Configure-dkim,spf,dmarc-to-protect-against-spoofing: Difference between revisions

From LHYcloud Docs
Jump to navigation Jump to search
(Created page with " <big>Email Authentications prevent the email from going into the spam folder of recipients. cPanel uses DKIM and SPF to reduce the amount of spam mails. Enabling these features will prevent spammers from forging messages that claims to be coming from your domain.</big> <big>DKIM</big> <big>Domain Key Identification Mechanism (DKIM) verifies your incoming emails to check whether they are same as they were before when they were sent. This means, if they are altered duri...")
 
No edit summary
Line 1: Line 1:


<big>Email Authentications prevent the email from going into the spam folder of recipients. cPanel uses DKIM and SPF to reduce the amount of spam mails. Enabling these features will prevent spammers from forging messages that claims to be coming from your domain.</big>


<big>DKIM</big>
<big>'''Email authentication:'''  Email authentication makes sure your emails '''don’t land in the recipient’s spam folder'''.</big>


<big>Domain Key Identification Mechanism (DKIM) verifies your incoming emails to check whether they are same as they were before when they were sent. This means, if they are altered during the transit. It also checks whether they are from the same address, whom they claim to be. This feature prevents incoming spam emails.</big>
<big>In '''cPanel''', three methods are used: '''DKIM, SPF, and DMARC'''.</big>


<big>When DKIM is enabled, the sender signs the email with a digital signature using a private key. When the email approaches the recipient, it retrieves the public key of its sender and checks if the signature matches. If the signature is invalid, then message is treated as a spam message.</big>
<big>These features protect your domain and stop spammers from sending fake emails using your name.</big>
----


<big>Enabling DKIM</big>
===  <big>DKIM (Domain Keys Identified Mail)</big> ===
 
* <big>DKIM checks if an email is '''safe and unchanged''' during delivery.</big>
* <big>It also verifies that the email really came from the sender’s address.</big>
* <big>This helps reduce fake or spam emails.</big>
 
<big>'''How DKIM Works:'''</big>
 
# <big>When you send an email, it is signed with a '''digital signature''' using a private key.</big>
# <big>When the receiver gets the email, their system checks it using your '''public key'''.</big>
# <big>If the signature matches → the email is valid.</big>
# <big>If the signature does not match → the email is treated as '''spam'''.</big>
 
----
 
=== <big>Enabling DKIM in cPanel</big> ===
<big>You just need to go to '''cPanel → Email Authentication''' and turn on '''DKIM'''.</big>
 
<big>Once enabled, all outgoing emails from your domain will automatically include this security signature.</big>


<big>To enable DKIM follow these steps −</big>
<big>To enable DKIM follow these steps −</big>
Line 60: Line 78:
<big>'''Step 2''' − Find SPF setting, if enabled, then click '''Disable''' button to disable SPF.</big>
<big>'''Step 2''' − Find SPF setting, if enabled, then click '''Disable''' button to disable SPF.</big>


'''<big>DMARC (Domain-based Message Authentication, Reporting, and Conformance)</big>'''
=== <big>DMARC (Domain-based Message Authentication, Reporting, and Conformance)</big> ===
 
<big>DMARC works together with '''SPF''' and '''DKIM''' to stop fake emails. It tells mail servers what to do if an email fails authentication and also sends reports back to the domain owner.</big>
<big>DMARC builds upon SPF and DKIM by:</big>
 
# <big>Providing clear policies for handling authentication failures</big>
# <big>Enabling domain owners to receive detailed feedback reports about email authentication</big>
# <big>Creating alignment between the various sender identities in an email</big>
# <big>Allowing for progressive implementation through graduated enforcement policies</big>
 
'''<big>How DMARC Works</big>'''
 
<big>DMARC operates through a DNS TXT record that instructs receiving mail servers how to handle emails that fail authentication. The process works as follows:</big>
 
# <big>The sending domain publishes a DMARC policy in its DNS records</big>
# <big>When an email arrives, the receiving server checks for SPF and DKIM authentication</big>
# <big>The receiving server verifies "alignment" between the authenticated domain and the visible From: domain</big>
# <big>Based on the published DMARC policy, the receiver takes appropriate action (none, quarantine, or reject)</big>
# <big>The receiver generates reports and sends them back to the address specified in the DMARC record</big>
 
'''<big>DMARC Policies</big>'''
 
<big>DMARC offers three policy options of increasing strictness:</big>
 
* <big>'''p=none''': Monitor mode that requests reports but takes no action against failing messages</big>
* <big>'''p=quarantine''': Suggests that failing messages should be placed in spam or junk folders</big>
* <big>'''p=reject''': Instructs receivers to block failing messages entirely</big>
 
'''<big>Implementing DMARC: A Step-by-Step Approach</big>'''
 
'''<big>1. Assessment and Planning</big>'''
 
* <big>Identify all legitimate sources of email from your domain</big>
* <big>Map out your email infrastructure</big>
* <big>Determine which third parties send email on your behalf</big>
* <big>Set goals and timelines for DMARC implementation</big>
 
'''<big>2. Implement SPF</big>'''
 
* <big>Create an SPF record listing all authorized sending servers</big>
* <big>Publish the SPF record in your DNS</big>
* <big>Test to ensure legitimate emails are passing</big>
* <big>Example SPF record: v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all</big>


'''<big>3. Implement DKIM</big>'''
=== <big>How DMARC Works</big> ===


* <big>Generate DKIM key pairs</big>
# <big>Domain owner adds a '''DMARC record''' in DNS.</big>
* <big>Configure your mail servers to sign outgoing messages</big>
# <big>When an email arrives:</big>
* <big>Publish your DKIM public keys in DNS</big>
#* <big>Server checks '''SPF''' and '''DKIM'''.</big>
* <big>Verify signatures are being applied correctly</big>
#* <big>It also checks if the email matches the sender’s domain.</big>
# <big>Based on the DMARC policy → action is taken:</big>
#* <big>'''none''' → Just monitor, no action.</big>
#* <big>'''quarantine''' → Put in spam/junk.</big>
#* <big>'''reject''' → Block the email.</big>
# <big>Reports are sent to the email address in the DMARC record.</big>


'''<big>4. Deploy DMARC in Monitoring Mode</big>'''
===    <big>DMARC Policies</big> ===


* <big>Start with a "p=none" policy to gather data without affecting mail flow</big>
* <big>'''p=none''' → Only monitoring, no blocking.</big>
* <big>Publish a basic DMARC record: v=DMARC1; p=none; rua=<nowiki>mailto:dmarc-reports@example.com</nowiki></big>
* <big>'''p=quarantine''' → Suspicious emails go to spam.</big>
* <big>Analyze the resulting reports to identify legitimate sources that may be failing authentication</big>
* <big>'''p=reject''' → Block fake emails completely.</big>


'''<big>5. Coordinate with Third-Party Senders</big>'''
===    <big>Steps to Implement DMARC</big> ===


* <big>Share your DMARC implementation plans with authorized third parties</big>
# <big>'''Plan''' → List all sources sending emails for your domain.</big>
* <big>Help them configure proper authentication for your domain</big>
# <big>'''Add SPF''' → Publish SPF record in DNS with allowed servers.</big>
* <big>Consider implementing subdomain delegation where appropriate</big>
# <big>'''Add DKIM''' → Generate keys, sign emails, and publish public key in DNS.</big>
# <big>'''Enable DMARC (p=none)''' → Collect reports first, no blocking.</big>
# <big>'''Fix Issues with Third Parties''' → Make sure they pass SPF/DKIM.</big>
# <big>'''Increase Enforcement''' → Change policy to quarantine → then reject.</big>
# <big>'''Full Protection''' → Set policy to reject once everything works fine.</big>  


'''<big>6. Gradually Increase Enforcement</big>'''


* <big>Move to "p=quarantine" with a percentage tag once monitoring shows minimal false positives</big>
<big>'''Example Records:'''</big>
* <big>Example: v=DMARC1; p=quarantine; pct=25; rua=<nowiki>mailto:dmarc-reports@example.com</nowiki></big>
* <big>Gradually increase the percentage to 100%</big>


'''<big>7. Move to Full Rejection</big>'''
* <big>SPF: <code>v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all</code></big>
* <big>DMARC (monitoring): <code>v=DMARC1; p=none; rua=<nowiki>mailto:dmarc-reports@example.com</nowiki></code></big>
* <big>DMARC (reject): <code>v=DMARC1; p=reject; rua=<nowiki>mailto:dmarc-reports@example.com</nowiki></code></big>


* <big>Once confident in your authentication coverage, implement "p=reject"</big>
*
* <big>Example: v=DMARC1; p=reject; rua=<nowiki>mailto:dmarc-reports@example.com</nowiki>; ruf=<nowiki>mailto:forensic@example.com</nowiki></big>
* <big>Continue monitoring reports for unexpected failures</big>

Revision as of 05:17, 6 September 2025


Email authentication: Email authentication makes sure your emails don’t land in the recipient’s spam folder.

In cPanel, three methods are used: DKIM, SPF, and DMARC.

These features protect your domain and stop spammers from sending fake emails using your name.

DKIM (Domain Keys Identified Mail)

  • DKIM checks if an email is safe and unchanged during delivery.
  • It also verifies that the email really came from the sender’s address.
  • This helps reduce fake or spam emails.

How DKIM Works:

  1. When you send an email, it is signed with a digital signature using a private key.
  2. When the receiver gets the email, their system checks it using your public key.
  3. If the signature matches → the email is valid.
  4. If the signature does not match → the email is treated as spam.

Enabling DKIM in cPanel

You just need to go to cPanel → Email Authentication and turn on DKIM.

Once enabled, all outgoing emails from your domain will automatically include this security signature.

To enable DKIM follow these steps −

Step 1 − Open Email Authentication by clicking Authentication found under Mail Section of cPanel Home.

Ath1.png


Step 2 − Find DKIM settings, if disabled then, click Enable button to Enable DKIM.

Auth2.png


Disable DKIM

To disable DKIM follow these steps −

Step 1 − Open Email Authentication by clicking Authentication found under Mail Section of cPanel Home.

Step 2 − Find DKIM setting, if enabled, then click Disable button to Disable DKIM.

Ath4.png


Note − To Enable DKIM, your Nameservers must point to your hosting. It is recommended that you use DKIM Authentication in your hosting.

Advertisement

SPF

Sender Policy Framework (SPF) helps in preventing outgoing messages to spams. This helps to prevent spammers in creating a message that looks like it is originated through your domain. SPF uses TXT type DNS resource records, which specify the hosts that send emails through your domain.

Enable SPF

To enable SPF, follow these steps −

Step 1 − Open Email Authentication by clicking Authentication found under Mail Section of cPanel Home.

Step 2 − Find SPF setting, if disabled, then click Enable button to Enable SPF.

Ath5.png


Disable SPF

To disable SPF, follow these steps −

Step 1 − Open Email Authentication by clicking Authentication found under Mail Section of cPanel Home.

Step 2 − Find SPF setting, if enabled, then click Disable button to disable SPF.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC works together with SPF and DKIM to stop fake emails. It tells mail servers what to do if an email fails authentication and also sends reports back to the domain owner.

How DMARC Works

  1. Domain owner adds a DMARC record in DNS.
  2. When an email arrives:
    • Server checks SPF and DKIM.
    • It also checks if the email matches the sender’s domain.
  3. Based on the DMARC policy → action is taken:
    • none → Just monitor, no action.
    • quarantine → Put in spam/junk.
    • reject → Block the email.
  4. Reports are sent to the email address in the DMARC record.

DMARC Policies

  • p=none → Only monitoring, no blocking.
  • p=quarantine → Suspicious emails go to spam.
  • p=reject → Block fake emails completely.

Steps to Implement DMARC

  1. Plan → List all sources sending emails for your domain.
  2. Add SPF → Publish SPF record in DNS with allowed servers.
  3. Add DKIM → Generate keys, sign emails, and publish public key in DNS.
  4. Enable DMARC (p=none) → Collect reports first, no blocking.
  5. Fix Issues with Third Parties → Make sure they pass SPF/DKIM.
  6. Increase Enforcement → Change policy to quarantine → then reject.
  7. Full Protection → Set policy to reject once everything works fine.


Example Records:

  • SPF: v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all
  • DMARC (monitoring): v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
  • DMARC (reject): v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
Retrieved from "https://docs.lhycloud.com/index.php?title=Configure-dkim,spf,dmarc-to-protect-against-spoofing&oldid=679"