Suped

What are wildcard, DKIM, and DMARC best practices?

8 Marketer opinions4 Expert opinions5 Technical articles1 Resource

Summary

Effective email deliverability and security involve a combination of strategies related to wildcard DNS, DKIM, and DMARC. DKIM best practices include generating a 2048-bit key, regular key rotation, and DNS record publication. DMARC implementation necessitates a policy for handling authentication failures, starting with 'p=none' for monitoring and gradually increasing stringency. Wildcard DNS simplifies subdomain creation but requires careful security planning to avoid unintended matches. Stunt DNS servers further simplify DMARC setup for dynamic subdomains. SPF, DKIM, and DMARC work together for anti-spoofing, with DMARC reporting crucial for understanding deliverability. Key rotation prevents compromises, and RFC 7489 provides the standard. Wildcard TLS certificates present similar risks to wildcard DNS entries.

Key findings

  • DKIM Setup: Generate 2048-bit keys, rotate regularly, and publish the DKIM record in DNS.
  • DMARC Policy: Implement a DMARC policy, starting with 'p=none' and increasing stringency.
  • Wildcard DNS Security: Wildcard DNS simplifies setup but requires careful planning and monitoring to avoid security risks.
  • Anti-Spoofing: SPF, DKIM, and DMARC provide anti-spoofing protection.
  • Stunt DNS Servers: Stunt DNS servers simplify DMARC setup for dynamic subdomains.
  • DMARC Reporting: DMARC reporting is critical for analyzing deliverability.
  • Key Rotation: Regular DKIM key rotation mitigates key compromise risks.
  • Wildcard TLS Certificates: Wildcard TLS certificates present similar challenges to Wildcard DNS entries.

Key considerations

  • DKIM Key Management: Establish a consistent schedule for DKIM key rotation.
  • DMARC Enforcement: Gradually increase DMARC policy strictness as confidence grows.
  • Wildcard DNS Planning: Plan subdomain coverage carefully when using wildcard DNS.
  • DMARC reports analysis: Analyze DMARC reports to identify areas to improve email deliverability.
  • TLS certificates: Consider the impact Wildcard TLS certificates may have.

What email marketers say
8Marketer opinions

Several best practices for wildcard DNS, DKIM, and DMARC have been identified. DMARC setup involves publishing a DMARC record in DNS settings, instructing email providers on handling authentication failures, starting with a 'p=none' policy for monitoring. DKIM and DMARC protect against spoofing and phishing; DKIM authenticates, while DMARC builds on SPF and DKIM. Wildcard DNS simplifies subdomain creation but poses security risks, requiring careful planning. DMARC enhances deliverability and brand reputation through continuous monitoring and policy adjustments. Correctly configuring SPF and DKIM is essential, using dedicated sending domains and regular checks. DMARC reporting aids in understanding and addressing deliverability issues. Regular DKIM key rotation mitigates key compromise risks. Finally, Wildcard TLS Certificates also present challenges, use with caution.

Key opinions

  • DMARC Setup: Publish a DMARC record in DNS settings and start with a 'p=none' policy for monitoring.
  • Security Protection: DKIM and DMARC protect against email spoofing and phishing attacks.
  • Wildcard DNS Risks: Wildcard DNS simplifies subdomain creation but can introduce security risks; plan carefully.
  • Deliverability Enhancement: DMARC implementation enhances email deliverability and protects brand reputation.
  • SPF/DKIM Configuration: Correctly configure SPF and DKIM using a dedicated sending domain and regular checks.
  • Reporting Importance: DMARC reporting helps understand and address email deliverability issues.
  • Key Rotation: Regular DKIM key rotation mitigates the risk of key compromise.
  • TLS Wildcards: Wildcard TLS Certificates presents security challenges, use with caution.

Key considerations

  • Monitoring: Continuously monitor DMARC reports and adjust policies for optimal email authentication.
  • Planning: Carefully plan subdomain coverage when using wildcard DNS records.
  • Security: Address security risks associated with wildcard DNS by implementing appropriate controls.
  • Key Management: Implement a process for regular DKIM key rotation to minimize compromise risks.
  • TLS Wildcards: Consider all subdomains and security implications when using Wildcard TLS Certificates.
Marketer view

Email marketer from EasyDMARC shares that implementing DMARC enhances email deliverability, protects brand reputation, and prevents phishing attacks. They emphasize the importance of continuous monitoring and adjusting DMARC policies to optimize email authentication.

July 2022 - EasyDMARC
Marketer view

Email marketer from Proofpoint explains that DKIM and DMARC are essential for protecting your brand from email spoofing and phishing attacks. DKIM authenticates the sender's domain, while DMARC builds upon DKIM and SPF to provide instructions to email receivers on how to handle unauthenticated emails.

October 2022 - Proofpoint
Marketer view

Email marketer from Mimecast explains that DMARC reporting is crucial for understanding your email authentication ecosystem. They recommend analyzing DMARC reports to identify and address any issues with email deliverability.

April 2021 - Mimecast
Marketer view

Email marketer from Mailchimp shares that to set up DMARC, you need to publish a DMARC record in your DNS settings. This record tells email providers what to do with messages that fail authentication checks. They also recommend starting with a 'p=none' policy to monitor results before enforcing stricter policies.

January 2022 - Mailchimp
Marketer view

Email marketer from Reddit explains that using wildcard DNS records can simplify the creation of multiple subdomains but advises caution due to potential security risks. They recommend carefully planning which subdomains should be covered by the wildcard record.

October 2024 - Reddit
Marketer view

Email marketer from Agari shares that regular DKIM key rotation is a best practice to mitigate the risk of key compromise. Rotating DKIM keys ensures that even if a key is compromised, the impact is limited to the period before the rotation.

January 2025 - Agari
Marketer view

Email marketer from ReturnPath explains that whilst not DNS wildcard records, wildcard TLS certificates also present similar challenges around security and control. Use with caution and consider all subdomains it may impact.

October 2023 - ReturnPath
Marketer view

Email marketer from SparkPost explains that correctly configuring SPF (Sender Policy Framework) and DKIM is crucial for email deliverability. They recommend using a dedicated sending domain and regularly checking SPF and DKIM records for accuracy.

May 2022 - SparkPost

What the experts say
4Expert opinions

Experts recommend careful planning and monitoring when using wildcard DNS with DKIM/DMARC due to potential unexpected authentication results. A 'stunt DNS server' can simplify DMARC setup, especially for dynamically created subdomains, by only answering queries for existing subdomains. Blog posts cover wildcard DNS with DKIM/DMARC and deployment of stunt DNS servers.

Key opinions

  • Wildcard DNS Caveats: Wildcard DNS can simplify setup but lead to unexpected authentication results if not properly managed with DKIM/DMARC.
  • Stunt DNS Server: Stunt DNS servers simplify DMARC setup for dynamically created subdomains.

Key considerations

  • Planning & Monitoring: Carefully plan and monitor wildcard DNS usage with DKIM/DMARC to avoid authentication issues.
  • Stunt DNS Deployment: Consider deploying a stunt DNS server to streamline DMARC configuration for dynamic subdomains.
Expert view

Expert from Word to the Wise explains the relationship between wildcard DNS records and DKIM/DMARC, noting that wildcard DNS can simplify setup but can also lead to unexpected authentication results if not properly managed. Atkins recommends careful planning and monitoring when using wildcard DNS with DKIM/DMARC.

July 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares a blog post regarding wildcards, DKIM, and DMARC.

February 2025 - Email Geeks
Expert view

Expert from Word to the Wise shares the setup of a stunt DNS server to help with DMARC. The stunt DNS server will only answer DNS queries for subdomains that exist on the sending domain. This simplifies the DMARC setup when the subdomains are dynamically created.

April 2024 - Word to the Wise
Expert view

Expert from Email Geeks shares a followup blog post regarding stunt DNS servers, including the software and config to deploy one.

January 2022 - Email Geeks

What the documentation says
5Technical articles

DKIM involves generating a 2048-bit key, regularly rotating keys, and publishing the DKIM record to your DNS. DMARC requires setting up a policy to handle emails failing DKIM/SPF, starting with 'p=none' and gradually increasing stringency. Wildcard DNS simplifies subdomain configuration but needs careful security consideration. SPF, DKIM, and DMARC together provide anti-spoofing protection. RFC 7489 defines the DMARC standard.

Key findings

  • DKIM Key Management: Generate 2048-bit DKIM keys, rotate them regularly, and publish the DKIM record.
  • DMARC Policy: Implement DMARC by setting up a policy, starting with 'p=none' and increasing stringency gradually.
  • Wildcard DNS Security: Use wildcard DNS to simplify configuration, but carefully consider security implications.
  • Anti-Spoofing Trio: SPF, DKIM, and DMARC together provide effective anti-spoofing protection.
  • DMARC Standard: RFC 7489 defines the DMARC standard and its technical specifications.

Key considerations

  • Key Rotation Frequency: Establish a regular schedule for DKIM key rotation to minimize compromise risks.
  • Policy Enforcement: Gradually increase DMARC policy stringency as confidence in authentication increases.
  • Security Implications: Thoroughly evaluate the security implications of wildcard DNS records before implementation.
  • Comprehensive Approach: Implement SPF, DKIM, and DMARC together for optimal email security and deliverability.
  • RFC Compliance: Adhere to RFC 7489 specifications when implementing DMARC.
Technical article

Documentation from Microsoft shares that SPF, DKIM, and DMARC work together to provide anti-spoofing protection. Microsoft recommends using all three methods to ensure the best possible email security and deliverability.

May 2022 - Microsoft
Technical article

Documentation from Google explains that DKIM (DomainKeys Identified Mail) is an email authentication method that helps prevent spammers from forging your domain's email address. Best practices include generating a 2048-bit key, regularly rotating keys, and publishing the DKIM record to your DNS.

March 2025 - Google
Technical article

Documentation from Cloudflare explains that wildcard DNS records are used to match requests for non-existent domain names. Best practices include using them to simplify DNS configuration for subdomains but carefully considering security implications to avoid unintended matches.

June 2022 - Cloudflare
Technical article

Documentation from IETF explains that RFC 7489 defines the DMARC standard. The document provides detailed technical specifications for implementing DMARC, including the syntax and semantics of DMARC records.

August 2023 - IETF
Technical article

Documentation from DMARC.org explains that implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) involves setting up a DMARC policy to instruct recipient mail servers on how to handle emails that fail DKIM and SPF checks. Best practices include starting with a policy of 'p=none' to monitor email streams, then gradually moving to 'p=quarantine' and finally 'p=reject' as confidence increases.

October 2024 - DMARC.org

Related resources
1Resource

Cloudflare should strongly recommend Wildcard SPF subdomain ...
Cloudflare should strongly recommend Wildcard SPF subdomain ...

(NOTE: The strange treatment of some words in the following is because I can’t disable auto-link generation. The forum software blocked this post until I converted all of those words into code 😉 ) We have a domain that neither sends nor receives any email. It’s properly configured with SPF, DKIM and DMARC to block all email. Yet, without a wildcard SPF subdomain DNS entry, it’s surprising how much spam is generated, spoofing our domain as source…and accepted by millions of email servers ...

Cloudflare Community

Related questions