
Email authentication (SPF, DKIM, DMARC)

Executive Overview

In the modern business world, sending an email is more than just clicking "Send." Behind the scenes, global mail providers (like Gmail, Outlook, and iCloud) perform a series of "identity checks" to ensure that an email is legitimate and not a phishing attempt or spam.

SPF, DKIM, and DMARC are the three pillars of email security. Think of them as the digital "passport and visa" for your email. If these settings are correct, your emails are trusted and delivered. If they are missing or incorrect, your emails may be marked as "Spam" or blocked entirely.


1. The Hands-Free Approach: DotSync

If the technical details below seem overwhelming, Clearbox offers an automated solution.

  • DotSync-Managed Domains: If your domain is managed by DotSync, Clearbox handles all of this for you. We automatically generate the security keys and publish the records. You don't need to do anything.
  • External Domains: If you keep your domain with another provider (like GoDaddy), you will need to copy and paste specific values from your Clearbox Dashboard into your provider's settings.

Need help? If you are uncomfortable editing these settings, simply contact Alfrolia Support. Our engineers can join a secure session to handle the configuration for you.


2. The Three Pillars of Security

SPF (Sender Policy Framework)

  • The Analogy: The "Approved Guest List."
  • What it does: SPF tells the world exactly which servers are allowed to send mail on behalf of your domain.
  • The Record: You add a "TXT" record to your domain settings that includes spf.clearbox.email.
  • Why it matters: It prevents hackers from pretending to be you and sending fake emails from your address.

DKIM (DomainKeys Identified Mail)

  • The Analogy: The "Official Wax Seal."
  • What it does: DKIM adds a hidden digital signature to every email you send. When your mail arrives, the recipient's mail server checks the signature against a "key" published on your domain.
  • Why it matters: It proves that the content of your email wasn't tampered with or changed while it was traveling across the internet.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • The Analogy: The "Security Guard's Instructions."
  • What it does: DMARC tells other mail providers what to do if an email fails the SPF or DKIM tests.
  • The Strategy: We recommend a three-step rollout:
      1. Monitor (p=none): Watch reports to see who is sending mail as you.
      2. Warning (p=quarantine): Move suspicious emails to the recipient's Spam folder.
      3. Strict (p=reject): Block unauthorized emails entirely.

3. Implementation Table

If you are manually configuring your domain, use these general formats. Please refer to your Clearbox Dashboard for your unique DKIM keys.

Record Type    Host / Name         Value (Example)
SPF            @ or leave blank    v=spf1 include:spf.clearbox.email -all
DKIM           cb1._domainkey      v=DKIM1; k=rsa; p=MIIBIjANBg...
DMARC          _dmarc              v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

4. Troubleshooting & Verification

Once these records are saved, it can take up to 24 hours for the global internet to update (though it often happens within minutes).

  • SPF Failure: Usually caused by having more than one SPF record. You should only have one SPF record that includes all your services.
  • DKIM Failure: Often caused by a "copy-paste" error where a single character or space was missed. Always use the "Copy" button in the dashboard to ensure accuracy.
  • Alignment Issues: Ensure the domain in your email's "From" address exactly matches the domain you have authenticated.
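
The record-level failures listed above (a duplicate SPF record, a DKIM key that lost a character in copy-paste, a malformed DMARC policy) can be caught before you publish. The Python below is an added example, not Clearbox code: it lints TXT values supplied as a dictionary, assumes the `cb1` selector from the table, and uses constructed names (`lint`, `parse_tags`, `example.com`) and constructed sample records.

```python
import base64

REQUIRED_INCLUDE = "include:spf.clearbox.email"  # from the implementation table
POLICIES = ("none", "quarantine", "reject")      # the three rollout stages

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint(domain, txt, selector="cb1"):
    """Return a list of problems in txt, a dict of DNS name -> list of TXT strings."""
    problems = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # more than one SPF record makes receivers reject all of them
        problems.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    for record in spf:
        terms = record.lower().split()
        if REQUIRED_INCLUDE not in terms:
            problems.append(f"SPF: missing {REQUIRED_INCLUDE}")
        if not terms[-1].endswith("all"):
            problems.append("SPF: record does not end with an 'all' mechanism")
    dkim = parse_tags(" ".join(txt.get(f"{selector}._domainkey.{domain}", [])))
    key = "".join(dkim.get("p", "").split())  # whitespace inside p= is legal; drop it
    try:
        if not base64.b64decode(key, validate=True):
            raise ValueError("empty key")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        problems.append("DKIM: p= is missing or not valid base64 (copy-paste error?)")
    dmarc = parse_tags(" ".join(txt.get(f"_dmarc.{domain}", [])))
    if dmarc.get("v") != "DMARC1" or dmarc.get("p", "").lower() not in POLICIES:
        problems.append("DMARC: need v=DMARC1 and p=none|quarantine|reject")
    return problems

# Constructed sample data (not real records); KEY is base64 of placeholder bytes.
KEY = base64.b64encode(b"constructed, not a real key").decode()
GOOD = {
    "example.com": ["v=spf1 include:spf.clearbox.email -all"],
    "cb1._domainkey.example.com": [f"v=DKIM1; k=rsa; p={KEY}"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:admin@example.com"],
}
BAD = {
    "example.com": GOOD["example.com"] + ["v=spf1 include:_spf.other.example ~all"],
    "cb1._domainkey.example.com": [f"v=DKIM1; k=rsa; p={KEY[:-1]}"],  # one char lost
    "_dmarc.example.com": ["v=DMARC1; p=monitor"],  # not a valid policy value
}
if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint("example.com", zone) or "no problems found")
```

To run it against a live domain, fill the dictionary from your DNS provider's export or a TXT lookup; the checks do not cover alignment, which depends on the headers of an actual message.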

How to Verify

To confirm your settings are perfect, send a test email to a service like Mail-Tester or check the "Health" status in your Clearbox Admin Console. A green checkmark means your business is fully protected.


Professional Assistance

Email deliverability is critical to your business operations. If you would like us to verify your current records or help you move from a "Monitor" to a "Reject" policy for maximum security, please reach out to our team.