How SPF, DKIM, and DMARC Work Together to Secure Your Emails
Email security is critical in the 21st century. Due to the popularity of the medium, emails have unfortunately become a major vector of cybercrime. Things like phishing scams, spoofing, and fraud are quite easy to do via email.
People have been known to cause accidental data leaks because they provided sensitive information to a bad actor who was hiding behind a spoofed email address.
The massive data breaches of the 21st century are a testament to the potential of email as a vector for cybercrime. This is why securing your emails is mandatory. Otherwise, you too may become a victim of cybercrime or, worse, be complicit in it without even knowing.
Today, most of the security is handled by your email service provider, but there are some things only you can do, such as managing your SPF, DKIM, and DMARC records. Let’s take a look at what that entails.
Importance of Email Security
We highlighted the risks of insecure emails, but let’s take a look at some benefits as well.
If you set up the SPF, DKIM, and DMARC records correctly, you will receive the following benefits:
- Enhanced deliverability
- Your emails do not get flagged as spam
- No hitches in B2B and B2C communications
- Your clients are protected from others spoofing your email address
You will see how these benefits are received once you understand what SPF, DKIM, and DMARC do.
How Do SPF, DKIM, and DMARC Secure Your Emails?
Let’s take a look at each of the DNS records used for securing emails and what they do.
SPF
SPF stands for Sender Policy Framework. It is actually published as a TXT record. Since TXT records can hold any kind of value, various standards have been built on top of them. SPF, DKIM, and DMARC are just a few of these.
The specific purpose of the SPF record is to tell a receiving email server which IP addresses and email addresses are allowed to send emails on behalf of a domain.
So, let us say you have a website with a domain called “example.com.” You want to engage in email marketing, so you need to send out tons of emails at once.
To do that, you will hire a third-party email service provider (ESP). To tell all receiving mail servers that this ESP may send on your behalf, you publish an SPF record in public DNS. The SPF record essentially states, “X ESP and all its servers are authorized to send emails for example.com.”
Whenever a receiving email server encounters an email from your domain, it will check that published SPF record to see if the sender is legit or not. If they are legitimate, the email goes to the receiver's inbox. Otherwise, it may be blocked or put in the spam folder.
Here’s what an SPF record looks like (the example record shown in the original image, reconstructed from the explanation below):
example.com 12443 IN TXT "v=spf1 include:_spf.mx.cloudflare.net ~all"
Here’s what each part of the record means.
- example.com is the domain name for which this record is applicable.
- 12443 is the time to live (TTL) in seconds. This is the amount of time this record is considered valid after publishing. Once the TTL expires, the DNS server needs to obtain a new copy of the record.
- IN is the class of the record. This always has a default value of IN, which stands for “Internet.”
- TXT is the type of record. Since SPF is a TXT record, the type is listed as TXT.
- Everything in the quotation marks is the value of the SPF record. The value starts with “v=spf1,” which marks this TXT record as an SPF record.
The “include:” mechanism states that the servers and IP addresses listed in another SPF record are authorized to send emails for example.com. The value “_spf.mx.cloudflare.net” stipulates that the SPF record published at this hostname must be fetched to determine which servers/IP addresses can send emails. This is a neat way of delegating authority to your ESP (in this case, Cloudflare): the ESP can add its own IP addresses to its SPF record, which your SPF record references.
The final part of this value, “~all,” tells the receiving ESP that any email for this domain not from the IP addresses in this record should be marked as spam but not outright rejected. The “~” symbol signifies a “soft fail.” The “-” symbol signifies a hard fail, i.e., reject any emails not from a listed IP address.
So, you can see how SPF records make it difficult for bad actors to spoof your domain and emails. Once you have published your SPF record, do an SPF record lookup to ensure that it is published correctly.
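As an added example (not part of the original article), the following Python evaluates a sender IP against an SPF record the way a receiving server does, including delegation through “include:”. The DNS answers are a constructed in-memory table, and “_spf.esp.example” is a hypothetical stand-in for an ESP’s record, so it runs offline.

```python
import ipaddress

# Constructed DNS answers for this example; a real check queries TXT records over DNS.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT value for a domain, or None if the domain publishes none."""
    record = FAKE_DNS.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Mechanisms are tested left to right;
    the first one that matches decides the result via its qualifier.
    """
    if depth > 10:  # simple guard against include loops / excessive delegation
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # Comparing an IPv4 address to an IPv6 network simply yields False.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # "include" only matches when the referenced record yields "pass".
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term was present
```

Note how a sender outside both networks gets “softfail” from example.com’s “~all” but “fail” from the ESP record’s “-all”.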
DKIM
DKIM stands for DomainKeys Identified Mail. Once again, this is a public DNS record that anyone can look up. For example, you could go right now and check out Google’s DKIM records with a DKIM lookup tool.
So, what does a DKIM record do? Essentially, it lets recipients verify that the email they received was not altered in transit. It does so using public and private key cryptography.
Your email server has the private key. It signs the emails with that key. When a recipient is about to receive your email, their ESP will check the published DKIM record for the public key. The public key is used to verify the signature.
If the signature verifies, it means the email has not been altered in any way. If it doesn’t, it means somebody tampered with the email. Tampered emails are automatically rejected.
Here’s what a DKIM record can look like.
- example.com is the domain name.
- 12443 is the TTL.
- The value, as you can see, is a string of alphanumeric characters. This is the public key.
DMARC
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Unlike SPF and DKIM, this record does not authorize or check anything itself. It merely outlines how recipient ESPs should deal with emails that fail the prior SPF and DKIM checks.
With DMARC, you get more control over how your emails are handled. You can use DMARC to set a policy that dictates whether recipients should quarantine, reject, or accept emails that fail the SPF and DKIM checks.
Without a DMARC policy, recipients are free to do whatever they want with emails that fail the SPF and DKIM checks. This can lead them to drop those emails, which hurts your sender reputation and worsens your deliverability.
However, the most important aspect of DMARC is the reporting feature. Whatever the recipient ultimately does with your emails that fail the checks, you will be informed about it through the DMARC reporting feature.
These reports enable domain admins to take necessary measures to improve their email deliverability and secure their email.
Here’s what a DMARC record looks like.
This example record does not have an email address, but usually, there is one at the end. This email address is where the DMARC reports are sent.
How to Configure SPF, DKIM, and DMARC Records
Here’s how you can configure SPF, DKIM, and DMARC records to ensure your outgoing emails are secured.
SPF Configuration
Your ESP will provide you with the SPF record that you need to enter in your domain manager. Most domain management tools have similar menus, so the steps are generally the following.
- Log in to your domain manager
- Go to domains
- Go to DNS Records
- Find the TXT/SPF records
- Input the SPF record values in the given fields.
- Save your settings and wait 24-72 hours until propagation is complete.
You can check whether the propagation is complete by using a DNS propagation checker.
DKIM Configuration
DKIM records are configured with your ESP's help. So, you need to take the following steps to configure them.
- Log in to your ESP
- Go to settings
- Look for DKIM or security settings
- Your provider will give you a unique key.
- Now go to your domain manager
- Open the domains page
- Go to the records page
- Add a new TXT record
- Input your DKIM record values (given by your provider)
- Save the settings.
- Wait for records to publish.
DMARC Configuration
Similar steps are required to set up DMARC records. Just like SPF and DKIM, you have to go to your domain manager and add a new TXT record.
The difference is that when you are entering your domain name in the record, you have to prefix it with “_dmarc.”
You also have to decide which flags you will set. Here’s a rundown of basic DMARC flags and what they do.
- p=none allows you to monitor emails without affecting deliverability.
- p=quarantine will send suspicious emails to spam.
- p=reject will reject emails that fail DMARC checks.
- pct=50 means that the DMARC policy will apply to 50% of the emails only.
- rua=mailto:(email address) is used to set which email address will receive the DMARC reports.
As usual, save the record, wait until propagation is complete, and then do a DMARC lookup to ensure the record is published correctly.
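As an added example (not from the original article), this Python parses a DMARC TXT value with the flags described above and computes the disposition a receiving server would apply. It assumes relaxed alignment (the SPF or DKIM domain must match the From domain or be a parent/child of it) and takes the receiver’s random pct draw as an explicit, constructed “sample” argument so results are deterministic.

```python
ACTIONS = ("none", "quarantine", "reject")
# When a message falls outside the pct sample, the next weaker policy applies.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=quarantine; pct=50; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ACTIONS:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags["pct"] = int(tags.get("pct", 100))  # pct defaults to 100 when absent
    return tags


def aligned(from_domain, auth_domain):
    """Relaxed alignment: identical, or one domain is a subdomain of the other."""
    if not auth_domain:
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=100):
    """Return 'pass', or the action to take ('none', 'quarantine', 'reject').

    DMARC passes if SPF or DKIM passed AND that check's domain aligns with the
    visible From domain; an unaligned pass (e.g. an ESP's own envelope domain)
    does not count. 'sample' stands in for the receiver's 1..100 pct draw.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain)
    if spf_ok or dkim_ok:
        return "pass"
    if sample > tags["pct"]:
        return WEAKER[tags["p"]]
    return tags["p"]


def report_address(record):
    """Return the rua mailbox (where aggregate reports go), or None if unset."""
    rua = parse_dmarc(record).get("rua", "")
    return rua[len("mailto:"):] if rua.startswith("mailto:") else None
```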
Wrap Up
By setting up SPF, DKIM, and DMARC, you ensure that bad actors cannot spoof, intercept, or tamper with your emails. This protects your clients from getting scammed by people claiming to be you via email. It also improves your sender reputation and deliverability. So, always configure these records correctly.