SPF, DKIM and DMARC - why these records matter

Photo of a pink envelope  by πš‚πš’πš˜πš›πšŠ π™Ώπš‘πš˜πšπš˜πšπš›πšŠπš™πš‘πš’ on Unsplash

Fighting spam is a never-ending story for any mailhost and Netuxo is no different. And it is a tale of two halves...

Photo of pink envelope
Photo by πš‚πš’πš˜πš›πšŠ π™Ώπš‘πš˜πšπš˜πšπš›πšŠπš™πš‘πš’ on Unsplash

For incoming mail we take measures to identify and then either reject or quarantine spam messages according to severity (score) and the per-domain and per-mailbox configuration that our mail users have set in theirΒ control panel or via Roundcube settings. You can read more about that here:

When it comes to outgoing mail there are some things we can do to broadly demonstrate that the mail originating from Netuxo's mailserver is legitimate, for example ensuring only our customers can use it to send mail (ie it is not an "open relay"). However, confirming the legitimacy of the sending domain (ie your mailbox@domain-name) requires a suite of DNS records with digital signatures and info that "proves" that each message sent from your domainΒ  is coming from the right server and that the domain owner is accountable for it:

"Receivers who successfully validate a signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior" - fromΒ http://dkim.org/info/dkim-faq.html

Improving deliverability for all

On 1 April 2019 we made a commitment to add SPF, DKIM and DMARC records for all our clients, without charge, where we also provide the domain and can control and create those DNS records.Β We are rolling this out over the course of the year and hope that this will improve each domain's reputation,Β the rate of successful delivery and indeed the reputation of the sending mailserver itself.

Where we do not manage these records, we strongly encourage our customers to take the following steps:


Add a TXT record

Sample record:

"v=spf1 include:spf.netuxo.coop ?all"

Note that if you also send mail via a third party such as Mailchimp, you need to adapt the SPF record to include their server IP as a legitimate source of mail from your domain name. See the help pages of the respective provider for further information.


Ask usΒ  to generate and send youΒ a key for your domain and add a DNS TXT record.

Sample record:Β 

mail._domainkey. 3600 TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkfTbs7llNbHSvFXPngV9/qK3OPzDSralzn3XnOg4RCWVpXTJSkj1yP/IsApBoaLGArlk5BuWguNe8B+a/ZR3b8X+9Fc5EfnU+NCqfFUBWqy5coMtE3OgUC01obNUOQpdKT1Z8PN6Kn7bserFr8QOPaYtOSpBx0+hc5IHonhlYZQIDAQAB"


Sample record:Β 

_dmarc.<YOUR-DOMAIN> Β Β Β  text = "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@netuxo.coop; ruf=mailto:dmarc-report@netuxo.coop;fo=1"

NB there are various options, but this would be fine.

Why it matters

Failure to demonstrate a good reputation has an incremental impact on everyone, as recipient servers (eg Gmail, Yahoo!, etc) are more likely to downgrade the reputation of the mailserver itself, even blocking mail delivery completely.

Domain reputation matters!

If you are a Netuxo customer who provides your own domain name and needs help to create the appropriate records, please contact us and we will try to assist.