Contents

Enable DNSSEC
Prevent abuse of domains that send/receive email
Prevent abuse of domains that do not send/receive email

Enable DNSSEC

Coming soon. Ask Customer Service.

Prevent abuse of domains that send/receive email

SPF

SPF has been set up per default in Bricksite Mail, but you can increase the protection level against email abuse by changing from ~all to -all at the very end of the SPF record.

DKIM

Must be set up through Customer Service.

DMARC on a single domain

_dmarc.maindomain.tld. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:mail@maindomain.tld; ruf=mailto:mail@maindomain.tld; fo=1;"

We recommend setting DMARC to p=reject; (or as the bare minimum p=quarantine;), which blocks spam and prevents abuse of your domain.

DMARC across multiple domains

If you have many domains you are able to synchronize the DNS–settings, which means you need only edit these settings once.

On all secondary domains the following record is set, which redirects to the main domain:
_dmarc.secondarydomain.tld. 3600 IN CNAME _dmarc.maindomain.tld.

On the main domain these two records need to be set up. This record is the only one which needs updating in future.
_dmarc.maindomain.tld. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:mail@maindomain.tld; ruf=mailto:mail@maindomain.tld; fo=1;"
*._report._dmarc.maindomain.tld. 3600 IN TXT "v=DMARC1;"

Prevent abuse of domains that do not send/receive email

MX

MX should be deleted completely, or filled with a single dot (.).

SPF

maindomain.tld. 3600 IN TXT "v=spf1 -all"
and
*.maindomain.tld. 3600 IN TXT "v=spf1 redirect=maindomain.tld"

DKIM

*._domainkey.maindomain.tld. 3600 IN TXT "v=DKIM1; p=;"
and
*._domainkey.*.maindomain.tld. 3600 IN CNAME dkim-reject._domainkey.maindomain.tld.

DMARC

_dmarc.maindomain.tld. 3600 IN TXT "v=DMARC1; p=reject;"

Updated on: 28/10/2021