Step-by-Step Guide: Securing Your Domain from Email Spoofing and Abuse

This guide shows how to secure your domain's email with SPF, DKIM, and DMARC using Cloudflare for DNS and ProtonMail for email. The process is similar for any provider, helping protect your domain from email spoofing and abuse.

Prerequisites

Before you begin, ensure you have:

  • Access to your domain registrar
    You must be able to log in to the control panel of your domain registrar to manage DNS settings.
  • Basic understanding of DNS
    Familiarity with DNS record types will help you understand and apply the changes.

Step 1: Set Up SPF

SPF (Sender Policy Framework) specifies which mail servers are authorised to send email on behalf of your domain.

ProtonMail SPF Record:

```text
v=spf1 include:_spf.protonmail.ch -all
```

Explanation:

  • v=spf1: Specifies the SPF version (SPF version 1).
  • include:_spf.protonmail.ch: Authorises ProtonMail's mail servers to send email on behalf of the domain.
  • -all: Indicates that emails from any other servers are not authorised and should be rejected.

Instructions:

  1. Log in to Cloudflare
  2. Go to DNS for your domain
  3. Click Add record
  4. Set:
    • Type: TXT
    • Name: @
    • Content: v=spf1 include:_spf.protonmail.ch -all
    • TTL: Auto
  5. Save

Step 2: Set Up DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message. Receiving servers verify that signature against the public key you publish in DNS, which shows the message was indeed sent through ProtonMail and hasn't been altered in transit.

Find DKIM record in ProtonMail:

  1. Log in to ProtonMail
  2. Open Settings
  3. Navigate to: Security > Email Authentication (SPF/DKIM/DMARC)
  4. Under DKIM, find:
    • Selector (e.g. protonmail1)
    • DKIM key / public key

Add DKIM record in Cloudflare:

  1. Go to Cloudflare DNS
  2. Click Add record
  3. Set:
    • Type: TXT
    • Name: protonmail1._domainkey
    • Content: (Paste the DKIM key from ProtonMail)
    • TTL: Auto
  4. Save

If ProtonMail provides multiple selectors (e.g., protonmail2, protonmail3), repeat the above process for each selector.

Step 3: Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers how to handle email that fails SPF and/or DKIM checks, and optionally asks them to send you reports on how mail claiming to come from your domain was handled.

Recommended DMARC Record:

```text
v=DMARC1; p=quarantine; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com
```

Explanation:

Setting adkim=s and aspf=s requires strict alignment: the domain in the DKIM signature and the SPF envelope-from domain must match the From: domain exactly, with no subdomains allowed, which removes the leeway that relaxed alignment leaves for spoofing and phishing.

  • v=DMARC1: Specifies the DMARC version being used.
  • p=quarantine: The policy for handling unauthenticated emails (move to spam or quarantine).
  • rua=mailto:dmarc@example.com: The address that receives aggregate DMARC reports (example.com stands in for your own domain throughout this guide; use an address you control).
  • adkim=s: Specifies that the alignment for DKIM (DomainKeys Identified Mail) must be strict.
  • aspf=s: Specifies that the alignment for SPF (Sender Policy Framework) must be strict.
  • pct=100: Indicates that 100% of emails are subject to the DMARC policy.

Instructions:

  1. Go to Cloudflare DNS
  2. Click Add record
  3. Set:
    • Type: TXT
    • Name: _dmarc
    • Content: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100
    • TTL: Auto
  4. Save

Aggregate Reports Email

To keep your main inbox clean, use separate addresses for each report type:

Step 4: Verify

Once you have added the records, query each one from outside Cloudflare to confirm that it resolves with the value you entered.

SPF:

```bash
dig +short TXT example.com
```

DKIM:

```bash
dig +short TXT protonmail1._domainkey.example.com
```

DMARC:

```bash
dig +short TXT _dmarc.example.com
```
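The dig commands above only show that a record exists; reading the values back for the weak settings discussed in Steps 1 and 3 is still manual. The script below is an added example (not part of this guide, ProtonMail or Cloudflare): it takes pasted `dig +short TXT` output, re-joins DKIM keys that DNS has split into several quoted chunks, and flags a missing `-all`, `p=none`, a missing `rua=`, relaxed alignment and `pct` below 100. All sample records, the DKIM key and the `example.com` / `dmarc@example.com` addresses are constructed placeholders.

```python
"""Offline sanity checks for the SPF, DKIM and DMARC records in this guide.

Added example, not part of the original guide. Paste the output of the
`dig +short TXT <name>` commands from Step 4 into the sample strings below
(or replace them); nothing here touches the network.
"""
import base64
import binascii
import re
from typing import Callable, Dict, List

# Constructed sample `dig +short TXT` output; example.com stands in for your domain.
SPF_DIG = '"v=spf1 include:_spf.protonmail.ch -all"\n'
GOOD_DMARC_DIG = ('"v=DMARC1; p=quarantine; adkim=s; aspf=s; pct=100; '
                  'rua=mailto:dmarc@example.com"\n')
WEAK_DMARC_DIG = '"v=DMARC1; p=none; pct=50"\n'
# A constructed (not real) DKIM key. DNS splits TXT values longer than 255
# bytes into several quoted chunks, which dig prints space-separated on one
# line; they must be joined back together before the key is decoded.
FAKE_KEY = base64.b64encode(b"constructed-dkim-public-key-bytes-not-a-real-key").decode()
DKIM_DIG = f'"v=DKIM1; k=rsa; p={FAKE_KEY[:40]}" "{FAKE_KEY[40:]}"\n'

TXT_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dig_txt(output: str) -> List[str]:
    """Return one string per TXT record, joining multi-chunk values."""
    records = []
    for line in output.splitlines():
        chunks = TXT_CHUNK.findall(line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["ERROR: not an SPF record (must start with v=spf1)"]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1  # counts this record only, not the includes it pulls in
        if name == "all":
            all_qualifier = qualifier
    findings = []
    if lookups > 10:
        findings.append(f"ERROR: {lookups} lookup terms; RFC 7208 allows at most 10")
    if all_qualifier == "-":
        findings.append("OK: -all rejects mail from unlisted servers")
    elif all_qualifier == "~":
        findings.append("WARN: ~all only soft-fails unlisted servers; prefer -all")
    else:
        findings.append("ERROR: no -all, so unlisted servers are not rejected")
    return findings


def check_dmarc(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["ERROR: not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy in ("quarantine", "reject"):
        findings.append(f"OK: p={policy} acts on unauthenticated mail")
    elif policy == "none":
        findings.append("WARN: p=none is monitor-only; spoofed mail is still delivered")
    else:
        findings.append("ERROR: missing or invalid p= tag")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("WARN: no rua= address, so no aggregate reports will arrive")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"INFO: {tag}=r (relaxed) also lets subdomains align")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"ERROR: pct={pct} is not a number")
    elif int(pct) < 100:
        findings.append(f"WARN: pct={pct}, policy applied to only {pct}% of mail")
    return findings


def check_dkim(record: str) -> List[str]:
    tags = parse_tags(record)
    if "p" not in tags:
        return ["ERROR: no p= tag; this is not a DKIM key record"]
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["ERROR: v= tag present but is not DKIM1"]
    if tags["p"] == "":
        return ["WARN: empty p= means this selector's key has been revoked"]
    try:
        raw = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return ["ERROR: p= is not valid base64 (truncated or mis-pasted key?)"]
    return [f"OK: {tags.get('k', 'rsa')} public key, {len(raw)} bytes decoded"]


def audit(dig_output: str, checker: Callable[[str], List[str]]) -> List[str]:
    """Run one checker over every TXT record that dig returned."""
    records = parse_dig_txt(dig_output)
    if checker is check_spf:
        # The apex TXT set usually holds other records too (site verification
        # etc.); exactly one may be SPF, otherwise receivers return permerror.
        records = [r for r in records if r.lower().startswith("v=spf1")]
        if len(records) > 1:
            return ["ERROR: more than one SPF record; receivers treat this as permerror"]
    if not records:
        return ["ERROR: no matching TXT record returned (missing, or not yet propagated)"]
    return [finding for rec in records for finding in checker(rec)]


if __name__ == "__main__":
    for label, output, checker in [("SPF", SPF_DIG, check_spf),
                                   ("DKIM", DKIM_DIG, check_dkim),
                                   ("DMARC (recommended)", GOOD_DMARC_DIG, check_dmarc),
                                   ("DMARC (weak)", WEAK_DMARC_DIG, check_dmarc)]:
        print(f"== {label}")
        for finding in audit(output, checker):
            print("  ", finding)
```

The SPF lookup count covers only the mechanisms in the record you pasted; includes such as `_spf.protonmail.ch` expand to further lookups, so a record that passes here can still exceed the 10-lookup limit once those are followed. The multi-chunk DKIM handling matters in practice: a 2048-bit key exceeds 255 bytes, and a checker that reads only the first quoted string will report a truncated key.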

DNS Records Checklist

Purpose   Record Type   Name                     Value
-------   -----------   ----                     -----
SPF       TXT           @                        v=spf1 include:_spf.protonmail.ch -all
DKIM      TXT           protonmail1._domainkey   (from ProtonMail)
DMARC     TXT           _dmarc                   v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100

Result

This guide ensures that your domain is protected against email spoofing and abuse by using SPF, DKIM, and DMARC correctly, with ProtonMail and Cloudflare. Following these steps will help authenticate your emails and improve email security.