How to master email security with SPF, DKIM and DMARC

Fake emails are becoming more difficult to detect from genuine ones. Phishers, as well as spammers and malware senders, often fake the sender's email address to boost their trustworthiness (spoofing). This article explains why DKIM, DMARC and SPF are effective ways to combat phishing.

Phishing emails used to be ugly-looking messages with unbelievable updates, but they now look very real. No more jackpots from obscure overseas lotteries, but just a support email from the Tax Authorities, for example. With the help of spoofing, fake becomes almost undetectable. Well, almost. 

The SPF, DKIM and DMARC standards prevent strangers from spoofing your account. They are used to ensure the integrity (security features, e-mail authentication) of an e-mail. This allows recipients to check whether e-mails actually come from the domain of the supposed sender.

What is SPF

SPF stands for Sender Policy Framework (RFC7208). This is a protocol by which a receiver checks whether the real sender is also allowed to send the message from the named sender. Can this sender, for example, e-mail on behalf of the named company? The receiving mail server, for example, Google, looks for this SPF record in the DNS table. Is the sending mail server not listed here? Then the mail ends up in the spambox.

💡 Please note: If you send emails to a mailing list that is not associated with your domain, the messages will be routed to the spam folder. Typing mistakes can also have serious consequences. So, make sure to double-check the protocol. 

How to implement SPF

The creation of an SPF record is done in the name server configuration of the domain, by creating a TXT record directly under the domain name with the content:

domainname.com TXT “v=spf1 a:mail.domainname.com -all”

Be aware, above is just a basic command. There is a lot to look out for so make sure to do your research first.

What is DKIM

DKIM stands for DomainKeys Identified Mail (RFC6376). Email messages can be authenticated with this encryption method. The receiver would be able to see not only whether the email came from the sender's domain, but also whether it is genuine and has not been altered by third parties.

How does DKIM work?

DKIM adds the DKIM-Signature field to the header of an email. The sending e-mail server calculates a cryptographic check digit based on a private key. The receiving party can look up the public key in the DNS and thereby validate the mail. Phishers do not have the private key, so the e-mails end up in the spam box. Want to know more, make sure to check out the website of DKIM.

What is DMARC

Finally, there is Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC (RFC7489) is a way of dealing with both SPF and DKIM. As a sender, you can, for example, record in your DNS that an email must be sent to the spam box if the SPF does not work or the DKIM is not correct. DMARC also provides reports. So if, for example, a wrong email is sent around, you will receive an alert and can respond to this accordingly.

How to set up DMARC

Do you want to effectively secure your email domain? Then set a DMARC record. You do this by publishing a DMARC TXT record in DNS. DMARC records are published in DNS with a subdomain label:

 _dmarc

Want to know more about technical topics? Check out our Knowledge Base, where you can find many articles about VPS, cloud services, and how to's.