email authentication

2021-10-21

Email Authentication

| Contents | ii

Contents

About Email Authentication................................................................................................ 3

Checking the DNS Settings of Your Own Domains..................................................4

Methods for Sender Authentication............................................................................... 6SPF Check.........................................................................................................................................................................................................................................6

SPF Check Logic...................................................................................................................................................................................................... 7Setting an SPF Record...................................................................................................................................................................................... 9Activating the SPF Check...............................................................................................................................................................................9Configuring Advanced Options for SPF Check...................................................................................................................13Troubleshooting....................................................................................................................................................................................................... 16

DKIM Validation and DKIM Signing.................................................................................................................................................................... 18Setting a CNAME Record............................................................................................................................................................................ 18Activating the DKIM Validation............................................................................................................................................................... 18Configuring Advanced Options for DKIM Validation.................................................................................................... 20Activating DKIM Signing..................................................................................................................................................................................21

DMARC Validation..................................................................................................................................................................................................................22Setting a DMARC Record............................................................................................................................................................................23Tags in DMARC Records..............................................................................................................................................................................24DMARC Decision Matrix................................................................................................................................................................................ 26Activating the DMARC Validation.......................................................................................................................................................28Configuring Advanced Options for DMARC Validation.............................................................................................29

Adding Exceptions.................................................................................................................................................................................................................32Emails in the Control Panel........................................................................................................................................................................................ 34

Index....................................................................................................................................................................... 36

About Email Authentication

About Email AuthenticationEmail Authentication offers different methods to authenticate email senders.

You can authenticate email senders by the following methods.

• SPF check (Sender Policy Framework) (see SPF Check on page 6)

• DKIM validation and DKIM signing (DomainKeys Identified Mail) (see DKIM Validation and DKIMSigning on page 18)

• DMARC validation (Domain-based Message Authentication, Reporting and Conformance) (seeDMARC Validation on page 22)

Before you activate these methods, check the DNS settings of your domains (see Checking the DNSSettings of Your Own Domains on page 4).

3

Checking the DNS Settings of Your Own Domains

Checking the DNS Settings of Your Own DomainsYou can check the DNS settings of your own domains. In this process, the SPF, DKIM and DMARCsettings of your domains will be checked.

You have activated Spam and Malware Protection.

Notice:

You can only check the DNS settings of the domains for which Spam and MalwareProtection is activated.

Before setting up sender authentication methods, check whether the DNS settings of your domainsare correctly configured.

Important:

You can only activate the SPF check, the DKIM validation and the DMARC validation for thoseof your domains for which the corresponding DNS settings are correctly configured.

Notice:

To find out how to set an SPF record, see Setting an SPF Record on page 9.

To find out how to set a CNAME record, see Setting a CNAME Record on page 18.

1. Log in to the Control Panel with your administrative credentials.

2. Select your domain from the scope selection.

3. Navigate to Security Settings → Email Authentication.

4

Checking the DNS Settings of Your Own Domains

4. Click on Refresh DNS settings to check the status of the DNS settings of your domains.

Figure 1: Update DNS settings

The status of the DNS settings of your domains is displayed in a table. The following threeresults are possible:

The settings of the domain are correctlyconfigured.

No records have been set for the domain.

The settings of the domain are not correctlyconfigured.

You have checked the DNS settings of your domains.

Activate sender authentication methods (see Methods for Sender Authentication on page 6).

5

Methods for Sender Authentication

Methods for Sender AuthenticationYou can activate different methods for the authentication of email senders for your domains.

You can choose from the following methods:

• SPF Check on page 6

• DKIM Validation and DKIM Signing on page 18

• DMARC Validation on page 22

These methods enhance the protection of your company's email infrastructure against spam andphishing. You can use these methods individually or combine them.

Combining several methods delivers the best protection. For instance, on servers that only use DKIM,spam can be distributed by an email with a valid DKIM signature. As long as this email is not altered,the email can be sent with a valid DKIM signature in bulk to different people. To prevent this, SPF canbe added. SPF checks the origin of the email. The IP address and the domain name of the mail serverare checked. SPF rejects emails from unauthorized servers. This prevents the distribution of spam viaemails with a valid DKIM signature.

Furthermore, you can exclude some of your domains from the application of these methods bydefining exceptions (see Adding Exceptions on page 32).

Emails for which an SPF check, a DKIM validation or a DMARC validation has failed are displayed inthe Control Panel, see Emails in the Control Panel on page 34.

SPF CheckSPF (Sender Policy Framework) is a sender authentication method that checks whether the senderaddress of an email has been faked.

With an SPF check, the incoming server checks whether an incoming email has been sent by anauthorized server. For this purpose, the incoming server checks whether the IP address of theoutgoing server is registered in an SPF record in the DNS zone of the sender’s domain. An SPFrecord contains the IP addresses of the servers that are authorized to send emails from a domain.

For more information about the logic of the SPF check, see SPF Check Logic on page 7.

6


You can set up the SPF check for incoming emails of your domains. To do so, first set the SPFrecords for all your domains to which outgoing emails SPF checks shall be applied. Then activate theSPF check (see Activating the SPF Check on page 9) and configure the advanced options (seeConfiguring Advanced Options for SPF Check on page 13).

You can also learn how to solve SPF check errors (see Troubleshooting on page 16).

SPF Check Logic

The logic of the SPF check is described in more detail.

When an email is received on a destination server, the IP address of the sending server is comparedwith the records stored in the TXT record of the domain of the sending server. If the IP address of thesending server is not included in the SPF record, an error is returned. Depending on the severity, thecheck of the SPF record returns either a hardfail or a softfail.

You can decide which measures shall be taken for each type of fail (see Activating the SPF Check onpage 9). If no errors occur, the email is delivered as usual.

Notice:

The following explanations are based on the assumption that both the sender details from theenvelope (MAIL FROM) and the sender details from the header (From) are being checked. Ifonly one of these specifications is to be checked, a single check takes place and its fail typeis decisive.

The following logic is considered when checking the TXT record:

1. In the first step, the envelope (MAIL FROM) and the header (From) are checkedsimultaneously. If one of the checks fails, the type of its fail is considered in the next step. Ifboth checks fail, the most serious type of fail is considered in the next step. There are threepossible cases.

Table 1: Case 1 - Both SPF checks end with a softfail

If both the SPF check for the envelope and the SPF check for the header end with a softfail, asoftfail is considered in the next step.

7


PART OF THE EMAIL CONFIGURATION TYPE OF FAIL

Envelope (MAIL FROM) ~all Softfail

Header (From) ~all Softfail

Table 2: Case 2 - Both SPF checks end with a hardfail

If both the SPF check for the envelope and the SPF check for the header end with a hardfail, a

hardfail is considered in the next step.


Envelope (MAIL FROM) -all Hardfail

Header (From) -all Hardfail

Table 3: Case 3 - The SPF checks end with different fails

If the SPF checks for the envelope and the header end with different fails, a hardfail is

considered in the next step.


Envelope (MAIL FROM) -all Hardfail

Header (From) ~all Softfail

2. The second step is to check which measures you have set for a hardfail or a softfail. These arethe measures which will be applied.

8


Notice:

In the SPF check, only the qualifiers - and ~ are supported. The qualifier - represents theresult code hardfail and the qualifier ~ represents the result code softfail. The qualifier ? is notsupported.

Setting an SPF Record

You can set an SPF record in your domain's DNS zone to authorize our servers to send emails onbehalf of your domain.

You can set an SPF record in your domain's DNS zone to authorize our servers to send emails onbehalf of your domain. Spam and Malware Protection can detect deception attempts such asspoofing in time based on the SPF record. Recipients outside your organization can use the SPFrecord to perform SPF checks on emails from your domain. You also need the SPF record to enableEmail Authentication to perform SPF checks for incoming emails.

Important:

Register all servers that are authorized to send emails from your domain in the SPF record.

Notice:

Our SPF record is not required for customers who have configured their primary environmentwith the IP/Hostname option but have not specified relay server addresses for outgoingemails. For more information on how to set the primary environment, see the chapter"Adjusting the Primary Environment Settings" in the Control Panel manual.

Contact support to set an SPF record in the DNS zone.

Activating the SPF Check

You can enable the SPF check.

For your domains, valid SPF records are set in the DNS zone.

9


Important:

SPF checks are only performed for domains with valid SPF records.

Important:

The SPF check can only be enabled if the customer meets one of the followingconditions:

• The customer has configured their primary environment with the IP/Hostnameoption and defined relay server IP addresses for outgoing emails. The customer hasset our SPF record in the DNS zone in addition to their own SPF records.

• The customer has configured their primary environment with the IP/Hostnameoption but has not defined relay server IP addresses for outgoing emails. Thecustomer has set their own SPF records in the DNS zone.

For more information on how to set the primary environment, see the chapter "Adjustingthe Primary Environment Settings" in the Control Panel manual. For more information onhow to set our SPF record, see Setting an SPF Record on page 9.

You can activate the SPF check to check whether the outgoing server of an incoming email matchesthe SPF records of the sender’s domain and is authorized to send emails from the domain.




10


4. Check the Activate SPF check checkbox under Sender Authentication.

Figure 2: Activate SPF check

A warning message is displayed.

5. Click on Confirm.

Figure 3: Confirm

The SPF check is activated for all domains that are under the selected domain and for whichcorrect SPF records have been set.

11


6. Select in which situations an SPF check shall be performed.

• To check all incoming emails that have an SPF record set for their sender’s domain, selectFor all incoming emails.

Notice:

This option is recommended if there is generally a high volume of address forgeryfrom different sender domains. If you use this variant, the false positive rate mayincrease if several communication partners have not configured their SPF recordscorrectly.

• To only check incoming emails sent from the recipient’s domain or one of their aliasdomains, select Only for emails within one of your own domains.

Notice:

Only internal emails are checked. This option is recommended to prevent targetedattacks under fake email addresses from your own domain.

Figure 4: Select emails for SPF check

The SPF check has been activated.

Next, you can configure the advanced options for the SPF check (see Configuring AdvancedOptions for SPF Check on page 13).

12


Configuring Advanced Options for SPF Check

You can configure how to proceed depending on the results of SPF checks.

You have activated the SPF check.

You can configure how to proceed depending on the results of SPF checks.




4. Click on Advanced options.

Figure 5: Open advanced options


13


5.Important:

Changes to the advanced options can result in the delivery of malicious emails.

To change the advanced options, click on Confirm.

Figure 6: Confirm6. Optional: Under Behavior after an SPF hard fail, define what shall happen after an SPF

hardfail. You have the following options:

• Quarantine email as spam: The email is marked as spam and stored in quarantine.

• Reject email: The email is rejected. The email is neither delivered to the recipient norstored in quarantine.

• Take no action: The SPF hardfail does not trigger any action. Subsequently, the email ischecked by other filters of our services.

Figure 7: Select behavior after an SPF hardfail

14


7. Optional: Under Behavior after an SPF soft fail, define what shall happen after an SPF softfail.You have three options:



• Take no action: The SPF softfail does not trigger any action. Subsequently, the email ischecked by other filters of our services.

Figure 8: Select behavior after an SPF softfail8. Optional: Under Analysis, determine which email elements shall be analyzed. You have the

following options:

• Only analyze 'envelope from'• Only analyze 'header from'• Analyze 'envelope from' and 'header from'

Notice:

If both elements are checked, this increases security, but also the false positive rate.

Figure 9: Configure analysis

15


9. Optional: To reset the SPF settings to the default settings, click on Default settings for SPFcheck.

Notice:

The default settings are to store emails as spam in quarantine after an SPF hardfail andan SPF softfail and to only analyze the envelope from.

The advanced options for the SPF check have been configured.

Troubleshooting

This section explains how to resolve errors related to SPF checks.

This section explains how to resolve errors related to SPF checks while sending (seeTroubleshooting: Problems when sending emails with an SPF entry set up on page 16) andreceiving (see Troubleshooting: Problems when receiving emails with SPF checks on page 17)emails.

Troubleshooting: Problems when sending emails with an SPF entry set up

The recipient's server declares emails sent by you invalid because of SPF checks and does notdeliver the emails.

Condition:

One of the following conditions is fulfilled:

• SPF checks are only performed if the sender’s domain and the recipient’s domain are the same.Incoming internal emails are incorrectly declared invalid.

• Your communication partner informs you that emails from your domain are declared invalid bySPF checks.

16


Cause: Your own TXT record is wrong

The IP addresses of your mail servers registered in the TXT record are wrong or missing.

Remedy: Editing the TXT entry

Add the missing IP addresses of your mail servers to the TXT entry or correct the IP addresses.

Troubleshooting: Problems when receiving emails with SPF checks

Emails that should be delivered are declared invalid by SPF checks.

Condition:

SPF checks are performed for all incoming emails for whose sender’s domain a TXT record is set.Incoming emails of certain domains are incorrectly declared invalid.

Cause: Errors in TXT entry of the communication partner

Remedy: Informing your communication partner

Inform the communication partner about a possible incorrect SPF configuration.

Remedy: Adding IP addresses to the allow list

1. Open the Control Panel.

2. Select the affected domain from the scope selection.

3. Navigate to Deny & Allow Lists.

4. Select the tab Allow list.

5. Enter the IP address of the communication partner in the field Add entry.

6. Click on Add to confirm your input.

17


DKIM Validation and DKIM SigningDKIM (DomainKeys Identified Mail) is an email authentication method that checks whether emailshave been manipulated during transfer.

DKIM signing adds a DKIM signature to the email header of an outgoing email. Once a serverreceives an email with a DKIM signature and performs a DKIM validation, the receiving server queriesthe public key that has been entered in the DNS zone of the sending domain in a TXT record. Thiskey is used to check whether the DKIM signature is correct. The DKIM validation reveals if an emailwas altered during delivery.

Set CNAME records for all of your domains for which you would like to use DKIM (see Setting aCNAME Record on page 18).

You can authenticate the senders of incoming emails with DKIM validations. To do so, first activatethe DKIM validation (see Activating the DKIM Validation on page 18) and then configure theadvanced options (see Configuring Advanced Options for DKIM Validation on page 20).

To enable the recipients of your outgoing emails to perform DKIM validations, add DKIM signatures toyour outgoing emails (see Activating DKIM Signing on page 21).

Setting a CNAME Record

If you would like to use DKIM, set CNAME records in the DNS zone of your domain.

Set CNAME records for your domains for which you would like to use DKIM.

Contact support to set the CNAME records.

Activating the DKIM Validation

Activate the DKIM validation for incoming emails.

For your domains, valid DKIM records are set in the DNS zone.

18


Notice:

To find out how to set CNAME records in the DNS zone, see Setting a CNAME Recordon page 18.

Activate the DKIM validation to check whether the DKIM signatures of incoming emails match theDKIM settings of the sender’s domain.




4.Important:

The DKIM validation can only be activated for your domains that have valid DKIMsettings.

Activate the checkbox Activate DKIM validation for incoming emails under SenderAuthentication.

Figure 10: Activate DKIM validation

You have activated the DKIM validation for incoming emails.

Configure the advanced options for the DKIM validation (see Configuring Advanced Options forDKIM Validation on page 20).

19


Configuring Advanced Options for DKIM Validation

You can configure how to proceed depending on the results of DKIM validations.

You have activated the DKIM validation.

You can configure how to proceed depending on the results of DKIM validations.







5.Important:



Figure 12: Confirm

20


6. Optional: Under Advanced DKIM settings, define what shall happen after a DKIM fail. Youhave the following options:



Figure 13: Select advanced options7. Optional: To reset the DKIM settings to the default settings, click on Default settings for DKIM

validation.

Notice:

The default setting is to store emails after a DKIM fail as spam in quarantine.

The advanced options for the DKIM validation have been configured.

Activating DKIM Signing

Activate DKIM signing for outgoing emails.

For your domains, valid DKIM records are set in the DNS zone.

Activate DKIM signing for outgoing emails of your domains to enable the recipients of the emails toperform DKIM validations.




21


4.Important:

The DKIM validation can only be activated for your domains that have valid DKIMrecords.

Activate the checkbox Activate DKIM signature for outgoing emails under SenderAuthentication.

Figure 14: Activate DKIM signature

You have activated DKIM signing for outgoing emails.

DMARC ValidationDMARC (Domain-based Message Authentication, Reporting & Conformance) defines how anincoming email should be handled depending on the results of the SPF check and the DKIMvalidation as well as other alignments of addresses and domains.

A DMARC validation checks if an incoming email corresponds to what the recipient knows aboutthe sender. The DMARC validation is performed after the SPF check and the DKIM validation. Basedon the results of the SPF check and the DKIM validation as well as the results of the alignment ofaddresses in the envelope from and in the header from of the email (SPF alignment) on the onehand, and the alignment of domains in the header from and in the DKIM signature (DKIM alignment)on the other hand, the DMARC validation decides how to handle the email. For more informationabout the DMARC decision matrix, see DMARC Decision Matrix on page 26.

22


You can set up the DMARC validation for incoming emails of your domains. To do so, first activatethe DKIM validation (see Activating the DMARC Validation on page 28) and then configure theadvanced options (see Configuring Advanced Options for DMARC Validation on page 29).

Setting a DMARC Record

You can set a DMARC Record in the DNS zone of your domain. The DMARC record is required forDMARC validations.

A DMARC record is required to perform DMARC validations for emails from a domain. You can set aDMARC record for your domain.

1. Create a TXT record with the following name in the DNS zone of your domain. Replace<domain.tld> with your domain._dmarc.<domain.tld>

2. Define the DMARC policy according to the following sample pattern in the TXT record.Replace <[email protected]> with an email address.v=DMARC1;p=quarantine;pct=100;rua=mailto:<[email protected]>

Important:

The chapter Setting a DMARC Record on page 23 provides an overview andexplanation of the tags that can be used in DMARC records.

Notice:

The specifications from the DMARC record are applied to emails sent to recipientsoutside the domain. The settings for emails sent to recipients within the domain can beconfigured in the Email Authentication module.

A DMARC record has been set in the DNS zone of the domain.

23


Tags in DMARC Records

DMARC records are made up of tags. The tags contain specifications for DMARC validations.

DMARC records are made up of tags. The tags of a DMARC record contain specifications for DMARCvalidations of emails sent from the domain to recipients outside the domain.

The following table provides an overview and explanation of the tags that can be used in DMARCentries. All tags but v and p are optional.

Important:

The tags v and p are required.

TAG EXPLANATION POSSIBLE VALUES

v This tag determines whichDMARC protocol version isused.

v=DMARC1

Notice:

The only possiblevalue for this tag isv=DMARC1.

p This tag determines how tohandle an email from thedomain in case its DMARCvalidation fails.

p=quarantine: The email isstored in quarantine.

p=reject: The email is rejected.

p=none: No measures are takenfor the email.

Notice:

We recommend thevalue p=quarantine.

24



pct This tag determines thepercentage of emails forwhich DMARC validations areperformed. Possible values forthis tag are numbers from 1 to100.

pct=100

Notice:

We recommend thevalue pct=100 so thatDMARC validations areperformed for all emailsfrom the domain.

rua This tag determines theemail address to which dailyaggregate reports about failedDMARC validations are sent.

rua=mailto:<[email protected]>

<[email protected]>should be replaced with theemail address to which theaggregate reports are to besent.

ruf This tag determines the emailaddress to which forensicreports about single emails forwhich the DMARC validation hasfailed are sent.

ruf=mailto:<[email protected]>

<[email protected]>should be replaced with theemail address to which theforensic reports should be sent.

sp This tag determines howto handle an email from asubdomain of the domain if theDMARC validation for the emailfails.

sp=quarantine: The email isstored in quarantine.

sp=reject: The email is rejected.

sp=none: No measures aretaken for the email.

25



adkim This tag determines thealignment mode for DKIMsignatures. The alignmentmode determines the degreeof accuracy with which an emailmust match the DKIM signaturein order to be accepted.

adkim=r: The alignment modeis relaxed. A partial match isenough.

adkim=s: The alignment modeis strict. An exact match isrequired.

aspf This tag determines thealignment mode for SPFsignatures. The alignmentmode determines the degreeof accuracy with which an emailmust match the SPF signature inorder to be accepted.

adkim=r: The alignment modeis relaxed. A partial match isenough.

adkim=s: The alignment modeis strict. An exact match isrequired.

DMARC Decision Matrix

The DMARC decision matrix indicates how incoming emails are handled after successful or failedSPF checks and DKIM validations.

Table 4: DMARC decision matrix

SPF CHECK DKIMVALIDATION

SPFALIGNMENT

DKIMALIGNMENT

DMARCRESULT

ACTION

Pass Pass Pass Pass Pass Deliver

Pass Pass Pass Fail Pass Deliver

Pass Pass Fail Pass Pass Deliver

26



SPFALIGNMENT

DKIMALIGNMENT

DMARCRESULT

ACTION

Pass Pass Fail Fail Fail Store as spamin quarantineor reject

Pass Fail Pass Pass Pass Deliver

Pass Fail Pass Fail Pass Deliver

Pass Fail Fail Pass Fail Store as spamin quarantineor reject

Pass Fail Fail Fail Fail Store as spamin quarantineor reject

Fail Pass Pass Pass Pass Deliver

Fail Pass Pass Fail Fail Store as spamin quarantineor reject

Fail Pass Fail Pass Pass Deliver

Fail Pass Fail Fail Fail Store as spamin quarantineor reject

Fail Fail Pass Pass Fail Store as spamin quarantineor reject

Fail Fail Pass Fail Fail Store as spamin quarantineor reject

27



SPFALIGNMENT

DKIMALIGNMENT

DMARCRESULT

ACTION

Fail Fail Fail Pass Fail Store as spamin quarantineor reject

Fail Fail Fail Fail Fail Store as spamin quarantineor reject

The DMARC result is only positive if both the SPF check or DKIM validation and the correspondingalignment (SPF alignment or DKIM alignment) have been passed. If the DMARC result is positive, theemail will be delivered. Otherwise, the email will be either stored as spam in quarantine or rejected,depending on the settings in the Email Authentication module in the Control Panel.

Activating the DMARC Validation

Activate the DMARC validation for incoming emails.

For at least one of your domains, valid SPF, DKIM and DMARC records are set.

Activate DMARC validation to specify how incoming emails are handled depending on the results ofSPF checks and DKIM validations.




28


4.Important:

The DMARC validation can only be activated for your domains that have valid SPF,DKIM and DMARC records.

Activate the checkbox Activate DMARC validation for incoming emails under SenderAuthentication.

Figure 15: Activate DMARC validation

You have activated the DMARC validation for incoming emails.

Configure the advanced options for the DMARC validation (see Configuring Advanced Options forDMARC Validation on page 29).

Configuring Advanced Options for DMARC Validation

You can configure how to proceed depending on the results of DMARC validations.

You have activated the DMARC validation.

You can configure how to proceed depending on the results of DMARC validations.




29





5.Important:



Figure 17: Confirm

30


6. Optional: Under Advanced DMARC settings, define what shall happen after a DMARC fail. Youhave the following options:



• Apply sender domain policy: After a DMARC Fail, the email is handled according to theDMARC policy of the sender’s domain.

Notice:

If you select this option, you trust the DMARC policies of third parties.

Figure 18: Select behavior after a DMARC fail

If the option Apply sender domain policy has been selected, additional settings aredisplayed.

31


7. If you have selected the option Apply sender domain policy, select under If sender policyis set to "None": the behavior to apply if the DMARC policy of the sender's domain has beenset to “None”. You have the following options:



• Take no action: The DMARC fail does not trigger any action. Subsequently, the email ischecked by other filters of our services.

Figure 19: Behavior if sender policy is set to "None"8. Optional: To reset the DMARC settings to the default settings, click on Default settings for

DMARC validation.

Notice:

The default setting is to store emails after a DMARC fail as spam in quarantine.

The advanced options for the DMARC validation have been configured.

Adding ExceptionsAdd exceptions to Email Authentication.

You have activated sender authentication methods in the Email Authentication module.

If you have activated the SPF check, the DKIM validation, and/or the DMARC validation and wouldlike to deactivate these for one of your domains, add an exception.

32





4. Click on Add exception under Exceptions.

Figure 20: Add exception

An extended view opens.

Figure 21: Extended view5. Under Domain, select the domain for which you would like to add the exception.

Notice:

You can only select domains for which Spam and Malware Protection is activated.

6. Activate the checkbox under the name of the check that you would like to deactivate for thedomain.

Notice:

You can only deactivate the SPF check, the DKIM validation or the DMARC validationfor a domain if the domain has the corresponding valid DNS settings. For all otherdomains, no checks are performed.

33


7. Click on Add.

The exception is added and appears in the table below.

You have added an exception to Email Authentication.

Emails in the Control Panel

Emails that have failed the sender authentication are marked with SPF Failure, DKIM Failure orDMARC Failure in the Control Panel.

SPF

Emails found not to have been sent by a server registered in the DNS during an SPF check will bestored as spam in quarantine, rejected or delivered, depending on your settings (see ConfiguringAdvanced Options for SPF Check on page 13).

In the Email Live Tracking module in the Control Panel, these emails are displayed with the reasonsEnvelope SPF Failure and Message Header SPF Failure regardless of the measure performed.

DKIM

Emails that have failed the DKIM validation are stored as spam in quarantine or rejected dependingon your settings (see Configuring Advanced Options for DMARC Validation on page 29).

In the Email Live Tracking module in the Control Panel, these emails are displayed with the reasonDKIM Failure.

34


DMARC

Emails found in a DMARC check not to comply with the SPF and/or DKIM policies are stored asspam in quarantine or rejected, depending on your settings (see Configuring Advanced Options forDMARC Validation on page 29).

In the Email Live Tracking module in the Control Panel, these emails are displayed with the reasonDMARC Failure.

35

| Index | 36

Index

Aactivating

DKIM signature 21DKIM validation 18DMARC validation 28SPF check 9

adding to allow listIP address 16, 17

authentication 3

Bbehavior after DKIM validation

configuring 20behavior after DMARC validation

configuring 29behavior after SPF check

configuring 13

Cchecking

DKIM configuration 4DMARC configuration 4SPF configuration 4

classificationemail 34

CNAME recordsetting 18

configuringbehavior after DKIM validation 20behavior after DMARC validation 29behavior after SPF check 13

DDKIM 3, 18DKIM configuration

checking 4DKIM signature

activating 21DKIM validation

activating 18

| Index | 37

DMARC 3, 22decision matrix 26

DMARC configurationchecking 4

DMARC recordsetting 23

DMARC validationactivating 28

Domain-based Message Authentication, Reporting & Conformance 22DomainKeys Identified Mail 18

Eemail

classification 34Email Authentication 3

exception 32exception

Email Authentication 32

Ffalse positives

incoming emails 17outgoing emails 16

IIP address

adding to allow list 16, 17

Mmethod

sender authenticationsender authentication

method 6

Ssender authentication

method 6Sender Policy Framework 6setting

CNAME record 18DMARC record, See DMARC record settingSPF record 9TXT record for DMARC, See TXT record for DMARC setting

| Index | 38

TXT record for SPF, See setting SPF recordSPF 3, 6

logic 7SPF check

activating 9SPF configuration

checking 4SPF record

setting 9

Ttroubleshooting

incoming emails 17outgoing emails 16

TXT recordSetting for SPF, See SPF record settingwrong 16, 17

TXT record for DMARCsetting 23

email authentication

Documents