What is SPF, DKIM and DMARC?
SPF
SPF (Sender Policy Framework) is an email authentication protocol aimed at detecting email spoofing and stopping unauthorised senders from using your domain to send emails. An SPF record lists the servers that are authorised to send mail for your domain. The record is published in public DNS, so any receiving server can retrieve it to check an incoming message, as specified in RFC 7208.
SPF Meaning in Email
SPF stands for Sender Policy Framework and was introduced in the early 2000s. Initially, SPF stood for Sender Permitted From (also known as SMTP+SPF), but in February 2004 it adopted the name we use today: Sender Policy Framework.
SPF (Sender Policy Framework) allows domain owners to publish a list of authorised email servers (IP addresses or hostnames) permitted to send emails on their behalf. Here’s a step-by-step breakdown of how SPF works:
The domain owner publishes an SPF record in their domain’s DNS. This record specifies which email servers are authorised to send emails for that domain.
When an email is sent, the SMTP envelope carries the sender's bounce address (MAIL FROM, shown to recipients as Return-Path). This is the address SPF checks; it is not necessarily the From: header the recipient sees. The receiving server takes the domain from that address and performs a DNS lookup for the domain's SPF TXT record.
The SPF record consists of mechanisms (such as ip4, ip6, a, mx and include) that describe which servers are allowed to send for the domain, each with a qualifier: + (pass, the default), - (fail), ~ (softfail) or ? (neutral). The receiving server walks the mechanisms left to right and compares the IP address of the connecting server against each one until a mechanism matches.
The qualifier of the matching mechanism gives the result: pass, fail, softfail or neutral. If no record exists the result is none; a malformed record or too many DNS lookups gives permerror. The receiving server then acts on that result, for example accepting the email, marking it as spam, or, when DMARC is in use, feeding the result into the DMARC evaluation.
How to Use SPF in Email
To use the SPF email standard, ensure you understand how it works and check your domain’s and email service provider’s SPF support. Then, create an SPF record, publish it on your DNS, and ideally combine your SPF DNS implementation with DKIM and DMARC to prevent spoofing.
Why is Sender Policy Framework Important for Email?
SPF ensures emails sent from your domain are genuine and not fake lures created by cyber attackers. Key benefits of SPF include reducing email spoofing by verifying the authenticity of the sending server. It improves email deliverability rates as recipient servers are more likely to accept emails from authorised servers. SPF also minimises the likelihood of legitimate emails being marked as spam, building and maintaining a positive sender reputation. Furthermore, it makes it harder for malicious actors to send fraudulent emails, helping to reduce phishing and spam. Many email service providers and organisations require the use of SPF for compliance with email standards.
How to Enable SPF Policy
To create an SPF record, first determine the authorised email servers by identifying the IP addresses or hostnames of the email servers authorised to send emails on behalf of your domain, including your own organisation’s servers or third-party service providers.
Next, define your SPF policy by specifying which servers are allowed to send emails for your domain. You can choose to allow only specific servers or include a range of servers based on IP addresses or hostnames.
Then publish the record. SPF is published as a TXT record in your domain's DNS (the dedicated SPF record type was deprecated by RFC 7208), so make sure the record is correctly formatted and contains the necessary mechanisms. Access your domain's DNS management system and add a new TXT record, specifying the hostname (usually "@" for the domain itself) and pasting the SPF record in the value field.
SPF Record Example
Here's an example of an SPF record in your DNS (203.0.113.0/24 is an RFC 5737 documentation range standing in for your real mail server addresses):
v=spf1 ip4:203.0.113.0/24 -all
This authorises any host in 203.0.113.0/24 to send mail for the domain and tells receivers to fail everything else (-all). Do not list private ranges such as 192.168.0.0/16: a receiving server only ever sees the public address of the connecting server, so such an entry never matches and only adds noise.
How to Check SPF
After adding the SPF record, it may take some time for the change to propagate across DNS (up to the TTL of any previously cached record). Use an SPF record check tool, or query the TXT record directly with dig or nslookup, to verify that the record is correctly formatted and is actually being served. For complex configurations, consult your system administrator or IT support.
SPF for Third-Party Vendors
To cover third parties that send on your behalf, add their IP addresses, or better the SPF-handling domain they publish for this purpose, to your domain's record with an include mechanism. A domain must have exactly one SPF record: two TXT records starting with v=spf1 make the record invalid (permerror). Each include also counts toward the limit of 10 DNS-querying mechanisms that RFC 7208 imposes, and the includes inside the included record count too, so keep the list short. For example, if you use SuperEmails.net as your email sender and their SPF-handling domain is spf.superemails.net, your SPF record might be:
v=spf1 include:spf.superemails.net -all
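The evaluation described in the steps above, with the ip4 record and the include record from the two examples, as an added example that is not part of the original page or of any SPF library. It assumes a constructed DNS table in place of real lookups (example.com and spf.superemails.net are illustrative names, the addresses are documentation ranges) and implements only the ip4, ip6, include and all mechanisms, enforcing the RFC 7208 10-lookup limit:

```python
import ipaddress

# Constructed stand-in for DNS: the TXT record a receiver would fetch for
# each domain. Assumption: example.com and spf.superemails.net are
# illustrative names; the addresses are RFC 5737/3849 documentation ranges.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.superemails.net -all",
    "spf.superemails.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# RFC 7208 caps DNS-querying mechanisms (include, a, mx, ptr, exists,
# redirect) at 10 per check; going over is a permanent error.
MAX_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # the implicit qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Return the SPF result for a connection from `ip` whose MAIL FROM is in `domain`.

    Implements ip4, ip6, include and all. Mechanisms left out of this example
    (a, mx, ptr, exists, redirect) return 'permerror' so the gap is visible
    instead of being silently treated as a pass.
    """
    if _lookups is None:
        _lookups = [0]
    record = dns.get(domain)
    if record is None:
        return "none"                        # no SPF record published
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include: recursively evaluates the other domain's record;
            # only a 'pass' there counts as a match for this term.
            inner = check_spf(ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208 section 5.2
            if inner == "temperror":
                return "temperror"
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                         # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"),
                    ("198.51.100.10", "example.com"),
                    ("192.0.2.1", "example.com")]:
        print(ip, dom, "->", check_spf(ip, dom))
```

Note that a connection from 198.51.100.10 passes for example.com only through the include, and a connection from anywhere else falls through to -all and fails even though the included record itself ends in ~all: the qualifier that applies is the one on the matching term in the record being evaluated.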
Limitations of SPF
While SPF protects your domain against forged envelope sender addresses, it has limitations. SPF often fails when emails are forwarded, because the forwarding server is not listed in the SPF record of the original sender's domain. Managing SPF records grows complex as the number of authorised servers and third-party services increases, and RFC 7208 allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) per evaluation; exceeding that limit makes the record fail with permerror. SPF only verifies the sending server, not the message: it neither signs nor checks the content, which is what DKIM does (neither protocol encrypts anything). And SPF checks the envelope MAIL FROM domain, not the From: header the recipient sees, which is why pairing it with DMARC is crucial.
Make SPF Even Better with Powermail
SPF alone is useful, but attackers can sidestep it: SPF only validates the envelope MAIL FROM domain, so an attacker can use a domain they control in the envelope (which passes SPF) while putting your domain in the visible From: header. DMARC closes this gap by requiring the SPF-authenticated domain to align with the From: header domain, so incorporating SPF into DMARC is what makes your email security robust.
DKIM
DKIM stands for DomainKeys Identified Mail. It is an email authentication method that lets a sending domain sign its messages so that receivers can detect whether the signed content was altered during delivery and can confirm which domain took responsibility for the message.
Based on public key cryptography, DKIM works by adding a digital signature in a DKIM-Signature header. When the receiving server gets an email with a DKIM signature, it fetches the signing domain's public key from DNS and verifies the signature. If the signature is valid, the signed headers and body are known to be unaltered since signing, and the message is tied to the domain in the signature's d= tag.
How Does DKIM Work?
During DKIM setup, the domain owner generates a key pair. The private key stays on the sending server, which uses it to add a DKIM-Signature header to each outgoing message; the public key is published in DNS under a selector name of the form selector._domainkey.example.com.
Upon receiving the email, the recipient's server reads the DKIM-Signature header, queries DNS for the public key named by its s= and d= tags, recomputes the hash of the message body and checks it against the bh= tag, then verifies the b= signature over the headers listed in h= (the signature also covers the body hash). If the signature verifies, the signed parts of the email are unaltered and the signing domain vouches for it; if anything that was signed has changed, verification fails.
What is a DKIM Record?
A DKIM record is a TXT record in your DNS containing the public key (the p= tag) that corresponds to the private key your mail server signs with. Receiving servers fetch it to verify the signature on a message and so confirm that the message was not altered en route to its destination.
A DKIM signature is a cryptographic signature added to the header of an email message that verifies its authenticity and ensures it has not been tampered with during transit.
A DKIM selector names one key among possibly several published by a signing domain. It is the alphanumeric string in the s= tag of the DKIM-Signature header, and the verifier combines it with the d= tag to form the DNS name it queries. Use a distinct selector for every email vendor or signing system you use, and rotate keys by publishing a new selector and switching signing over to it.
For example, in the DKIM record name s1._domainkey.domain.com, s1 is the selector; the record's value looks like this (p= holds the base64-encoded public key, truncated here):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…
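The verification steps above (body hash, tag parsing, selector lookup name) as an added example that is not the page's code or any mail library's. It assumes a constructed message (example.com, selector s1 and the addresses are illustrative and correspond to no real key or mailbox) and deliberately stops at the body-hash check: the RSA signature in b= needs the private key to create and the published public key to verify, so b= is left as a placeholder. What it does show is how relaxed canonicalization tolerates whitespace changes while any change to the words breaks the hash:

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4.

    'simple' only strips empty lines at the end; 'relaxed' also collapses runs
    of spaces/tabs to one space and strips trailing whitespace on each line,
    so a relay that re-wraps whitespace does not break the hash.
    """
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, mode="relaxed"):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(value):
    """Turn 'v=1; a=rsa-sha256; ...' into a dict; b= and bh= may be folded."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            key = key.strip()
            tags[key] = re.sub(r"\s+", "", val) if key in ("b", "bh") else val.strip()
    return tags


def dns_key_name(tags):
    """Name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def get_header(head, name):
    """Value of the first header called `name`, with folded lines unfolded."""
    for line in re.sub(r"\r\n[ \t]+", " ", head).split("\r\n"):
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def sign_message(headers, body, domain, selector, mode="relaxed"):
    """Append a DKIM-Signature whose bh= is real. b= stays a placeholder: the
    RSA signature over the h= headers needs the private key and is left out."""
    sig = (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
           f"h=from:to:subject; bh={body_hash(body, mode)}; b=PLACEHOLDER")
    return headers + "DKIM-Signature: " + sig + "\r\n\r\n" + body


def verify_body_hash(message):
    """First half of DKIM verification: does the body still match bh=?"""
    head, _, body = message.partition("\r\n\r\n")
    tags = parse_dkim_signature(get_header(head, "DKIM-Signature") or "")
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    canon = tags.get("c", "simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"   # c=header/body
    return body_hash(body, body_mode) == tags["bh"]


# Constructed message (assumption: example.com, selector s1 and the addresses
# are illustrative and correspond to no real mailbox or key).
SAMPLE_HEADERS = ("From: Alice <alice@example.com>\r\n"
                  "To: Bob <bob@example.net>\r\n"
                  "Subject: Invoice\r\n")
SAMPLE_BODY = "Hello Bob,  \r\nPlease find the  invoice attached.\r\n\r\n\r\n"
SIGNED = sign_message(SAMPLE_HEADERS, SAMPLE_BODY, "example.com", "s1")

if __name__ == "__main__":
    head = SIGNED.partition("\r\n\r\n")[0]
    print(dns_key_name(parse_dkim_signature(get_header(head, "DKIM-Signature"))))
    print("intact:", verify_body_hash(SIGNED))
    print("tampered:", verify_body_hash(SIGNED.replace("attached", "attacked")))
```

A real verifier continues from here: it canonicalizes the headers named in h=, appends the DKIM-Signature header itself with b= emptied, and checks the RSA signature against the key fetched from the name that dns_key_name() builds.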
Why do you need DKIM?
DKIM prevents message alterations
When you ask what DKIM does to prevent email fraud, the answer is this: the signature covers the body hash and the listed headers, so if the message is intercepted and altered in transit the signature no longer verifies, and the receiver can reject or quarantine the email.
DKIM minimizes domain spoofing
An email an attacker sends pretending to be your domain will not carry a signature made with your private key, so it fails DKIM verification for your domain, which is another part of what DKIM protects your organisation against.
DKIM reduces email spam
DKIM is also well known for reducing spam. Configuring DKIM greatly reduces the chances of your email ending up in the spam folder, especially for email marketing campaigns.
DKIM boosts email deliverability
Moreover, when you set up DKIM, it improves your reputation as a verified source in the eyes of customers, partners, and other services.
How Does DKIM Prevent Spoofing?
DKIM prevents email spoofing by adding a unique signature to each email, acting like a digital fingerprint. This signature verifies that the email was signed by the domain in its d= tag and that the signed headers and body haven't been altered in transit. By confirming that the signature matches the email's contents, DKIM ensures that emails are genuine and not forged by a malicious party pretending to be that domain.
What are the Limitations of DKIM?
While DKIM is crucial for message authentication, it has certain limitations:
- Sender Authentication: DKIM authenticates the sender’s domain name, not the individual sender. If someone has access to your email account, they can still send emails in your name, even with DKIM enabled.
- Public DNS Records: DKIM requires the key record to be in the public DNS zone that the rest of the internet resolves. A record that exists only in an internal (split-horizon) zone, or that was not updated when the key was rotated, a common misconfiguration in small businesses, leads to DKIM failures.
- Spam and Phishing: DKIM alone does not prevent spam or phishing attempts. While it makes forgery harder for bots by requiring access to your private keys, it should be paired with DMARC for comprehensive protection.
Pairing DKIM with DMARC
Pairing DKIM with DMARC provides well-rounded protection and ensures smooth email deliverability. Using both protocols reduces the risk of being blacklisted by spam filters, improving the chances of your emails reaching their recipients.
Additionally, this combination helps protect your brand. Spammers often spoof domains they think are less likely to be reported as spam, but if those domains have DKIM set up and an enforcing DMARC policy, it becomes much harder for spammers to succeed. The beauty of pairing DKIM with DMARC is that they work together seamlessly to provide multiple layers of protection against spoofing attempts while giving senders options on handling their mail if something goes wrong during delivery.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that verifies email senders and provides insights for enhanced email security. It allows domain owners to set domain-level policies for mail handling, including preferences for message verification, failure responses, and reporting. DMARC is described under RFC 7489 of the Internet Engineering Task Force (IETF).
DMARC helps combat email fraud and phishing attacks by letting email receivers decide whether a message is authentic using the SPF and DKIM results, with one extra requirement: the domain that passed SPF or DKIM must align with the domain in the visible From: header. Based on that result, the domain owner's policy tells receivers to reject, quarantine, or deliver the email. These instructions are published as a DNS record by the domain owner.
DMARC Full Form
DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance”. Here’s a breakdown of the components:
Domain-based: DMARC operates at the domain level.
Message Authentication: Domain owners designate authentication protocols to validate incoming emails. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two such protocols.
Reporting: Feedback reports can be requested in the DMARC record. Receiving MTAs send aggregate reports (XML, requested with rua=) summarising authentication results per sending source, and optionally failure reports (requested with ruf=) about individual failing messages, to the designated addresses.
Conformance: Domain owners use DMARC to describe the actions of receiving mail servers when an email fails the DMARC check.
How Does DMARC Work?
When a message arrives, the receiver looks up the DMARC record of the domain in the From: header and evaluates SPF and DKIM as usual. DMARC passes if at least one of them passes and its domain aligns with the From: domain: for SPF the envelope MAIL FROM domain, for DKIM the d= tag of a valid signature. If neither yields an aligned pass, the message fails DMARC. Depending on the policy in the record, the message is then rejected, quarantined (for example flagged as spam), or delivered as is when the policy is none.
Once DMARC is correctly set up for your domain, you can enable DMARC reports to identify suspicious messages and take swift action to protect your subscribers.
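One way to read the aggregate reports mentioned above, as an added example that is not the page's code or any DMARC tool's. It assumes a constructed report in the RFC 7489 Appendix C layout (the reporting organisation, addresses, counts and report id are invented) and flattens each record so that sources failing DMARC can be listed for investigation. The second record is the instructive one: its SPF result is a raw pass, but for a domain that does not align with the From: header, so DMARC still fails:

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 Appendix C layout. Assumption:
# the reporting organisation, addresses, counts and report id are invented
# for illustration and do not come from a real mailbox.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten each <record> into a dict; returns (published domain, rows)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        spf = rec.find("auth_results/spf")
        dkim = rec.find("auth_results/dkim")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # <policy_evaluated> holds the *aligned* results DMARC decided on
            "dmarc_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            # <auth_results> holds the raw SPF/DKIM outcome and the domain it was for
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_raw": spf.findtext("result") if spf is not None else None,
            "dkim_domain": dkim.findtext("domain") if dkim is not None else None,
        })
    return root.findtext("policy_published/domain"), rows


def summarize(rows):
    """Message totals plus the sources that failed DMARC and deserve a look."""
    totals = Counter()
    to_investigate = []
    for row in rows:
        totals["total"] += row["count"]
        if row["dmarc_pass"]:
            totals["pass"] += row["count"]
        else:
            totals["fail"] += row["count"]
            to_investigate.append((row["source_ip"], row["count"], row["disposition"]))
    return totals, to_investigate


if __name__ == "__main__":
    domain, rows = parse_aggregate_report(SAMPLE_RUA)
    totals, suspects = summarize(rows)
    print(domain, dict(totals))
    for ip, n, action in suspects:
        print(f"  {ip}: {n} messages, receiver applied '{action}'")
```

In a real deployment the XML arrives zipped or gzipped as a mail attachment, and a failing source may be a forgotten legitimate sender (a ticketing system, a newsletter vendor) rather than an attacker, so the list is a starting point for investigation, not a verdict.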
Why is DMARC Important?
DMARC plays a crucial role in enhancing your email security efforts. While email systems have spam filters, these are ineffective against direct-domain spoofing attacks. By impersonating companies, attackers can retrieve login credentials and sensitive information. According to IBM’s Cost of a Data Breach Report, compromised credentials lead to 19% of all data breaches.
DMARC provides visibility through report-based feedback, ensuring email authentication, protecting from domain spoofing and phishing attacks, and complying with standards required by Google, Yahoo, and PCI-DSS. BIMI also requires DMARC enforcement.
Benefits of DMARC
DMARC benefits companies by preventing impersonation attacks and reducing spam and deliverability issues. Major mailbox providers such as Yahoo and Google require DMARC for bulk senders, and mail from domains without it can be rejected. Implementing DMARC is highly recommended for compliance and security.
Email Fraud Prevention: DMARC reports help identify spoofed emails and sources impersonating you.
Improves Brand Reputation: Ensures only legitimate messages reach your recipients, enhancing your brand’s reputation.
Minimises Spam: Reduces spam in customer inboxes by blocking fraudulent messages.
Provides Visibility: Quickly identify unauthorised email senders using detailed reports.
Improves Deliverability: Correctly implemented, DMARC improves your email's deliverability over time as receivers learn to trust authenticated mail from your domain.
How to Enable DMARC for Your Domain?
Setting up DMARC can be technical. Here are the general steps involved:
Assess Your Email-Sending Infrastructure: Note marketing automation platforms, customer service tools, and email delivery services.
Configure SPF and DKIM Records: Use SPF record and DKIM record generator tools to create these records, then publish them in your DNS, with your DNS registrar's help if needed. DMARC needs at least one of them to pass with alignment, and in practice you want both, so that forwarding (which breaks SPF) does not cause failures.
Create a DMARC TXT Record: Sign up with Powermail to create your record using their DMARC record generator tool. Mandatory fields include protocol version “v” (always DMARC1) and policy mode “p” (configured according to your preference).
Select a DMARC Policy: Choose how email receivers should handle messages that fail DMARC checks. Options include “none”, “quarantine”, or “reject”.
Publish Your DMARC Record: Access your DNS management console, enter “_dmarc” in the Host field, and set the resource type as TXT. Keep TTL at 1 hour.
Verify Your DMARC Setup: Use a DMARC checker tool to ensure your record is valid by entering your domain name and clicking “lookup”.
What Do DMARC Records Look Like?
A DMARC record is defined in the DNS (Domain Name System) as a TXT record associated with the domain. It includes several tags specifying the policy mode and reporting options. Here’s an example:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; sp=reject"
In this example:
“_dmarc.example.com.” refers to the specific domain where the DMARC record is set up (in this case, example.com).
“IN TXT” indicates the record type as a text record.
“v=DMARC1” signifies the protocol version.
“p=reject” sets the DMARC policy to reject, instructing receiving email servers to refuse emails that fail DMARC rather than deliver them.
“rua=mailto:” specifies the email address for aggregate reports.
“ruf=mailto:” designates the email address for forensic reports.
“sp=reject” sets the policy for subdomains that do not publish a DMARC record of their own; without sp, subdomains inherit the p policy.
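The DMARC evaluation described under "How Does DMARC Work?", applied to the record above, as an added example that is not the page's code or any DMARC library's. It assumes the SPF and DKIM results and their domains are already known (the constructed cases use example.com from the record plus invented attacker and forwarder domains), and it uses a two-label heuristic for the organizational domain where a real verifier would consult the Public Suffix List:

```python
# DMARC record from the example above (example.com is the page's own
# illustrative domain); the second record is a constructed strict variant.
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                "ruf=mailto:forensics@example.com; sp=reject")
STRICT_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s"


def parse_dmarc(record):
    """Parse 'tag=value; ...' and apply the RFC 7489 defaults for missing tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are mandatory")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Assumption: a two-label heuristic (mail.example.com -> example.com).
    A real verifier uses the Public Suffix List so example.co.uk is not cut to co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, policy_to_apply).

    record_domain is where the _dmarc TXT record was found; from_domain is the
    domain in the visible From: header; spf_domain is the MAIL FROM domain and
    dkim_domain the d= of a verified signature (None when absent).
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # A subdomain without its own record inherits sp= if present, else p=.
    is_subdomain = from_domain.lower().endswith("." + record_domain.lower())
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


if __name__ == "__main__":
    cases = {
        "legitimate": ("example.com", "pass", "example.com", "pass", "example.com"),
        "spoofed From, attacker's own SPF": ("example.com", "pass", "attacker.example.org", "none", None),
        "forwarded (SPF broke, DKIM survived)": ("example.com", "fail", "forwarder.example.net", "pass", "example.com"),
        "unauthenticated subdomain": ("news.example.com", "fail", "news.example.com", "none", None),
    }
    for label, (frm, spf_r, spf_d, dkim_r, dkim_d) in cases.items():
        print(label, "->", evaluate_dmarc(DMARC_RECORD, "example.com", frm, spf_r, spf_d, dkim_r, dkim_d))
```

The "spoofed From" case is the one SPF alone cannot catch: SPF passes for the attacker's envelope domain, but that domain does not align with example.com in the From: header, so DMARC fails and p=reject applies. The pct= tag, parsed but not applied here, lets a domain phase in a policy by having receivers enforce it on only a fraction of failing messages.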
DMARC, SPF, and DKIM – Pillars of Email Authentication
SPF (Sender Policy Framework) authorises legitimate sending servers through an SPF record in the domain's DNS. DKIM lets the sender digitally sign the message with a private key; receivers verify the signature against the public key in the sender's DNS record. DMARC ties both results to the domain in the From: header and tells receivers what to do when neither aligns.
Combining DMARC, SPF, and DKIM Against Email Fraud
Implementing DMARC, SPF, and DKIM together provides robust protection against email spoofing and phishing attacks. This layered approach enhances email deliverability, protects your brand reputation, and improves overall security. DMARC provides valuable reporting insights, helping to identify and address email authentication failures promptly.
Should You Use SPF and DKIM if You Already Have DMARC?
Yes, it is highly recommended to use both SPF and DKIM alongside DMARC: DMARC does no authentication of its own and needs at least one aligned SPF or DKIM pass to succeed. Together, they form a robust email authentication framework.