How to Configure SPF & DKIM for AFAS Online – A Guide by AutoSPF

ByBrad Slavin Reading Time: 9 minutes

In today’s email-delivery landscape, ensuring that your outgoing mail is properly authenticated is essential—not just for deliverability, but for protecting your brand, your domain’s reputation, and your customers from impersonation or phishing. At AutoSPF, we believe strongly in doing this right, and in this guide we walk you step-by-step through how to configure SPF (Sender…

AFAS Online

In today’s email-delivery landscape, ensuring that your outgoing mail is properly authenticated is essential—not just for deliverability, but for protecting your brand, your domain’s reputation, and your customers from impersonation or phishing. At AutoSPF, we believe strongly in doing this right, and in this guide we walk you step-by-step through how to configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your domain when using AFAS Online as your email-stream. While the specifics below reference AFAS Online, many of the principles are broadly applicable. Strong email security is essential for protecting sensitive information and preventing cyberattacks in both personal and business communications.

Why SPF & DKIM matter

What is SPF?

SPF is a DNS-based email authentication protocol. It allows a domain owner to publish a list of mail servers (IP addresses or domains) that are authorized to send email on behalf of that domain. When a receiving mail server gets a message from your domain, it checks the sending IP/domain against your SPF record. If the IP is listed, the check passes; if not, it fails (or is marked as a “soft fail”, “neutral”, etc).

What is DKIM?

DKIM adds a cryptographic signature to your outgoing mail emails. The message is signed by a private key, and the corresponding public key is stored in a DNS record (typically a TXT or CNAME). At the receiving end, the mail server uses the public key to verify that the message was not tampered with and that it was sent by an authorised source. DKIM plays an important role in modern email authentication and alignment.

How they work together (and with DMARC)

When combined, SPF and DKIM help establish trust in your email ecosystem. Moreover, if you publish a DMARC policy (via a DNS TXT record), you’re telling receiving mail servers how to handle mail that fails SPF or DKIM (or both). Properly configured SPF and DKIM are prerequisites for a strong DMARC rollout.

Specifically for AFAS Online, you’ll want to ensure that your domain’s SPF record authorises AFAS Online’s sending servers, and that DKIM is set up so that AFAS-sent mail has a valid signature. Once done, your domain is much better protected, and your deliverability improves.

Email ecosystem

Preparing for AFAS Online-specific setup

Before you dig into record changes, here are some preparatory steps and considerations:

  • Identify your sending domain(s). Are you using your own custom domain (e.g., mail.yourcompany.com or @yourcompany.com)? Or are you using a subdomain? Be clear about what domain you want authenticated.
  • Check other services that send on behalf of your domain. If you also send via other platforms (marketing platforms, CRMs, transactional-mail services), you’ll need to include them in your SPF record and possibly configure separate DKIM keys per service.
  • Ensure DNS-editor access. You’ll need the ability to add or edit DNS records (TXT, CNAME) at your DNS provider.
  • Understand DNS-propagation delays. Changes take time. Most DNS updates propagate quickly, but some take up to 72 hours to be fully visible worldwide.
  • Review existing records. If you already have an SPF record, be careful: you can only have one SPF record per domain (multiple ones cause errors). Likewise check if a DKIM or DMARC record already exists, to avoid duplication or conflicts.

With those steps in mind, let’s walk through the specific configuration for AFAS Online.

Step-by-step: Configuring SPF for AFAS Online

Here’s how to authorise AFAS Online to send mail for your domain:

  1. Log into your DNS zone provider (the platform where your domain’s DNS is managed).
  2. Navigate to the domain or subdomain you want to configure.
  3. Look for the section to add a new TXT record.
  4. For the Name (or Host) field:
    • If you’re configuring at the root of your domain (e.g., yourcompany.com), you may use @.
    • If you’re using a subdomain (e.g., mail.yourcompany.com), you enter that subdomain.

For the Value field (the record content), enter:

v=spf1 include:spf.afas.online ~all

  1.  This tells receivers: “The only authorised senders for this domain include those defined by spf.afas.online; any others should be treated with a soft-fail (~all).”
  2. Save the record.
  3. Wait for DNS propagation (up to 72 hours).
  4. After propagation, it’s wise to check the SPF record with an SPF-checker tool to confirm it resolves correctly and includes the AFAS entry only once.

Important note: You must only have one SPF TXT record per domain. If you previously had a different record (for example, for another sending service), you must merge them. For example:

v=spf1 ip4:18.57.156.221 include:spf.afas.online include:thirdpartyservice.com ~all

SPF Check

If you were to have two separate SPF records, many receivers will treat the domain as misconfigured and might bounce or spam-flag your messages.

Step-by-step: Configuring DKIM for AFAS Online

DKIM setup is slightly more involved because you’ll need to add CNAME records (or TXT records) for the DKIM public key portion. For AFAS Online, the process is:

  1. Log into your DNS zone provider.
  2. Add the first CNAME record:
    • Name (Host): afasonline1.domainkey
    • Value (Target): afasonline1.domainkey.afas.online
  3. Ensure the proxy status is disabled (or set to DNS-only) if you’re using a service like Cloudflare. Proxying the CNAME may interfere with DKIM resolution.
  4. Save the record.
  5. Add the second CNAME record:
    • Name (Host): afasonline2.domainkey
    • Value (Target): afasonline2.domainkey.afas.online
  6. Again, ensure proxy status is “DNS only.”
  7. Save the record.
  8. Wait up to 72 hours for propagation.
  9. Once propagation is complete, use a DKIM-validation tool to check that the signature is publishable and resolves correctly.

With both DKIM selectors (afasonline1 and afasonline2) in place, your outgoing messages from AFAS Online will include a valid DKIM signature aligned with your domain.

After configuration: Verification & best practices

Verifying your setup

  • Use an SPF checker (many free online tools) to verify that your domain’s SPF record is valid, contains the include:spf.afas.online, and that your sending IP is authorised.
  • Use a DKIM checker by sending a test email to a provider that shows header information (e.g., Gmail, Outlook) and look for the DKIM-Signature: header. Confirm the selector corresponds to afasonline1 or afasonline2.
  • If you already have a DMARC record, you can monitor your DMARC reports (if enabled) and ensure mail from your domain passes SPF or DKIM alignment.

Best practices & recommendations

  • Use “~all” (soft fail) as a transition phase. The ~all mechanism means “soft-fail” — it tells receivers that unauthorised senders are likely. Once you’re confident in your setup and all legitimate senders are covered, you can consider changing to -all (hard fail) if appropriate.
  • Keep your SPF include list tidy. Over time, domains accumulate multiple third-party services sending mail. Too many includes or IP addresses may exceed DNS lookup limits (10 lookups). Monitor and prune unused entries.
  • Rotate DKIM keys periodically. Though not strictly mandatory for every setup, rotating DKIM keys (changing selectors or generating new keys) can reduce long-term risk from key compromise.
  • Monitor DMARC reports. If you have a DMARC record (for example: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com), you’ll start receiving aggregate reports telling you which IPs are sending on your domain, which are authorised, and which are failing. Investigate any failures.
  • Watch for proxying issues. If your DNS provider supports proxy-mode for CNAMEs (common in Cloudflare), make sure DKIM and other records are set to “DNS only.” Proxying can prevent proper resolution of DKIM public keys.
  • Use sub-domains if needed for isolation. If you run many different services (transactional mail, marketing mail, internal mail) and want to isolate reputations, you may use a sub-domain (e.g., m.mail.yourcompany.com) and publish separate SPF/DKIM/DMARC for that sub-domain.
  • Document changes and version your DNS. Keeping track of changes helps when troubleshooting or onboarding new services.
SPF checking tool

Why configure for AFAS Online specifically

If you’re using AFAS Online as your business application suite (for ERP/HR/financials) and sending automated emails (invoices, reports, notifications) from that system, you want to ensure these messages are treated as legitimate by receiving mail systems. Without authentication, your messages can be flagged as spam, blocked, or worse — spoofed by attackers.

By configuring both SPF and DKIM to include AFAS Online’s sending domain (spf.afas.online) and selectors (afasonline1/2.domainkey.afas.online), you assure receiving mail systems that:

  • The mail originates from an authorised send-source (via SPF).
  • The message contents are signed and unaltered (via DKIM).
  • You’re aligned with DMARC (if you publish one) so you can enforce policy and monitor abuse.

In short, this improves deliverability and protects your domain’s reputation.

Common pitfalls & troubleshooting

Here are some issues organizations often encounter — and how to avoid them:

  • Multiple SPF records: If you publish more than one SPF record (two separate TXT records starting with v=spf1), many mail-servers will throw a PermError and may drop or distrust your mail. Solution: merge into a single record with all necessary includes.
  • Too many DNS lookups: Remember: each include: and redirect= counts toward a lookup limit (10 for SPF). If you exceed this, SPF may fail or degrade. Prune unused services.
  • Proxy-enabled CNAMEs for DKIM: If using Cloudflare or similar, avoid proxying DKIM CNAMEs — set to DNS only. Proxying may mask the target and prevent key resolution.
  • Delayed DNS propagation: After you make changes, it may take up to 72 hours for all networks to see it. Don’t assume a record change hasn’t worked until full propagation.
  • Mis-aligned domains: For DKIM to align under DMARC, the signing domain must match (or be a sub-domain) of the “From:” domain. If AFAS Online sends from @yourcompany.com, your DKIM domain should align accordingly.
  • Not monitoring DMARC: Without DMARC aggregate or forensic reports, you’re blind to unauthorised senders or mis-configured services. Enable reporting early on.
Email authentication

Extending your email authentication strategy

Once SPF and DKIM are set for AFAS Online, consider the next steps to strengthen your email domain protection:

Publish a DMARC record, if you haven’t already. A simple policy might look like:

_dmarc.yourcompany.com  TXT  “v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; ruf=mailto:dmarc-forensic@yourcompany.com; pct=100”

  •  Over time you can change p=none to p=quarantine or p=reject.
  • Enable BIMI (Brand Indicators for Message Identification) if your brand logo is registered and you meet requirements. This adds a visual logo in supported inboxes — boosting brand trust.
  • Conduct periodic audits. Review which services send on your behalf, verify their SPF/DKIM alignment, remove unused senders, rotate keys, and update records.
  • Educate stakeholders. Make sure marketing teams, IT teams, and whichever departments send mail know about the authentication mechanisms and the need to stay within policy.
  • Use monitoring and reputation tools. Track your domain’s sending reputation, bounce rates, complaint rates, and any failures reported via DMARC.

Final thoughts from AutoSPF

Setting up reliable SPF and DKIM for a service like AFAS Online may seem straightforward, but the devil is in the details. A simple mis-configuration (duplicate SPF records, mis-named DKIM selector, proxy-enabled CNAME) can undermine your whole authentication strategy.

Here at AutoSPF, we recommend the following three key take-aways:

  1. One domain → one SPF record. Merge all includes and IPs into a single record.
  2. Validate and monitor. Use tools to check SPF/DKIM, publish DMARC with reporting, and monitor failures.
  3. Don’t set and forget. Email authentication is not a once-and-done. Environments change, services are added or removed, and best practices evolve.
DNS Error

By following the guidance above—especially tailored for AFAS Online—you’ll significantly improve your email authentication posture, boost deliverability, and protect your brand’s domain from misuse. If you ever need help, audit tools or professional assistance, AutoSPF is here to support you.

Similar Posts