Email authentication: SPF, DKIM, DMARC explained

By /
Email authentication: SPF, DKIM, DMARC explained

Email Authentication: SPF, DKIM, and DMARC Explained

Email, a cornerstone of modern communication, is unfortunately plagued by spam, phishing, and spoofing. These malicious activities not only clutter inboxes but also pose serious security risks, potentially leading to financial loss, identity theft, and reputational damage. To combat these threats, email authentication methods have been developed, including SPF, DKIM, and DMARC. This article provides a comprehensive explanation of these technologies, empowering users to understand and appreciate their role in securing email communication.

What is Email Authentication?

Email authentication is a set of techniques used to verify the legitimacy of an email sender. It aims to answer the fundamental question: “Is the email truly coming from the purported sender, or is it a forgery?” By validating the sender’s identity, email authentication helps to filter out fraudulent emails and ensure that recipients can trust the messages they receive.

The core problem that email authentication addresses lies in the inherent simplicity of the Simple Mail Transfer Protocol (SMTP), the protocol used to transmit email. SMTP doesn’t inherently verify the sender’s address, making it easy for spammers and phishers to “spoof” the “From” address and impersonate legitimate senders. Email authentication acts as a layer of security on top of SMTP to address this vulnerability.

SPF: Sender Policy Framework

SPF, or Sender Policy Framework, is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on their behalf. It works by publishing a DNS record that lists the authorized IP addresses or hostnames. When a receiving mail server receives an email, it checks the SPF record for the sender’s domain. If the sending server’s IP address is listed in the SPF record, the email is considered legitimate (at least in terms of SPF). If the IP address is not listed, the email is likely to be spoofed.

How SPF Works

Here’s a step-by-step breakdown of how SPF works:

  • The domain owner publishes an SPF record in their DNS zone. This record specifies the authorized sending sources for emails from that domain.
  • When an email is sent, the receiving mail server extracts the “MAIL FROM” address (also known as the “Return-Path” or “Envelope Sender” address) from the email header. This is the address that bounce messages are sent to.
  • The receiving server queries the DNS for the SPF record of the domain in the “MAIL FROM” address.
  • The receiving server compares the IP address of the sending server with the authorized sources listed in the SPF record.
  • Based on the comparison, the receiving server assigns an SPF result to the email. Common SPF results include:
    • Pass: The sending server is authorized to send emails for the domain.
    • Fail: The sending server is not authorized.
    • Softfail: The sending server is not authorized, but the receiving server should still accept the email (with a lower level of trust).
    • Neutral: The domain owner has not specified an SPF policy.
    • None: There is no SPF record for the domain.
    • TempError: A temporary error occurred during the DNS lookup.
    • PermError: A permanent error occurred during the DNS lookup.
  • The receiving server uses the SPF result as part of its spam filtering process.

Creating an SPF Record

An SPF record is a TXT record in the DNS zone. It starts with the version identifier “v=spf1” followed by a series of mechanisms and qualifiers. Mechanisms specify the authorized sending sources, while qualifiers specify how the receiving server should handle emails that don’t match the mechanisms.

Here are some common SPF mechanisms:

  • a: Matches if the sending server’s IP address resolves to the domain specified.
  • mx: Matches if the sending server’s IP address resolves to one of the domain’s mail exchangers (MX records).
  • ip4: Matches if the sending server’s IP address is within the specified IPv4 address range.
  • ip6: Matches if the sending server’s IP address is within the specified IPv6 address range.
  • include: Includes the SPF record of another domain. This is useful for outsourcing email sending to third-party providers.
  • all: Always matches. This should be used as the last mechanism in the record, preceded by a qualifier to specify how to handle non-matching emails.

Here are some common SPF qualifiers:

  • +: Pass (the default if no qualifier is specified).
  • -: Fail (hard fail).
  • ~: Softfail.
  • ?: Neutral.

Here are a few examples of SPF records:

  • v=spf1 mx a ip4:192.0.2.0/24 -all: This record allows emails to be sent from the domain’s MX servers, any server whose IP address resolves to the domain, and any server within the IPv4 address range 192.0.2.0/24. Emails from other sources should be rejected.
  • v=spf1 include:_spf.google.com ~all: This record includes the SPF record of Google (used for Google Workspace) and treats emails from other sources as softfails.
  • v=spf1 a mx ~all: This record allows emails to be sent from the domain’s MX servers and any server whose IP address resolves to the domain. Emails from other sources should be treated as softfails.

Limitations of SPF

While SPF is a valuable email authentication tool, it has some limitations:

  • Only authenticates the “MAIL FROM” address: SPF only authenticates the “MAIL FROM” address, not the “From” address that is displayed to the recipient. This means that an attacker can still spoof the “From” address while passing SPF.
  • Breaks with forwarding: When an email is forwarded, the “MAIL FROM” address is often changed, which can cause SPF to fail. This is because the forwarding server is now sending the email, but it’s not authorized in the original sender’s SPF record.
  • Limited to 10 DNS lookups: SPF records are limited to 10 DNS lookups to prevent denial-of-service attacks. This can be a problem for organizations that use multiple third-party email sending services.

DKIM: DomainKeys Identified Mail

DKIM, or DomainKeys Identified Mail, is an email authentication protocol that uses digital signatures to verify the authenticity and integrity of an email. Unlike SPF, which focuses on the sending server, DKIM focuses on the content of the email itself.

How DKIM Works

Here’s a step-by-step breakdown of how DKIM works:

  • The domain owner generates a private key and a corresponding public key. The private key is kept secret, while the public key is published in the DNS zone.
  • When an email is sent, the sending server uses the private key to create a digital signature of the email header and body.
  • The digital signature is added to the email header as a DKIM-Signature field.
  • When the receiving mail server receives the email, it extracts the DKIM-Signature field and uses the public key from the sender’s DNS record to verify the signature.
  • If the signature is valid, it means that the email content has not been tampered with during transit and that the email was sent by an authorized server.

Creating a DKIM Record

A DKIM record is a TXT record in the DNS zone. It contains the public key and other information needed to verify the DKIM signature.

Here’s an example of a DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnI62o+6w34l8LgX41E2aW+G111/E8j8f9q5p0V49W34567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijABCDEDFGH1987654321;

Here’s a breakdown of the key-value pairs in the record:

  • v: The DKIM version.
  • k: The key type (usually “rsa”).
  • p: The public key.

Before creating a DKIM record, you will need to generate a public/private key pair. Many tools and services can help you with this process. The selector (a name you choose to identify the key) is also needed for the sending server configuration.

Benefits of DKIM

DKIM offers several advantages over SPF:

  • Authenticates the email content: DKIM verifies that the email content has not been tampered with during transit.
  • Survives forwarding: Because DKIM authenticates the email content, it is not affected by forwarding.
  • Authenticates the “From” address: DKIM can be used to authenticate the “From” address, which is the address that is displayed to the recipient.

Limitations of DKIM

DKIM also has some limitations:

  • Requires key management: DKIM requires the generation and management of cryptographic keys, which can be complex.
  • Relies on DNS: DKIM relies on the DNS for public key distribution, which can be vulnerable to DNS spoofing attacks.
  • Doesn’t define policy: DKIM only verifies the signature; it doesn’t tell the receiving server what to do if the signature is invalid.

DMARC: Domain-based Message Authentication, Reporting & Conformance

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol that builds upon SPF and DKIM to provide a comprehensive framework for email authentication and policy enforcement. DMARC allows domain owners to specify how receiving mail servers should handle emails that fail SPF or DKIM checks, and it provides a mechanism for reporting authentication results back to the domain owner.

How DMARC Works

Here’s a step-by-step breakdown of how DMARC works:

  • The domain owner publishes a DMARC record in their DNS zone. This record specifies the DMARC policy for the domain, including how receiving servers should handle emails that fail SPF or DKIM checks.
  • When a receiving mail server receives an email, it performs SPF and DKIM checks.
  • The receiving server then checks the DMARC record for the sender’s domain.
  • The receiving server compares the SPF and DKIM results with the DMARC policy.
  • Based on the DMARC policy, the receiving server takes action on the email. Common actions include:
    • None: No action is taken. The email is delivered as usual.
    • Quarantine: The email is moved to the recipient’s spam folder.
    • Reject: The email is rejected by the receiving server.
  • The receiving server sends a report back to the domain owner with information about the authentication results.

Creating a DMARC Record

A DMARC record is a TXT record in the DNS zone. It must be placed on the `_dmarc` subdomain. It starts with the version identifier “v=DMARC1” followed by a series of tags and values.

Here’s an example of a DMARC record:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=r; aspf=r;

Here’s a breakdown of the key tags in the record:

  • v: The DMARC version.
  • p: The policy to apply to emails that fail DMARC authentication. Possible values are “none”, “quarantine”, and “reject”.
  • rua: The email address to which aggregate reports should be sent.
  • ruf: The email address to which forensic reports should be sent.
  • adkim: Alignment mode for DKIM. “r” for relaxed, “s” for strict. Relaxed allows for subdomain variations.
  • aspf: Alignment mode for SPF. “r” for relaxed, “s” for strict. Relaxed allows for subdomain variations.

DMARC Policy Options

The “p” tag in the DMARC record specifies the policy to apply to emails that fail DMARC authentication. There are three possible policy options:

  • None: This policy instructs receiving servers to take no action on emails that fail DMARC authentication. This is typically used for initial testing and monitoring of DMARC implementation.
  • Quarantine: This policy instructs receiving servers to move emails that fail DMARC authentication to the recipient’s spam folder.
  • Reject: This policy instructs receiving servers to reject emails that fail DMARC authentication. This is the strongest policy and provides the best protection against email spoofing.

Alignment

DMARC alignment refers to the degree to which the domain used for SPF and DKIM checks matches the domain in the “From” address. DMARC uses two types of alignment:

  • SPF Alignment: This checks whether the domain used for the SPF check matches the domain in the “From” address. The “aspf” tag in the DMARC record specifies the alignment mode for SPF. The possible values are “r” (relaxed) and “s” (strict).
  • DKIM Alignment: This checks whether the domain used for the DKIM signature matches the domain in the “From” address. The “adkim” tag in the DMARC record specifies the alignment mode for DKIM. The possible values are “r” (relaxed) and “s” (strict).

Benefits of DMARC

DMARC offers several benefits:

  • Prevents email spoofing: DMARC provides a strong defense against email spoofing by allowing domain owners to specify how receiving servers should handle emails that fail authentication.
  • Improves email deliverability: By authenticating emails, DMARC can improve email deliverability by ensuring that legitimate emails are not marked as spam.
  • Provides reporting: DMARC provides reporting on authentication results, allowing domain owners to monitor their email ecosystem and identify potential security threats.

Implementing DMARC

Implementing DMARC involves the following steps:

  • Implement SPF and DKIM: Ensure that SPF and DKIM are properly configured for your domain.
  • Publish a DMARC record with the “none” policy: Start with the “none” policy to monitor your email traffic and identify any potential issues.
  • Analyze DMARC reports: Analyze the DMARC reports to identify any legitimate emails that are failing authentication.
  • Adjust your SPF and DKIM configuration: Adjust your SPF and DKIM configuration to ensure that all legitimate emails pass authentication.
  • Transition to the “quarantine” or “reject” policy: Once you are confident that your email authentication is working correctly, you can transition to the “quarantine” or “reject” policy.

Conclusion

SPF, DKIM, and DMARC are essential email authentication technologies that play a crucial role in protecting users from spam, phishing, and spoofing. By understanding how these technologies work and implementing them correctly, domain owners can significantly improve the security and deliverability of their emails. While each technology has its limitations, when used together, they provide a robust defense against email-based attacks. The adoption of these authentication methods is continuously growing, strengthening the overall email ecosystem and fostering a more secure communication environment for everyone.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top