Introduction: What are DKIM, DMARC, and SPF?
Email authentication is critical for protecting your email from spoofing and phishing attacks. DKIM, DMARC, and SPF are three primary email authentication technologies.
DKIM (DomainKeys Identified Mail) uses public-key cryptography to let a domain take responsibility for a message. The sending server signs selected headers and the message body with a private key, and the recipient’s mail server fetches the matching public key from the signing domain’s DNS and verifies the signature. A valid signature proves that the message passed through a server holding that domain’s key and that the signed content was not altered in transit.
SPF (Sender Policy Framework) is a policy, published in DNS, that lists which hosts (IP addresses or mail servers) are permitted to send email on behalf of your domain. Any service that sends mail for you (a marketing platform, a help desk, a customer portal) has to be covered by your SPF record, otherwise its mail fails the check.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top of SPF and DKIM to provide more comprehensive protection against email spoofing and phishing attacks. It lets the domain owner tell receiving servers what to do with a message whose From domain passes neither SPF nor DKIM in an aligned way: monitor only, quarantine it (deliver it to the spam folder), or reject it outright. It also lets receivers send aggregate and failure reports back to the domain owner.
Using DKIM, DMARC, and SPF together is currently considered a best practice in email security. Major mailbox providers now require them, at least from bulk senders, and without them your email deliverability will suffer.
How do DKIM, DMARC, and SPF work?
Email authentication is verifying that an email really comes from the domain it claims to come from (it says nothing about whether the content is spam). There are three primary email authentication protocols: DKIM, DMARC, and SPF.
DKIM uses a public-private key pair to authenticate the domain that signed an email. The sending server uses its private key to sign a hash of selected headers and of the message body, and places the result in a DKIM-Signature header. That header also names the signing domain (the “d=” tag) and a selector (the “s=” tag); the recipient looks up the public key at “<selector>._domainkey.<domain>”, published as a TXT record (or a CNAME pointing at your provider’s TXT record), and verifies the signature against it. A domain can publish several DKIM keys under different selectors, for different sending services or for key rotation, which is why the header has to say which key the email must be validated against. Because the signature travels with the message, DKIM survives forwarding, and it detects any modification of the signed headers or body between the time the message left the signing server and the time it reached the recipient. Note that it authenticates the signing domain, not the human sender.
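The following is an added example, not code from the original article, showing the part of DKIM that can be demonstrated without a crypto library: computing the “bh=” body hash over the “simple” canonicalized body, assembling the DKIM-Signature tags, deriving the DNS name the verifier queries, and recomputing the body hash on the receiving side. The domain, selector and message body are constructed for the example; the RSA signature in the “b=” tag is left empty because the standard library has no RSA.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample data for this example (not from the original article).
SIGNING_DOMAIN = "example.com"   # assumed signing domain (d= tag)
SELECTOR = "default"             # assumed selector (s= tag)
BODY = "Hi Alice,\nPlease find the invoice attached.\n\nBob\n"


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, all
    trailing empty lines removed, body terminated by exactly one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_dkim_signature(domain: str, selector: str, body: str,
                         signed_headers=("from", "to", "subject", "date")) -> str:
    """Signer side: assemble the DKIM-Signature header value.
    b= is left empty: the RSA signature over the listed headers needs a
    crypto library that is not in the standard library, so it is omitted."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=")


def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. Folding whitespace inside a
    value (common in long bh= and b= values) is not significant."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value: str, body: str) -> bool:
    """Verifier side, first step: recompute bh= over the received body and
    compare it with the value the signer put in the header. A mismatch means
    the body was altered after signing (the b= check would then be skipped)."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


if __name__ == "__main__":
    sig = build_dkim_signature(SIGNING_DOMAIN, SELECTOR, BODY)
    print("DKIM-Signature:", sig)
    print("public key lives at:", dkim_dns_name(parse_dkim_signature(sig)))
    print("original body ok:", verify_body_hash(sig, BODY))
    print("tampered body ok:", verify_body_hash(sig, BODY.replace("invoice", "payment link")))
```

Two things worth noticing: a forwarder that appends blank lines to the body does not break the hash, because simple canonicalization strips them, while changing a single word in the body does; and the selector in the header is what tells the verifier which of the domain’s keys to fetch.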
SPF records let a receiving server verify that the IP address a message arrived from is authorized to send on behalf of the sending domain. They are published as DNS TXT records starting with “v=spf1” and contain mechanisms such as a, mx, ip4, ip6 and include; depending on your setup, a combination of some or all of them is used. To evaluate SPF, the recipient server takes the connecting IP and the domain of the envelope sender (the MAIL FROM / Return-Path address, not the From header the user sees), fetches that domain’s SPF record, and walks the mechanisms in order until one matches. Two caveats to keep in mind: a record may trigger at most 10 DNS lookups (a, mx, include and similar mechanisms each count), otherwise evaluation ends in a permanent error; and because SPF checks the IP of the last hop, plain forwarding breaks it, which is one reason DKIM is needed as well.
Remember: a domain must publish exactly one SPF record. Two “v=spf1” TXT records on the same name are a permanent error and are treated as a failure.
DMARC is the policy that tells the recipient server what action to take when a message fails authentication, meaning neither SPF nor DKIM passed with a domain that aligns with the From header domain. It is published as a DNS TXT record on the “_dmarc” subdomain of your domain. The policy can tell the recipient’s server to reject the email outright, quarantine it, or take no action and simply report it (p=none, which is used for monitoring during rollout).
Why is email authentication necessary?
Email authentication is a critical security measure that protects email communications from being spoofed or tampered with.
Imagine your client receiving an email from you, which you never sent, about a bill payment with a payment link. SMTP (Simple Mail Transfer Protocol), the protocol that carries email under the hood, has no built-in sender authentication: anyone can put any address in the From field. That means anyone can send emails on behalf of any domain whose owner has not set up email authentication.
This gives a malicious attacker a wide open field to phish your clients while riding on your domain’s reputation, and it eventually destroys your credibility. Email authentication with SPF, DKIM, and DMARC is the way to solve this problem, and all three are open standards that anyone can implement.
Email authentication is essential for both personal and business users. For individual users, it helps protect against phishing attacks. Scammers attempt to steal your personal information by sending you fake emails purporting to be from legitimate businesses or organizations.
What are the benefits of email authentication?
Email authentication is the process of verifying that email messages are actually from the senders they claim to be from. It is critical for three reasons. First, it helps prevent spam and phishing attacks. Spammers often use forged sender addresses, and phishers use spoofed addresses to trick people into revealing personal information; authentication lets receivers detect and discard such messages.
Second, email authentication can help protect your organization’s reputation. Suppose you use a domain name that is not covered by email authentication. In that case, it can be easy for spammers or phishers to send fake emails that appear to be from your organization. This can damage your organization’s reputation and make it more difficult for people to trust your emails.
Third, it improves deliverability. Mail that passes authentication is more likely to land in your recipient’s inbox instead of the spam folder. After all, what’s the use of sending 100 emails a day if they never reach your client’s inbox?
How can you set up DKIM, DMARC, and SPF for your domain?
To set up DKIM, DMARC, and SPF for your organization, you’ll need to create DNS records for each protocol. For SPF:
- Navigate to your DNS settings (e.g., Namecheap, Cloudflare, Bluehost, or another provider) and add a new record.
- Select the TXT record type and type “@” in the “Name” field (“@” stands for the domain itself).
- Paste “v=spf1 include:portal.cliffmail.com ~all” in “Value” and then save. Replace the include with the one your own sending service documents, and add an include for every other service that sends mail on your behalf.
SPF can have multiple mechanisms, and each carries a different meaning:
- “v=spf1” denotes the SPF version and must be the first term of the record.
- ip4 / ip6: match a single IP address or a CIDR range, e.g. ip4:203.0.113.0/24.
- a: match the IP addresses in the DNS ‘A’ (or ‘AAAA’) record of the domain, or of the domain named after the colon.
- mx: match the IP addresses of the domain’s MX hosts.
- include: evaluate another domain’s SPF record (typically your email provider’s) and match if that record passes.
- all: the catch-all at the end. The qualifier in front of it decides the result for everything not matched above: “~all” is a soft fail (accept but treat as suspicious), “-all” is a hard fail (reject).
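To make the evaluation order and the lookup limit concrete, here is an added example (not code from the original article) of a simplified SPF checker in the style of RFC 7208’s check_host(). It walks the mechanisms above in order, follows include, counts DNS-querying mechanisms against the limit of 10, and insists on exactly one “v=spf1” record. The DNS answers are a constructed in-memory table using example-only domains, so it runs offline; a real checker would query DNS instead.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (example-only domains).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # blows the lookup limit
    ("two.example", "TXT"): ["v=spf1 -all", "v=spf1 mx -all"],       # two SPF records: permerror
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permanent error
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Record cannot be evaluated: missing/duplicate record, lookup limit, bad syntax."""


def lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS query against the constructed table above."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf_record(domain: str) -> str:
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        raise SpfPermError(f"{domain}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]


def count_lookup(counter: list) -> None:
    """a, mx and include each cost one lookup; more than 10 in total is a permerror."""
    counter[0] += 1
    if counter[0] > MAX_DNS_LOOKUPS:
        raise SpfPermError("more than 10 DNS-querying mechanisms")


def host_matches(addr, names: list) -> bool:
    return any(addr == ipaddress.ip_address(a) for a in names)


def check_host(ip: str, domain: str, counter: list = None) -> str:
    """Simplified RFC 7208 check_host(): evaluate <domain>'s SPF record for the
    connecting IP <ip>. Returns pass, fail, softfail or neutral. (The per-MX
    address lookups, macros and exp= are left out for brevity.)"""
    if counter is None:
        counter = [0]
    addr = ipaddress.ip_address(ip)
    for term in get_spf_record(domain).split()[1:]:
        qualifier = "+"                      # no qualifier means "pass" on match
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain               # "a" and "mx" default to the current domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            count_lookup(counter)
            matched = host_matches(addr, lookup(target, "A"))
        elif mech == "mx":
            count_lookup(counter)
            matched = any(host_matches(addr, lookup(mx, "A")) for mx in lookup(target, "MX"))
        elif mech == "include":
            count_lookup(counter)
            matched = check_host(ip, arg, counter) == "pass"   # only "pass" propagates
        else:
            raise SpfPermError(f"unsupported mechanism {mech!r}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and the record had no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.10", "2001:db8::1", "10.0.0.1"):
        print(ip, "->", check_host(ip, "example.com"))
```

Note how include only contributes a match when the included record returns “pass”: the provider’s “-all” does not cause your own record to fail, your own trailing “~all” does. Counting the lookups on a real record is a useful sanity check before publishing it, since a record that includes several providers can silently exceed the limit of 10.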
Unfortunately, the DKIM setup depends on your sending service, because that service holds the private key and does the signing. That part is out of scope for this article.
The public key, however, is published in your domain as a ‘TXT’ record whose name is the selector your sending service uses followed by “._domainkey”, i.e. “<selector>._domainkey.yourdomain.com”.
For example, Mutant Mail uses “default._domainkey”, “dkim1._domainkey” and “dkim2._domainkey” as the selectors for our DKIM records.
Fortunately, DMARC is another one-line DNS entry.
- Go to your DNS service provider or domain registrar and create a new record.
- Choose the type as TXT record and type “_dmarc” in the “Name” field.
- Paste “v=DMARC1; p=quarantine; adkim=s” in “Value” and then save.
Like SPF, DMARC has a set of tags, each with a different meaning:
- “v=DMARC1” denotes the DMARC version and must come first.
- p denotes the policy applied to mail that fails DMARC: none (monitor only, deliver normally and just report), quarantine (deliver to the spam folder), or reject (refuse the message).
- adkim denotes the DKIM alignment mode: strict (s) requires the DKIM “d=” domain to be exactly the From header domain, relaxed (r, the default) accepts any subdomain of the same organizational domain. The aspf tag does the same for the SPF (envelope sender) domain.
- Apart from these, tags like rua (where to send aggregate reports), ruf (where to send failure reports), fo (failure reporting options) and others can be used to set up DMARC records. Start with p=none plus a rua address, read the reports to find senders you forgot to authorize, and only then move to quarantine and reject.
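As an added example (not code from the original article), here is the receiver-side DMARC decision: parse the record, check whether the SPF or DKIM result is aligned with the From header domain under the configured adkim/aspf mode, and return the disposition. The SPF and DKIM results are assumed to have been produced by the earlier checks and are passed in as strings; the organizational-domain logic is deliberately simplified to the last two labels, where a real implementation consults the Public Suffix List.

```python
# Constructed example; organizational-domain handling is simplified (see note below).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = ("none", "quarantine", "reject")


def dmarc_dns_name(domain: str) -> str:
    """Receivers look for the policy at _dmarc.<From-header domain>."""
    return f"_dmarc.{domain.lower()}"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = dict(DEFAULTS)
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError(f"not a valid DMARC record: {record!r}")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real implementations use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' if either authentication method passed with an aligned
    domain, otherwise the p= policy the domain owner published.
    spf_domain is the envelope sender (MAIL FROM) domain; dkim_domain is the
    d= tag of a verified signature (None if there was none). pct is ignored."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and \
        aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and \
        aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; adkim=s"
    print(dmarc_dns_name("example.com"))
    # SPF passes on the envelope domain and it equals the From domain: aligned
    print(dmarc_disposition(record, "example.com", "pass", "example.com", "none", None))
    # SPF passes, but for a bulk sender's own domain: not aligned, so no help
    print(dmarc_disposition(record, "example.com", "pass", "bulk-sender.example", "none", None))
    # DKIM signed by a subdomain: fine under relaxed alignment, fails under adkim=s
    print(dmarc_disposition(record, "example.com", "fail", "example.com", "pass", "mail.example.com"))
```

The second and third calls show the two surprises people hit in practice: an SPF “pass” for a third-party sender’s own envelope domain does nothing for DMARC, and the strict alignment chosen in the record above means a DKIM signature with d=mail.example.com does not satisfy a From address at example.com.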
In conclusion, email authentication is critical for both organizations and individual users. With DKIM, DMARC, and SPF in place, senders improve the deliverability of their messages and reduce the chances of them being marked as spam. In addition, email authentication helps protect users from phishing attacks and other malicious activity. If you’re not using email authentication, I encourage you to start using it today. It’s a quick and easy way to improve the security of your email communications.