Tools against SPAM and domain spoofing:

  • SPF – Whitelist of hosts allowed to send email on behalf of the organization.
  • DKIM – Digital signatures used to verify that a message really came from the organization.
  • DMARC – Tells receiver servers what to do with emails that fail SPF and/or DKIM.

SPF (Sender Policy Framework) is one more weapon to fight email spam.

The idea is to use DNS records (TXT format) to advertise which sources are legitimately allowed to send email for your domain, reducing the chances of spoofing. See example:

  • Record name
    • (empty) or “*”
  • Value
    • “v=spf1 a mx include:mailvendor.com ~all”

Configure your DNS server using TXT records to define the sending rules for your domain:

  • . IN TXT “v=spf1 mx
    • Only the IP in the MX record is allowed to send emails for this domain.
  • . IN TXT “v=spf1 a
    • Only IPs with an A record are allowed.
  • . IN TXT “v=spf1 -all
    • Reject anything that does not comply.
  • . IN TXT “v=spf1 ~all
    • Accept but flag any non-compliant email.

Configure Reverse DNS (rDNS):

  • If your server is hosted on a VPS (AWS, GCP, Linode, etc.) you can go into your cloud dashboard and set the reverse DNS to your domain or subdomain.
  • If you own the server, set up a local DNS resolver. BIND9 is a solid choice.

Once SPF and rDNS are configured, verify that the records are correct by running the following commands:

dig +short DOMAIN.COM
dig -x 1.1.1.1 +short

The first command checks the SPF record in DNS.

The second checks the rDNS.

In this example, DOMAIN.COM has SPF pointing to 1.1.1.1, so 1.1.1.1 should also resolve in reverse to DOMAIN.COM.


DKIM (DomainKeys Identified Mail) is an authentication method designed to detect forged senders.

It works by copying the key generated by your outgoing email server into the DNS records using TXT format. See example:

  • Record name
    • itytzkakk._domainkey.
  • Value
    • “v=DKIM1; k=rsa; p=4GNADCBiQKBgQCgzjLMIGfMA0GCSqGSIb3DQEBAQUAAo9D2g8sCXXcad9/S5HAAG7m5yVMnSN5TCaYBDR30YhU/BAG8o8B93nkMGZwe9FAaUtD+qTMDp2dByA9n1rtPvssQbXUnwgmUD20e1lKOjyi/Yrbgr4JCNlP+7HTFviRfoMdtzfIBfK8Nkl0JeZ3GvNkQfwIDAQABRDtyuGSdFWtaS”

DMARC (Domain-based Message Authentication, Reporting & Conformance) defines the policy to apply when SPF and/or DKIM fail.

It also requires a DNS TXT record. See example:

  • Record name
    • _dmarc.
  • Value
    • “v=DMARC1; p=reject; fo=1; pct=100”

Syntax breakdown:

  • v=DMARC1
    • DMARC protocol version.
  • p=reject
    • Policy to apply: ‘none’, ‘quarantine’, or ‘reject’.
  • pct=100
    • The percentage of emails the policy applies to.
  • fo=1
    • Forensic reporting option: ‘0’ generates reports only if both DKIM and SPF fail; ‘1’ generates reports if either fails.

WEB TOOLS