DKIM, SPF, and DMARC: Best Practices for Email Authentication

Email is a crucial communication tool for businesses and individuals alike. However, with the rise of phishing attacks and email fraud, the security and authenticity of email messages have been a growing concern for many. This is where email authentication protocols such as DKIM, SPF, and DMARC come into play. These protocols work together to prevent a wide range of malicious email attacks. In this blog, we will explore how DKIM, SPF, and DMARC work, and provide a guide on setting them up to boost the security of your emails.

What are DKIM, SPF, and DMARC?

Understanding DMARC Records

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is a policy published as a DNS TXT record at “_dmarc.yourdomain”. It tells receiving mail servers how to handle messages that fail authentication, that is, messages for which neither SPF (Sender Policy Framework) nor DKIM (DomainKeys Identified Mail) passes for a domain that aligns with the visible From address. This is what makes DMARC effective against email spoofing and phishing: on their own, SPF and DKIM do not check the From address the recipient actually sees. Enabling DMARC specifies how unauthenticated messages are treated and reduces the chance of spoofed email reaching recipients.

Monitoring and reporting are important components of DMARC. When you set up DMARC with a reporting address (the “rua” tag), receiving servers send you aggregate reports on which sources sent mail as your domain and whether it passed authentication. This gives you insight into the sources of unauthorised emails, helps you fine-tune your email authentication, and lets you stay ahead of cyber threats. It’s best practice to review these reports regularly so that you can take proactive steps to protect your business.

Understanding DKIM Records

DKIM (DomainKeys Identified Mail) is another email authentication method. Rather than checking where a message came from, it proves that the message was signed by a server holding the domain’s private key and that the signed headers and body have not been altered since. It works by adding a digital signature to the message’s headers, which the recipient’s email server verifies using a public key published in your DNS. This is a strong defence against tampering and impersonation because it gives you a cryptographic way to prove that the email is legitimate.

When you send an email from a domain that publishes a DKIM key, your server adds a digital signature to the email headers using the private key. The recipient’s server fetches the public key from your DKIM DNS record and verifies the signature. If the signature is valid, the email is considered authentic for the signing domain; if not, it may be flagged as suspicious or sent to spam.

Understanding SPF Records

SPF (Sender Policy Framework) records are another type of DNS record. They list which IP addresses or hosts are authorised to send email on behalf of your domain, so that receiving servers can tell an unauthorised source apart from your real mail servers. Note that SPF checks the envelope sender (the Return-Path or MAIL FROM domain), not the From address the recipient sees; DMARC is what closes that gap.

When a message arrives, the recipient’s mail server looks up the SPF record for the envelope sender domain and checks whether the connecting server’s IP address is authorised by it. If it isn’t, the receiver may mark the email as spam or reject it, depending on whether your record ends in “~all” (softfail) or “-all” (fail).

Adding SPF records to your domain improves email deliverability and your domain’s overall reputation. It also helps prevent your domain from being blacklisted for sending spam or phishing emails.

Benefits of DKIM, SPF, and DMARC Records

There are many benefits of adding DKIM, SPF, and DMARC records to your email domain. Here are just a few:

DKIM ensures that the signed parts of an email haven’t been tampered with and ties the message to the signing domain through a cryptographic signature that recipient servers can verify. This protects your customers and your business against financial losses and reputational damage from forged mail. Using DKIM also builds trust with your recipients and improves the success rate of your email delivery.

SPF reduces email spoofing by listing which servers are allowed to send emails on behalf of your domain. Combined with DMARC, this stops malicious actors from impersonating your brand from servers you don’t control.

DMARC combines the benefits of DKIM and SPF to provide a comprehensive email authentication solution. Publishing a DMARC record lets you set rules for what happens if your emails don’t pass authentication checks. This helps monitor and enforce strict email policies as well as receive reports on failed authentication.

How to Set up SPF Records

Step 1: To set up SPF, you first need to access your domain host or DNS provider’s control panel. Look for the option to manage your DNS and add a TXT record at the root of your domain. SPF is published as a TXT record, and a domain must have exactly one SPF record: two or more is an error that makes SPF fail for every message.

Step 2: Add the IP addresses or hostnames of mail servers authorised to send emails for your domain. SPF records must follow a specific format: they start with “v=spf1” followed by mechanisms such as “ip4” and “ip6” (address ranges), “mx” (the domain’s MX hosts), “a” (the domain’s A records) or “include” (another domain’s SPF record, typically a third-party sending service), and they should end with “-all” (fail anything not listed) or “~all” (softfail). Make sure the record doesn’t exceed the DNS lookup limit (10 lookups; “ip4” and “ip6” don’t count towards it) and is formatted properly.

Step 3: Once you have saved the SPF record, it may take some time for the change to propagate; how long depends on the record’s TTL, and it can take up to 48 hours. Then review and test it against your actual sending setup using an SPF record checker or a DNS lookup tool, and send a test message to a mailbox you control and read the Authentication-Results header to confirm it shows “spf=pass”.
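The checks in Steps 2 and 3 can be done locally before you publish a record. The following is an added example, not code from the original post or from any DNS provider: it parses a v=spf1 record, counts the mechanisms that cost a DNS lookup (include, a, mx, ptr, exists and the redirect modifier), flags a missing or permissive “all”, and evaluates ip4/ip6 terms against a sender IP without touching the network. The records and addresses are constructed for the demo (203.0.113.0/24 and 198.51.100.1 are documentation ranges; _spf.example.net is a placeholder include).

```python
import ipaddress

# Terms that each cost one DNS query (RFC 7208 s4.6.4); more than 10 is permerror.
# ptr is deprecated but still counts. ip4, ip6, all and exp do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records for the demo.
GOOD_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net mx -all"
BAD_RECORD = ("v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11))
              + " ptr +all")


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"                     # default qualifier is pass
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        if "=" in raw:                      # modifier, e.g. redirect=_spf.example.net
            name, arg = raw.split("=", 1)
        elif ":" in raw:                    # mechanism with argument, e.g. ip4:203.0.113.0/24
            name, arg = raw.split(":", 1)
        else:                               # bare mechanism, e.g. mx or all
            name, arg = raw, ""
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_dns_lookups(terms):
    """Number of terms that trigger a DNS query during evaluation."""
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)


def lint_spf(record):
    """Return a list of problems a practitioner would fix before publishing."""
    terms = parse_spf(record)
    problems = []
    lookups = count_dns_lookups(terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    all_terms = [t for t in terms if t[1] == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not all_terms and not has_redirect:
        problems.append("record has no 'all' mechanism, so unlisted senders get neutral")
    elif all_terms and all_terms[0][0] in ("+", "?"):
        problems.append(f"'{all_terms[0][0]}all' authorises anyone; use -all or ~all")
    if any(name == "ptr" for _, name, _ in terms):
        problems.append("ptr mechanism is deprecated and slow to evaluate")
    return problems


def check_ip_locally(record, sender_ip):
    """Evaluate only ip4/ip6/all terms (no network). Returns the SPF result, or
    'needs-dns' if a term requiring a lookup is reached before any match."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                # ip_network returns False for an address of the other IP version
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"          # malformed network in the record
        elif name == "all":
            return QUALIFIERS[qualifier]    # terms after 'all' are never reached
        elif name in LOOKUP_TERMS:
            return "needs-dns"
    return "neutral"                        # RFC 7208: no mechanism matched


if __name__ == "__main__":
    print("good:", lint_spf(GOOD_RECORD))
    print("bad:", lint_spf(BAD_RECORD))
    print(check_ip_locally(GOOD_RECORD, "203.0.113.7"))
```

Run it against your own record before publishing; if the bad record’s output looks familiar, that is usually a sign of third-party services being added over the years without anyone removing the old ones.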

Checking if an Email Has Passed SPF Authentication

When an email passes SPF authentication, it means the sending server is allowed to send email for the envelope sender domain. If an email fails SPF, it doesn’t automatically mean the email is malicious. It could be due to a misconfigured SPF record or to legitimate forwarding: a forwarding server re-sends the message from its own IP address, which isn’t in your SPF record, so SPF fails even though DKIM (as long as the forwarder leaves the signed content untouched) still passes.

How to Set up DKIM Records

Step 1: The first step in setting up DKIM records is to generate a DKIM key pair. This includes a public key, which you’ll add to your domain’s DNS records, and a private key, that is stored on your email server. The private key creates the digital signature for outgoing emails, while the public key lets the recipient’s email server verify that signature. Generating the public key can differ depending on your email provider. Here are step-by-step instructions based on your domain hosts:

  1. Google
  2. Microsoft
  3. Zoho
  4. NameCheap

Step 2: After generating the DKIM key pair, add the public key to your DNS records. Create a new TXT record named “selector._domainkey.yourdomain” (the selector is a label that lets a domain publish several keys at once, so you can rotate them without downtime) with the value your DKIM tool provides, which looks like “v=DKIM1; k=rsa; p=…” where p= holds the base64-encoded public key. Use a 2048-bit RSA key, which current guidance (RFC 8301) recommends over the older 1024-bit size.

Step 3: Once you’ve added the DKIM public key, test it. There are various DKIM lookup tools online that fetch the record for your selector and domain and report syntax or key problems, and a test message to a mailbox you control should show “dkim=pass” in its Authentication-Results header. When DKIM is properly configured, your emails are more likely to reach the recipient’s inbox rather than being marked as spam.

Checking if an Email Has Passed DKIM Authentication

Checking if an email has passed DKIM authentication is an important step in your email security.

One way to check DKIM authentication is to look at the email headers. The DKIM-Signature header carries the signing domain (“d=”) and selector (“s=”) tags, which tell you which public key was used, along with the body hash (“bh=”) and the signature itself (“b=”). The receiving server records its verdict in the Authentication-Results header, for example “dkim=pass” followed by the signing domain.

You can also use online tools to verify DKIM signatures. Simply paste the email headers and body into these tools, and they’ll check if the DKIM signature is valid. This method is a quick way to confirm DKIM authentication.
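The first half of what those online tools do can be reproduced offline, which is useful when a message fails and you want to know whether the body was altered in transit or the DNS key is wrong. The following is an added example, not code from the original post or from any DKIM library: it parses the DKIM-Signature tags, derives the DNS name the receiver would query (selector._domainkey.domain), applies the “simple” body canonicalisation from RFC 6376 and recomputes the bh= body hash. Verifying b= additionally needs the public key from DNS and an RSA implementation, which this example deliberately leaves out. The message is constructed for the demo, and its bh= value is computed by the same routine so that the untampered copy verifies.

```python
import base64
import hashlib
import re

# Constructed sample body for the demo.
SAMPLE_BODY = "Hello,\r\n\r\nYour invoice is attached.\r\n"


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict.
    Folding whitespace inside values is removed (RFC 6376 s3.2)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """DNS name the receiver queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def simple_body_canonicalize(body):
    """'simple' body canonicalisation: CRLF line endings, trailing empty lines
    removed, body ends with exactly one CRLF (an empty body becomes CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(simple_body_canonicalize(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw):
    """Split a raw RFC 5322 message into unfolded headers (lowercased names) and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in re.split(r"\n(?!\s)", head):     # a line starting with whitespace continues the previous header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def check_dkim_body_hash(raw_message):
    """Return (dns_name_to_query, body_hash_matches). A bh= mismatch means the
    body was altered after signing (e.g. by a mailing list footer), so the b=
    signature cannot verify whatever key DNS holds."""
    headers, body = split_message(raw_message)
    tags = parse_dkim_signature(headers["dkim-signature"])
    if tags.get("v") != "1" or tags.get("a", "").lower() != "rsa-sha256":
        raise ValueError("unsupported DKIM version or algorithm")
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"   # c=relaxed alone means body is simple
    if body_canon != "simple":
        raise ValueError("only simple body canonicalisation is implemented here")
    return dkim_dns_name(tags), tags["bh"] == body_hash(body)


def build_sample_message(body):
    """Constructed message for the demo. bh= is computed from SAMPLE_BODY, so passing
    a different body simulates tampering in transit. b= is a placeholder, not a
    real signature; it would need the domain's private key."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
        "  s=sel2024; h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
        "  b=not-a-real-signature\r\n"
        "From: billing@example.com\r\n"
        "To: customer@example.org\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    print(check_dkim_body_hash(build_sample_message(SAMPLE_BODY)))
    print(check_dkim_body_hash(build_sample_message(SAMPLE_BODY.replace("invoice", "refund"))))
```

The trailing-blank-line case matters in practice: mail servers commonly add or strip empty lines at the end of a body, and simple canonicalisation is what keeps the body hash stable through that while still catching a single changed word.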

How to Set up DMARC Records

Step 1: The first step to setting up DMARC is to create a TXT record named “_dmarc.yourdomain” in your domain’s DNS settings. At minimum it needs “v=DMARC1” and a policy tag “p=” that specifies how receivers should handle emails that fail authentication; add a “rua=” address so that receivers know where to send aggregate reports.

Step 2: After creating the DMARC record, monitor and analyse the DMARC reports you receive. These reports show how your domain’s emails authenticate and highlight any that fail authentication. Reviewing these reports helps you spot issues with your email authentication and make necessary adjustments.

Step 3: It’s important to regularly update your DMARC policy based on the feedback from these reports. You might need to adjust your policies to prevent legitimate emails from being marked as spam or tighten security if frequent phishing attacks occur.

Key tip: Customise your DMARC policy based on your domain’s specific needs and email traffic. For example, start with “p=none” to monitor, and move to “p=quarantine” and then “p=reject” as you gain confidence that every legitimate sender is covered. The “pct=” tag lets you apply the stricter policy to a percentage of messages first, and “sp=” sets a separate policy for subdomains.

Checking if an Email Has Passed DMARC Authentication

An email passes DMARC when at least one of SPF or DKIM passes and the domain that passed aligns with the domain in the From header: exactly for strict alignment, or sharing the same organisational domain for relaxed alignment (the default). You can see the verdict the receiving server recorded in the Authentication-Results header (“dmarc=pass” or “dmarc=fail”) alongside the SPF and DKIM results. The sending domain’s DMARC record tells you which policy the receiver should apply on failure.
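The setup steps above and the pass/fail rule just described come together in the evaluation a receiver performs. The following is an added example, not code from the original post or from any mail server: it parses a DMARC record, applies strict or relaxed identifier alignment between the From domain and the SPF and DKIM domains, and returns the result and the disposition (“p=”, or “sp=” for a subdomain sender). The organisational-domain lookup uses a tiny stand-in list of public suffixes, labelled as an assumption; real receivers use the full Public Suffix List. The record and the scenarios are constructed for the demo.

```python
# Assumption for this example only: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk"}

# Constructed sample record: reject for the domain, quarantine for subdomains,
# strict DKIM alignment, relaxed SPF alignment.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r")


def parse_dmarc_record(record):
    """Parse 'tag=value; tag=value' into a dict and validate the required tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and a p= tag")
    for key in ("p", "sp"):
        if key in tags and tags[key] not in ("none", "quarantine", "reject"):
            raise ValueError(f"unknown policy {tags[key]!r} in {key}=")
    return tags


def organisational_domain(domain):
    """Registrable domain: one label to the left of the longest known public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' (relaxed) accepts
    a shared organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organisational_domain(from_domain) == organisational_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope sender (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of a signature that verified. DMARC passes if either
    authenticated identifier aligns with the From domain; otherwise p= applies,
    or sp= when the From domain is a subdomain and sp= is present."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if organisational_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    # Forwarded mail: SPF breaks, DKIM survives, so DMARC still passes.
    print(dmarc_evaluate(SAMPLE_RECORD, "example.com", "fail", "bounce.example.com",
                         "pass", "example.com"))
    # Spoof: attacker's own SPF passes for attacker.net, but it does not align.
    print(dmarc_evaluate(SAMPLE_RECORD, "example.com", "pass", "attacker.net", "none", ""))
```

The third scenario in the test is the one the page’s troubleshooting section warns about: a third-party service that passes SPF and DKIM for its own domain still fails DMARC for yours until it signs with your domain or uses a Return-Path under it.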

Troubleshooting Common DKIM, SPF, and DMARC Record Errors

If you stumble upon issues after configuring your records, here are some common reasons why:

  1. DKIM: DKIM issues usually come from misconfigured DNS records or mismatched keys. A common problem is an invalid DKIM signature, which happens when the public key in the DNS record doesn’t match the private key used to sign the email, or when the selector in the signature points at a record that doesn’t exist. To fix this, make sure the selector and the public key in DNS match the keys your mail server uses, and check for typos or syntax errors in the DKIM DNS record. DKIM also fails when a message is modified in transit, for example by a mailing list that adds a footer or rewrites the subject, because the body hash or signed headers no longer match.
  2. SPF: If you’re having issues with SPF, it’s usually due to the record’s structure. A frequent issue is exceeding the limit of ten DNS lookups, which makes receivers return a permanent error and treat SPF as not passing. This happens when you include too many third-party services, each of which may in turn include further domains. To resolve this, remove services you no longer use, replace “include” with “ip4”/“ip6” ranges where the provider documents stable ones, or move a service onto a dedicated subdomain with its own SPF record.
  3. DMARC: DMARC issues are often due to misconfiguration of the record or to alignment problems. Common issues include incorrectly formatted DMARC TXT records, resulting from missing semicolons, incorrect tags, or syntax errors; review the record carefully to ensure it follows the correct format. The other frequent issue is misalignment: DMARC requires the From header domain to match (exactly, or at the organisational-domain level, depending on the “adkim” and “aspf” tags) either the DKIM “d=” domain or the envelope sender domain that SPF checked. A third-party service that signs with its own domain or uses its own Return-Path will pass SPF and DKIM yet fail DMARC for your domain.

How do DKIM, SPF, and DMARC Work Together?

While DKIM, SPF, and DMARC each have their own purpose, they work best together: each method covers a gap the others leave, and combined they provide a comprehensive email authentication system.

SPF is the first layer: it lists who is allowed to send email for a domain. When a message arrives, the recipient’s server looks up the SPF record for the envelope sender domain and checks whether the connecting server’s IP address is authorised.

DKIM adds another layer of security by letting a domain sign its emails with a cryptographic signature. The sender’s server creates this signature using a private key and adds it to the email’s headers. The recipient’s server then uses the corresponding public key (published in the DNS) to verify that the email hasn’t been tampered with during transit. This confirms the email’s integrity and authenticity.

DMARC builds on SPF and DKIM by letting domain owners specify how to handle emails that fail authentication. The DMARC policy, published in DNS, instructs receiving servers whether to reject, quarantine, or accept emails that fail DMARC, meaning neither SPF nor DKIM passed with a domain aligned to the From address. DMARC also provides reports on email authentication results, helping domain owners detect potential misuse and refine their email security strategies.

In summary, SPF verifies the sending server’s IP address, DKIM ensures the email’s content is intact and authentic through cryptographic signatures, and DMARC ties both to the From address the recipient sees, defining policies for handling authentication failures and providing feedback. Together, these technologies create a strong defence against email-based threats, making email communication more secure and trustworthy.


© Edmondson's IT Services | Co. Reg. No: 07818717 | VAT Reg. No: GB122507059