If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Setting up DKIM/SPF/DMARC records

Started by Inetscope, Jul 29, 2022, 01:28 AM


Inetscope (Topic starter)

DKIM is an email authentication method that uses digital signature verification to protect recipients from fraudulent emails. The public key is stored in the domain's TXT record, and it is necessary for email services to verify the authenticity of the sender.
To configure DKIM signatures and DNS records, a private/public key pair must be generated using OpenSSL or an online service; the path to the private key is then specified in the mail server's configuration file, and the public key is placed in DNS. An ADSP record can also be registered, which determines whether messages must be signed or not, with three possible values: all, discardable, or unknown.

SPF, on the other hand, is a mechanism for verifying messages by checking the sender's server, usually set up in conjunction with DKIM and DMARC. Setting up an SPF record involves specifying the version (always SPF1), allowing sending from an IP address, the domain's MX record, or another domain, adding individual IP addresses or including the SPF records of another domain, and finally determining what should happen to messages that do not comply with the policy.

DMARC is an extension of SPF that allows organizations to specify policies and reports for how to handle unauthenticated messages, and it relies on the use of DKIM and SPF as a prerequisite.

DMARC is a technical specification that helps reduce spam and phishing emails by identifying the sender email domains based on rules specified on the recipient's mail server. This allows the mail server to decide whether a received email is legitimate or not according to the DMARC record. To configure DMARC records, a typical entry includes tags such as version, rule for the domain, subdomain, relaxed or strict record matching, percentage of emails to filter, and email reports for those that did not pass the DMARC check.

The rules can take values such as none, quarantine, or reject, while reports can be sent daily to specified emails. However, it should be noted that even with DKIM, SPF, and DMARC in place, there is still a risk of security breaches if the server is hacked or emails are sent to unsupported servers. Configuring records requires a unique setup for each server. Feedback and corrections are welcomed.
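The post above describes DKIM in terms of the key pair and the DNS record, but the part a verifier actually checks first is the body hash (the bh= tag of the DKIM-Signature header), computed over a canonicalized body. The following is an added example written for this thread, not code from any of the posts or from any mail server; it implements the two body canonicalizations of RFC 6376 with the standard library only and checks a bh= tag against a message. The message, the domain example.org and the selector selector1 are constructed; the b= tag is left empty because the example has no RSA key and only exercises the hash step.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop empty lines at the end of
    the body, then end it with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of SP/HTAB to one
    SP, strip trailing whitespace on each line, drop trailing empty lines, and
    end with one CRLF unless the body is empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace in values is ignored
    return tags


def split_message(raw: bytes):
    """Split a CRLF message into {lower-cased header name: value} and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)          # unfold continuation lines
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, val = line.partition(b":")
        headers[name.strip().lower().decode()] = val.strip().decode()
    return headers, body


def verify_body_hash(raw: bytes) -> bool:
    """First step of DKIM verification: recompute bh= from the body with the
    canonicalization named in c= and compare it to the signature's bh= tag."""
    headers, body = split_message(raw)
    sig = parse_tags(headers.get("dkim-signature", ""))
    if sig.get("v") != "1" or "bh" not in sig:
        return False
    canon = sig.get("c", "simple/simple").split("/")   # c=header/body; body defaults to simple
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if body_canon not in CANON:
        return False
    return body_hash(body, body_canon) == sig["bh"]


def build_sample(body: bytes, canon: str = "relaxed") -> bytes:
    """Constructed message (assumed domain/selector) with a folded DKIM-Signature
    header; b= is empty because this example only demonstrates the bh= step."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/{canon}; d=example.org; s=selector1;\r\n"
           f"\th=from:to:subject; bh={body_hash(body, canon)}; b=")
    return (b"DKIM-Signature: " + sig.encode() +
            b"\r\nFrom: alice@example.org\r\nTo: bob@example.net\r\nSubject: test\r\n\r\n" + body)


if __name__ == "__main__":
    body = b"Hello  Bob,\r\n\r\nPlease   review the attached invoice.\r\n\r\n\r\n"
    msg = build_sample(body)
    print("bh (relaxed):", body_hash(body, "relaxed"))
    print("verify original:", verify_body_hash(msg))
    # Changing the body after signing (e.g. swapping the payment instructions) breaks bh=.
    print("verify tampered:", verify_body_hash(msg.replace(b"invoice", b"refund")))
```

Relaxed canonicalization is what most senders use because intermediate MTAs sometimes rewrap whitespace; with c=simple such a change alone is enough to fail the signature, which is worth remembering when an SPF-passing message from your own server still fails DKIM.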


maxikk

This is a checklist for those who are familiar with email authentication methods. Now I know how to generate DKIM signatures myself, with the note that ADSP is not recommended, as it has become obsolete according to its authors. For email authentication, DKIM, SPF, and DMARC are sufficient.
But multiple SPF records should not be used for a single domain, as there can only be one record per domain. It is also important to avoid using an obsolete standard such as "spf2.0". To check the validity of SPF, there are various services available, such as the one found here.
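The two pitfalls named above (more than one v=spf1 record, and a leftover spf2.0 Sender ID record) are exactly the kind of thing an "SPF checker" reports. As an added example for this thread (not code from any post or from any checker service), here is an offline validator over the TXT strings published at a domain's apex: it applies the RFC 7208 rules that matter in practice, including the 10-DNS-lookup limit, and flags a permissive "+all". It only counts the lookups visible in the record itself; a real evaluator also counts the lookups inside every included record. All record sets in the demo are constructed and the domain names in them are placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Terms that cost a DNS query against the RFC 7208 limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# qualifier, name, then optional ":" / "=" / "/" separator and value
TERM_RE = re.compile(r"^([+\-~?]?)([a-zA-Z][a-zA-Z0-9_.-]*)(?:([:=/])(.*))?$")


@dataclass
class SpfReport:
    record: Optional[str] = None
    lookups: int = 0
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _is_spf1(txt: str) -> bool:
    # RFC 7208 section 4.5: version tag is case-insensitive, followed by SP or end of record.
    low = txt.lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def check_spf_txt(txt_records: List[str]) -> SpfReport:
    """Validate the TXT records found at a domain, the way a receiving SPF evaluator
    does. Each list element is one TXT record with its strings already joined."""
    rep = SpfReport()
    if any(r.lower().startswith("spf2.0/") for r in txt_records):
        rep.warnings.append("spf2.0 (Sender ID) record found: obsolete, ignored by SPF evaluators")
    spf = [r for r in txt_records if _is_spf1(r)]
    if not spf:
        rep.errors.append("no v=spf1 record: every sender gets result 'none'")
        return rep
    if len(spf) > 1:
        rep.errors.append(f"multiple v=spf1 records ({len(spf)}): evaluators return permerror")
        return rep
    rep.record = spf[0]
    if len(rep.record) > 255:
        rep.warnings.append("record longer than 255 octets: publish it as several TXT strings")
    terms = rep.record.split()[1:]
    seen_all = False
    for term in terms:
        if seen_all:
            rep.warnings.append(f"'{term}' after 'all' is never evaluated")
            continue
        m = TERM_RE.match(term)
        if not m:
            rep.errors.append(f"unparsable term '{term}'")
            continue
        qual, name, sep, value = m.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            rep.lookups += 1
        if name in MODIFIERS:
            if sep != "=":
                rep.errors.append(f"modifier '{name}' must use '='")
            continue
        if name not in MECHANISMS:
            rep.errors.append(f"unknown mechanism '{name}': permerror")
            continue
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value or "", strict=False)
                if net.version != int(name[2]):
                    raise ValueError
            except ValueError:
                rep.errors.append(f"invalid {name} value '{value}'")
        if name == "all":
            seen_all = True
            if qual in ("", "+"):
                rep.warnings.append("'+all' authorizes every host on the internet to send as this domain")
            elif qual == "?":
                rep.warnings.append("'?all' is neutral: unlisted senders neither pass nor fail")
    if not seen_all and not any(t.lower().startswith("redirect=") for t in terms):
        rep.warnings.append("no 'all' mechanism: unlisted senders get result 'neutral'")
    if rep.lookups > 10:
        rep.errors.append(f"{rep.lookups} DNS-lookup terms exceed the limit of 10: permerror")
    return rep


if __name__ == "__main__":
    samples = {   # constructed TXT record sets with placeholder domains
        "good": ["v=spf1 ip4:192.0.2.0/24 include:_spf.google.com mx -all", "site-verification=abc"],
        "two records": ["v=spf1 -all", "v=spf1 a -all"],
        "sender-id only": ["spf2.0/pra -all"],
        "open policy": ["v=spf1 +all"],
    }
    for label, recs in samples.items():
        rep = check_spf_txt(recs)
        print(f"{label}: ok={rep.ok} lookups={rep.lookups} errors={rep.errors} warnings={rep.warnings}")
```

Run it against the output of `dig +short TXT yourdomain.com` (joining each record's quoted strings first) after every change to the record; the multiple-record case in particular is easy to create by accident when a hosting panel adds its own SPF entry next to yours.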

jamesanderson11

If you are wondering whether implementing DKIM is enough for email authentication, the answer is no. While DKIM helps confirm the legitimacy of senders by encrypting email messages with a cryptographic signature, it does not provide a way for recipients to respond to messages that do not work with DKIM. However, DMARC can address this issue.

DMARC, or Domain-Based Message Authentication, Reporting and Compliance, is an email authentication protocol that enables domain owners to take action against messages that fail SPF/DKIM authentication. This helps reduce the likelihood of domain and BEC spoofing attacks. By combining DMARC with SPF and DKIM, email delivery can be improved by 10% over time while also enhancing the reputation of your domain name.

onlyme3179

Setting up DKIM, SPF, and DMARC records can significantly improve your email deliverability. They are DNS records that help authenticate your email, proving to the recipient's server that it's not spam.

Here's a brief summary of what each one does:

1. **SPF (Sender Policy Framework)**: This is used to provide a list of IP addresses or servers that are allowed to send emails on behalf of your domain.
2. **DKIM (DomainKeys Identified Mail)**: Provides an encryption key and digital signature that verifies that an email message was not forged or altered.
3. **DMARC (Domain-based Message Authentication, Reporting & Conformance)**: Is built on top of SPF and DKIM protocols and adds linkage to the author ("From:") domain name, among other things.

Here is a simple overview of steps you can take to set these up:

**SPF**

1. Identify the servers that are permitted to send emails on behalf of your domain. This could be IP addresses or hostnames of your own server, your hosting company, your email service, etc.
2. Formulate an SPF record, which should look like: `v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all` (Replace the IPs with yours).
3. Add this record to your Domain Name Service (DNS) entries (You'll do this via your hosting or domain company).

**DKIM**

1. You'll need to generate a DKIM key. Often, your email service will do this for you. If not, there are tools online that can generate these keys.
2. You will get a TXT record which contains the public part of the key. This might look like: `v=DKIM1; h=sha256; k=rsa; p=MIIBIj...` (truncated).
3. Add this record to your DNS.

**DMARC**

1. You decide your DMARC policy - what should happen if an email fails the checks (for example, `none`, `quarantine`, or `reject`).
2. Formulate a DMARC record, for example: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com`.
3. Add the DMARC record to your DNS.

This is a very high-level overview. The specifics will depend on your domain registrar, your hosting provider, and your email service. Be sure to look up their specific instructions.


For a more detailed process, let's have a look at each protocol.

**1. SPF (Sender Policy Framework)**

The primary step in SPF setup involves creating an SPF record that lists all the servers authorized to send email on your domain's behalf.

Here is how you create an SPF TXT Record:

A simple example of an SPF TXT record is:

`v=spf1 include:_spf.google.com ~all`

This SPF TXT record indicates that:

- `v=spf1` defines the version of SPF being used.
- `include:_spf.google.com` specifies that the IPs used by Google's mail servers are allowed to send email on behalf of your domain.
- `~all` specifies a SoftFail, meaning that if the sending server is not listed in your SPF record, mark it but still deliver.

Insert this SPF TXT record into your DNS. The process of adding the record may vary because hosting providers have different interfaces.

**2. DKIM (DomainKeys Identified Mail)**

DKIM setup often starts with your email service provider (ESP). Many ESPs offer a DKIM signing service where they generate the public-private key pair for you.

Once the keys are generated:

1. Paste the private DKIM key into your ESP system. Your ESP will use it to create encrypted DKIM signatures in the headers of outgoing emails.

2. The public key is placed in your domain's DNS records in a new TXT record. When receiving servers get your email, they check this TXT record and use the public key to decrypt the DKIM signature from the email header. If the decryption is successful, your email passes the DKIM check.

For example, the content of the DKIM TXT record may look something like this:

`"v=DKIM1; k=rsa; p=MIGf..."`

**3. DMARC (Domain-based Message Authentication, Reporting & Conformance)**

DMARC involves aligning the SPF and DKIM records, and specifying a policy.

Here are the steps:

1. Create a DMARC policy record:

A basic DMARC policy might look like this:

`"v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"`

This tells receiving servers to send you aggregate reports about DMARC failures, but doesn't dictate any specific actions to be taken upon DMARC failure (`p=none`).

2. Insert this policy record into your domain's DNS as a TXT record at `_dmarc.yourdomain.com`.

DMARC, SPF, and DKIM are all established by creating DNS TXT records. You have to create these records on your domain's DNS management platform. After a record is set, it may take some time, from a few minutes to several hours, for it to propagate and be recognized by other servers.


Let's go through a detailed example using Google Workspace as your Email Service Provider:

1. To set up Sender Policy Framework (SPF)

   - Go to the DNS management page at your DNS/Hosting provider.
   - Add a new DNS record with the following details:
     - Record type: TXT
     - TXT name: `@` (or leave it blank, depending on your DNS/Hosting provider)
     - TXT value: `v=spf1 include:_spf.google.com ~all`
     - Time to Live (TTL): 3600 or 1 hour (this may vary based on your DNS/Hosting provider)

2. To set up DomainKeys Identified Mail (DKIM)

   - Sign in to your Google Admin console.
   - From the dashboard, go to Apps > Google Workspace > Gmail.
   - Scroll to the 'Authenticate email' section, click 'Set up email authentication (DKIM)', and then the 'Generate New Record' button.
   - In the 'Prefix selector' box, it's recommended to leave the default 'google', but you can also edit it.
   - Leave the default 1024-bit key in the 'Key bit-length' box.
   - Click 'Generate'.
   - Now go to the DNS management console at your DNS hosting provider.
   - Add a new TXT record with the following information:
     - TXT Name: `google._domainkey` (replace 'google' if you chose a different prefix in the Google console)
     - TXT Value: paste the value you obtain from the Google console. This will look something like `v=DKIM1; k=rsa; p=MIIBIjANB...`
     - TTL: 3600 or according to your host.
   - Go back to the Google Admin console after updating this TXT record, and click 'Start Authentication'. It's essential to understand that DNS propagation might take up to 48 hours.

3. To set up Domain-based Message Authentication, Reporting & Conformance (DMARC)

   - Go to the DNS management page at your DNS/Hosting provider.
   - Add a new DNS record with the following details:
     - Record type: TXT
     - TXT Name: `_dmarc`
     - TXT Value: `v=DMARC1; p=none; rua=mailto:yourMail@yourDomain.com`. This is a very basic DMARC TXT record. `p=none` tells the receiving servers not to take any action should they encounter a policy violation. `rua=mailto:yourMail@yourDomain.com` is where you want to receive the aggregate reports.
     - Time to Live (TTL): 3600 or 1 hour.

NOTE: Always remember to verify your SPF, DKIM, and DMARC records using separate 'SPF Record Checker', 'DKIM Record Checker', and 'DMARC Record Checker' tools online to ensure you've set them up correctly.

Keep in mind that this is an example with Google Workspace; the processes could vary with different service providers. But the concept will remain the same.

It's also crucial to note that configuring these records incorrectly might stop your emails from being delivered, therefore take extra caution and consult a professional if you are unsure.
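The post above says DMARC "adds linkage to the author (From:) domain" and lets you pick a policy, but does not show what a receiver does with the record. The following is an added example written for this thread, not code from the post or from any mail software: it parses a DMARC TXT record with the defaults and fallbacks of RFC 7489, decides whether an SPF or DKIM pass is aligned with the From: domain (relaxed or strict), and derives the disposition from p=/sp=/pct=. The organizational domain is approximated as the last two labels, which is an assumption of this example; real implementations consult the Public Suffix List. All records, domains and authentication results in the demo and the `evaluate_dmarc` arguments are constructed.

```python
import random
from typing import Dict, List, Optional, Tuple

POLICIES = ("none", "quarantine", "reject")   # ordered from least to most severe


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record and apply the RFC 7489 receiver rules:
    v=DMARC1 must be the first tag; p= is required, but if it is missing or
    invalid while rua= is present the record is treated as p=none (section 6.6.3);
    sp= defaults to p=, adkim=/aspf= default to relaxed, pct= to 100."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts:
        k, _, v = part.partition("=")
        tags[k.strip().lower()] = v.strip()
    if tags.get("p") not in POLICIES:
        if "rua" in tags:
            tags["p"] = "none"
        else:
            raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])
    if tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= tag")
    for mode in ("adkim", "aspf"):
        tags.setdefault(mode, "r")
        if tags[mode] not in ("r", "s"):
            raise ValueError(f"{mode}= must be r or s")
    pct = tags.setdefault("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct= must be 0..100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    a real implementation uses the Public Suffix List, so example.co.uk works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record: str, from_domain: str,
                   spf: Tuple[str, str],            # (result, MAIL FROM domain)
                   dkim: List[Tuple[str, str]],     # [(result, d= domain), ...]
                   record_domain: Optional[str] = None,
                   sample: Optional[int] = None) -> Dict[str, object]:
    """Combine SPF/DKIM results with the record into a DMARC pass/fail and a
    disposition. record_domain is where the record was found: when it is the
    organizational domain of a subdomain From:, sp= applies instead of p=.
    sample (0..99) makes pct= sampling deterministic; default is random."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, tags["adkim"]) for r, d in dkim)
    passed = spf_ok or dkim_ok
    rdom = (record_domain or from_domain).lower()
    policy = tags["sp"] if from_domain.lower() != rdom else tags["p"]
    if passed:
        disposition = "none"
    else:
        disposition = policy
        roll = random.randrange(100) if sample is None else sample
        if roll >= int(tags["pct"]) and policy != "none":
            # Messages outside the pct= sample get the next less severe policy (section 6.6.4).
            disposition = POLICIES[POLICIES.index(policy) - 1]
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "policy": policy, "disposition": disposition}


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; aspf=s; pct=50; rua=mailto:dmarc@example.org"
    print(parse_dmarc(rec))
    # Bulk mailer sends with its own bounce domain: SPF passes but is not strictly aligned,
    # the DKIM signature with d=example.org carries the pass.
    print(evaluate_dmarc(rec, "example.org", ("pass", "bounce.example.org"), [("pass", "example.org")]))
    # Spoof: attacker's own domain authenticates fine but is not aligned with From:.
    print(evaluate_dmarc(rec, "example.org", ("pass", "attacker.example.net"),
                         [("pass", "attacker.example.net")], sample=10))
    print(evaluate_dmarc(rec, "news.example.org", ("fail", "x.example.net"), [], record_domain="example.org"))
```

Two things the demo makes visible that the DNS record alone does not: a bulk mailer using its own bounce domain fails strict SPF alignment and depends entirely on an aligned DKIM signature, and `pct=50` with `p=reject` means half of the failing spoofs are only quarantined, so ramp pct to 100 before you consider the domain protected.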

