# How to trust Signicat mail servers
Page contents
# Introduction
This page explains the options for how you can trust Signicat to send email messages on behalf of your domain using one or a combination of the following methods:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
You can find more information on these authentication methods on the Internet Engineering Task Force (IETF) website (opens new window).
# Sender Policy Framework (SPF)
Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorised to send email messages on their behalf. The goal is to reduce the amount of spam and fraud by making it harder for malicious senders to disguise their identity.
An SPF TXT record is used to verify the validity of a mail server. If a mail server is on the SPF trust list, email sent from that server will have a higher (better) rating and is less likely to end up in a spam folder.
In order to trust Signicat to send email messages on behalf of testdomain.com, you can include the following TXT record in the domain's DNS:
v=spf1 a mx include:_spf.signicat.cloud
Note
Any suffixes or additional SPF mechanics (like -all or ~all) will vary from DNS to DNS.
# Email signing with DKIM
Contact us at support@signicat.com if you would like to use email signing with DomainKeys Identified Mail (DKIM). DKIM increases the trust of outgoing email even further, but needs to be implemented in your domain's DNS.
If you are sending email from someemailaddress@customerx.com as the sender, you must include two TXT records in the domain's DNS as sig-smtp01._domainkey.customerx.com and sig-smtp02._domainkey.customerx.com.
The example below shows how you could implement this in your DNS. Do not copy the example verbatim, as the exact value will be provided to you by Signicat Support.
Note
Email signing with DKIM is only available in production.
# Email signing with DMARC policy
It can be a good idea to add a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to your DNS. This ensures that both SPF and DKIM keys are validated by the receiving mail provider.
Given that your company's name is still customerx, as in the example above for email signing with DKIM, you will need to add the following as a DNS txt record to _dmarc.customerx.com:
v=DMARC1; p=none; rua=mailto:administrator@customerx.com
The DMARC policy will apply for your entire domain, so consider starting out with p=none. When you feel confident that all of your own mail servers in addition to Signicat's mail servers are sending signed email, you can consider setting p=quarantine in your DMARC Policy.
Note
Signicat cannot recommend a specific website for validating SPF, DKIM and DMARC setups, but you will be able to find many validation tools online.