Understanding SPF, DKIM, and DMARC: Email Security Essentials

Photo by FLY:D on Unsplash

Understanding SPF, DKIM, and DMARC: Email Security Essentials


3 min read

These are email authentication protocols utilized to safeguard email domains from "spoofing" and "phishing" attacks.

SPF (Sender Policy Framework)

The Sender Policy Framework (SPF) is a protocol that enables domain owners to designate authorized servers for sending emails on behalf of their domains. This helps prevent spammers from using spoofed addresses by verifying that the email originated from an authorized server. SPF is configured as a TXT record in the domain's DNS.

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is a protocol that adds a digital signature to an email message. This protocol enables the recipient server to confirm that the message was sent by an authorized server and that it was not tampered with during transmission.

The sent email is signed using a private key, and the public key is published in the DNS records of the sending server's domain.

Upon receiving the signed email, the recipient's email server retrieves the public key from the sender's DNS records and uses it to verify the signature. If the signature is valid, it confirms that the email was not corrupted during transmission and was signed by an authorized sender.

This protocol must be configured in the DNS records and on the sending server.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

This protocol builds on the SPF and DKIM protocols, allowing the domain owner to dictate how email servers should handle emails that fail the SPF or DKIM checks.

DMARC enables the domain owner to receive reports on their domain's email usage and to specify the actions to be taken on messages that fail verification, such as marking them as spam or rejecting them entirely.

DMARC policies are published by the domain owner in the DNS records of the relevant domain.

How does it all work together?

For example: In spoofing attacks, the attacker alters the header of an email or other electronic communication to make it seem as though it originates from a source other than the actual sender. This deception leads the recipient to believe the message is legitimate.

  • SPF: The email server initially examines the sender's DNS records to determine if the IP address of the outgoing mail server has the authorization to send emails on behalf of the domain. If the server lacks authorization, the email will likely be flagged as spam or rejected entirely.

  • DKIM: If the sending mail server passes the SPF record check and is thus authorized to send messages, a DKIM signature check is conducted next. If the signature is valid, it verifies that the email has not been modified during transmission and that the sender is authorized to send emails on behalf of this domain.

  • DMARC: Lastly, the recipient's email server checks the sender's domain DMARC policy to decide what actions to take regarding the received email. If the DMARC policy states that failed SPF/DKIM verification should lead to the email being rejected or marked as spam, the recipient's email server will follow that directive.

What if the sender's DNS does not contain DNS, DKIM and DMARC?

Without an SPF record, email servers find it more challenging to verify the authenticity of emails sent from a given domain, potentially leading to a higher risk of spam and phishing emails being delivered to recipients.

Without a DKIM record, emails sent from a domain will not be signed with a digital signature that can be used to verify their authenticity. This makes it easier for attackers to forge emails and carry out phishing attacks.

Lastly, without a DMARC record, the domain owner cannot determine the policy on how receiving mail servers should handle emails that fail SPF and DKIM checks. This may result in legitimate emails being marked as spam or rejected, or malicious emails being delivered to recipients.

Thanks for reading!