Mikkel Damgaard


What is SPF, DKIM and DMARC, and what is it used for?

SPF, DKIM, and DMARC are essential email authentication mechanisms designed to enhance email security, prevent spoofing, and ensure the integrity of email communications. Together, these protocols form a strong defense against common email-based attacks, such as phishing and spamming, by verifying the legitimacy of an email and ensuring its contents have not been tampered with.

SPF - Sender Policy Framework

SPF (Sender Policy Framework) is the first and most basic layer of mail security. SPF allows the owner of a domain to specify which mail servers are authorized to send email on behalf of that domain. It does this by publishing an SPF record in the domain’s DNS. When an email is received, the recipient’s mail server looks up the SPF record of the sender domain and checks whether the mail server that sent the message is defined in that record. If the server isn’t listed in the SPF record, the email is flagged as suspicious. While SPF is effective in verifying server authenticity, it does not validate the contents of the email or protect against email header manipulation.

SPF provides a few configuration options, and it is very important to understand them so that the right settings are used. A typical SPF record looks something like this:

v=spf1 include:example.com -all

The “-all” option is very important, as it determines the action taken for an email that does not match the policy.

  • -all tells a mail server to reject anything not listed in the SPF record.
  • ~all means all senders that are not included will soft fail; the mail server that receives the message should treat it as suspicious rather than reject it right away.
  • +all allows all email servers, including servers that are not defined in SPF (this setting is not recommended in any scenario).
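As an added example (not code from the original page), here is a small SPF evaluator in Python that walks a record’s mechanisms and applies the qualifier semantics listed above, including the “include” and “all” terms. It uses a constructed in-memory DNS table in place of real TXT lookups; the domains and IP addresses are made up for the illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real checker
# would query the resolver instead of this dictionary).
FAKE_DNS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "insecure.example": "v=spf1 +all",  # the "+all" setting the text warns about
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate sender_ip against the SPF record published for domain.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:  # loosely mirrors the RFC 7208 limit on nested lookups
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # "all" always matches, so its qualifier decides the result
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # IPv4 addresses never fall inside IPv6 networks and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include only matches when the referenced record yields "pass";
            # a softfail or fail there just moves on to the next term
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record has no "all"
```

Note that the soft fail from mail.example.net does not count as a match inside the include, so an unknown sender still ends at the parent record’s -all.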

DKIM - DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) adds another layer by allowing the sender to attach a digital signature to the email. This signature is created using a private key that matches a public key published in the sender’s DNS as a TXT record. When an email is received, the recipient’s mail server uses the public key to verify the signature.

Because the private key is needed to create a signature that the public key can verify, it is not possible for a mail server on the internet to change the email’s content without breaking the signature.

DMARC - Domain-based Message Authentication, Reporting and Conformance

DMARC (Domain-based Message Authentication, Reporting, and Conformance) binds SPF and DKIM together and provides a policy framework to instruct receiving mail servers on how to handle emails that fail authentication. A DMARC policy is published in the DNS of the domain and can specify actions such as “none” (no action, just monitor), “quarantine” (send suspicious emails to spam), or “reject” (block the email outright). DMARC also offers reporting features, allowing domain owners to receive feedback about the authentication results of their emails. This visibility helps in identifying unauthorized use of the domain and fine-tuning email authentication configurations.

I would recommend setting the DMARC policy to none for around 30 days; this can be more or less depending on how regularly email is sent with your domain. In this period you should use a third-party provider such as Valimail to generate reports about the email usage of your domain.

After the monitoring period, go through the report to check that all email traffic looks legitimate, and ensure that every sender that should send on behalf of your domain is allowed in the SPF record and configured with DKIM. Once you have confirmed that all your email services are configured correctly, you can change the DMARC policy to quarantine, which will start quarantining messages that are not accepted by DMARC. After running DMARC with quarantine for some time and ensuring it is not blocking any valid emails, you can set the policy to reject.

SUMMARY

The combined use of SPF, DKIM, and DMARC creates a robust system that secures your domain against email spoofing. By implementing these settings in your organisation you will also achieve a higher trust level for the emails you send, which means they are less likely to end up in the recipient’s spam or quarantine filter.
