{"id":31118,"date":"2022-11-16T13:39:20","date_gmt":"2022-11-16T13:39:20","guid":{"rendered":"https:\/\/easydmarc.com\/blog\/?p=31118"},"modified":"2026-03-18T04:13:42","modified_gmt":"2026-03-18T04:13:42","slug":"dmarc-dkim-and-spf-three-musketeers-of-email-authentication","status":"publish","type":"post","link":"https:\/\/easydmarc.com\/blog\/dmarc-dkim-and-spf-three-musketeers-of-email-authentication\/","title":{"rendered":"DMARC, DKIM, and SPF: Three Musketeers of Email Authentication"},"content":{"rendered":"

Email is the oldest online communication method, with 57 years of history.<\/span><\/p>\n

When inventing the first version of email in 1965, researchers from the Massachusetts Institute of Technology couldn’t have imagined it would become so essential in human and technological progress.<\/span><\/p>\n

But as email has evolved, it has become the most common target for cyberattacks.\u00a0<\/span><\/p>\n

Today, organizations continue to experience phishing attacks costing millions of dollars in damages each year.\u00a0<\/span><\/p>\n

That’s why email security plays a crucial role in today’s business communications. At its core, <\/span>DMARC<\/span><\/a>, <\/span>DKIM<\/span><\/a>, and <\/span>SPF<\/span><\/a> are the three musketeers that save the day.<\/span><\/p>\n

These email authentication protocols are inventions of different periods but work together to prove that an email comes from a legitimate owner. This, in turn, prevents the delivery of fraudulent phishing, spam, and spoofed emails. Let’s dive deeper into what SPF, DKIM, and DMARC are and how they work.<\/span><\/p>\n

What is SPF or Sender Policy Framework?<\/b><\/h2>\n

SPF was the first of these three modern email authentication standards to be created.\u00a0<\/span><\/p>\n

In 2002, <\/span>the first attempt at an SPF-like specification<\/span><\/a> was presented to the Internet Engineering Task Force\u2019s (IETF) “namedroppers” mailing list.<\/span><\/p>\n

In the past, SPF was called ‘Sender Permitted From’ and SMTP+SPF. In February 2004, the name was changed to Sender Policy Framework when the IETF formed a working group to develop email authentication standards (called MARID).<\/span><\/p>\n

The Internet Engineering Steering Group (IESG), as an IETF experiment, approved this version of the specification in July 2005 and invited the community to observe SPF during the two years after publication.<\/span><\/p>\n

The SPF RFC was published as experimental RFC 4408 on April 28, 2006. By 2014, the IETF published SPF in RFC 7208 as a \u201cproposed standard.\u201d<\/span><\/p>\n

SPF is an email authentication protocol<\/span><\/a> that prevents <\/span>email spoofing<\/span><\/a> and phishing by creating a process that instructs email service providers (ESPs) to only accept emails from servers authorized by the sending domain’s administrators.<\/span><\/p>\n

Thus, mail recipient servers can use SPF to ensure incoming messages <\/span>claiming<\/span><\/i> to come from a particular domain <\/span>do<\/span><\/i>. This helps legitimate emails land in a recipient’s inbox and prevents them from ending up in spam\u2014all while blocking emails from unauthorized sources.<\/span><\/p>\n

From a configuration standpoint, SPF is implemented via a TXT record published in a domain\u2019s DNS. It allows an organization to define authorized sources, including IP addresses and domains. To establish this email authentication, you need to <\/span>generate an SPF record<\/span><\/a>.<\/span><\/p>\n

What is DKIM or DomainKeys Identified Mail?<\/b><\/h2>\n

DKIM or DomainKeys Identified Mail was created in 200<\/span><\/a>7<\/span> by merging two specifications: DomainKeys from Yahoo! and Identified Internet Mail from CISCO.<\/span><\/p>\n

By 2011, DKIM developed into a new, widely adopted authentication technique registered as RFC 6376 by the IETF. Nowadays, all top ISPs like Google, Microsoft, and Yahoo! check incoming mail for DKIM signatures.<\/span><\/p>\n

DKIM<\/span><\/a> allows domain\/organization owners to send digitally signed emails so the receiver can validate that the message is authentic and wasn\u2019t altered in transit. This verification is possible through cryptographic authentication.<\/span><\/p>\n

Public cryptography is an encryption method involving a key pair of distinct alphanumeric strings. The private key is kept secret. It\u2019s used to add an encrypted signature to an outgoing email\u2019s headers. The public key is available to servers and must be published in the DNS, <\/span>via the DKIM record<\/span><\/a>.\u00a0<\/span><\/p>\n

When a mail server receives an incoming email, it retrieves the sender\u2019s public key to decrypt the signature, and if the values match, the email is authenticated.<\/span><\/p>\n

What is DMARC or Domain-Based Message Authentication, Reporting & Conformance?<\/b><\/h2>\n

SPF and DKIM are vital email authentication standards but they\u2019re only partial solutions, each with their own exploitable shortfalls. Here’s where you’ll need DMARC. It leverages SPF and DKIM tools to give your organization\u2019s email infrastructure extra protection from phishing and spoofing.<\/span><\/p>\n

PayPal, Google, Microsoft, Yahoo!, and other leading organizations worked together to <\/span>create the DMARC specification<\/span><\/a>, first published on January 30, 2012.<\/span><\/p>\n

DMARC<\/span><\/a> is designed to blend into any mailing process with minimal effort and helps determine if the message fits what the recipient knows about the sender.<\/span><\/p>\n

It uses SPF to ensure that the domain in the “Header From” matches the one in the “Return-Path.\u201d<\/span><\/p>\n

Secondly, it ensures that the domain in the DKIM signature, known as the”d=domain name” \u00a0 matches the “Header From” address.\u00a0<\/span><\/p>\n

With full SPF, DKIM, and <\/span>DMARC implementation<\/span><\/a> and compliance, you\u2019re essentially telling recipient servers that all emails claiming to originate from your domain or organization must:<\/span><\/p>\n