Email Authentication With SPF, DKIM, and DMARC

The time when you could send an email to a mailing list through the magic “send” button and assume that your message had instantly delivered to the inbox of all the recipients is so far away.

Over the years, it has become clear that email is a powerful communication tool that, if properly used, can not only help but even become the main income source tool for a company. This means everyone wants to get their hands on email marketing – even the bad guys.

The increase in global email traffic, globalization, cybercrime and, who knows, maybe even global warming (it seems to be responsible for everything), have made it necessary to introduce regulations and tools to raise the IT security level. The email world can be a dangerous place and your communications deserve to be protected.

SPF, DKIM, and DMARC are three acronyms with which email marketers will have to get more familiar in order to prevent hackers from using your brand to spam or domain spoof, as well as being informed about phishing attempts through alert notifications.

How do SPF, DKIM, and DMARC work?Instead of drowning in jargon (which we will do later), let’s visit an analogy to explain the concepts of SPF, DKIM, and DMARC. The SPF record is a “document” that contains the name of the only authorized “virtual postman” – let’s call him Pat – who is in charge of delivering your email to the recipient. If done this way, the recipient will accept the message without batting an eye.

Sometimes Pat is sick at home and has to delegate the message delivery to his colleague, Jess. Most recipients will be suspicious of Jess, as they don’t know her. In this case, a forwarded email will lose the SPF features of the initial sender. However, with the help of the DKIM, Jess will also be able to deliver the message, because it will be properly signed by the original sender.

The DMARC dog, thanks to his good sense of smell, knows if the postman and his mail are fraudulent. He will start barking in order to alert the recipient about the upcoming scam danger. However, this smart DMARC dog can be also trained to let the postman pass through safely or, on the flipside, be trained to eat his mail.

This trio of SPF, DKIM and DMARC has now become a global standard, which means that your message can be properely delivered into the highly-coveted email inbox. Almost all providers accept this type of safety measure.

In the remainder of this post, I will dive into the technical specifics, including the utility, application, and functioning of these indispensable email authentication tools.

1. SPF = Sender Policy Framework

SPF is a protocol that authorizes an IP address to deliver to a recipient, put in place to counter phising attempts. This information is added to the DNS area of ​​the control panel sending domain.

When the recipient’s server receives the email, it compares the sender’s IP and the IP in the DNS and, if both are the same, it accepts the message and delivers it to the inbox. Otherwise, it returns a message by stating “Error 550 – Message rejected because SPF check failed” or delivers the message to the junk folder.

Since the SPF record is public data, it is possible to verify its propagation process through a DNS request via web or through some tools available online, such as: http://www.kitterman.com/spf/validate.html.

2. DKIM = DomainKeys Identified Mail

DKIM is usually a 1024 or 2048 bit encrypted key that has to be coupled with the sender domain, used to fight email spoofing. Upon receiving the email from the recipient’s server, it verifies whether the key, published in the email header, belongs to the one related to the sender domain. If not, they assume that the email has been intercepted by third parties and modified.

As for the SPF, DKIM implementation requires publication in the DNS area with the public key and signature visible in the message header.

To reiterate, the possible results of the record check can be:

• Pass: the signature received matches with the public key
• Fail: the signature received is not related to the public key of the sending domain, which means that the message has been modified somehow.

Further possible errors could be Softfail,Neutral, None, Permerrorand Temperror. Obviously, only the Pass status is to be considered as a record correctly entered. To verify the correct add and propagation of the DKIM key, use this tool: https://dkimcore.org/tools/keycheck.html.

3. DMARC = Domain-Based Message Authentication, Reporting & Conformance
By publishing a DNS record, you will receive an alert whenever a domain that is not properly configured (doesn’t pass the SPF and DKIM validation) is used as sender. This way you know when, who, and how, your identity is used on the web.

The DMARC record published on your domain will have a similar syntax:

v = DMARC1; p = none; rua = mailto: alias@mydomain.com; ruf = mailto: dk @ bounce.apple.com, mailto: alias@mydomain.com

To check if the DMARC record has been correctly applied to your domain, use this tool: https://dmarcian.com/dmarc-inspector/.

Currently, DMARC is the most effective solution to fight domain spoofing, even if the war to keep the bad guys away from our emails is not completely won. The question that still remains hard to answer is how to be sure that a domain with a valid DMARC signature really belongs to the brand it pretends to. The solution lies with BIMI (Brand Indicator for Message Identification) – read about all about it in our latest blog!

In terms of information technology security, using SPF, DKIM and DMARC is the best response to email spoofing. Mapp uses SPF and DKIM as a default. If you’d like to be supported with DMARC, please contact us, we’re happy to help.

p.s.: No postmen were harmed in the making of this blog post!