How can we help you today?
< All Topics

SPF records

(look in DNS section of webdesign.xlsm “preventing email spoofing”)

365 – settings / domains

[this example is “inspectionsupport.com” sends email on behalf of gfengineers.com. Add this as a txt record to the giles domain]

This allows domain owners to explain who is allowed to send email on their behalf. You can add the ISN to your SPF record for your domain by adding the following include:


Thus, let’s say your SPF record is currently:

v=spf1 include:_spf.google.com ~all

After the update it would be:

v=spf1 include:_spf.google.com include:spf.inspectionsupport.com ~all

Thank you for the clarification. The Email Deliverability section in WHM relates to the hostname of the server host.digitalinfocloud.com. The respective SPF and DKIM records have been added to the DNS zone of host.digitalinfocloud.com, however these will need to be added at your registrar for the records to be properly seen by the internet due to the server having no authority over the DNS of the domain.

$ dig host.digitalinfocloud.com txt @ +short
“v=spf1 +mx +a +ip4: ~all”

$ dig default._domainkey.host.digitalinfocloud.com txt @ +short
“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGrwDg/jJ1U6gmNSxqbElW8+KuZ8cXRSqMh60Jipcb8+YYK6aVZiQoZZ8bpAm8wcIXnRRKLhCn2ng6QSURQzzw0gRMTmh9Fp4CDO0R+OLoLh8e/PQrPArvYpVNRt+Li+n7xpll/10/qwF/Ma+X1yYYlLFeoT3eKrsrxeSlBU/GeYM3NUhVnaAQ3WPGfzvb2bD” “f32Jkrffs4MRiQkxI16VlJoPiewuh57s31ROogssruVVjmQEdKe8T6asZLwNfFXTTenl+JHRDaTAk7v53R+b++wGtUAAcfu6xrEq9UJAXrgUF4x8iiZxr+bEcxu2BbvlCS2gWla4++3knb3ATv3fwIDAQAB;”

Preventing email spoofing mxtoolbox.com to validate – “email  health” mxtoolbox – analyze header (copy from gmail)
if soa
SPF TXT @ openspf.org usually get from microsoft for 365
all servers authorized to send mail on your behalf
v=spf1 include:spf.protection.outlook.com -all need -all, make sure not +all
v=spf1 include:spf.myconnectwise.net include:spf.protection.outlook.com ~all
guarantees should only come from your email server
if you want any domain’s mail servers to be able to send on your behalf
pink thermos bag
DKIM doesn’t encrypt, just validates sender to minimize email spoof
makes sure message isn’t changed from source to destination. Uses keys set up alias “dnsdmarc@digital-info.com” as alias for me for these reports
365 / security / policies&rules / threat policies / email authentication settings / DKIM / click on domain / create keys if not already created
enable “sign msgs with dkim”
this gives an error that gives 2 cname records that you need to add to dns
dns type CNAME use the address to send a message to, a few minutes view results
name selector1._domainkey selector2._domainkey look for dkim & spf “pass”
value  (copy from error message in 365 when turned it on) selector1-stallsmedical-com._domainkey.stallsmedical.onmicrosoft.com
it usually takes several hours after adding cnames before 365 dkim enable will work
365 / turn on later when don’t get error
once can enable
send to gmail and show header dkim should be good
https://mxtoolbox.com/dmarcrecordgenerator.aspx then say “check DMARC” and it lets you create one
check dkim https://mxtoolbox.com/dkim.aspx
DMARC domain-based message authentication reporting & conformance sends you reports on who sends on your behalf
(need spf set up first) dnschecker.org / _dmarc.stallsmedical.com
v=DMARC1;p=reject;   (or p=quarantine) this tells destination mailserver what to do with email that doesn’t come from your spf server
if netsol says “already have dmarc”, use classic view
netsol this is txt record “other host” Host: ttl 1 hr
this is all you need _dmarc v=DMARC1;p=quarantine;rua=mailto:dnsdmarc@anniengo.us;ruf=mailto:dnsdmarc@anniengo.us;
sends to you when someone send email on your domain
reports are sent to anniengo
anniengo.us needed this DNS to accept reports
host stallsmedical.com._report._dmarc.anniengo.us
value v=DMARC1
TXT (subdomains)
host *.stallsmedical.com._report._dmarc.anniengo.us
value v=DMARC1

Any domain that would be sending from the server would have the same SPF record:v=spf1 +mx +a +ip4: ~allAny domains using the IP can have this SPF record instead:v=spf1 +mx +a +ip4: +ip4: ~all

Table of Contents