2 min read

The Ultimate SPF / DKIM / DMARC Best Practices 2023

The Ultimate SPF / DKIM / DMARC Best Practices 2023
By www.URIPorts.com

URIPorts: https://www.URIPorts.com
Curated: https://www.MailEdge.net

Reduce spoofing and phishing, build and maintain a solid reputation, and increase email deliverability with SPF, DKIM, and DMARC.

Freddie Leeman

The internet is evolving, and so are email security best practices. Unfortunately, these recommendations can contradict each other over time due to outdated information and superseded security standards. That's why we've created the ultimate best practice guide for SPF, DKIM, and DMARC. We've included explanations and links to the official documentation and are dedicated to keeping this guide up-to-date and following the recommendations from the M3AAWG and cyber security specialists worldwide.

These best practices are for active domains. Follow the "M3AAWG Protecting Parked Domains Best Common Practices" guidelines for domains that do not send emails (parked domains).


  • Publish SPF records for EHLO [1] and RFC5321.MailFrom [2] domains
  • SPF records should end with ~all [3]
  • SPF record should not exceed the 10 DNS lookup limit [4]
  • SPF records should not authorize more sources than necessary [5]
  • RFC5321.MailFrom domain should align with RFC5322.From domain where possible

  1. At the start of SMTP transmission, the sending server identifies itself by sending the EHLO command followed by its domain name. This domain name can differ from the RFC5321.MailFrom domain name. The EHLO domain is only used for SPF validation when the RFC5321.MailFrom address is unavailable. ↩︎
  2. After identification, the sending server communicates the RFC5321.MailFrom address by sending the command MAIL FROM. If an email cannot be delivered, this address is used for the non-delivery report. The domain of this address is used to retrieve the SPF policy. ↩︎
  3. The use of ~all (softfail) instead of -all (fail) is best practice, as the latter can cause receiving servers to block the message at SMTP transmission instead of evaluating possible DKIM signatures and DMARC policies. For more details on fail and softfail, please read chapter 8.4 of the SPF RFC and chapter 10.1 of the DMARC RFC. A softfail will still cause DMARC to fail without a valid and aligned DKIM signature. ↩︎
  4. Administrators can implement SPF macros to avoid exceeding the 10 DNS lookup limit mentioned in chapter 4.6.4 of the SPF RFC. We'll dedicate a separate blog on how to implement SPF macros soon. ↩︎
  5. Avoid using CIDR notation to allowlist large network blocks, and use a DMARC monitoring service to monitor and detect unutilized sources. ↩︎

    Read More  on URIPorts.com
Connect with us [Infosec.Exchange] | Mastodon