Domain Management
When taking on a new project where the client does not own the domain name(s) yet, the team needs to help them register the appropriate domains.
There are many options for domain registration, but not all services are of the same quality. If the client needs guidance in choosing a registrar, NameCheap has the best balance between records management, customer service, and price.
Once registered (through whichever registrar), the DNS should be pointed to a CloudFlare account. CloudFlare, even on the free plan, offers lots of useful options like free SSL, redirect rules, and much more.
Emails Setup
If the client requires custom email addresses (e.g., [email protected]), the team can help them set these up.
The MX server setup will vary based on which email server is being used. If the client needs guidance in choosing an email server, G Suite is the most reliable option.
SPF Record
After the MX servers have been configured, it is important to set up the correct SPF record. In most cases, and for the maximum level of security, the record should be set to “fail” (meaning that an email sent from an unauthorized server will not be delivered).
Example
With G Suite:
TXT | @ | v=spf1 include:_spf.google.com -all
DKIM Records
Setting up the DKIM records is also essential, as it will authenticate emails sent from the server.
Policy
The first thing that needs setting up is the DKIM policy. Without it, adding a DKIM public key would have no effect.
There are different ways to configure the DKIM policy depending on the level of security required. Here is an example of a base configuration:
TXT | _domainkey | v=DKIM1; o=-
Records
The DKIM records will be communicated by the various email servers.
DMARC
The DMARC record defines how emails that don’t align with the SPF and DKIM settings should be processed. Like the DKIM policy, there are many ways to configure the DMARC record. Here is an example of a base configuration:
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=s; aspf=s;
There are two parts of the above DMARC setup that require attention.
First, the rua parameter needs to be updated to use a valid email address on the domain being set up. It is where reports will be sent.
Second, the p parameter is what defines the behavior in case the SPF and DKIM records are misaligned in an email. When p is set to reject, then the email will be rejected.
This configuration is best for high-security requirements and new domains.
In case the domain has already been used for a while, and the client may be using third parties to send out emails without remembering them all, it might be a good idea to set p to none. It means that emails will be accepted even if there is an SPF and DKIM misalignment, but reports will still be sent.
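A small linter for the SPF and DMARC values described above, as an added example that is not part of the original page. The function names and the example.com sample records are constructed for illustration; the checks mirror the page's advice (SPF ending in -all, a valid p value, report addresses on the domain itself, strict alignment).

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_spf(record):
    """Findings for an SPF TXT value; an empty list means it ends in a hard fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism, so unlisted senders are not failed"]
    if not all_terms[0].startswith("-"):
        return [f"'{all_terms[0]}' is not a hard fail (expected -all)"]
    return []

def check_dmarc(record, domain):
    """Findings for a DMARC TXT value published for `domain`."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v tag must be DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p tag: '{policy}'")
    elif policy == "none":
        findings.append("p=none: monitoring only, misaligned mail is still accepted")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not sent anywhere")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            address = uri.split("!", 1)[0]          # drop optional size limit
            if not address.lower().startswith("mailto:"):
                findings.append(f"{tag}: '{uri}' is not a mailto: URI")
            elif address.rsplit("@", 1)[-1].lower() != domain.lower():
                findings.append(f"{tag}: '{address[7:]}' is not on {domain}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":       # RFC default is relaxed
            findings.append(f"{tag} is relaxed, base configuration uses strict")
    return findings

# Constructed sample records (example.com is a placeholder domain).
SPF_OK = "v=spf1 include:_spf.google.com -all"
SPF_SOFT = "v=spf1 include:_spf.google.com ~all"
DMARC_STRICT = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                "ruf=mailto:dmarc@example.com; fo=1; adkim=s; aspf=s;")
DMARC_LEGACY = "v=DMARC1; p=none; rua=mailto:reports@thirdparty.example"
```

Calling `check_dmarc(DMARC_LEGACY, "example.com")` returns four findings: the monitoring-only policy, the off-domain report address, and relaxed alignment for both adkim and aspf.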