spoofing.

Add the SPF record in DNS:
- Type: TXT
- Name / Host: @ (or your domain name)
- Value: "v=spf1 include:zohomail.com ~all"

Online tool to check your SPF record: https://mxtoolbox.com/spf.aspx

2️⃣ Configure DKIM (DomainKeys Identified Mail)

Purpose: Adds a digital signature to emails to verify authenticity and integrity.

🔹 Steps:
1. Go to the Zoho Mail Admin Console: Admin Console → Mail Administration → Email Authentication → DKIM
2. Generate a DKIM selector:
   - Click Add DKIM
   - Choose or enter a selector (e.g., zoho)
   - Zoho will generate a DNS TXT record
3. Add the DKIM record to DNS:
   - Type: TXT
   - Name / Host: zoho._domainkey
   - Value: The DKIM value provided by Zoho (starts with v=DKIM1; k=rsa; p=…)
4. Save the DNS record and wait for propagation.
5. Verify DKIM in Zoho: Back in the Zoho Admin Console, click Verify once DNS is updated.

3️⃣ Configure DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Purpose: Tells receiving servers how to handle emails that fail SPF and DKIM checks.

🔹 Steps:
1. Create a DMARC record. Start with a monitoring policy (p=none, the record added to DNS in step 2). The stricter record to move to once monitoring is complete:

   "v=DMARC1; p=quarantine; rua=mailto:<Mail_admin_email>@aprender.tec.br; ruf=mailto:<Mail_admin_email>@aprender.tec.br; sp=quarantine; adkim=r; aspf=r; pct=100"

2. Add the DMARC record to DNS:
   - Type: TXT
   - Name / Host: _dmarc
   - Value: v=DMARC1; p=none; rua=mailto:<Mail_admin_email>@aprender.tec.br; fo=1; pct=100
3. Set up a mailbox for reports: e.g., <Mail_admin_email>@aprender.tec.br
4. Monitor reports for 2–4 weeks, then increase policy strictness. Move to:
   - p=quarantine → Send failures to spam
   - p=reject → Block unauthenticated mail
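A quick sanity check for the three TXT values before publishing them, as an added example that is not part of the original guide: it catches curly quotes pasted from a web page, a missing DKIM key, and DMARC tags that have no effect. The function names are hypothetical, and the DKIM key and report mailbox in the sample are constructed placeholders.

```python
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def parse_tags(value):
    """Split a DKIM/DMARC 'tag=value; tag=value' string into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_record(kind, value):
    """Return the problems found in one TXT value exactly as it was pasted."""
    problems = []
    if any(q in value for q in SMART_QUOTES):
        problems.append("curly quotes in value")
    value = value.strip(SMART_QUOTES + '" ')
    if kind == "spf":
        terms = value.lower().split()
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not terms or terms[0] != "v=spf1":
            problems.append("must start with v=spf1")
        elif not alls and not any(t.startswith("redirect=") for t in terms):
            problems.append("no 'all' mechanism or redirect")
        elif alls and alls[0] in ("all", "+all"):
            problems.append("+all authorizes every sender")
        return problems
    tags = parse_tags(value)
    if kind == "dkim":
        if tags.get("v", "DKIM1") != "DKIM1":
            problems.append("v must be DKIM1")
        if not tags.get("p"):
            problems.append("missing or empty p= public key")
    elif kind == "dmarc":
        if value.split(";")[0].strip() != "v=DMARC1":
            problems.append("must start with v=DMARC1")
        if tags.get("p") not in ("none", "quarantine", "reject"):
            problems.append("p must be none, quarantine or reject")
        if "fo" in tags and "ruf" not in tags:
            problems.append("fo is ignored without ruf")
    return problems

# Record shapes from this guide; the DKIM key and mailbox are constructed placeholders.
RECORDS = {
    "spf": "\u201cv=spf1 include:zohomail.com ~all\u201d",  # pasted with curly quotes
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1; pct=100",
}

if __name__ == "__main__":
    for kind, value in RECORDS.items():
        print(kind, lint_record(kind, value) or "ok")
```

On the sample, the SPF value is flagged for its curly quotes and the p=none DMARC record for carrying fo=1 with no ruf address, since receivers ignore fo when ruf is absent.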

In summary:
- SPF: Verifies sending servers (can’t validate forwarded emails)
- DKIM: Verifies content and source (can validate forwarded emails)
- DMARC: Tells the world how to handle failed SPF/DKIM checks

These settings depend on the domain email provider (which generates the DomainKeys) and the DNS records (which publish the DomainKeys and other values so receiving email servers can validate them) working together.