DKIM, SPF and DMARC: A Guide

    Implement DKIM, SPF, and DMARC to safeguard against email fraud and cyber threats, ensuring user protection.
    Overview

    What are SPF, DKIM, and DMARC?

    Email remains the number one communication tool globally, with organizations relying on it heavily despite the rise in popularity of instant messengers and other communication tools. However, while email is familiar to almost every kind of Internet user, the ways in which it protects both senders and recipients from phishing attacks, spam, and other types of email fraud are less well known.

    DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are three technologies that are commonly used by ISPs (Internet Service Providers) to protect users from cyber threats and email fraud, improving the legitimacy of delivered emails and reducing the risk of in-transit interference.

    In this guide, we look at DKIM, SPF, and DMARC in more detail, explore the differences between DMARC, DKIM, and SPF and why they are important, and provide some information on how to properly set up each of these vital technologies. Read on to learn more and discover how email authentication protects your data behind the scenes.

    What is email authentication?

    Email authentication is typically achieved using cryptographic techniques, such as digital signatures and encryption, to verify the identity of the sender and to protect the message content from tampering. This process involves the use of several technologies, including DKIM, SPF, and DMARC, which work together to provide a comprehensive email authentication system.

    When an email message is authenticated, it gives the recipient a high level of confidence that the message is legitimate and not spam or phishing. It also helps prevent spoofing, where an attacker impersonates a trusted sender, by ensuring the message originated from the claimed domain or IP address.

    Why is email authentication important?

    With the continuing evolution of cybercrime and a rise in threat actors, email authentication is vital to any organization’s cybersecurity program. However, for all the protection DKIM, DMARC, and SPF offer, an incorrect configuration can impair a user’s ability to send and receive email, leading to legitimate messages being rejected, marked as spam, or intercepted by unauthorized parties. This can result in communication breakdowns, loss of sensitive information, and reputational damage for individuals and organizations.

    In addition, email authentication provides protection in the following important ways:

    • Preventing phishing attacks — Phishing attacks are a common type of email fraud where an attacker impersonates a trusted sender to trick the recipient into revealing sensitive information. Email authentication can help to prevent phishing by verifying the identity of the sender and ensuring that the message is legitimate.
    • Protecting brand reputation — Email authentication can help to protect the reputation of an organization's brand by preventing cybercriminals from using fake email addresses or domains to send spam or phishing messages that damage the organization's reputation.
    • Enhancing email security — Email authentication helps to enhance the overall security of email communications by preventing unauthorized access, tampering, and interception of email messages.
    • Compliance with regulations — Some industries and jurisdictions have regulations that require email authentication to be implemented. Compliance with these regulations is important to avoid penalties and legal consequences.

    Types of email authentication

    DKIM, SPF, and DMARC each contribute to effective email authentication, with the three technologies working together to ensure email is both safe and fully deliverable. Below, we look at SPF, DKIM, and DMARC in more detail:

    What is DKIM?

    DKIM (DomainKeys Identified Mail) is an email authentication technology that uses cryptographic signatures to verify the authenticity of email messages. When an email message is sent, DKIM adds a digital signature to the message header, which the recipient's email server can verify to ensure that the message has not been tampered with in transit and that it originated from the claimed sender domain.

    What is SPF?

    SPF (Sender Policy Framework) is an email authentication technology that allows the owner of a domain to specify which IP addresses are authorized to send email on behalf of that domain. When an email message is received, the recipient's email server checks the SPF record for the sender domain to ensure that the message is coming from an authorized IP address. If the SPF check fails, the message may be marked as spam or rejected.

    What is DMARC?

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication technology that provides policy and reporting mechanisms for DKIM and SPF. DMARC allows the domain owner to specify how email messages that fail DKIM and SPF checks should be handled, and it provides feedback on the results of those checks. DMARC helps to prevent email spoofing and phishing by ensuring that email messages are only accepted if they meet the authentication policies specified by the domain owner.

    [Infographic: types of email authentication: SPF, DMARC, and DKIM]

    How do DKIM, SPF, and DMARC differ?

    While DKIM, SPF, and DMARC are all email authentication technologies that help prevent email fraud and improve email deliverability, they differ in several ways. Here, we list some of the main differences between DKIM, SPF, and DMARC:

    DKIM

    • Uses cryptographic signatures to verify the authenticity of email messages.
    • Adds a digital signature to the message header that the recipient's email server can verify.
    • Helps prevent email spoofing and phishing attacks by ensuring that the email message has not been tampered with in transit.
    • Can be used to verify the integrity of the message content and to authenticate the sender's domain.

    SPF

    • Uses DNS records to verify which IP addresses are authorized to send emails on behalf of a particular domain.
    • Helps prevent email spoofing and phishing attacks by ensuring that the email message comes from an authorized IP address.
    • Can help prevent email messages from being marked as spam or rejected by the recipient's email server.

    DMARC

    • Provides policy and reporting mechanisms for DKIM and SPF.
    • Helps ensure that email messages are only accepted if they meet the authentication policies specified by the domain owner.
    • Can help prevent email spoofing and phishing attacks by providing feedback on the results of DKIM and SPF checks.

    Where are SPF, DKIM, and DMARC records stored?

    SPF, DKIM, and DMARC records are all stored in the Domain Name System (DNS), which acts as the internet's directory for translating domain names into IP addresses.

    Here's a breakdown of where each type of record is stored:

    SPF (Sender Policy Framework) Records

    Stored as DNS TXT records, SPF records specify which IP addresses can send emails on behalf of a domain. The recipient’s email server checks these records to verify the sender’s legitimacy.

    DKIM (DomainKeys Identified Mail) Records

    DKIM records, also stored as DNS TXT records, contain the public key used to verify the DKIM signature in the email header. This ensures the email hasn’t been altered and originates from the claimed domain.

    DMARC (Domain-based Message Authentication, Reporting & Conformance) Records

    DMARC records, similarly stored as DNS TXT records, define policies for handling emails that fail SPF and DKIM checks. They specify whether to reject, quarantine, or monitor such emails and provide reporting mechanisms for authentication results.

    By leveraging the DNS, these records enable global email servers to verify email authenticity, protecting against fraud and phishing.
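The three record types above share the DNS TXT transport but use two different syntaxes: SPF is a whitespace-separated list of qualified mechanisms, while DKIM key records and DMARC records are `tag=value;` lists. The following parser is an added example written for this guide, not Mimecast code or part of any mail product; the records it parses are constructed samples using placeholder domains and addresses, and the `p=` value stands in for a real base64 public key. It also flags two misconfigurations the page's advice depends on: an SPF record that needs more than 10 DNS lookups (which evaluates to permerror under RFC 7208) and a DMARC record missing its mandatory `p=` policy.

```python
import re

# Constructed sample records; example.com/example.net and the RFC 5737/3849 addresses are placeholders.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net mx -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=s; pct=100"

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that each cost a DNS lookup during evaluation; RFC 7208 caps a record at 10 of them,
# and exceeding the cap turns every check for the domain into a permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_spf(record):
    """Split an SPF TXT record into qualified mechanisms and count its DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must begin with v=spf1")
    mechanisms, lookups = [], 0
    for term in terms[1:]:
        if "=" in term:                       # modifier, e.g. redirect=_spf.example.org or exp=...
            name, value = term.split("=", 1)
            name = name.lower()
            mechanisms.append({"qualifier": None, "name": name, "value": value})
        else:
            qualifier = "+"                   # the default qualifier is Pass
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            match = re.match(r"[a-zA-Z0-9]+", term)
            if not match:
                raise ValueError(f"malformed SPF term: {term!r}")
            name = match.group(0).lower()
            value = term[len(name):].lstrip(":") or None   # e.g. '192.0.2.0/24', '/24', or nothing
            if name not in SPF_MECHANISMS:
                raise ValueError(f"unknown SPF mechanism: {name}")
            mechanisms.append({"qualifier": qualifier, "name": name, "value": value})
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"mechanisms": mechanisms, "dns_lookups": lookups, "within_lookup_limit": lookups <= 10}


def parse_tag_list(record):
    """DKIM key records and DMARC records both use 'tag=value;' lists."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def parse_dkim_key(record):
    """Read the public-key record published at <selector>._domainkey.<domain>."""
    tags = parse_tag_list(record)
    if tags.get("v", "DKIM1") != "DKIM1":     # v= is optional in key records but must be DKIM1 if present
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("DKIM key record has no p= tag")
    return {
        "key_type": tags.get("k", "rsa"),
        "public_key": tags["p"],
        "revoked": tags["p"] == "",           # an empty p= means the key has been revoked
    }


def parse_dmarc(record):
    """Read the policy record published at _dmarc.<domain>."""
    tags = parse_tag_list(record)
    if record.split(";")[0].strip() != "v=DMARC1":   # v= must be the first tag
        raise ValueError("DMARC record must begin with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return {
        "policy": tags["p"],
        "subdomain_policy": tags.get("sp", tags["p"]),
        "dkim_alignment": "strict" if tags.get("adkim", "r") == "s" else "relaxed",
        "spf_alignment": "strict" if tags.get("aspf", "r") == "s" else "relaxed",
        "percent": int(tags.get("pct", "100")),
        "aggregate_report_uris": tags["rua"].split(",") if tags.get("rua") else [],
    }


if __name__ == "__main__":
    print(parse_spf(SPF_RECORD))
    print(parse_dkim_key(DKIM_RECORD))
    print(parse_dmarc(DMARC_RECORD))
```

Running the parsers against records fetched from your own zone is a quick sanity check before a DMARC policy is tightened: the sample SPF record costs two lookups (`include` and `mx`), the DKIM record is not revoked, and the DMARC record quarantines failures with strict SPF alignment but relaxed DKIM alignment.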

    [Image: Mimecast guide on how to set up DKIM, SPF, and DMARC, with icons for each and a screenshot showing DNS record setup options]

    How to Set Up DKIM, SPF, or DMARC

    Setting up DKIM, SPF, or DMARC is a technical job best left to the experts. However, it is a crucial step to ensure that your emails are properly authenticated and delivered to your intended recipients. Here's a general overview of how to set up each authentication method so you can run an SPF, DMARC, and DKIM check on your email.

    DKIM

    1. Generate a public/private key pair for your domain.
    2. Create a DNS TXT record containing the public key.
    3. Use the private key to add a DKIM signature to your email messages.
    4. Configure your email server to use DKIM to sign outgoing email messages.
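Step 3 is where the "has not been tampered with" guarantee comes from: the signer hashes a canonicalized copy of the body into the `bh=` tag, and the recipient recomputes that hash before it even fetches the public key from DNS. The code below is an added example written for this guide, not Mimecast code or a library's implementation; it implements RFC 6376 body canonicalization (both "simple" and "relaxed") and the `bh=` check on a constructed message. The `b=` value in the sample header is a labelled placeholder: computing and verifying the real signature needs an RSA or Ed25519 key pair and the published key record, which are outside this example.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 s3.4.3 ('simple') or s3.4.4 ('relaxed') body canonicalization."""
    if mode == "simple":
        # Ignore all empty lines at the end of the body; the result always ends in one CRLF.
        while body.endswith(b"\r\n\r\n"):
            body = body[:-2]
        return body if body.endswith(b"\r\n") else body + b"\r\n"
    if mode != "relaxed":
        raise ValueError(f"unknown body canonicalization: {mode}")
    lines = []
    for line in body.split(b"\r\n"):
        line = line.rstrip(b" \t")                      # ignore whitespace at end of line
        lines.append(re.sub(rb"[ \t]+", b" ", line))    # collapse runs of WSP to a single SP
    while lines and lines[-1] == b"":                   # ignore empty lines at end of body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""   # an empty body stays empty


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body (rsa-sha256 / ed25519-sha256)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace in values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """First verifier step: does the bh= in the header match the body that actually arrived?"""
    tags = parse_dkim_signature(dkim_signature)
    if not tags.get("a", "").endswith("-sha256"):
        raise ValueError("only sha256-based algorithms are handled in this example")
    if "l" in tags:
        raise ValueError("body length limits (l=) are not handled in this example")
    # c= is 'header/body'; a bare 'relaxed' means relaxed headers and the default simple body.
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags.get("bh")


# Constructed sample body with trailing whitespace and blank lines that relaxed canonicalization
# normalizes, so harmless reformatting by an intermediate MTA does not invalidate bh=.
SAMPLE_BODY = b"Hello,  \r\n\r\nPlease   review the   invoice.\t \r\n\r\n\r\n"

# Constructed DKIM-Signature: d= and s= name the DNS key record selector1._domainkey.example.com;
# b= is a placeholder because the real signature needs the private key.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    print("original body matches bh=:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"review", b"approve")
    print("tampered body matches bh=:", body_hash_matches(SAMPLE_SIGNATURE, tampered))
```

The relaxed mode is what most signers choose because it survives whitespace changes in transit; a single changed word in the body, however, produces a different hash and the message fails DKIM before any cryptography is involved.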

    SPF

    1. Create a DNS TXT record for your domain listing the authorized IP addresses allowed to send email on your behalf.
    2. Add the "include" mechanism to your SPF record if you are using a third-party email service, such as Mailchimp or Gmail, to send email on your behalf.
    3. Test your SPF record to make sure it is correctly configured.
    4. Configure your email server to use SPF to validate incoming email messages.

    DMARC

    1. Create a DMARC policy for your domain, specifying whether to reject, quarantine, or monitor email messages that fail authentication checks.
    2. Create a DNS TXT record containing your DMARC policy for your domain.
    3. Monitor your email traffic to identify any issues with your authentication setup.
    4. Configure your email server to send DMARC reports to your specified email address.

    It's important to note that the specific steps for setting up DKIM, SPF, and DMARC may vary depending on your email service provider and other technical details. It's recommended to follow detailed instructions provided by your email provider or consult with an email security expert to ensure your authentication setup is configured correctly.

    How to check if DKIM, SPF, and DMARC are configured correctly

    To check if an email has passed SPF, DKIM, and DMARC authentication tests, you need to look for a few key indicators:

    Checking SPF (Sender Policy Framework): To ensure your emails pass this authentication check, look at the 'Received-SPF' header. If it reads 'pass', your messages pass SPF authentication.

    Checking DKIM (DomainKeys Identified Mail): To check if DKIM is passing, look at the 'Authentication-Results' header and search for DKIM. If DKIM is present and passes, it will be indicated in the header.

    Checking DMARC (Domain-based Message Authentication, Reporting & Conformance): To check if DMARC is passing, look at the 'Authentication-Results' header, and search for the DKIM and SPF values. If both DKIM and SPF are present and read 'pass', your email has passed DMARC authentication.

    It’s important to note that DKIM and SPF authentication results are only valid for the current email session, so it’s best practice to check them regularly. If DKIM, SPF, or DMARC checks fail, you may need to make adjustments to your domain’s records in order for emails to be delivered successfully.
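The three header checks above can be automated. What follows is an added example written for this guide, not Mimecast code or a mail client's own logic: it parses the `Received-SPF` and `Authentication-Results` headers of a constructed message (the hostnames, addresses and results are illustrative, not captured mail) using only the Python standard library. It also handles the caveat that matters in practice: a message may carry several `Authentication-Results` headers from different hops, and only the one written by your own receiving server (identified by its authserv-id) should be trusted, since anything added upstream could have been forged.

```python
import email
import re

# Constructed raw message; the hostnames, addresses and results are illustrative only.
RAW_MESSAGE = "\r\n".join([
    "Return-Path: <bounce@mail.example.com>",
    "Received-SPF: pass (mx.example.net: domain of mail.example.com designates"
    " 192.0.2.10 as permitted sender) client-ip=192.0.2.10;"
    " envelope-from=bounce@mail.example.com",
    "Authentication-Results: mx.example.net;",
    " spf=pass smtp.mailfrom=mail.example.com;",
    " dkim=pass header.d=example.com header.s=selector1;",
    " dmarc=pass (p=quarantine) header.from=example.com",
    "Authentication-Results: relay.example.org; dkim=fail header.d=example.com",
    "From: Alice <alice@example.com>",
    "To: bob@example.net",
    "Subject: Quarterly report",
    "",
    "Hello Bob",
    "",
]).encode("ascii")

RESULT_RE = re.compile(r"^([a-z0-9-]+)=([a-z]+)(.*)$", re.I)      # method=result, then properties
PROPERTY_RE = re.compile(r"([a-z]+\.[a-z]+)=([^\s;]+)", re.I)      # e.g. header.d=example.com


def parse_authentication_results(value: str):
    """Return (authserv-id, [{method, result, <ptype.property>: value, ...}, ...]) per RFC 8601."""
    value = re.sub(r"\([^)]*\)", "", value)         # drop comments such as (p=quarantine)
    value = re.sub(r"\s+", " ", value).strip()       # unfold continuation lines
    authserv_id, _, rest = value.partition(";")
    results = []
    for item in rest.split(";"):
        match = RESULT_RE.match(item.strip())
        if not match:
            continue                                 # skip empty or malformed entries
        method, result, props = match.groups()
        entry = {"method": method.lower(), "result": result.lower()}
        entry.update(dict(PROPERTY_RE.findall(props)))
        results.append(entry)
    authserv_id = authserv_id.split()[0].lower() if authserv_id.strip() else ""
    return authserv_id, results


def authentication_summary(raw_message: bytes, trusted_authserv_id: str) -> dict:
    """Collect spf/dkim/dmarc results, trusting only the header added by our own receiving MTA.

    Authentication-Results headers added by other hosts may be forged, so a receiving MTA
    removes any pre-existing header carrying its own authserv-id before adding its own, and a
    reader should consult only the header bearing the id of the MTA it trusts.
    """
    msg = email.message_from_bytes(raw_message)
    summary = {"spf": None, "dkim": None, "dmarc": None, "received_spf": None}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(header)
        if authserv_id != trusted_authserv_id.lower():
            continue
        for entry in results:
            if entry["method"] in summary:
                summary[entry["method"]] = entry
    received_spf = msg.get("Received-SPF")
    if received_spf:
        summary["received_spf"] = received_spf.split()[0].lower()   # the first token is the result
    return summary


if __name__ == "__main__":
    for method, entry in authentication_summary(RAW_MESSAGE, "mx.example.net").items():
        print(method, "->", entry)
```

For the sample message, trusting `mx.example.net` yields spf, dkim and dmarc all `pass`; trusting `relay.example.org` instead would report only a DKIM failure, which shows why the authserv-id filter matters.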

    Choosing the Right Solution for Your Business Email Communications

    When choosing the right solution for your business email communications, it's vital to consider several factors, such as the size of your organization, the level of security you require, and the complexity of your email infrastructure. You will likely use a combination of all three technologies; however, below, we run through DKIM vs. SPF vs. DMARC so you can make an informed choice.

    DKIM is used for organizations that want to authenticate the integrity of their email messages and verify the sender's domain. It can be particularly useful for organizations that send a large volume of email, such as financial institutions or e-commerce websites, as it can help prevent phishing attacks and other types of email fraud.

    SPF helps organizations verify that email messages come from an authorized IP address. It can be beneficial for small to medium-sized businesses that do not have a complex email infrastructure, as it is relatively easy to set up and implement.

    DMARC is a good choice for organizations that want to provide policy and reporting mechanisms for DKIM and SPF. It can be particularly useful for larger organizations that want to ensure that email messages are handled appropriately and meet their authentication policies.

    Conclusion: DKIM, SPF, DMARC

    Ultimately, the best solution for your business will depend on your specific needs and requirements. It may be helpful to consult with an email security expert to evaluate your current email infrastructure and determine which product or solution will provide the greatest benefits for your organization.

    For more information on SPF, DKIM, and DMARC, contact a member of the Mimecast team to discuss your specific requirements. Additionally, explore our blog for industry insights into today's cybersecurity landscape.

    DKIM, SPF, DMARC FAQs

    Does DMARC require both SPF and DKIM?

    No, DMARC (Domain-based Message Authentication, Reporting & Conformance) does not require both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to pass. DMARC allows domain owners to specify how emails that fail SPF and/or DKIM checks should be handled. This means that for an email to pass DMARC, it only needs to pass one of the underlying authentication checks—either SPF or DKIM—as long as it aligns with the domain in the "From" header.

    SPF and DKIM both serve to authenticate emails, but DMARC provides the additional benefit of alignment. When an email passes either SPF or DKIM and aligns with the domain specified in the "From" header, it can pass DMARC. This allows domain owners to enforce their email authentication policies more flexibly and effectively.

    Does DKIM work without DMARC?

    Yes, DKIM (DomainKeys Identified Mail) can work without DMARC (Domain-based Message Authentication, Reporting & Conformance). DKIM is an email authentication technology that adds a cryptographic signature to the email header. This signature can be verified by the recipient's email server to ensure the message has not been tampered with and that it originated from the claimed sender domain.

    While DKIM can function independently to verify the integrity of an email, it is often used in conjunction with DMARC to provide a more comprehensive email authentication solution. DMARC builds on DKIM and SPF (Sender Policy Framework) by specifying how to handle emails that fail these checks and providing reporting mechanisms. However, even without DMARC, DKIM alone can significantly enhance email security by preventing email spoofing and ensuring the authenticity of email messages.

    Can DMARC pass with just SPF?

    Yes, DMARC (Domain-based Message Authentication, Reporting & Conformance) can pass with just SPF (Sender Policy Framework). For an email to pass DMARC using SPF, the email must successfully pass the SPF check, and the domain in the "Return-Path" must align with the domain in the "From" header. If these conditions are met, the email can pass DMARC even if it does not have a valid DKIM signature.

    DMARC provides domain owners with the flexibility to enforce their email authentication policies using either SPF or DKIM. This means that an email can pass DMARC as long as it meets the alignment and authentication criteria specified by the domain owner, making DMARC a powerful tool in the fight against email fraud and phishing attacks.
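The three FAQ answers above all turn on one rule: DMARC passes when either SPF or DKIM passes and the domain it authenticated aligns with the "From" header domain. The function below is an added example written for this guide, not Mimecast code or a reference implementation; it evaluates that rule for one message, including the strict (`s`) and relaxed (`r`) alignment modes set by the `aspf`/`adkim` tags, and returns the disposition the `p=` policy would apply on failure. One simplification is labelled in the code: it treats the last two DNS labels as the organizational domain, whereas real verifiers consult the Public Suffix List. All domains and results are constructed.

```python
def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels. Real verifiers use the
    Public Suffix List so that, e.g., example.co.uk counts as one organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return organizational_domain(identifier_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results,
                   policy="none", adkim="r", aspf="r"):
    """Decide DMARC for one message.

    from_domain  : domain of the RFC5322.From header (what the recipient sees)
    spf_result   : 'pass', 'fail', ...; spf_domain is the RFC5321.MailFrom (Return-Path) domain
    dkim_results : list of (result, d=) tuples, one per DKIM-Signature header
    policy       : the p= tag of the From domain's DMARC record
    """
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(result == "pass" and is_aligned(d, from_domain, adkim)
                  for result, d in dkim_results)
    passed = spf_ok or dkim_ok                      # one aligned pass is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "disposition": "none" if passed else policy,   # p= applies only to failures
    }


if __name__ == "__main__":
    # SPF alone (relaxed): Return-Path mail.example.com shares its org domain with From example.com
    print(evaluate_dmarc("example.com", "pass", "mail.example.com", [], policy="quarantine"))
    # Same message under aspf=s: the subdomain no longer aligns and, with no DKIM, the policy applies
    print(evaluate_dmarc("example.com", "pass", "mail.example.com", [], policy="quarantine", aspf="s"))
    # DKIM alone rescues a forwarded message whose SPF broke in transit
    print(evaluate_dmarc("example.com", "fail", "forwarder.example.org",
                         [("pass", "example.com")], policy="reject"))
    # SPF and DKIM both pass for some other domain, but neither aligns with From: spoofing is rejected
    print(evaluate_dmarc("example.com", "pass", "bulk.example.org",
                         [("pass", "bulk.example.org")], policy="reject"))
```

The last scenario is the one DMARC exists for: a message can carry a perfectly valid SPF result and DKIM signature for the sender's own infrastructure and still fail, because neither authenticated identity matches the domain shown to the recipient.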
