SPF, DKIM, DMARC - notes

SPF - Sender Policy Framework

Sender Policy Framework (SPF) is a mechanism for authenticating the server that sent an email. With an SPF record in place, receiving mail servers (mailbox providers and ISPs) can verify that the connecting server is authorised to send mail on behalf of a specific domain.

How does it work? You publish an SPF record, a DNS TXT record at the domain that lists the IP addresses (and, via include:, other domains' records) authorised to send on behalf of your domain. The receiving server looks up the SPF record for the domain in the envelope sender (the MAIL FROM / Return-Path address, or the HELO name when MAIL FROM is empty), not the From header the user sees, and checks whether the connecting IP matches one of the record's mechanisms. The outcome depends on the qualifier of the matching mechanism: a record ending in -all returns fail for unlisted IPs, ~all returns softfail and ?all returns neutral. Most receivers do not reject on an SPF fail alone, because published records are frequently stale or incomplete, and because legitimate mail that has been forwarded arrives from the forwarder's IP, which is not in the record. Instead the SPF result is passed on as one input to DMARC.
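The lookup and matching logic above, as an added example that is not part of the original notes. It evaluates a connecting IP against an SPF record using only the mechanisms that need no live DNS (ip4, ip6, include and all); the records for example.com and _spf.mailer.example are constructed for the demo and stand in for the DNS TXT lookups a real verifier would perform. The forwarder case is the 203.0.113.9 address: it is a legitimate relay, but it is not in the record, so the result is fail.

```python
import ipaddress

# Constructed sample SPF records standing in for DNS TXT lookups (not any real domain's records).
# example.com delegates part of its sending to a hypothetical bulk mailer via include:.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def check_spf(domain, ip, records=SPF_RECORDS, depth=0):
    """Evaluate the connecting IP against the SPF record of the MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists and
    redirect= need live DNS and are skipped in this offline example.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include: matches only when the included record itself yields pass
            matched = check_spf(arg, ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # mechanism not supported offline; ignored
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # 203.0.113.9 plays the role of a forwarding server that is not in the record.
    for src in ("192.0.2.7", "198.51.100.10", "203.0.113.9", "2001:db8::1"):
        print(f"{src:>16} -> {check_spf('example.com', src)}")
```

The include: mechanism is the usual way a domain authorises a third-party sender; note that a softfail inside the included record does not propagate, because include only matches on pass.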

The drawback of relying solely on SPF is that it does not survive email forwarding: the forwarding server's IP is not listed in the original domain's record, so the check fails even though the message is genuine. SPF also says nothing about the From address the recipient actually sees. These limitations lead us to DKIM.

DKIM - DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) is another method used to authenticate emails. Like SPF, DKIM relies on DNS records, but it authenticates the message content with a digital signature rather than the connecting IP, so it survives forwarding as long as the forwarder does not modify the signed parts of the message.

How does it work? The signing domain publishes a public key in a DNS TXT record at selector._domainkey.domain; the selector (the s= tag) lets a domain rotate keys or run several signers side by side. The key pair is generated by whoever signs the mail, which is usually the organisation's email provider (Google for Google Workspace, Microsoft for Microsoft 365, or a third-party sending service). The sending server adds a DKIM-Signature header to each message containing the signing domain (d=), the selector (s=), the list of signed headers (h=), a hash of the canonicalised body (bh=) and a signature (b=) computed over the selected headers with the private key. This is a signature, not encryption: the message stays readable, but any change to the signed headers or body invalidates it. The receiving server fetches the public key named by s= and d=, recomputes the body hash and verifies the signature.
If the signature does not verify (for example because the body was altered in transit, or the key in DNS no longer matches), the DKIM result is fail and the message may be sent to spam or rejected, depending on the receiver's policy. What DKIM alone does not do is tie the d= domain to the domain in the From header that the recipient sees: a message can carry a perfectly valid signature for attacker.example while displaying From: ceo@example.com. Checking that those two domains match (alignment) is the job of DMARC, which is why DKIM is deployed together with SPF and DMARC rather than on its own.
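The verifier's first step, as an added example that is not part of the original notes: parse the DKIM-Signature tag list, work out the DNS name the public key lives at, and recompute the bh= body hash over the relaxed-canonicalised body. The b= signature over the headers is deliberately left empty, because producing and checking it needs the signing domain's private and public key pair, which this stand-alone example does not have; the body hash check alone is enough to show how a tampered body is detected and how canonicalisation tolerates whitespace changes made by relays. The message body and the example.com/sel2024 signing identity are constructed for the demo.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace inside values (common in long b= and bh= values) is
    removed before use, as RFC 6376 requires.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_body_canonicalize(body):
    """RFC 6376 'relaxed' body canonicalisation.

    Trailing whitespace on each line is dropped, runs of spaces/tabs collapse
    to one space, trailing empty lines are removed, and a non-empty body
    always ends with CRLF. This is why a relay that re-wraps whitespace does
    not break the signature, while a change to the words does.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algorithm="sha256"):
    """The bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algorithm, relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def make_dkim_header(domain, selector, body, signed_headers="from:to:subject:date"):
    """Signer side: the DKIM-Signature value, except that b= is left empty
    because computing it needs the domain's private key (not part of this example)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={signed_headers}; bh={body_hash(body)}; b=")


def dkim_key_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<d= domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(header_value, body):
    """Verifier side, first check: recompute bh= from the received body and compare."""
    tags = parse_dkim_signature(header_value)
    algorithm = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    return body_hash(body, algorithm) == tags.get("bh")


if __name__ == "__main__":
    # Constructed message body; the signer and verifier above run over it.
    original = "Hello,\r\n\r\nPlease review the attached invoice.\r\n"
    sig = make_dkim_header("example.com", "sel2024", original)
    print("public key at:", dkim_key_dns_name(parse_dkim_signature(sig)))
    print("unchanged body:", body_hash_matches(sig, original))
    print("tampered body: ", body_hash_matches(sig, original.replace("invoice", "invoice (updated)")))
```

A full verifier then canonicalises the headers listed in h=, appends the DKIM-Signature header itself with b= emptied, and checks the b= value against that data with the public key fetched from the DNS name shown above; mailing-list footers and subject-tag rewriting are the usual reasons a genuine message still fails at this step.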

DMARC - Domain-based Message Authentication, Reporting and Conformance

Domain-based Message Authentication, Reporting and Conformance (DMARC, RFC 7489) is an open specification that builds on SPF and DKIM by adding alignment with the From header domain, a published policy for failures, and reporting. DMARC helps businesses of any size defend against phishing and spoofing that use their exact domain.

How does it work? The domain owner publishes a DNS TXT record at _dmarc.<domain> (the DMARC record) that tells receivers what to do with mail that fails authentication: p=none (monitor only), p=quarantine (treat as suspicious, typically the spam folder) or p=reject, with an optional sp= policy for subdomains. A message passes DMARC when at least one of SPF or DKIM passes and is aligned, meaning the domain that passed (the envelope sender domain for SPF, the d= domain for DKIM) matches the From header domain, either exactly (strict) or at the organisational domain level (relaxed, the default). Because DKIM survives forwarding, a forwarded message usually still passes DMARC through its DKIM signature even though SPF fails. The record can also name addresses (rua= for aggregate XML reports, ruf= for per-message failure reports) to which receivers send reports, giving the domain owner visibility into who is sending mail as the domain and which sources are failing.
DMARC matters in a security programme because phishing and social engineering that spoof a trusted domain are among the most common routes to unauthorised access, and an enforced policy (quarantine or reject) stops exact-domain spoofing at the receiving end before a user ever sees the message.
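The policy and alignment logic above, as an added example that is not part of the original notes. It takes the SPF and DKIM results a receiver has already computed, applies strict or relaxed alignment against the From header domain, and returns the DMARC result together with the action the published record asks for. The example.com record, its rua= address and the four scenarios are constructed for the demo; the organisational-domain helper is a deliberate simplification (last two labels) and a real verifier would use the Public Suffix List instead.

```python
# Constructed DMARC record for a hypothetical example.com. rua= names the mailbox that
# receives aggregate XML reports; sp= covers mail from subdomains such as news.example.com.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc_record(txt):
    """Split a DMARC TXT record (tag=value; tag=value) into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Organisational domain used for relaxed alignment.

    Assumption made for this example: the last two labels. Real verifiers use
    the Public Suffix List, so a domain like example.co.uk would be handled
    wrongly here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Alignment check. mode is 's' (strict, exact match) or 'r' (relaxed)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment; return (dmarc_result, action).

    spf_domain is the MAIL FROM domain the SPF check used; dkim_domain is the
    d= tag of a DKIM signature that verified (None if none did). On pass the
    action is 'deliver'; on fail it is the published p= policy, or sp= when
    the From domain is a subdomain: none, quarantine or reject.
    """
    tags = parse_dmarc_record(record_txt)
    if tags.get("v") != "DMARC1":
        return ("none", "none")  # no usable record: receiver falls back to local rules
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


if __name__ == "__main__":
    scenarios = {
        # from_domain, spf_result, spf_domain, dkim_result, dkim_domain
        "direct, SPF aligned (relaxed)": ("example.com", "pass", "bounce.example.com", "fail", None),
        "forwarded, DKIM survives":      ("example.com", "fail", "bounce.example.com", "pass", "example.com"),
        "third party, DKIM unaligned":   ("example.com", "pass", "mailer.example", "pass", "mail.example.com"),
        "spoofed subdomain":             ("news.example.com", "fail", "attacker.example", "fail", None),
    }
    for name, args in scenarios.items():
        print(f"{name:32} -> {evaluate_dmarc(SAMPLE_RECORD, *args)}")
```

The third scenario is the one that catches most operators out: both SPF and DKIM pass, yet DMARC fails because neither passing identity is aligned with the From domain (SPF passed for the mailer's own domain, and adkim=s refuses the mail.example.com subdomain). With aspf/adkim left at the relaxed default the DKIM signature would have aligned and the message would pass.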