When taking on a new project where the client does not own the domain name(s) yet, the team needs to help them register the appropriate domains.
There is a variety of options out there for domain registration. Not all services are of the same quality, though. If the client needs guidance in choosing a registrar, NameCheap has the best balance between records management, customer service, and price.
Once registered (through whichever registrar), the DNS should be pointed to a CloudFlare account. CloudFlare, even on the free plan, offers lots of useful options like free SSL, redirect rules, and much more.
If the client requires custom emails (e.g., [email protected]), the team can help them set it up.
The MX server setup will vary based on which email server is being used. If the client needs guidance when choosing the email server, G Suite is the most reliable option.
After the MX servers have been configured, it is important to set up the correct SPF record. In most cases, and for the maximum level of security, the record should be set to “fail” (meaning that an email sent from an unauthorized server will not be delivered).
With G Suite:
TXT | @ | v=spf1 include:_spf.google.com -all
Setting up the DKIM records is also essential, as it will authenticate emails sent from the server.
The first thing that needs setting up is the DKIM policy. Without it, adding a DKIM public key would have no effect.
There are different ways to configure the DKIM policy depending on the level of security required. Here is an example of a base configuration:
TXT | _domainkey | v=DKIM1; o=-
The DKIM records will be communicated by the various email servers.
The DMARC record defines how emails that don’t align with the SPF and DKIM settings should be processed. Like the DKIM policy, there are many ways to configure the DMARC record. Here is an example of a base configuration:
There are two parts of the above DMARC setup that require attention.
The rua parameter needs to be updated to use a valid email address on the domain being set up. It is where reports will be sent.
The p parameter is what defines the behavior in case the SPF and DKIM records are misaligned in an email. When p is set to reject, then the email will be rejected.
This configuration is best for high-security requirements and new domains.
In case the domain has already been used for a while, and the client may be using third parties to send out emails without remembering them all, it might be a good idea to set p to none. It means that emails will be accepted even if there is an SPF and DKIM misalignment, but reports will still be sent.
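The checks described above (SPF ending in "fail", the DMARC p value, and a rua mailbox on the domain itself) can be run against a record before it is published. The script below is an added example, not part of the original guide; the function names, the example.com domain and the DMARC sample strings are constructed for illustration, and only the SPF value is taken from the G Suite record above.

```python
# Added example: audits SPF and DMARC TXT values against the setup described above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_qualifier(txt):
    """Return the result of the SPF 'all' mechanism, or None if absent or not SPF."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term == "all":
            return "pass"  # a bare 'all' defaults to the '+' qualifier
        if term[1:] == "all" and term[0] in QUALIFIERS:
            return QUALIFIERS[term[0]]
    return None

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if v=DMARC1 is not first."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def audit(domain, spf_txt, dmarc_txt):
    """List deviations from the strict setup; an empty list means it matches."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier != "fail":
        findings.append(f"SPF: 'all' result is {qualifier}, expected fail (-all)")
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        return findings + ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p is missing or invalid")
    elif policy != "reject":
        findings.append(f"DMARC: p={policy}, misaligned mail is not rejected")
    uris = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("DMARC: no rua, no reports will be sent")
    for uri in uris:
        mailbox = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
        if not uri.startswith("mailto:") or not mailbox.endswith("@" + domain.lower()):
            findings.append(f"DMARC: rua {uri} is not a mailbox on {domain}")
    return findings

SPF_STRICT = "v=spf1 include:_spf.google.com -all"  # SPF value from the page
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:reports@third-party.example"  # constructed

if __name__ == "__main__":
    for line in audit("example.com", "v=spf1 include:_spf.google.com ~all", DMARC_MONITOR):
        print(line)
```

A domain deliberately left in monitoring mode will show the p=none finding; that line is a reminder to revisit the policy once the reports have identified every legitimate sender.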