All our email accounts have DKIM, SPF and DMARC support. We enable it as an added protection for our clients and monitor the whole thing using dmarcian.com
Email protected using DKIM will be signed using secure encryption and publicly authenticated by other mail servers that verify your emails are sent from our systems the same goes for SPF telling the world that your email hosted on our servers are allowed to send on your behalf its essentially IP based protection. DMARC is the global policy that tells other mail servers what to do if your email is sent from an unauthorized server.
We encrypt all emails on our server with a public signature ensuring other mail providers that we are the source of your business mail.
Our implimentation of DMARC consists of this simple dns text record.
and that points to our default client rule of
"v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=s; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; rf=afrf; pct=100; fo=1; ri=3600"
A break down of the rule is as follow.
v is for the protocol version, in this case, it should be DMARC1
p is the Policy for organizational domain aka yourdomain.tld, you can have it set to REJECT but we set it to quarantine as a default.
sp is the Policy for subdomains of the Organizational domain. This applies to any and all subdomains of your primary domain.
adkim is set to R for Relaxed, We run the DKIM in relaxed mode since our users might have web scripts that sent email without authenticating and signing the mail before sending.
aspf is set to S for Strict since most of all accounts are hosted on our servers and should always follow the default SPF policy of "v=spf1 include:_spf.zenithmedia.net -all"
rua is the email address used for reporting on the email itself. If you wish to use your own, visit the links below.
ruf is the forensics reports we receive from other providers like google/yahoo/microsoft ^
rf is the file format we receive the records in afrf.
pct is the amount in percent that email is scanned in this case 100%. We don't recommend lowering this number without consulting our support team.
fo is used as a queue to send us reports about malicious servers trying to use your domain. It should always be set to 1 for ON
ri is the time we request reports from providers. 3600 seconds is 1 hour and that seems like enough to catch any malicious activity. Most providers won't send it if its lowered anyway.
If you wish to monitor your own emails the great guys at dmarcian.com will set you up and you will start receiving a nicely designed graph showing you who and what is using your domain name.
dmarc.org , dmarc.io and dkim.org for further reference.