SPF, DMARC, and Compliance Addresses
To meet the main email service specifications, the following guidelines should be followed. It is recommended that every email service have the following configurations:
- A TXT record in DNS for SPF, which will allow sending messages from specific servers. Example lines are as follows:
"v=spf1 include:_spf.google.com -all" "v=spf1 include:spf.protection.outlook.com -all"
- A DKIM configuration, used by the email server to authenticate the messages being sent, which can vary as either a TXT or CNAME record depending on the email service strategy
- A DMARC configuration, which will declare the rule adopted for SPF and DKIM records. The following value is recommended, changing the email address that will receive the DKIM report results:
"v=DMARC1; p=reject; sp=reject; fo=1; adkim=r; aspf=r; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; rf=afrf; ri=86400;"
- If the domain you are configuring also receives DMARC reports from another domain, a TXT record is required on the subdomain
*._report._dmarc(or the email domain instead of the wildcard *, e.g.,example.com._report._dmarc):
"v=DMARC1;"
- Email groups or distribution lists with the following IDs:
abuse (contact for email service abuse) admin (administrator contact - not documented in RFC) administrator (administrator contact - not documented in RFC) hostmaster (contact for domain zone issues - also for SOA) noc (contact for network infrastructure issues) postmaster (contact for email infrastructure issues) security (contact for security issues - also for CAA, security.txt) webmaster (contact for websites)
Google Workspace Forwarding Strategy:
It is recommended to forward all other administrative mailboxes to a group named security@ using the routing feature found in Apps > Google Workspace > Settings for Gmail > Routing (link), since Google reserves some email addresses such as abuse@, preventing them from being added as aliases. Google allows external addresses and groups to be members of local groups; if necessary, you can add the external contact directly to the group.
For forwarding individual mailboxes to external recipients, if forwarding is blocked, it is necessary to create a new OU with forwarding permission granted to perform external forwarding for that user. Check the Automatic forwarding settings here.
Microsoft 365 Forwarding Strategy:
It is recommended to forward all other administrative mailboxes to a group named security@ through an alias on the group itself. Microsoft allows external addresses and groups to be members of local groups if added as contacts. If necessary, add the external contact on the platform under Users > Contacts (link) and add this contact as a group member.
For forwarding individual mailboxes to external recipients, blocking is enabled by default. You can configure a policy via PowerShell to allow the specified local account to forward messages to external recipients using the following commands:
Connect-ExchangeOnline
Get-HostedOutboundSpamFilterPolicy
New-HostedOutboundSpamFilterPolicy -Name "Allow Specific Forwarding" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Allow Specific Forwarding Rule" -HostedOutboundSpamFilterPolicy "Allow Specific Forwarding" -From "localaccount@domain.example"Forwarding rules can also be checked here, but it is recommended to create them via PowerShell to avoid creation errors.
Locaweb Strategy:
The provider is inconsistent about sending messages from groups. It is recommended to create a mailbox named security@, add aliases with the other alternatives, and add a rule through webmail to forward messages to the desired contact, which can be internal or external.
Additional Information:
Domain monitoring and reputation services are also recommended, such as Postmaster Tools offered by the Google Gmail platform.
Domains without email service should use MX with an invalid hostname 0 . and SPF with no authorizations "v=spf1 -all", in addition to the appropriate DMARC rules to prevent spoofing attacks using these domains, although having a valid messaging service with compliance addresses is still recommended.