How to set up anti-spoofing defense for my domain?

After adding your domain name and email addresses, set up the following DNS entries to prevent email spoofing.

Sender Policy Framework (SPF):

1. Go to your account Settings -> Messages -> E-mail domains.

2. On your domain name entry, click on SPF.

Click on Copy to directly copy the whole value.
Use ‘@’ for Name/Host (if the field is present) in your domain-name/hosting or DNS service provider.
  • If emails will be sent only using mailfence.com servers (webmail, authenticated SMTP, forwarding), use the following value:
    v=spf1 include:_spf.mailfence.com -all
  • If emails will be sent from other servers as well, use the following value:
    v=spf1 include:_spf.mailfence.com ~all

3. Once the respective DNS TXT record has been successfully included, click on Validate.

Note: If you plan to “include” multiple SPF record entries, be aware of the SPF 10-lookup limit: exceeding it can lead to failed SPF authentication on the receiving side. You can automatically flatten your SPF records by using any external service of your choice, e.g., autospf.com (comes with a free plan).
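
To check a record against the 10-lookup limit before publishing it, the sketch below counts the DNS-querying terms reachable from a domain's SPF record and reports the qualifier on its closing `all` term. It is an added example, not Mailfence code; the zone data is constructed (every record body, including the one shown for _spf.mailfence.com, is a placeholder) and all other domain names are hypothetical.

```python
import re

# Constructed sample data standing in for live DNS TXT answers. Every record body is
# made up for this example, including the one shown for _spf.mailfence.com.
ZONE = {
    "strict.example": "v=spf1 include:_spf.mailfence.com -all",
    "example.org": "v=spf1 include:_spf.mailfence.com include:_spf.crm.example "
                   "include:_spf.news.example mx ~all",
    "_spf.mailfence.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example a -all",
    "_spf.news.example": "v=spf1 a mx include:a.crm.example -all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.crm.example": "v=spf1 exists:%{i}.bl.crm.example ptr -all",
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a lookup
TERM = re.compile(r"([+\-~?])?([A-Za-z][A-Za-z0-9]*)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached from domain's SPF record."""
    if domain in path:  # include loop: stop rather than recurse forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # [1:] skips "v=spf1"
        m = TERM.match(term)
        if not m or m.group(2).lower() not in QUERYING:
            continue  # ip4, ip6, all and unknown terms need no DNS query
        total += 1
        if m.group(2).lower() in ("include", "redirect") and m.group(3):
            total += count_lookups(m.group(3), zone, path + (domain,))
    return total

def all_qualifier(record):
    """Qualifier on the 'all' term; a bare 'all' is '+', which passes every sender."""
    for term in record.split()[1:]:
        m = TERM.match(term)
        if m and m.group(2).lower() == "all":
            return m.group(1) or "+"
    return None  # no 'all' term in the record

def audit(domain, zone):
    """Summarise the lookup count and the closing 'all' qualifier for one domain."""
    n = count_lookups(domain, zone)
    return {"lookups": n, "over_limit": n > LOOKUP_LIMIT,
            "all": all_qualifier(zone[domain])}

if __name__ == "__main__":
    for d in ("strict.example", "example.org"):
        print(d, audit(d, ZONE))
```

The count is a worst case: a real evaluator stops at the first matching mechanism, and the separate RFC 7208 limits on void lookups and on names returned by mx/ptr are not modelled here.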

DomainKeys Identified Mail (DKIM)

1. You can either continue in the above wizard by clicking on Next, or, if you are doing it at a later time:

  1. Go to your account Settings -> Messages -> E-mail domains.
  2. On your domain name entry, click on DKIM.

2. Choose the size of the DKIM key:

It is recommended to use a 2048-bit DKIM key pair.
If your domain-name/hosting or DNS service provider does not support long DNS TXT values, choose 1024 bits.

Note: This option will not appear after you click on Validate.

Click on Copy to directly copy the whole value for each of the fields.

3. Once the respective DNS TXT record has been successfully included, click on Validate.

  • If an external tool verifies the existence of your DKIM key but validation still fails at Mailfence, set up a DKIM signing policy by creating the following DNS TXT record:
    Name/Host: _domainkey
    Value: o=~
    • ‘o=~’ refers to ‘some, but not all mails from this domain are signed’.
    • ‘o=-’ refers to ‘all e-mails from this domain are signed’.
  • Emails will only be DKIM signed after the respective DKIM record has been validated.

Note: To change/rotate your domain’s DKIM key, please contact our support by email.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

1. You can either continue in the above wizard by clicking on Next, or, if you are doing it at a later time:

  1. Go to your account Settings -> Messages -> E-mail domains.
  2. On your domain name entry, click on DMARC.

2. Before clicking on Validate:

  • The suggested DMARC entry is report-only (i.e., you will receive DMARC reports indicating spoofing attempts against your domain-based addresses). Make sure that you have replaced the address in rua=mailto: with an actual address that you own. It can be any email address where you would like to receive DMARC reports for your custom domain. You can stop receiving DMARC reports at any time.
  • If there is an existing DNS TXT record with the name/host ‘_dmarc’ for your domain, edit this record instead of creating a new one. This is important, as you can’t have multiple DMARC records for a given domain.
  • The ‘p=’ tag specifies the action to take for emails that fail DMARC. The value none means take no action (if SPF and/or DKIM fails) and follow the receiving end's policy. The other options are quarantine and reject. Make sure you understand the risks to your email delivery before using a policy other than none.

3. Once the respective DNS TXT record has been successfully included, click on Validate.
