An introduction to SPF, DKIM, and DMARC

Explaining the basics of email security

You don't want your email domain to be misused for spam and phishing, right? Chances are that your domain is not protected well enough to prevent this. Yet. With SPF, DKIM, and DMARC you actively protect your domain, gain valuable insight into who is trying to misuse it, and protect your brand, your customers, and your co-workers from phishing emails sent in your name.

Why is email security so important?

To understand the importance of email security, imagine (or remember) that in the early days of email there were no restrictions or ground rules regarding safe email traffic. The email protocol (SMTP) could easily be used to send mail under a made-up address or, worse, under someone else's real address. Spoofing is the act of sending email on behalf of someone who is not you, without needing access to their inbox: SMTP lets a sender put any address in the From: header and in the envelope sender, and nothing in the protocol itself checks it.

This troubling situation led to widespread phishing, e.g. emails that appeared to come from your bank asking you to send back your credit card, but that were not from the bank at all. While phishing is still alive, countermeasures exist. Those who have implemented them for their business are relatively safe and protected from misuse. Those who have not... need to implement SPF, DKIM, and DMARC as soon as possible.

The Sender Policy Framework (SPF)

Are you allowed to send this message?

Phishing emails are often sent in the name of existing and well-known companies. Banks, hosting providers, and telecom companies, for instance, are popular domains to impersonate. Seeing an email from a known sender gains the receiver's trust, even when the content of the email has (obvious) phishing purposes.

SPF checks whether the server delivering the email is allowed to send it on behalf of the domain it claims. Because an SMTP connection comes from an IP address, an SPF record (a TXT record in the domain's DNS, starting with v=spf1) lists the IP addresses and networks that are allowed to send email on the domain's behalf. The receiving server looks up that record for the domain in the envelope sender (the SMTP MAIL FROM address, also called the Return-Path) and compares it with the connecting IP. But since the Sender Policy Framework only protects this one aspect of the email, implementing only SPF will not protect your domain from phishers. That is where DKIM comes in.
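The lookup described above, as an added example that is not part of the original article: a small SPF evaluator that parses a v=spf1 record and decides whether a connecting IP may send for the MAIL FROM domain. The DNS records are a constructed in-memory table (example.com and _spf.mailer.example are placeholders, not real records), and only the ip4, ip6, include and all mechanisms are handled; the a, mx, exists and redirect= terms of a full RFC 7208 implementation are left out.

```python
import ipaddress

# Constructed DNS TXT records standing in for a live resolver. example.com and
# _spf.mailer.example are placeholders for this added example, not real records.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record published for a domain, or None if there is none."""
    record = dns.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip, mail_from_domain, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate the connecting IP against the SPF record of the envelope sender's domain.

    SPF is checked against the domain of the SMTP MAIL FROM address, not the From: header.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror', as in RFC 7208.
    Supports the mechanisms seen in most records: ip4, ip6, include and all.
    """
    if _depth > 10:  # RFC 7208 limits DNS-consuming terms to 10; deeper nesting is a permerror
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result  # the catch-all decides what happens to everything not listed before it
        if term.startswith(("ip4:", "ip6:")):
            try:
                network = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return result
        elif term.startswith("include:"):
            # include: matches when the included domain's record returns pass for this IP
            inner = check_spf(ip, term[8:], dns, _depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a, mx, exists and redirect= are not implemented in this example
    return "neutral"  # no term matched and no all mechanism: RFC 7208 treats this as neutral


if __name__ == "__main__":
    for ip in ("192.0.2.45", "198.51.100.10", "2001:db8:1::beef", "203.0.113.7"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The -all at the end of the example.com record is what turns an unlisted IP into a hard fail; a record ending in ~all (as the included mailer's does) only asks the receiver to treat unlisted senders with suspicion, and ?all effectively says nothing, which is why an SPF record on its own gives no strong guarantee.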

DomainKeys Identified Mail (DKIM)

Are you who you say you are?

Email messages consist of two parts. Similar to regular mail, emails have an 'envelope' as well as a 'letter'. The envelope is the sender and recipient address exchanged in the SMTP session (MAIL FROM and RCPT TO); the letter is the message itself, including the From: header the recipient sees in their mail client. SPF protects the envelope from misuse, but the envelope is discarded by the receiving email server once the message is delivered. As a result, the recipient only sees what is on the letter, and the address on the envelope can differ from the address on the letter.

DKIM protects the letter, but in a different way than SPF. Where SPF is a record that contains authorized IP addresses, DKIM is based on cryptographic keys. The sending server signs selected headers (including From:) and a hash of the body with a private key and adds the result as a DKIM-Signature header; the matching public key is published in DNS under <selector>._domainkey.<domain>, so the receiving server can verify that the message was signed by the named domain and was not altered in transit. With DKIM enabled for your domain, receiving servers can trust that messages signed by your domain really came from it. But as DKIM, just like SPF, is not enough on its own to prevent spoofing, you should always implement both.
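The tamper-detection half of DKIM, as an added example that is not code from the original article: body canonicalization and the bh= body hash from RFC 6376, plus a parser for the tag=value format shared by the DKIM-Signature header and the DNS key record. The b= value, the actual RSA or Ed25519 signature over the canonicalized headers, needs a private key and an asymmetric-crypto library that Python's standard library does not provide, so this example builds everything except b= and verifies the body hash only. The message body, domain (example.com) and selector (mail2024) are constructed placeholders.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, algorithm: str = "relaxed") -> bytes:
    """Apply RFC 6376 body canonicalization ('simple' or 'relaxed') to a CRLF-delimited body."""
    lines = body.split(b"\r\n")
    if algorithm == "relaxed":
        # Relaxed: drop trailing whitespace on each line and collapse runs of whitespace to one
        # space, so harmless reformatting in transit does not invalidate the signature.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif algorithm != "simple":
        raise ValueError("unknown body canonicalization: " + algorithm)
    while lines and lines[-1] == b"":  # both modes ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if algorithm == "simple" else b""  # simple hashes an empty body as one CRLF
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "relaxed", hash_name: str = "sha256") -> str:
    """The base64 digest that a signer puts in the bh= tag of DKIM-Signature."""
    digest = hashlib.new(hash_name, canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or the DNS TXT key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace in values is not significant
    return tags


def dkim_dns_name(selector: str, domain: str) -> str:
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def build_signature_header(domain: str, selector: str, body: bytes) -> str:
    """Build the DKIM-Signature a signer would emit, minus the b= value.

    b= is the private-key signature over the canonicalized headers listed in h= (plus this
    header with b= empty); it is left blank here because this example has no signing key.
    """
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the received body; a mismatch means the body changed after signing."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"  # 'c=relaxed' alone means simple body
    hash_name = {"rsa-sha256": "sha256", "ed25519-sha256": "sha256", "rsa-sha1": "sha1"}[tags["a"]]
    return tags.get("bh") == body_hash(body, body_canon, hash_name)


# Constructed sample message body and a phishing-style edit of it (placeholders, not real mail).
ORIGINAL_BODY = b"Hi,\r\n\r\nYour invoice is attached.   \r\n\r\n\r\n"
TAMPERED_BODY = b"Hi,\r\n\r\nYour invoice is attached. Pay to the new account below.\r\n"
SIGNATURE = build_signature_header("example.com", "mail2024", ORIGINAL_BODY)

if __name__ == "__main__":
    print("public key lookup:", dkim_dns_name("mail2024", "example.com"))
    print("DKIM-Signature:", SIGNATURE)
    print("original body hash OK:", verify_body_hash(SIGNATURE, ORIGINAL_BODY))
    print("tampered body hash OK:", verify_body_hash(SIGNATURE, TAMPERED_BODY))
```

A verifier that finds bh= correct then fetches the key record (v=DKIM1; k=rsa; p=...) from the DNS name above and checks b= against the canonicalized headers; only when both steps succeed does the signature count as a DKIM pass for the d= domain.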

Now that you've set up both authentication methods, most receiving email servers can differentiate legitimate messages from spoofed messages coming from your domain. However, there are specific cases where SPF and/or DKIM cause legitimate email to end up in spam and fraudulent email in the inbox. Forwarding, for instance, breaks SPF, because the forwarding server's IP is not in your record. And neither SPF nor DKIM on its own requires the domain it checked to match the From: address the recipient actually sees, so a phisher can pass both checks with a domain of their own while displaying yours. For the receiving server to truly understand what it needs to do with (possibly) spoofed messages, DMARC is the final authentication method you should implement.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

What happens if you're not allowed to send this message or are not who you say you are?

With SPF and DKIM you've set up the basics of email authentication. To properly defend your domain and customers from email phishing, DMARC tells the receiving email server its next steps in the delivery process. A message passes DMARC when SPF or DKIM passes and the domain that passed is aligned with the domain in the From: header (identical, or in relaxed mode under the same organizational domain). If neither does, DMARC tells the server to either do nothing, place the message in quarantine (typically the spam folder), or reject the message outright. This next step is based on the policy in the DMARC record, a TXT record published at _dmarc.<yourdomain>. The record contains various elements, such as the policy tag p= with the values "none", "quarantine" and "reject", and reporting options (rua= for aggregate reports, ruf= for failure reports). These reporting options help you get started with DMARC: the aggregate reports show which IPs send mail in your name, so you can authorize the legitimate senders you forgot about and identify the sources spoofing your domain. Start with p=none (observe only; nothing happens to failing emails), and once your legitimate mail passes, move via quarantine to the reject policy, which is the best way to get rid of domain spoofing for good.
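The DMARC decision described above, as an added example that is not part of the original article: parse a _dmarc record, apply identifier alignment to the SPF and DKIM results, and return the disposition. It assumes the SPF and DKIM checks and the DNS lookup of the record have already been done elsewhere, reduces the organizational domain to the last two labels (a simplification; real verifiers use the Public Suffix List) and ignores pct= sampling. The record and domains (example.com, attacker.example) are constructed placeholders.

```python
# Constructed record for this added example; example.com is a placeholder, not a real policy.
SAMPLE_DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                       "rua=mailto:dmarc-reports@example.com")


def parse_dmarc_record(txt: str) -> dict:
    """Parse the TXT record found at _dmarc.<domain> into tags, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels. Real verifiers consult the
    Public Suffix List so that e.g. example.co.uk is not reduced to co.uk."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(header_from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') accepts any domain under the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(header_from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(record_txt, record_domain, header_from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine already-computed SPF and DKIM results into a DMARC verdict.

    record_domain:      the domain whose _dmarc record was found (the From: domain itself,
                        or its organizational domain when the subdomain publishes none)
    spf_domain:         the envelope sender (MAIL FROM) domain SPF was evaluated against
    dkim_domain:        the d= tag of a DKIM signature that verified ('' if none did)
    Returns (passed, disposition); disposition is one of none, quarantine, reject.
    pct= sampling is ignored; a real verifier applies the policy to only pct% of failures.
    """
    rec = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and aligned(header_from_domain, spf_domain, rec["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(header_from_domain, dkim_domain, rec["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    # Failure: apply p= for the domain that published the record, sp= for its subdomains.
    policy = rec["p"] if header_from_domain.lower() == record_domain.lower() else rec["sp"]
    return False, policy


if __name__ == "__main__":
    # Spoof: attacker's own domain passes SPF, but it is not aligned with the visible From:.
    print(evaluate_dmarc(SAMPLE_DMARC_RECORD, "example.com", "example.com",
                         "pass", "attacker.example", "none", ""))
    # Forwarded legitimate mail: SPF fails at the forwarder, the DKIM signature still aligns.
    print(evaluate_dmarc(SAMPLE_DMARC_RECORD, "example.com", "example.com",
                         "fail", "forwarder.example", "pass", "example.com"))
```

The first case is the phishing scenario DMARC exists for: SPF and DKIM both "pass" for the attacker's infrastructure, yet the verdict is reject because neither passing domain is aligned with example.com. The second case shows why DKIM matters for deliverability: a forwarded message loses SPF but keeps its signature, and the aligned DKIM pass is enough.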

SPF, DKIM, and DMARC in short

SPF: Checking whether the sending IP address is listed in the domain's SPF record in the Domain Name System (DNS)

DKIM: Verifying a message's cryptographic signature against the public key the sending domain publishes in DNS, ensuring that the named domain really signed the email and that it was not altered on the way

DMARC: Making sure that emails that fail both SPF and DKIM for a domain aligned with the visible From: address are handled according to the domain's published policy (delivered, quarantined or rejected), with reports sent back to the domain owner