DMARC, DKIM, and SPF: Three Musketeers of Email Authentication
Email is the oldest online communication method, with 57 years of history.
When inventing the first version of email in 1965, researchers from the Massachusetts Institute of Technology couldn’t have imagined it would become so essential in human and technological progress.
But as email has evolved, it has become the most common target for cyberattacks.
Today, organizations continue to experience phishing attacks costing millions of dollars in damages each year.
SPF, DKIM, and DMARC were created at different times, but they work together to prove that an email really comes from the domain's legitimate owner. This, in turn, prevents the delivery of fraudulent phishing, spam, and spoofed emails. Let’s dive deeper into what SPF, DKIM, and DMARC are and how they work.
What is SPF or Sender Policy Framework?
SPF was the first of these three modern email authentication standards to be created.
In 2002, the first attempt at an SPF-like specification was presented to the Internet Engineering Task Force’s (IETF) “namedroppers” mailing list.
In the past, SPF was called ‘Sender Permitted From’ and SMTP+SPF. In February 2004, the name was changed to Sender Policy Framework when the IETF formed a working group to develop email authentication standards (called MARID).
The Internet Engineering Steering Group (IESG), as an IETF experiment, approved this version of the specification in July 2005 and invited the community to observe SPF during the two years after publication.
The SPF RFC was published as experimental RFC 4408 on April 28, 2006. By 2014, the IETF published SPF in RFC 7208 as a “proposed standard.”
SPF is an email authentication protocol that prevents email spoofing and phishing by creating a process that instructs email service providers (ESPs) to only accept emails from servers authorized by the sending domain’s administrators.
Thus, receiving mail servers can use SPF to verify that incoming messages claiming to come from a particular domain were actually sent by a server that domain authorizes. This helps legitimate emails land in a recipient’s inbox and prevents them from ending up in spam, while blocking emails from unauthorized sources.
From a configuration standpoint, SPF is implemented via a TXT record published in a domain’s DNS. It allows an organization to define authorized sources, including IP addresses and domains. To establish this email authentication, you need to create an SPF record.
What is DKIM or DomainKeys Identified Mail?
DKIM or DomainKeys Identified Mail was created in 2007 by merging two specifications: DomainKeys from Yahoo! and Identified Internet Mail from Cisco.
By 2011, DKIM developed into a new, widely adopted authentication technique registered as RFC 6376 by the IETF. Nowadays, all top ISPs like Google, Microsoft, and Yahoo! check incoming mail for DKIM signatures.
DKIM allows domain/organization owners to send digitally signed emails so the receiver can validate that the message is authentic and wasn’t altered in transit. This verification is possible through cryptographic authentication.
Public-key cryptography uses a key pair of two distinct, mathematically linked keys. The private key is kept secret and is used to compute a digital signature over selected headers and the body of each outgoing email; that signature travels with the message in a DKIM-Signature header. The public key is published in the DNS as the DKIM record so that any receiving server can retrieve it.
When a mail server receives an incoming email, it retrieves the sender’s public key from DNS and uses it to verify the signature against the message as received; if the signature checks out, the email is authenticated and known to be unaltered.
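The "wasn't altered in transit" guarantee rests on canonicalization and hashing, so here is an added example, not from the original article, that implements one verifiable piece of DKIM in pure Python: the relaxed body canonicalization of RFC 6376 and the body hash (the bh= tag). It assumes a constructed message with a placeholder b= tag, because producing the real signature requires the signer's RSA private key and checking it requires the public key from DNS; neither is covered here.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376 section 3.4.4):
    collapse runs of spaces/tabs to one space, strip trailing whitespace
    per line, drop empty lines at the end, and terminate with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """Base64 SHA-256 of the canonical body: the value a signer puts in bh=."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; bh=...' into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 values may contain '='
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw):
    """Split a raw RFC 5322 message into (unfolded lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    last = None
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()  # continuation of a folded header
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers, body


def body_hash_verifies(raw):
    """True when the bh= tag in the DKIM-Signature matches the body as received."""
    headers, body = split_message(raw)
    tags = parse_dkim_tags(headers.get("dkim-signature", ""))
    return tags.get("bh") == body_hash(body)


# Constructed sample message (not a real capture). bh= is computed here so the
# example is self-consistent; b= is a placeholder, not a real RSA signature.
SAMPLE_BODY = "Hi team,\r\n\r\nPlease review the  attached invoice.\r\n\r\n-- Alice\r\n"
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=sel2024; h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE_VALUE\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject: Invoice\r\n"
    "\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    print("as sent:   ", body_hash_verifies(SAMPLE_MESSAGE))
    print("reflowed:  ", body_hash_verifies(SAMPLE_MESSAGE.replace("the  attached", "the attached")))
    print("tampered:  ", body_hash_verifies(SAMPLE_MESSAGE.replace("attached invoice", "updated bank details")))
```

Relaxed canonicalization is why a relay that re-wraps whitespace does not break the signature, while any change to the words does; the header hash signed in b= works the same way over the headers listed in h=.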
What is DMARC or Domain-Based Message Authentication, Reporting & Conformance?
SPF and DKIM are vital email authentication standards but they’re only partial solutions, each with their own exploitable shortfalls. Here’s where you’ll need DMARC. It leverages SPF and DKIM tools to give your organization’s email infrastructure extra protection from phishing and spoofing.
PayPal, Google, Microsoft, Yahoo!, and other leading organizations worked together to create the DMARC specification, first published on January 30, 2012.
DMARC is designed to blend into any mailing process with minimal effort and helps determine if the message fits what the recipient knows about the sender.
First, it uses SPF alignment: the domain in the “Header From” must match the one in the “Return-Path.”
Second, it uses DKIM alignment: the domain in the DKIM signature, carried in the “d=” tag, must match the “Header From” domain.
With full SPF, DKIM, and DMARC implementation and compliance, you’re essentially telling recipient servers that all emails claiming to originate from your domain or organization must:
- Pass SPF authentication (indicating the sender is authorized according to your domain’s SPF record).
- Pass DKIM authentication (indicating the DKIM signature and public key in the DKIM record match).
- Pass at least one alignment check (SPF and/or DKIM alignment, indicating the “Return-Path” and/or DKIM signature domain matches the “Header From” address).
This way, your legitimate emails have better deliverability rates and any failed or unauthorized messages don’t make it to the recipient’s inbox. Of course, you need to implement a strict DMARC policy, which tells receiving email providers how to handle all emails claiming to come from your domain (legitimate and otherwise).
There are three options:
- Accept all emails, whether DMARC authentication passes or fails (policy “none”)
- Send failed emails to spam (“quarantine” policy)
- Reject failed emails entirely (“reject” policy)
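The alignment rules and the three policies above can be checked mechanically. The following added example, not from the original article, evaluates a message's DMARC result in Python from the SPF and DKIM outcomes, the three domains involved, and a constructed _dmarc TXT record. It assumes an in-memory DNS table, simplifies the organizational domain to the last two labels (a real receiver consults the Public Suffix List), and ignores the sp=, pct= and rua= tags beyond parsing them.

```python
# Constructed DNS data standing in for real _dmarc.<domain> TXT lookups (assumption).
FAKE_DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}


def parse_dmarc_record(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: no Public Suffix List, so co.uk-style suffixes are not handled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain that shares the organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def evaluate_dmarc(header_from_domain, return_path_domain, spf_result,
                   dkim_d_domain, dkim_result):
    """Combine SPF/DKIM results with alignment and the published policy.

    Returns a dict with the DMARC result and the disposition the receiver
    should apply: 'none' (deliver), 'quarantine' or 'reject'.
    """
    record = FAKE_DMARC_TXT.get("_dmarc." + header_from_domain.lower())
    if record is None:
        return {"dmarc": "none", "spf_aligned": False,
                "dkim_aligned": False, "disposition": "none"}
    tags = parse_dmarc_record(record)
    # SPF counts only if it passed AND the Return-Path domain aligns with Header From.
    spf_aligned = spf_result == "pass" and is_aligned(
        header_from_domain, return_path_domain, tags.get("aspf", "r"))
    # DKIM counts only if a signature verified AND its d= domain aligns with Header From.
    dkim_aligned = (dkim_result == "pass" and dkim_d_domain is not None
                    and is_aligned(header_from_domain, dkim_d_domain, tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned  # one aligned pass is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # p= is mandatory in a valid record; defaulting to 'none' keeps the example safe.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Bounce subdomain in Return-Path: relaxed SPF alignment saves it.
    print(evaluate_dmarc("example.com", "bounce.example.com", "pass", "example.com", "pass"))
    # Third-party mailer signing with a subdomain while adkim=s: fails, policy reject.
    print(evaluate_dmarc("example.com", "mailer-service.example", "pass", "news.example.com", "pass"))
    # Same situation under a p=none domain: fails, but still delivered and only reported.
    print(evaluate_dmarc("example.net", "other.example", "fail", "other.example", "pass"))
```

The second case is the one that surprises teams moving to p=reject: SPF and DKIM both pass on their own, yet neither is aligned with the Header From, so DMARC fails. The aggregate reports sent to the rua= address are how you find such senders before tightening the policy.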
DMARC’s reporting mechanism also provides greater visibility of your email channel to monitor, detect, and prevent emails that claim to be authentic or authorized when they’re not.
How to Get Started With SPF, DKIM, and DMARC
EasyDMARC is all about email authentication with a platform providing a great all-in-one solution. We have a range of advanced SPF, DKIM, and DMARC checker and generator tools to make implementation EASY.
Our platform can help you:
- Create, generate, and set up SPF, DKIM, and DMARC records
- Investigate email issues
- Check phishing URLs
- Detect possible problems
- Implement BIMI
- Receive DMARC reporting
- Get executive-level support.
Check our toolbox, sign up for a 14-day free trial, and make your DMARC journey simple with EasyDMARC!