DNS Security: SPF, DKIM, DMARC, and DNSSEC Explained for Developers
A practical Fusebox guide to dns security.
DNS Security: SPF, DKIM, DMARC, and DNSSEC Explained for Developers
Published: January 2024
Reading time: 9 minutes
DNS security isn't just about preventing domain hijacking. It's the foundation of email authentication, protecting your brand from spoofing, and ensuring data integrity. Here's how SPF, DKIM, DMARC, and DNSSEC work together to secure your domain.
Why DNS Security Matters
The Threats You're Facing
- Email spoofing - Attackers send emails from your domain
- DNS hijacking - Redirecting traffic to malicious servers
- Cache poisoning - Corrupting DNS resolver caches
- Man-in-the-middle - Intercepting DNS queries
- Brand damage - Phishing using your domain name
Real Impact
Without DNS security:
- 91% of cyberattacks start with email
- 3.4 billion fake emails sent daily
- $1.7 billion lost to email fraud annually
- 30% of phishing emails get opened
- Takes 197 days average to identify breach
SPF (Sender Policy Framework)
What Is SPF?
SPF tells the world which servers can send email for your domain. It's a TXT record listing authorized IP addresses and domains.
SPF Record Analyzer
// Analyze and validate SPF records
async function analyzeSPF(domain) {
console.log(`π SPF Analysis for ${domain}\n`);
// Example SPF record
const spfRecord = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.168.1.0/24 ~all";
console.log('SPF Record:');
console.log(` ${spfRecord}\n`);
// Parse SPF components
const components = spfRecord.split(' ');
const analysis = {
version: '',
includes: [],
ip4: [],
ip6: [],
mechanism: '',
warnings: []
};
components.forEach(component => {
if (component.startsWith('v=')) {
analysis.version = component;
} else if (component.startsWith('include:')) {
analysis.includes.push(component.substring(8));
} else if (component.startsWith('ip4:')) {
analysis.ip4.push(component.substring(4));
} else if (component.startsWith('ip6:')) {
analysis.ip6.push(component.substring(4));
} else if (component.match(/^[~\-\+\?]all$/)) {
analysis.mechanism = component;
}
});
// Analyze configuration
console.log('π SPF Configuration:');
console.log(`Version: ${analysis.version === 'v=spf1' ? 'β
Valid' : 'β Invalid'}`);
console.log(`\nAuthorized Senders:`);
if (analysis.includes.length > 0) {
console.log(' Included domains:');
analysis.includes.forEach(include => {
console.log(` - ${include}`);
});
}
if (analysis.ip4.length > 0) {
console.log(' IPv4 addresses:');
analysis.ip4.forEach(ip => {
console.log(` - ${ip}`);
});
}
// Check mechanism
console.log(`\nFail mechanism: ${analysis.mechanism}`);
switch(analysis.mechanism) {
case '-all':
console.log(' β
Hard fail (recommended) - Reject unauthorized');
break;
case '~all':
console.log(' π‘ Soft fail - Mark as spam but accept');
analysis.warnings.push('Consider using -all for better protection');
break;
case '+all':
console.log(' β Allow all - NO PROTECTION!');
analysis.warnings.push('CRITICAL: Anyone can send email as your domain');
break;
case '?all':
console.log(' β οΈ Neutral - No policy');
analysis.warnings.push('SPF provides no protection with ?all');
break;
}
// Check for common issues
if (analysis.includes.length > 10) {
analysis.warnings.push('Too many includes - may hit DNS lookup limit');
}
if (spfRecord.length > 255) {
analysis.warnings.push('SPF record too long - may be ignored');
}
// DNS lookup count
const dnsLookups = analysis.includes.length +
analysis.includes.filter(i => i.includes('include')).length;
console.log(`\nπ DNS Lookups: ${dnsLookups}/10`);
if (dnsLookups > 10) {
console.log(' β Too many DNS lookups - SPF will fail!');
}
// Show warnings
if (analysis.warnings.length > 0) {
console.log('\nβ οΈ Warnings:');
analysis.warnings.forEach(warning => {
console.log(` - ${warning}`);
});
}
return analysis;
}
// Example SPF check
analyzeSPF('example.com');
SPF Best Practices
// Generate optimal SPF record
function generateSPFRecord(config) {
console.log('\nπ§ SPF Record Generator\n');
const parts = ['v=spf1'];
// Add authorized services
if (config.google) {
parts.push('include:_spf.google.com');
}
if (config.microsoft) {
parts.push('include:spf.protection.outlook.com');
}
if (config.sendgrid) {
parts.push('include:sendgrid.net');
}
if (config.mailchimp) {
parts.push('include:servers.mcsv.net');
}
// Add IP addresses
if (config.ipv4 && config.ipv4.length > 0) {
config.ipv4.forEach(ip => {
parts.push(`ip4:${ip}`);
});
}
// Add fail mechanism
parts.push(config.strict ? '-all' : '~all');
const spfRecord = parts.join(' ');
console.log('Generated SPF Record:');
console.log(`"${spfRecord}"`);
// Validate
console.log('\nβ
Validation:');
console.log(`Length: ${spfRecord.length} characters ${spfRecord.length > 255 ? 'β TOO LONG' : 'β
'}`);
console.log(`DNS lookups: ${parts.filter(p => p.includes('include')).length}/10`);
// Implementation steps
console.log('\nπ Implementation Steps:');
console.log('1. Add as TXT record at root domain (@)');
console.log('2. Start with ~all (soft fail) for testing');
console.log('3. Monitor email delivery for 1 week');
console.log('4. Switch to -all (hard fail) when confident');
return spfRecord;
}
// Example configuration
generateSPFRecord({
google: true,
sendgrid: true,
ipv4: ['192.168.1.0/24'],
strict: false
});
DKIM (DomainKeys Identified Mail)
What Is DKIM?
DKIM adds a digital signature to emails, proving they came from your domain and weren't tampered with in transit.
DKIM Implementation Guide
// DKIM setup and verification
function implementDKIM(domain) {
console.log(`\nπ DKIM Implementation for ${domain}\n`);
// Generate selector recommendation
const selector = `k1.${new Date().getFullYear()}${(new Date().getMonth() + 1).toString().padStart(2, '0')}`;
console.log('1οΈβ£ DKIM Selector Strategy:');
console.log(` Recommended selector: ${selector}`);
console.log(' Pattern: k1.YYYYMM for easy rotation\n');
// Example DKIM record
const dkimRecord = {
selector: selector,
record: `${selector}._domainkey.${domain}`,
value: 'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...',
keySize: 2048
};
console.log('2οΈβ£ DKIM DNS Record:');
console.log(` Name: ${dkimRecord.record}`);
console.log(` Type: TXT`);
console.log(` Value: ${dkimRecord.value.substring(0, 50)}...`);
console.log(` Key Size: ${dkimRecord.keySize} bits β
\n`);
// Key rotation schedule
console.log('3οΈβ£ Key Rotation Schedule:');
const rotationSchedule = [
{ month: 0, action: 'Generate new key pair', selector: 'k1.202401' },
{ month: 1, action: 'Add new selector to DNS', selector: 'k2.202401' },
{ month: 2, action: 'Start signing with new key', selector: 'k2.202401' },
{ month: 3, action: 'Remove old selector', selector: 'k1.202401' }
];
rotationSchedule.forEach(step => {
console.log(` Month ${step.month}: ${step.action} (${step.selector})`);
});
// Multiple selector strategy
console.log('\n4οΈβ£ Multiple Selector Strategy:');
console.log(' Production: k1._domainkey');
console.log(' Transition: k2._domainkey');
console.log(' Emergency: emergency._domainkey');
// Verification steps
console.log('\n5οΈβ£ Verification Commands:');
console.log(` dig TXT ${selector}._domainkey.${domain}`);
console.log(` nslookup -type=TXT ${selector}._domainkey.${domain}`);
return dkimRecord;
}
// DKIM health check
function checkDKIMHealth(domain) {
console.log(`\nπ₯ DKIM Health Check for ${domain}\n`);
const checks = {
'Selector exists': true,
'Valid key format': true,
'Key size >= 1024 bits': true,
'Key size >= 2048 bits': true,
'No syntax errors': true,
'Selector naming convention': true
};
let score = 0;
Object.entries(checks).forEach(([check, passed]) => {
console.log(`${passed ? 'β
' : 'β'} ${check}`);
if (passed) score++;
});
const percentage = (score / Object.keys(checks).length * 100).toFixed(0);
console.log(`\nDKIM Health Score: ${percentage}%`);
// Common issues
console.log('\nβ οΈ Common DKIM Issues:');
console.log('β’ Key too small (< 1024 bits) - Rejected by Gmail');
console.log('β’ Multiple TXT records at same selector - Only one used');
console.log('β’ Spaces in public key - Breaks signature validation');
console.log('β’ Not rotating keys - Security risk');
console.log('β’ Wrong selector in email headers - Signature fails');
}
implementDKIM('example.com');
checkDKIMHealth('example.com');
DMARC (Domain-based Message Authentication)
What Is DMARC?
DMARC ties SPF and DKIM together, telling receivers what to do with emails that fail authentication.
DMARC Policy Builder
// Build and analyze DMARC policies
function buildDMARCPolicy(domain, config = {}) {
console.log(`\nπ§ DMARC Policy Builder for ${domain}\n`);
// Default conservative settings
const policy = {
version: 'v=DMARC1',
policy: config.policy || 'none',
subdomainPolicy: config.sp || config.policy || 'none',
percentage: config.pct || 100,
aggregate: config.rua || `mailto:dmarc@${domain}`,
forensic: config.ruf || null,
alignment: {
spf: config.aspf || 'r', // relaxed
dkim: config.adkim || 'r' // relaxed
}
};
// Build record
const parts = [policy.version];
parts.push(`p=${policy.policy}`);
if (policy.subdomainPolicy !== policy.policy) {
parts.push(`sp=${policy.subdomainPolicy}`);
}
if (policy.percentage < 100) {
parts.push(`pct=${policy.percentage}`);
}
parts.push(`rua=${policy.aggregate}`);
if (policy.forensic) {
parts.push(`ruf=${policy.forensic}`);
}
if (policy.alignment.spf !== 'r') {
parts.push(`aspf=${policy.alignment.spf}`);
}
if (policy.alignment.dkim !== 'r') {
parts.push(`adkim=${policy.alignment.dkim}`);
}
const dmarcRecord = parts.join('; ');
console.log('Generated DMARC Record:');
console.log(`"${dmarcRecord}"\n`);
// Explain policy
console.log('π Policy Explanation:');
console.log(`Main domain policy: ${policy.policy}`);
switch(policy.policy) {
case 'none':
console.log(' π Monitoring only - No email rejected');
break;
case 'quarantine':
console.log(' π‘ Failed emails sent to spam');
break;
case 'reject':
console.log(' β Failed emails rejected completely');
break;
}
console.log(`\nSubdomain policy: ${policy.subdomainPolicy}`);
console.log(`Percentage affected: ${policy.percentage}%`);
console.log(`SPF alignment: ${policy.alignment.spf === 'r' ? 'Relaxed' : 'Strict'}`);
console.log(`DKIM alignment: ${policy.alignment.dkim === 'r' ? 'Relaxed' : 'Strict'}`);
// Implementation roadmap
console.log('\nπΊοΈ Implementation Roadmap:');
const roadmap = [
{ week: 1, action: 'Deploy p=none', monitor: 'Establish baseline' },
{ week: 2, action: 'Analyze reports', monitor: 'Identify legitimate senders' },
{ week: 4, action: 'Fix SPF/DKIM issues', monitor: 'Reduce failure rate' },
{ week: 6, action: 'Move to p=quarantine', monitor: 'Watch for issues' },
{ week: 8, action: 'Increase pct gradually', monitor: 'Monitor delivery' },
{ week: 12, action: 'Move to p=reject', monitor: 'Full protection' }
];
console.log('Week | Action | Monitor');
console.log('-----|--------|--------');
roadmap.forEach(step => {
console.log(`${step.week.toString().padEnd(4)} | ${step.action.padEnd(20)} | ${step.monitor}`);
});
return dmarcRecord;
}
// DMARC report analyzer
function analyzeDMARCReport() {
console.log('\nπ DMARC Report Analysis\n');
// Simulated aggregate report data
const report = {
domain: 'example.com',
dateRange: '2024-01-01 to 2024-01-07',
messages: {
total: 10000,
passed: 9500,
failed: 500
},
sources: [
{ ip: '192.168.1.1', count: 8000, spf: 'pass', dkim: 'pass' },
{ ip: '10.0.0.1', count: 1500, spf: 'pass', dkim: 'fail' },
{ ip: '1.2.3.4', count: 400, spf: 'fail', dkim: 'fail' },
{ ip: '5.6.7.8', count: 100, spf: 'fail', dkim: 'fail' }
]
};
console.log(`Domain: ${report.domain}`);
console.log(`Period: ${report.dateRange}\n`);
// Summary
const passRate = (report.messages.passed / report.messages.total * 100).toFixed(1);
console.log('π Summary:');
console.log(`Total messages: ${report.messages.total.toLocaleString()}`);
console.log(`Pass rate: ${passRate}%`);
console.log(`Failed: ${report.messages.failed} messages\n`);
// Source analysis
console.log('π Source Analysis:');
console.log('IP Address | Messages | SPF | DKIM | Status');
console.log('--------------|----------|------|------|--------');
report.sources.forEach(source => {
const status = source.spf === 'pass' && source.dkim === 'pass' ? 'β
' :
source.spf === 'pass' || source.dkim === 'pass' ? 'π‘' : 'β';
console.log(
`${source.ip.padEnd(13)} | ${source.count.toString().padEnd(8)} | ${source.spf.padEnd(4)} | ${source.dkim.padEnd(4)} | ${status}`
);
});
// Recommendations
console.log('\nπ‘ Recommendations:');
report.sources.forEach(source => {
if (source.spf === 'fail' && source.count > 50) {
console.log(`β’ Add ${source.ip} to SPF record if legitimate`);
}
if (source.dkim === 'fail' && source.spf === 'pass') {
console.log(`β’ Fix DKIM signing for ${source.ip}`);
}
});
}
// Generate DMARC policy
buildDMARCPolicy('example.com', {
policy: 'quarantine',
pct: 50,
ruf: 'mailto:forensic@example.com'
});
analyzeDMARCReport();
DNSSEC (DNS Security Extensions)
What Is DNSSEC?
DNSSEC adds cryptographic signatures to DNS records, ensuring responses haven't been tampered with.
DNSSEC Implementation
// DNSSEC deployment guide
function implementDNSSEC(domain) {
console.log(`\nπ DNSSEC Implementation for ${domain}\n`);
// Check current status
console.log('1οΈβ£ Pre-Deployment Checklist:');
const checklist = {
'Registrar supports DNSSEC': true,
'DNS provider supports DNSSEC': true,
'Understand key management': true,
'Backup DNS configuration': true,
'Plan rollback procedure': true
};
Object.entries(checklist).forEach(([item, ready]) => {
console.log(`${ready ? 'β
' : 'β'} ${item}`);
});
// Key configuration
console.log('\n2οΈβ£ Key Configuration:');
console.log('KSK (Key Signing Key):');
console.log(' Algorithm: RSASHA256 (8)');
console.log(' Key Size: 2048 bits');
console.log(' Rollover: Annual');
console.log('\nZSK (Zone Signing Key):');
console.log(' Algorithm: RSASHA256 (8)');
console.log(' Key Size: 1024 bits');
console.log(' Rollover: Quarterly');
// DS record for parent zone
console.log('\n3οΈβ£ DS Record for Parent Zone:');
console.log('example.com. 3600 IN DS 12345 8 2 ABC123...');
console.log(' Key Tag: 12345');
console.log(' Algorithm: 8 (RSASHA256)');
console.log(' Digest Type: 2 (SHA256)');
// Deployment steps
console.log('\n4οΈβ£ Deployment Steps:');
const steps = [
'Generate KSK and ZSK key pairs',
'Sign zone with keys',
'Test signed zone',
'Publish DS record at registrar',
'Wait for DS propagation (24-48h)',
'Monitor DNSSEC validation',
'Set up key rotation automation'
];
steps.forEach((step, index) => {
console.log(`${index + 1}. ${step}`);
});
// Validation testing
console.log('\n5οΈβ£ Validation Testing:');
console.log('dig +dnssec example.com');
console.log('dig DS example.com');
console.log('delv example.com');
return {
ksk: { algorithm: 8, keySize: 2048, rollover: 'annual' },
zsk: { algorithm: 8, keySize: 1024, rollover: 'quarterly' }
};
}
// DNSSEC validation checker
function validateDNSSEC(domain) {
console.log(`\nβ
DNSSEC Validation for ${domain}\n`);
// Simulated validation chain
const validationChain = [
{ level: 'Root (.)' , signed: true, status: 'Valid' },
{ level: 'TLD (.com)', signed: true, status: 'Valid' },
{ level: domain, signed: true, status: 'Valid' }
];
console.log('π Validation Chain:');
validationChain.forEach((level, index) => {
const indent = ' '.repeat(index);
const icon = level.signed ? 'β
' : 'β';
console.log(`${indent}${icon} ${level.level} - ${level.status}`);
});
// Common issues
console.log('\nβ οΈ Common DNSSEC Issues:');
const issues = {
'Missing DS record at parent': 'Contact registrar to add DS',
'Expired signatures': 'Re-sign zone immediately',
'Key mismatch': 'Verify DS record matches DNSKEY',
'Algorithm not supported': 'Use RSA or ECDSA',
'Clock skew': 'Sync server time with NTP'
};
Object.entries(issues).forEach(([issue, fix]) => {
console.log(`β’ ${issue}`);
console.log(` Fix: ${fix}`);
});
}
implementDNSSEC('example.com');
validateDNSSEC('example.com');
Complete DNS Security Audit
Comprehensive Security Check
// Full DNS security audit
async function completeDNSSecurityAudit(domain) {
console.log('π COMPLETE DNS SECURITY AUDIT');
console.log('β'.repeat(50));
console.log(`Domain: ${domain}`);
console.log(`Date: ${new Date().toLocaleDateString()}\n`);
const auditResults = {
spf: { configured: false, valid: false, strict: false },
dkim: { configured: false, keySize: 0, selector: '' },
dmarc: { configured: false, policy: 'none', reports: false },
dnssec: { enabled: false, validated: false },
additional: {
mta_sts: false,
bimi: false,
caa: false
}
};
// SPF Check
console.log('1οΈβ£ SPF (Sender Policy Framework)');
console.log('β'.repeat(40));
// In practice, perform actual DNS lookup
auditResults.spf.configured = true;
auditResults.spf.valid = true;
auditResults.spf.strict = false;
console.log(`β
SPF record found`);
console.log(`β
Valid syntax`);
console.log(`π‘ Using soft fail (~all)`);
console.log(` Recommendation: Switch to -all\n`);
// DKIM Check
console.log('2οΈβ£ DKIM (DomainKeys Identified Mail)');
console.log('β'.repeat(40));
auditResults.dkim.configured = true;
auditResults.dkim.keySize = 2048;
auditResults.dkim.selector = 'google';
console.log(`β
DKIM configured`);
console.log(`β
Key size: 2048 bits`);
console.log(`β
Selector: ${auditResults.dkim.selector}`);
console.log(` Next rotation: ${new Date(Date.now() + 90*24*60*60*1000).toLocaleDateString()}\n`);
// DMARC Check
console.log('3οΈβ£ DMARC (Domain Message Authentication)');
console.log('β'.repeat(40));
auditResults.dmarc.configured = true;
auditResults.dmarc.policy = 'quarantine';
auditResults.dmarc.reports = true;
console.log(`β
DMARC record found`);
console.log(`π‘ Policy: ${auditResults.dmarc.policy}`);
console.log(`β
Aggregate reports: Enabled`);
console.log(`β Forensic reports: Not configured\n`);
// DNSSEC Check
console.log('4οΈβ£ DNSSEC (DNS Security Extensions)');
console.log('β'.repeat(40));
auditResults.dnssec.enabled = false;
console.log(`β DNSSEC not enabled`);
console.log(` Impact: Vulnerable to DNS spoofing`);
console.log(` Action: Enable at registrar and DNS provider\n`);
// Additional Security
console.log('5οΈβ£ Additional Security Measures');
console.log('β'.repeat(40));
console.log(`${auditResults.additional.mta_sts ? 'β
' : 'β'} MTA-STS (Mail Transfer Agent Strict Transport Security)`);
console.log(`${auditResults.additional.bimi ? 'β
' : 'β'} BIMI (Brand Indicators for Message Identification)`);
console.log(`${auditResults.additional.caa ? 'β
' : 'β'} CAA (Certificate Authority Authorization)`);
// Security Score
console.log('\nπ Security Score');
console.log('β'.repeat(40));
let score = 0;
if (auditResults.spf.configured && auditResults.spf.valid) score += 20;
if (auditResults.spf.strict) score += 5;
if (auditResults.dkim.configured) score += 20;
if (auditResults.dkim.keySize >= 2048) score += 5;
if (auditResults.dmarc.configured) score += 20;
if (auditResults.dmarc.policy !== 'none') score += 10;
if (auditResults.dnssec.enabled) score += 15;
if (auditResults.additional.mta_sts) score += 5;
console.log(`Total Score: ${score}/100`);
if (score >= 90) {
console.log('π Excellent DNS security!');
} else if (score >= 70) {
console.log('π Good security with room for improvement');
} else if (score >= 50) {
console.log('β οΈ Basic security - significant gaps exist');
} else {
console.log('β Poor security - immediate action required');
}
// Recommendations
console.log('\nπ‘ Priority Recommendations:');
const recommendations = [];
if (!auditResults.spf.strict) {
recommendations.push('Switch SPF to hard fail (-all)');
}
if (!auditResults.dmarc.configured || auditResults.dmarc.policy === 'none') {
recommendations.push('Implement DMARC with quarantine policy');
}
if (!auditResults.dnssec.enabled) {
recommendations.push('Enable DNSSEC for domain integrity');
}
if (!auditResults.additional.mta_sts) {
recommendations.push('Deploy MTA-STS for email encryption');
}
if (!auditResults.additional.caa) {
recommendations.push('Add CAA records to control certificate issuance');
}
recommendations.forEach((rec, index) => {
console.log(`${index + 1}. ${rec}`);
});
return auditResults;
}
// Run complete audit
completeDNSSecurityAudit('example.com');
Quick Implementation Guide
DNS Security Checklist
// Step-by-step implementation guide
function dnsSecurityChecklist(domain) {
console.log(`\nβ
DNS Security Implementation Checklist for ${domain}\n`);
const tasks = [
{
category: 'Email Authentication',
items: [
{ task: 'Deploy SPF record', priority: 'High', effort: 'Low' },
{ task: 'Configure DKIM signing', priority: 'High', effort: 'Medium' },
{ task: 'Implement DMARC policy', priority: 'High', effort: 'Low' },
{ task: 'Set up DMARC reporting', priority: 'Medium', effort: 'Low' }
]
},
{
category: 'DNS Integrity',
items: [
{ task: 'Enable DNSSEC', priority: 'Medium', effort: 'High' },
{ task: 'Add CAA records', priority: 'Medium', effort: 'Low' },
{ task: 'Implement DNS monitoring', priority: 'High', effort: 'Medium' }
]
},
{
category: 'Advanced Security',
items: [
{ task: 'Deploy MTA-STS', priority: 'Medium', effort: 'Medium' },
{ task: 'Configure DANE TLSA', priority: 'Low', effort: 'High' },
{ task: 'Implement BIMI', priority: 'Low', effort: 'Medium' }
]
}
];
tasks.forEach(category => {
console.log(`π ${category.category}`);
console.log('β'.repeat(40));
category.items.forEach(item => {
const priority = item.priority === 'High' ? 'π΄' :
item.priority === 'Medium' ? 'π‘' : 'π’';
const effort = item.effort === 'High' ? 'π' :
item.effort === 'Medium' ? 'π' : 'π';
console.log(`${priority} ${item.task} ${effort}`);
});
console.log('');
});
// Timeline
console.log('π
Implementation Timeline:');
console.log('Week 1: SPF + Basic DMARC (monitoring)');
console.log('Week 2-3: DKIM configuration');
console.log('Week 4-8: DMARC enforcement gradual rollout');
console.log('Week 9-12: DNSSEC deployment');
console.log('Ongoing: Monitoring and optimization');
}
dnsSecurityChecklist('example.com');
The Bottom Line
DNS security is non-negotiable for modern domains:
- SPF prevents spoofing - Tell the world who can send your email
- DKIM proves authenticity - Cryptographic signatures on every email
- DMARC enforces policy - Decide what happens to fake emails
- DNSSEC ensures integrity - DNS responses can't be forged
- Together = Complete protection - Each layer adds critical security
Start with SPF, add DKIM, enforce with DMARC, secure with DNSSEC. Your domain's reputation depends on it.
Monitor DNS security instantly: Fusebox analyzes SPF, DKIM, DMARC, and DNSSEC configuration while you browse. Ensure complete domain security. $29 one-time purchase.