Setting SPF and DMARC records

If you set an SPF record for your domain and you send your emails through the server smtp.forpsi.com, add this item to your SPF record:
include:_spf.forpsi.com

Here is a sample SPF record value with this item included:
v=spf1 a mx include:_spf.forpsi.com -all
The DMARC record is a TXT record with the hostname _dmarc.

Illustrated instructions for setting the SPF and DMARC records

1. Log in with your customer account credentials at admin.forpsi.com.

2. Click on the "Domains" link

3. Click on the domain name

4. Click on the "edit DNS records" link (if this link is missing, you are not using our NS servers and you have to set these TXT records on your own NS servers)

 
5. The SPF record is a TXT record of the domain. We recommend the value:

v=spf1 a mx include:_spf.forpsi.com -all

First, check whether an SPF record is already set for the domain. A domain can have only one SPF record.


If the SPF record has the policy Softfail (~all) or Neutral (?all), we recommend changing it to Fail (-all) for security reasons. After clicking on the Edit button, you can change the value in the fields at the bottom (the same fields as for adding new records). Edit the value and save the changes.
 
 
6. Add the DMARC record as a TXT record with the hostname _dmarc. We recommend a value with the reject policy: v=DMARC1; p=reject. If you have already set DMARC with the policy none or quarantine, we recommend changing it to reject (this prevents delivery of fraudulent emails with your domain forged in the From header).

 
 
SPF records of external services
If you send emails through the SMTP server of your ISP, from an internal system, or through marketing services, it is necessary to allow the IPs of these services as well. Because a domain can have only one SPF record, you have to add the items of the external services to the existing SPF record. An item can be:

An IP address "ip4:XXX.XXX.XXX.XXX" (or ip6), or a range of IP addresses "ip4:XXX.XXX.XXX.XXX/24" (or ip6).

An item of an external service, see the samples below
- Office365: include:spf.protection.outlook.com
- Shoptet: include:_spf.myshoptet.com
- Mailchimp: include:servers.mcsv.net
- Google: include:_spf.google.com

Add the items to your SPF record, for example:
v=spf1 a mx include:_spf.forpsi.com include:spf.protection.outlook.com ~all

Qualifiers - determine how your emails are processed
The "all" mechanism and its qualifier allow you to determine how emails that do not come from an allowed IP address will be processed.

"-" Fail - the emails from disallowed IPs should be rejected. 
"~" Softfail - typically, messages that return a Softfail are accepted but tagged.
 
In the sample "v=spf1 a mx include:_spf.forpsi.com -all", the qualifier Fail is used. Emails sent via our mail servers pass the SPF test. Emails sent via other mail servers (e.g. the SMTP server of the ISP) do not pass the SPF test and will be rejected. Choose this qualifier if you know exactly which servers you use to send your emails and you want to protect your domain against abuse in spam.
 
If you choose the qualifier Softfail (~all), as in the sample "v=spf1 a mx include:_spf.forpsi.com ~all", emails that do not match will be accepted, but mostly marked as spam.
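
The checks recommended on this page, as an added Python example (not Forpsi's own code): it audits a domain's TXT records for a single SPF record, the include:_spf.forpsi.com item, the -all qualifier and a DMARC reject policy. The function names and all sample records are constructed for illustration, and no DNS lookup is made.

```python
# Added example: audit TXT records against the recommendations on this page.
# Function names and sample records are constructed; no DNS lookup is made.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}

def audit_spf(txt_records, required_include="_spf.forpsi.com"):
    """Return findings for the TXT records published at the domain name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:  # a domain can have only one SPF record
        return ["%d SPF records: merge all items into one record" % len(spf)]
    terms = spf[0].lower().split()[1:]
    findings = []
    if "include:" + required_include not in terms:
        findings.append("missing include:" + required_include)
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism")
    else:
        first = all_terms[0][0]  # items after the first "all" are never evaluated
        qualifier = first if first in QUALIFIERS else "+"  # bare "all" means +all
        if qualifier != "-":
            findings.append("all is %s (%sall), recommended is Fail (-all)"
                            % (QUALIFIERS[qualifier], qualifier))
    return findings

def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r.lower().replace(" ", "") for r in txt_records]
    dmarc = [r for r in dmarc if r.startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one DMARC record, found %d" % len(dmarc)]
    tags = dict(part.split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    policy = tags.get("p", "")
    return [] if policy == "reject" else ["DMARC policy is %r, recommended is reject" % policy]

if __name__ == "__main__":
    samples = {  # constructed records
        "recommended": ["v=spf1 a mx include:_spf.forpsi.com -all"],
        "softfail": ["v=spf1 a mx include:_spf.forpsi.com include:spf.protection.outlook.com ~all"],
        "two records": ["v=spf1 a mx include:_spf.forpsi.com -all",
                        "v=spf1 include:_spf.google.com -all"],
    }
    for name, records in samples.items():
        print(name, "->", audit_spf(records) or "OK")
    print("dmarc ->", audit_dmarc(["v=DMARC1; p=quarantine"]) or "OK")
```
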

The flow chart of DMARC check (combines DKIM and SPF) 


Note
If the owner of the domain also wants to set the SPF2.0 record (SID), add this item to it:
include:_sid.forpsi.com

The value of the SID record can be
spf2.0/pra a mx include:_sid.forpsi.com -all