https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/
How to protect domains that do not send email
1. SPF
SPF records can be formatted to protect domains against attempted phishing attacks by instructing receiving mail servers to reject any email sent from the domain. To do so, an SPF record must use the following format.
v=spf1 -all
- Note: SPF records are set directly on the domain itself, meaning they do not require a special subdomain.
Here is what the individual components of this record mean:
- v=spf1 lets the server know that the record contains an SPF policy. All SPF records must begin with this component.
With this type of SPF record, no IP addresses or domains are allowed, so -all states that all non-compliant emails will be rejected. For this type of record, all emails are considered non-compliant because there are no accepted IP addresses or domains.
2. DKIM
*._domainkey.example.com TXT v=DKIM1; p=
- In this DKIM record, the p value should be empty because there is no signature/public key to tie back to.
3. DMARC
_dmarc.example.com TXT v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
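The three records above can be checked together. The following Python code is an added example, not Cloudflare's: it audits a set of TXT records (constructed sample data; `parse_tags` and `audit` are hypothetical names) and reports every deviation from the SPF, DKIM and DMARC values shown on this page.

```python
# Added example (not Cloudflare's code); function and variable names are hypothetical.

def parse_tags(txt):
    """Parse a DKIM/DMARC 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, records):
    """records maps a DNS name to its TXT strings; returns a list of findings."""
    findings = []
    # SPF: exactly one v=spf1 record on the domain itself, containing only -all.
    spf = [r for r in records.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected one v=spf1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: not a bare '-all' policy: {spf[0]!r}")
    # DKIM: wildcard selector record whose p= value is empty.
    dkim = [parse_tags(r) for r in records.get(f"*._domainkey.{domain}", [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("DKIM: no wildcard record with v=DKIM1 and empty p=")
    # DMARC: reject for domain and subdomains, strict DKIM and SPF alignment.
    dmarc = [parse_tags(r) for r in records.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected one v=DMARC1 record, found {len(dmarc)}")
    else:
        for tag, want in {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}.items():
            got = dmarc[0].get(tag)
            if (got or "").lower() != want:
                findings.append(f"DMARC: {tag}={got!r}, expected {want!r}")
    return findings

# Constructed sample zones (example.com is a placeholder domain).
LOCKED = {
    "example.com": ["v=spf1 -all"],
    "*._domainkey.example.com": ["v=DKIM1; p="],
    "_dmarc.example.com": ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"],
}
WEAK = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
if __name__ == "__main__":
    for name, zone in (("LOCKED", LOCKED), ("WEAK", WEAK)):
        print(name, audit("example.com", zone) or "ok")
```

To audit a live domain, fill the `records` mapping from TXT lookups for the three names instead of the sample dictionaries.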