How to Set Up SPF, DKIM, and DMARC with Domain.com & Microsoft Outlook

Step-by-step guide on setting up email impersonation settings for Domain.com & Microsoft Outlook

Mike from Iceberg
Jan 26, 2024

What are SPF, DKIM, and DMARC?

This guide is designed for those who want to ensure their email communications are safe and trustworthy. We'll be diving into three key security measures:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Each of these serves a unique role in safeguarding your emails, like different pieces of a puzzle working together to secure your email identity. Think of them as your email’s personal security team, each member specializing in a different aspect of protection. We'll explain these in simple terms and guide you step-by-step on how to set them up.

How to set up SPF with Domain.com and Microsoft Outlook / M365

SPF stands for Sender Policy Framework. It's a security measure for email that helps to verify if an email sent from a domain (like yourcompany.com) is legitimate. Think of it as a list of approved email senders for your digital mail. When an email is sent, SPF checks if it's from a mail server that's allowed to send emails for that domain. It's like a bouncer checking if an email sender is on the guest list. This helps prevent spammers from pretending to be you (like forging your return address on an envelope), which can protect your reputation and prevent your emails from being mistakenly marked as spam. Without SPF, there's a higher risk that spammers can send emails pretending to be from your domain, which can lead to phishing attacks (where scammers trick people into giving away personal information) or damage to your domain's reputation.

SPF Setup Instructions for Domain.com

  1. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  2. On the dashboard, select the domain where you're updating the SPF record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  3. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side
  4. Click on DNS & Nameservers in the left-hand menu
  5. On the DNS & Nameservers page, select the DNS Records tab
  6. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record
  7. Here you can edit an existing record, but we want to create a new TXT record, so click on Add More Records
  8. Name: The hostname or prefix of the record, without the domain name. Enter @ to put the record on your root domain, or enter a prefix, such as mail.
  9. Value: The SPF rule to indicate emails are only allowed from your mail server. Enter the following SPF record: v=spf1 include:spf.protection.outlook.com -all
  10. This record specifies that only servers listed in the include:spf.protection.outlook.com mechanism are authorized to send email on behalf of your domain, and all other servers will be considered unauthorized.
  11. Set the TTL (Time to Live) to an appropriate value, such as 1 hour (3600 seconds). TTL determines how long the record is cached by DNS servers.
  12. Select Save to add your new record. If you added multiple records at the same time, select Save All Records.
  13. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.

Step 3: In the Card View, click on the domain's Manage button
Step 5: Click on DNS & Nameservers in the left-hand menu
Step 6: On the DNS & Nameservers page, select the DNS Records tab then add a new TXT Record by clicking the blue + button
Step 7: This is where you enter your SPF records then press Update DNS to commit the changes
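
Once the record is saved, it is worth checking what is actually published at the root of the domain, because an old SPF record left beside the new one makes receivers return an error instead of applying either. The linter below is an added example, not part of the original guide; the function names and the sample records are constructed for illustration, and the input is the list of TXT values returned for your domain.

```python
# Added example (not from the original guide): lint the TXT records
# published at a domain's root for the SPF value used in step 9.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """Mechanism or modifier name without qualifier, e.g. '-all' -> 'all'."""
    bare = term.lstrip("+-~?").lower()
    return bare.replace("=", ":").replace("/", ":").split(":")[0]


def audit_spf(txt_records, required_include="spf.protection.outlook.com"):
    """Return a list of findings; an empty list means the record looks right."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: several v=spf1 records on one name is a permanent error.
        return [f"{len(spf)} SPF records found; receivers return permerror"]

    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    findings = []
    if f"include:{required_include}" not in (t.lstrip("+").lower() for t in terms):
        findings.append(f"missing include:{required_include}")

    all_terms = [t.lower() for t in terms if term_name(t) == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("no 'all' mechanism; unlisted senders are not failed")
    elif all_terms and all_terms[0] != "-all":
        findings.append(f"'{all_terms[0]}' is weaker than the hard fail '-all'")

    # include, a, mx, ptr, exists and redirect each cost a DNS lookup (max 10).
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings


if __name__ == "__main__":
    # Constructed sample: an old record left in place beside the new one.
    sample = ["MS=ms00000000",
              "v=spf1 include:spf.protection.outlook.com -all",
              "v=spf1 a mx ~all"]
    print(audit_spf(sample))
```
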

How to set up DKIM with Domain.com and Microsoft Outlook / M365

DKIM, which stands for DomainKeys Identified Mail, is like a digital signature for your emails. Imagine sending a sealed letter with a unique stamp that proves it's really from you. When you send an email, DKIM adds a hidden digital signature to it. This signature is created based on a private key that only you have. The receiving mail server then checks this signature against a public key that's listed in your DNS records. It's like verifying the stamp on your letter matches the one you've shown to the world as yours. This process helps to ensure that the email hasn't been tampered with and really comes from your domain. It's important for security because it helps prevent someone from altering your emails or sending fake emails that look like they're from you. Without DKIM, your emails could be more easily spoofed, leading to increased phishing risks and potential harm to your domain's trustworthiness.

DKIM Setup Instructions for Microsoft Outlook / M365

  1. Sign into the Microsoft 365 Defender portal (https://security.microsoft.com/) using your administrator credentials.
  2. On the portal, navigate and click on Policies & Rules under Email & Collaboration.
  3. On the Policies & Rules page, select Threat Policies.
  4. Select Domain Keys Identified Mail (DKIM) to open the DKIM page.
  5. On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages)
  6. You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status. Simply click on the Create DKIM keys button to view your keys
  7. Keep this table open because we need to copy and paste those values into Domain.com
  8. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  9. On the dashboard, select the domain where you're updating the DKIM record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  10. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side. Check out the screenshot from the SPF instructions above
  11. Click on DNS & Nameservers in the left-hand menu
  12. On the DNS & Nameservers page, select the DNS Records tab
  13. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record. Check out the screenshot from the SPF instructions above
  14. Here you can edit an existing record, but we want to create a new TXT record, so click on Add More Records
  15. Name: The DKIM value that you get from Microsoft in Step 7
  16. Value: The DKIM value that you get from Microsoft in Step 7
  17. Set the TTL (Time to Live) to an appropriate value, such as 1 hour (3600 seconds). TTL determines how long the record is cached by DNS servers
  18. Select Update DNS to add your new record
  19. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally

Step 3: On the Policies & Rules page, select Threat Policies.
Step 6: On the DKIM page, select the domain you want to enable DKIM for
Step 8: You can now toggle the Enable button to start the activation process for DKIM.

How to set up DMARC with Domain.com and Microsoft Outlook / M365

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Think of DMARC as a set of rules for your email's security guards: SPF and DKIM. It tells these guards how to handle emails that fail SPF and DKIM checks. Imagine you have two security checks at the entrance of a building. SPF checks if the visitor (email) is coming from a trusted location, and DKIM verifies their ID (digital signature). If a visitor fails either check, DMARC decides what to do with them—like turning them away or putting them in a waiting area (spam folder).

DMARC also sends reports back to you, informing you about who's trying to send emails using your name and how these emails are being dealt with. This helps in identifying and stopping email impersonation and phishing attacks. Without DMARC, even if you have SPF and DKIM, you don't have control over what happens to emails that fail these checks, potentially leaving your domain more vulnerable to misuse and your recipients at risk of receiving fraudulent emails.

Before setting up DMARC, you need to have SPF and DKIM properly configured for your domain. Then you can decide on your DMARC policy, which determines how receiving mail servers handle emails that fail SPF and/or DKIM checks. You can choose from three policies:

  • None: Do nothing (used mainly for monitoring purposes). ⛔ Don't use this setting. It leaves you totally unprotected.
  • Quarantine: Mark the email as suspicious and move it to the spam or junk folder. 👎 This setting is still risky because people will still receive your forged emails.
  • Reject: Reject the email outright and do not deliver it. 👈 This is the one you should use ✅

An example DMARC record that follows our recommended security settings would look like this:

v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com

You can use a DMARC record generator tool, such as Global Cyber Alliance’s DMARC tool (https://dmarcguide.globalcyberalliance.org), to create your DMARC record, if needed.

DMARC Setup Instructions for Domain.com

  1. Log in to your Domains Dashboard (https://www.domain.com/controlpanel/foundation)
  2. On the dashboard, select the domain where you're updating the DMARC record. There are two views in the Domains dashboard - the Card and List views. Click on the view icons to switch to your preferred view
  3. Choose the domain you wish to modify. In the Card view, click the domain’s Manage button. In List view, click the domain or its gear icon on the right-hand side. Check out the screenshot from the SPF instructions above
  4. Click on DNS & Nameservers in the left-hand menu
  5. On the DNS & Nameservers page, select the DNS Records tab
  6. Add a new TXT Record by clicking the blue + button. Or, scroll to the bottom for TXT records and click on the 3 dots to “edit” an existing record. Check out the screenshot from the SPF instructions above
  7. Here you can either edit an existing record, or select Add More Records to create a new one. We want to create a TXT record.
  8. Name: The hostname or prefix of the record, without the domain name. Set this to _dmarc
  9. Value: The record value you generated earlier. For example: v=DMARC1; p=reject; rua=mailto:youremail@yourdomain.com
  10. Save the changes.
  11. That's it! Mission accomplished 🚀 Most DNS updates take effect within an hour but could take up to 48 hours to update globally.
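
A DMARC record can be syntactically valid and still weaker than the p=reject policy recommended above, for example when an sp= or pct= tag relaxes it. The check below is an added example, not part of the original guide; the function names are constructed for illustration, and `host` is assumed to be the value typed into the Name field at Domain.com.

```python
# Added example (not from the original guide): check a DMARC TXT record
# against the settings this guide recommends.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def audit_dmarc(host, record):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if host.lower() != "_dmarc":
        findings.append(f"record is on '{host}'; receivers look it up at _dmarc")
    pairs = parse_dmarc(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return findings + ["record must start with v=DMARC1"]
    tags = dict(pairs)

    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        findings.append(f"p={policy or '(missing)'} is not a valid policy")
    elif policy != "reject":
        findings.append(f"p={policy} still lets failing mail be delivered")

    # sp= overrides the policy for subdomains; pct= limits how much mail it covers.
    sub = tags.get("sp", policy).lower()
    if STRENGTH.get(sub, 0) < STRENGTH.get(policy, 0):
        findings.append(f"sp={sub} gives subdomains a weaker policy than p")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail")

    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua address, so no aggregate reports arrive")
    findings += [f"rua entry '{u}' is not a mailto: URI"
                 for u in uris if not u.lower().startswith("mailto:")]
    return findings
```
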

Conclusion

That’s it – you're all done! By implementing these three pillars of email security, you're not just protecting your domain from being misused by spammers and phishers, but you're also safeguarding your reputation and building trust with your recipients. SPF ensures that only authorized servers can send emails on behalf of your domain, DKIM provides a unique signature that verifies your emails are genuine and untampered, and DMARC ties it all together by dictating how to handle emails that fail SPF and DKIM checks, while keeping you informed about your email traffic. Together, these measures form a robust defence system against email-based threats. Remember, in the digital world, being proactive about security is not just a best practice; it’s a necessity. By taking these steps, you’re not only securing your email communications but also contributing to a safer, more trustworthy internet for everyone.
