SPF, DKIM and DMARC for email security
Published 28 June 2021
This post explains the differences between these email security and anti-spoofing protocols and sets out our recommendations for our clients.
SPF, DKIM and DMARC
SPF, DKIM and DMARC are ways to authenticate your mail server and to prove to Internet providers, mail services and other receiving mail servers that senders are authorised to send email with your domain name. When properly set up, all three prove that the sender is legitimate, that their identity has not been compromised and that they are not sending email on behalf of someone else.
These anti-spam measures are becoming increasingly important and will one day be required by all mail services and servers. ISPs and mail services, such as Gmail and Office 365, are getting more and more stringent about the types of email they will accept, so having all three checks configured ensures that email gets delivered and is not rejected outright or otherwise delayed.
SPF is an acronym for “Sender Policy Framework”. SPF is a DNS (Domain Name System) TXT (text) record that specifies which IP addresses and/or servers are allowed to send email “from” that domain. It’s like the return address placed on a letter or postcard, which lets the recipient know who sent the communication. The idea is that if the recipient knows who sent the letter, they are more likely to open it. In this analogy, though, the “recipient” is the receiving mail server, not the actual person being emailed.
DKIM is an acronym for “DomainKeys Identified Mail”. It is also known as “email signing”. Like SPF, DKIM relies on a TXT record added to the domain’s DNS. And if SPF is like a return address on a letter, DKIM is like sending that letter via certified mail, as it further builds trust between the sending server and the receiving server. That is because DKIM’s intent is to prove that the contents of an email message have not been tampered with, that the signed headers of the message have not changed (e.g., by adding in a new “from” address) and that the sender of the email owns the domain that has the DKIM record attached to it, or is at least authorised by the owner of the domain to send email on their behalf.
Unlike SPF, DKIM uses public-key cryptography to create a pair of electronic keys, a public key and a private key, that carries this “trust”. The private key remains on the server it was created on, which is your mail server. The public key is what is placed in the DNS TXT record. Because of this relationship, DKIM records generally need to be created and managed by domain administrators. And while the private key is kept private, the public key is generated by a tool on the mail server and can easily be copied and pasted into a TXT record with that domain’s DNS provider (e.g., GoDaddy, eNom, DynDNS, etc.). Domain administrators have control over all DKIM settings for a domain, and these can be changed and edited as needed. The new record simply needs to be added to the domain’s DNS again.
DMARC is an acronym for “Domain-based Message Authentication, Reporting and Conformance”. It is an email authentication, policy and reporting protocol that is built around both SPF and DKIM. It has three basic purposes:
· it verifies that a sender’s email messages are protected by both SPF and DKIM,
· it tells the receiving mail server what to do if neither of those authentication methods passes, and
· it provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.
Since DMARC uses both SPF and DKIM, you may wonder why it’s even necessary. Well, it’s simple: DMARC builds on SPF and DKIM by requiring that, when an email is received, the domain validated by each of those checks matches the “friendly from” domain (e.g., email@example.com) that the user actually sees, i.e., the from address contained in the message’s header. This is what the folks at Dmarcian, a company founded by one of the primary authors of the DMARC specification, call “Identifier Alignment.”
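As an added illustration of identifier alignment (example code written for this page, not from the original post or from Dmarcian), the Python below parses a DMARC TXT record and decides whether the SPF-authenticated MAIL FROM domain or the DKIM d= domain aligns with the From header domain, returning the record's policy when neither does. It assumes the receiving server has already evaluated SPF and DKIM, and it substitutes a tiny constructed suffix list for the real Public Suffix List when working out organizational domains.

```python
# Added example (not from the post): DMARC identifier alignment and disposition.
# Assumes SPF and DKIM were already evaluated; pass None for a check that did not pass.
from typing import Optional

# Constructed stand-in for the Public Suffix List used to find organizational domains.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Defaults from the DMARC spec: relaxed alignment for both identifiers, policy none.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label plus the longest public suffix that matches."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_domain: Optional[str],
                   dkim_domain: Optional[str]) -> str:
    """'pass' if the SPF (MAIL FROM) or DKIM (d=) domain aligns with the From header, else the policy."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"]
```

Note that a message whose SPF passes for an unrelated MAIL FROM domain still fails DMARC, which is exactly the spoofing case SPF alone does not catch.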
SPF provides excellent protection. For clients who have experienced email spoofing, or who may be at greater risk of email spoofing because of their business or sector, Maple also carefully configures DKIM and DMARC records on their email services.