Tuta Mail supports SPF, DMARC and DKIM for best security when using your custom domain.

Secure your custom domain emails with Tuta - the email service with built-in encryption.

2019-07-30 / Updated 2024-05-17
Authentication Failed - this warning is shown when DKIM checks fail for an email.
Tuta, the world's only quantum-resistant encrypted email provider supports Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and Domain Keys Identified Mail (DKIM). While we have supported DKIM for Tuta domains from the start, the demand from our growing number of users using their own domain required that we also introduce SPF, DKIM and DMARC support for custom domains on our secure email platform.

Tuta protects your custom domain with SPF, DKIM and DMARC

Using a custom domain for your emails is a crucial part for achieving a polished and professional online presence. Tuta offers full support for custom domains and even allows for the creation of unlimited email alias addresses once the domain has been linked to your account. In addition to all of the great features and functions of your encrypted email account, we also support email authentication policies which protect your domain from being spoofed by spammers. These email authentication policies are known as SPF, DKIM and DMARC. While the acronyms might look intimidating at first, we will walk you through the intricacies of each authentication method and why you should add them to your custom domain's DNS configuration settings.

What is DNS?

Domain Name Service, DNS for short, is a cornerstone resource for navigating the internet. DNS is primarily known for translating registered domain names with IP addresses. This service makes our daily perusal of the internet far more enjoyable as we don't need to try and remember lists of IP addresses in order to visit our favorite websites, instead we only need to remember their domain names (like tuta.com).

There are a number of different security features that can be added to strengthen DNS like DANE or DNSSEC. For the case of email, there are three forms of email domain authentication that are crucial for protecting your domain and your reputation, from being abused by spammers and other malicious actors. Tuta has been offering this support since 2019, while Big Tech companies like Google and Yahoo have only began requiring this higher level of security in February of 2024.

Protecting your identity: SPF, DKIM and DMARC

The Sender Policy Framework (SPF) is the first in a series of email authentication strategies used to protect your custom email domains from being impersonated. SPF allows domain owners to designate which sending mail servers are allowed to send emails using their domain name. If you have added a custom domain to your Tuta account, your SPF record will permit only Tuta's secure email servers to send emails using your domain. All other attempts will trigger error messages and the emails will not be correctly delivered. By adding an SPF record to your domain, you are adding an extra layer of protection which will make spam and phishing senders less likely to try and impersonate your domain.

Tuta supports signing of emails sent from your custom domain addresses with DomainKeys Identified Mail (DKIM). DKIM links a signature to the domain name with every outgoing email and the receiving mail servers are instructed to verify this signature to ensure the message's validity. If the email is spoofed, it will not pass this DKIM test and the email will be rejected according to the actions designated by the domain owner. If the signature is correctly verified the email will be delivered and the recipient can trust that the contents of the message have not been tampered with since the email was signed. This ensures the integrity of your data in-transit.

In addition to DKIM and SPF you can also enable DMARC for your custom email domain. DMARC or Domain-based Message Authentication, Reporting, and Conformance can be implemented in order to better protect your domain from being used in email spoofing and other scams. DMARC sets a policy and course of action for the receiving mail server in the event that an email arrives which does not pass SPF and DKIM verification checks. Added as a TXT record in your domain's DNS settings, DMARC will give the option for receiving servers to reject and quarantine emails which are possibly spoofed.

Image showing a spoofed email warning in the Tuta Mail client.

Here is an example of the email spoofing warning which is displayed in Tuta when an incoming email fails to pass an authentication check.

Use Tuta to protect your secure business emails and domain

Your organization's name and reputation can be tarnished if a spammer decides to try and use your domain for sending large amounts of spam. With Tuta you can securely host all emails in full GDPR-compliance on our servers based in Germany, knowing that no one can access your company's encrypted data and that your identity and reputation are kept safe. Protecting your custom domain only takes a few easy clicks. You have enough to do, let us take care of securing your emails.

Beyond protecting your custom domain Tuta offers catch-all support, an unlimited number of email addresses with your own domain, extensive whitelabel options, multi-user support, flexible access via mobile, web and desktop, and a two-level admin console to manage your encrypted Tuta account.

How to configure DNS records for your custom email domain

At Tuta, your security is our utmost priority. That's why we have built intuitive, easy to use clients which allow you to securely add custom domains to your account. In order to add SPF, DKIM and DMARC records for your custom email domain you will have to add new DNS entries for your domain within your Tuta account as well as in the settings menu of your domain provider.

In the Tuta Settings, you can now check and manage the DKIM and DMARC configuration for your own email domain(s) under "Global Settings" -> "Custom email domains".

DKIM domain status in the Tuta email client

We have created a step-by-step guide to configuring all of these DNS settings on our YouTube channel which you can follow for a quick visual tutorial.

Take back your privacy from Big Tech, signup today and create an email account which puts you in control.

Stay safe and happy encrypting!