Proofpoint Essential SPF and DKIM Configuration: Step by Step Guide

This instructional article will demonstrate the  ProofPoint configuration process of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures to ensure ProofPoint passes the DMARC alignment check and eliminates spam from your domain, and increases security.

The SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. The DKIM record, on the other hand, is a specially formatted DNS TXT record that stores the public key the receiving mail server will use to verify a message’s signature. These email authentication methods will be used to prove to ISPs and mail services that senders are truly authorized to send email from a particular domain and are a way of verifying your email-sending server is sending emails through your domain.

The process of setting up the SPF record

To ensure the emails from ProofPoint are sent on behalf of your domain, we need to create or update your existing SPF record by including the following information.

You can easily do this easily by using our SPF Generator Tool and following the steps below:

1. Navigate to SPF Record Generator
2. Add the required include mentioned above in the a:__ section.
3. Choose the Policy (The options are : Fail (Not Compliant will be rejected), SoftFail (Not Compliant will be accepted but marked) and Neutral (Mails will be probably accepted)).
4. When you have made followed the steps, click on the “Generate”
5. Copy the provided SPF record and navigate to your DNS provider (CloudFlare, Godaddy, etc.) and create a TXT Record. We’ll be using CloudFlare for this example.
6. Click on “Save”
7. Wait up to 72 hours to allow your DNS to process the changes

Important Note: Each domain must have only one SPF TXT Record. If you have multiple SPF Records, SPF will return a PermError. 

If you are using multiple IPs, ESPs, Third-Party services for your various email strategies, you should include them in a single SPF Record.
E.g v=spf1 ip4:18.57.156.221 a:dispatch-us.ppe-hosted.com include:thirdpartyservice.com ~all

The process of setting up the DKIM record

To ensure the emails from ProofPoint are sent on behalf of your domain, we need to create a new DKIM record by the following information.

1. Navigate to Administration > Account Management > Domains.
2. Select the domain you want to configure and click the vertical ellipsis on the right-hand side of the Domains table.
3. Click the option labeled Configure DKIM.
4. A drawer will appear on the right side of the screen, listing all the currently configured DKIM keys. If this is your first time configuring DKIM, no keys will be listed. Click Create New DKIM Signing Key.
5. The form will appear asking you to specify a selector. A selector is used to locate the public key in DNS and is not visible to end users. A value is pre-populated, but you can change it if you’d like. Click Create.
6. The resulting screen will give you the hostname and value into your DNS zone. You typically do this on your domain registrar’s website (GoDaddy, Dotster, Namecheap, etc.) 

Important Note: You are also given an opportunity to save the private key to a secure location, in case you need it in the future. This is the only time this value will be displayed.

7. Once you’ve made the addition to your DNS zone, Proofpoint Essentials will need to validate that the record was added correctly. To do so, click the Verify Key button in the key’s context menu.
8. Once the key is successfully verified, outbound DKIM signing is automatically enabled for this domain.

Congratulations, you now successfully authenticated your outgoing mail stream from ProofPoint Essential with SPF and DKIM.