Quick guide to email configuration (ITSAP.60.003) – Canadian Centre for Cyber Security

Summary

This guidance from the Canadian Centre for Cyber Security outlines the core email configuration controls you should have in place to reduce spoofing, phishing and interception risks. It explains Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC) in plain terms and recommends configuring SPF, DKIM and DMARC together.

The document notes practical behaviours: add SPF as a DNS TXT record to declare authorised senders; rely on DKIM signatures to verify message integrity; use TLS to encrypt server-to-server transfers (but be aware not all hops are guaranteed); and deploy DMARC to define handling policies (none, quarantine, reject) and to obtain reports for monitoring.

Key Points

  • SPF: a DNS TXT record listing IPs allowed to send mail for your domain — helps prevent spoofing but must be kept accurate.
  • DKIM: cryptographic signatures added by senders and verifiable via DNS — ensures messages haven’t been altered in transit.
  • TLS: encrypts mail in transit between servers to protect privacy and integrity, though subsequent hops may not always use TLS.
  • DMARC: uses SPF and DKIM results to enforce a policy (p=none, p=quarantine, p=reject) and provides reporting to detect abuse.
  • Use DMARC reporting tools or third-party services to interpret reports and tune policies; regularly review rules to avoid blocking legitimate mail.
  • Choose an email provider that supports SPF, DKIM and DMARC, offers TLS and has robust anti-spam/threat mitigation features.
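The SPF lookup and the DMARC policy decision described in the key points above, as an added example that is not from the Cyber Centre guidance: `spf_ip_check` evaluates a sending IP against a record's ip4/ip6 mechanisms, and `dmarc_disposition` combines SPF and DKIM results with identifier alignment to yield pass, none, quarantine or reject. The two DNS records are constructed samples; the organisational-domain shortcut and the omission of include/a/mx lookups are simplifying assumptions.

```python
import ipaddress

SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # constructed sample
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s"  # constructed
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_check(spf_txt: str, sender_ip: str) -> str:
    """Evaluate an SPF record against a sending IP. Assumption: only ip4/ip6
    mechanisms and 'all' are handled (include/a/mx would need live DNS)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means '+' (pass on match)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term present

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=...; tag=value' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    # Assumption: org domain = last two labels (a real validator uses the PSL).
    org = lambda d: ".".join(d.lower().rstrip(".").split(".")[-2:])
    return org(from_domain) == org(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' on an aligned SPF (MAIL FROM) or DKIM (d=) pass, else the p= policy."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]
```

With the sample record's `adkim=s`, a DKIM signature from `mail.example.com` does not align with a `From:` of `example.com`, so a message relying on DKIM alone falls through to the quarantine policy; the same message with relaxed alignment (the default) would pass.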

Context and relevance

Email remains the primary vector for phishing and business email compromise. Properly configured SPF, DKIM and DMARC reduce impersonation and increase deliverability, while TLS protects content in transit. For organisations handling sensitive data or relying on email for operations, these settings are foundational security hygiene and align with broader trends in tightening email authentication across the internet.

Why should I read this

If you manage email for an organisation, this short guide is a neat, no-nonsense checklist. It cuts through the jargon, tells you which DNS records to add, why TLS matters (and its limits), and why DMARC reporting is worth setting up. It saves you from wading through the standards documents: quick, practical and useful.

Source

Source: https://cyber.gc.ca/en/guidance/quick-guide-email-configuration