Email Security; SPF, DKIM and DMARC


Before we begin this article, let’s clear up its purpose – it is not a complete ‘How To’ guide to securing your email. It does not give you a ‘cut-and-paste’ solution to email security. There are many hundreds, if not many thousands (possibly more) of service providers out there and many will have different ways of applying the methods we go into detail about below. Many will have simple methods to apply security measures through their platforms, many won’t.

What this article does is inform you of the measures that you can take to secure your email, what to expect from each method and how it should be applied. Most service providers will be all too happy to help, but for those who have less than helpful service providers, this article will tell you what to ask for if you need some help, and how to tackle things if you do want to go it alone.

 

Email Security Solutions Demystified: The Power of SPF, DKIM, and DMARC

Security is a critical aspect of modern communication, especially given the widespread use of email for both personal and business purposes. Cyber threats and phishing attacks are becoming increasingly sophisticated, so it’s essential to understand and implement robust security measures to protect sensitive information and maintain trust in online communication.

The Email Guardians

Three fundamental components of email security that play a pivotal role in safeguarding your emails are SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Let’s explore each of these in more detail:

1. Sender Policy Framework (SPF):

  • Sender Policy Framework is an email authentication protocol designed to combat email spoofing. Email spoofing is a technique used by malicious actors to send emails that appear to come from a trusted source, but in reality, they are not. SPF allows the owner of a domain to specify which mail servers are authorised to send email on behalf of that domain. This is achieved by publishing a DNS record that lists the authorised email servers. When an email is received, the recipient’s mail server can check this SPF record to verify whether the sender is authorised to send emails from the claimed domain. If the check fails, the email may be flagged as suspicious or rejected, helping to protect against spoofed emails.

2. DomainKeys Identified Mail (DKIM):

  • DKIM is another email authentication method that helps verify the authenticity of email messages. It works by adding a digital signature to outgoing emails. This signature is generated using a private key held by the sending domain’s email server. The recipient’s email server can then use a public key, published in the sending domain’s DNS records, to verify the signature. If the signature is valid, it confirms that the email has not been tampered with during transit and that it indeed originated from the claimed sender. DKIM provides a layer of security that ensures the integrity and authenticity of email messages.

3. Domain-based Message Authentication, Reporting, and Conformance (DMARC):

  • DMARC is a policy framework that builds upon SPF and DKIM to provide a comprehensive email authentication solution. DMARC allows domain owners to specify how email servers should handle messages that fail SPF and DKIM checks. It provides options for policies such as “none” (do not take any action), “quarantine” (mark as spam or quarantine the email), or “reject” (completely reject the email). Additionally, DMARC enables domain owners to receive reports on email authentication failures, giving them valuable insights into potential email spoofing attempts and the overall health of their email authentication setup. DMARC empowers organisations to take control of their security and protect their brand from phishing attacks.

So, SPF, DKIM, and DMARC are crucial components of email security that work together to combat email spoofing, phishing attacks, and other email-related threats. Implementing these protocols helps ensure that your emails are legitimate and trusted by recipients, reducing the risk of falling victim to cyberattacks and maintaining the integrity of your online communication. In the following sections we delve deeper into each of these protocols, explaining how they work, their benefits, and best practices for their implementation.

 

Who Should Implement These 3 Security Measures on Their Email, and Where?

Now that we know about these 3 security measures, let’s delve into who should apply SPF, DKIM, and DMARC to their email, as well as where these measures should be implemented.

1. SPF (Sender Policy Framework):

  • Who Should Apply SPF: Every organisation or individual that sends email from a specific domain should consider implementing SPF. This includes businesses, government entities, non-profits, and personal email domains. SPF is particularly crucial for organisations that want to protect their brand reputation and prevent email spoofing.
  • Where to Implement SPF: SPF records are typically added to the DNS (Domain Name System) settings of your domain. You can create and manage SPF records through your domain hosting provider or DNS hosting service. Many domain hosting providers offer easy-to-use interfaces for adding SPF records, making it accessible for most users.

2. DKIM (DomainKeys Identified Mail):

  • Who Should Apply DKIM: Similar to SPF, DKIM is important for anyone who wants to enhance the security and authenticity of their email messages. It is especially vital for organisations that rely on email for critical communication, as it helps prevent email tampering and phishing.
  • Where to Implement DKIM: DKIM involves cryptographic signatures added to email headers. To implement DKIM, you’ll need to generate DKIM keys and publish the public key in your domain’s DNS records. This is typically done through your email service provider or your mail server software. Many popular email service providers offer built-in support for DKIM key generation and management, simplifying the process for their users.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance):

  • Who Should Apply DMARC: DMARC is recommended for organisations of all sizes, especially those concerned about email fraud, phishing, and brand protection. It is a comprehensive email authentication policy that combines SPF and DKIM with reporting capabilities.
  • Where to Implement DMARC: DMARC policies are also published in your domain’s DNS records. To implement DMARC, you’ll need to specify the policy and designate an email address to receive DMARC reports. Many domain hosting providers and email service providers offer tools and interfaces for configuring DMARC policies. However, DMARC implementation may require more careful planning and testing than SPF and DKIM, as it involves policy decisions such as monitoring, quarantining, or rejecting emails that fail authentication.

So, SPF, DKIM, and DMARC should be applied by organisations and individuals who want to enhance the security and trustworthiness of their email communications. While SPF and DKIM primarily involve adding DNS entries, DMARC encompasses policy decisions that are also specified in DNS records. Most domain hosting providers and email service providers offer support for configuring SPF, DKIM, and DMARC, making it accessible to a wide range of users. It’s important to note that implementing these security measures is a proactive step toward protecting your email domain and building trust with your recipients.

 

What is DNS?

We’ve mentioned DNS, and we know from experience that the majority of domain owners have no idea what this refers to, how to access it or even what it does. Let’s shed some light on DNS:

DNS, or the Domain Name System, is a hierarchical and distributed naming system that translates human-readable domain names, such as www.example.com, into IP (Internet Protocol) addresses, like 192.0.2.1. This system plays a crucial role in the functioning of the internet by allowing users to access websites and other online services using easy-to-remember domain names, while computers and servers communicate using numerical IP addresses.

 

How to Access and Manage DNS Settings:

As a domain owner, you should have control over your domain’s DNS settings, which allows you to manage various aspects of your online presence.

Here’s how you can typically access and manage DNS settings:

1. Domain Registrar Control Panel:

  • If you purchased your domain through a domain registrar (e.g., GoDaddy, Namecheap, Google Domains or similar), you can access your DNS settings through the control panel provided by your registrar.
  • To access your DNS settings, log in to your account with the domain registrar and locate your domain name in the list of domains you own. There should be an option to manage DNS, DNS records, or DNS settings.
  • From there, you can add, edit, or delete DNS records, including SPF, DKIM, and DMARC records, as well as other records like A, CNAME, and MX records.
  • CAUTION: Do not under any circumstances change any settings in here unless you are sure of what you are changing – you could lose access to your website, email or both.

2. DNS Hosting Provider Control Panel:

  • Some domain owners choose to use a separate DNS hosting provider for more advanced DNS management and flexibility. Popular DNS hosting providers include Amazon Route 53, Cloudflare, and DNS Made Easy.
  • If you’re using a DNS hosting provider, you’ll typically access and manage your DNS settings through their control panel or dashboard.
  • Log in to your DNS hosting provider’s website, locate your domain, and navigate to the DNS settings section. Here, you can configure DNS records and make changes as needed.
  • CAUTION: If you are using this kind of service you’ll possibly have more experience than those with the above control panel, but still proceed with caution if unsure; you could still lose access to your website, email or both.

3. Requesting Assistance from Your IT Provider or Webmaster:

  • If you have an IT provider or webmaster managing your domain and DNS settings on your behalf, you can request their assistance.
  • Clearly communicate your requirements, such as adding SPF, DKIM, or DMARC records, and specify the desired values for DMARC. Provide any relevant information or documentation you have received from your email service provider (if not the same people) regarding these records.
  • Your IT provider or webmaster should have the necessary expertise to configure these records correctly for you.

DNS Important Considerations:

  • When making changes to DNS settings, especially when adding SPF, DKIM, or DMARC records, it’s crucial to follow the instructions provided by your email service provider or security guidelines to ensure proper configuration.
  • DNS changes can take some time to propagate across the internet (up to 48 hours), so be patient, and allow for the changes to take effect.
  • Keep your DNS records up to date, and periodically review them to ensure they accurately reflect your current needs and services.

DNS is a fundamental part of managing your online presence, and as a domain owner, you have the responsibility and control to configure DNS settings to meet your specific requirements. Whether you access DNS settings through your domain registrar, a DNS hosting provider, or via an IT provider, it’s essential to maintain accurate and secure DNS records for the smooth operation of your online services and email security.

 

Now for the Technical Bit

You knew it was coming, but it can’t be avoided (unless you get your provider to help out), the technical bit.

Even if you’re not doing this yourself and have someone making the changes for you, it’s still handy to know what’s going on, so let’s explain what needs to be added to DNS for SPF, DKIM, and DMARC, along with examples of what these DNS records generally look like:

1. SPF (Sender Policy Framework):

What to Add to DNS: SPF involves adding a TXT (text) record to your DNS settings. This TXT record contains information about the mail servers authorised to send emails on behalf of your domain.

Example SPF Record: v=spf1 include:_spf.example.com ~all

What does this mean?

v=spf1: This indicates the version of SPF being used.

include:_spf.example.com: This part specifies that the mail servers listed in the SPF record of “_spf.example.com” are allowed to send emails for your domain.

~all: This part defines the SPF policy. In this example, it uses “~all,” which means “soft fail.” It allows for some flexibility if a sender is not in the list but suggests that the email may be marked as suspicious rather than completely rejected.

2. DKIM (DomainKeys Identified Mail):

What to Add to DNS: DKIM involves adding a TXT record to DNS, which includes a public key used to verify the cryptographic signature applied to outgoing emails.

Example DKIM Record: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxg3z2bK5PbsZcPeEch3K3uU8fY7BGEwPc/68TQFt+M6sAAIzB4zDOyyj

What does this mean?

v=DKIM1: Indicates the version of DKIM being used.

k=rsa: Specifies the key type (RSA).

p=: Contains the DKIM public key. This key is significantly longer and is generated by your email service provider or email server software.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance):

What to Add to DNS: DMARC involves adding a TXT record to DNS, which sets the policy for how receivers should handle emails that fail SPF or DKIM checks, and it also designates an email address to receive DMARC reports.

Example DMARC Record: v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1

What does this mean?

v=DMARC1: Indicates the version of DMARC being used.

p=none: Sets the DMARC policy. In this example, it’s set to “none,” which means no specific action is taken when SPF and DKIM checks fail.

rua=mailto:dmarc@example.com: Specifies an email address (in this case, “dmarc@example.com”) to receive aggregate DMARC reports.

ruf=mailto:dmarc@example.com: Specifies an email address to receive forensic DMARC reports.

fo=1: Defines the format for forensic reporting. “1” indicates that reports should be generated and sent in AFRF (Authenticated Failure Reporting Format).

These example records are simplified for illustration purposes. In practice, the specific values in your SPF, DKIM, and DMARC records will depend on the guidelines provided by your email service provider or the configuration of your email infrastructure. It’s crucial to follow their instructions carefully to ensure proper email authentication and security.
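To make the three records concrete, here is an added example in Python (not code from the original article) that parses the example SPF, DKIM and DMARC records shown above, works out what each says about an unknown sender, and applies the DMARC policy to a message whose SPF and DKIM results are already known. The function names are my own; the record values are the article’s examples, and the “no all term means neutral” and “pass if either aligned check passes” rules follow RFC 7208 and RFC 7489.

```python
# Added example (not from the original article): parse the article's three
# DNS TXT records and apply the DMARC policy to a message whose SPF and DKIM
# results are already known.
import re

# Constructed sample TXT records, copied from the examples in the article.
SPF_RECORD = "v=spf1 include:_spf.example.com ~all"
DKIM_RECORD = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxg3z2bK5"
               "PbsZcPeEch3K3uU8fY7BGEwPc/68TQFt+M6sAAIzB4zDOyyj")
DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc@example.com; "
                "ruf=mailto:dmarc@example.com; fo=1")

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def spf_default_policy(record: str) -> str:
    """How a sending server NOT listed in the SPF record is treated.
    The qualifier on the 'all' mechanism decides: + pass, - fail, ~ softfail, ? neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return qualifiers[m.group(1) or "+"]
    return "neutral"  # no 'all' term at all: RFC 7208 returns neutral

def dkim_record_ok(record: str) -> bool:
    """Sanity check: DKIM1 version, RSA key type (the default) and a non-empty key.
    An empty p= means the key has been revoked, so signatures cannot verify."""
    t = parse_tags(record)
    return t.get("v") == "DKIM1" and t.get("k", "rsa") == "rsa" and bool(t.get("p"))

def dmarc_disposition(record: str, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """Apply the DMARC 'p=' policy: the message passes if EITHER aligned SPF or
    aligned DKIM passes; only when both fail does none/quarantine/reject apply."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return t.get("p", "none")
```

With the article’s records, an unlisted sender gets SPF “softfail”, and a message failing both checks is still delivered because the policy is p=none; changing it to p=quarantine or p=reject is what turns monitoring into enforcement.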

 

Let’s close with a summary and important reminders for you:

In an era of increasing cyber threats, email security is paramount. Implementing email authentication protocols like SPF, DKIM, and DMARC plays a pivotal role in safeguarding your online communication. These protocols help prevent email spoofing, phishing attacks, and unauthorised use of your domain name.

  • SPF (Sender Policy Framework): Authorises mail servers to send emails on your domain’s behalf.
  • DKIM (DomainKeys Identified Mail): Adds digital signatures to emails to verify their authenticity and integrity.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Combines SPF and DKIM, allowing you to set policies for handling email authentication failures.

Accessing and managing DNS settings is essential when configuring these security measures, and you can typically do this through your domain registrar or DNS hosting provider. However, if you’re unsure about making changes or need assistance, don’t hesitate to seek help from your IT provider or webmaster.

 

Important Reminder:

Seek Professional Assistance: If you’re not comfortable making changes to your DNS settings or if you have someone managing your domain, such as an IT provider, it’s advisable to consult with them before making any adjustments.

 

Useful Tools:

  • DMARC Record Generator: For those looking to add DMARC records, you can use free online tools like EasyDMARC to generate the required DMARC code. EasyDMARC also offers email monitoring services – both free and paid.
  • Email Security Check: To check if your domain’s emails are already covered by DMARC and to monitor your domain’s health, you can utilise MXtoolbox. MXtoolbox offers free and paid services for email security checks and domain monitoring.

By taking these steps to enhance your security, you’ll not only protect your organisation or personal email, but you’ll also contribute to the overall trust and integrity of online communication.

Even with these measures in place, remember that email security is an ongoing process, and staying vigilant is key to mitigating the risks associated with cyber threats and phishing attacks.
