DMARC, SPF, and DKIM can improve your organization’s email security by authenticating incoming emails. This post discusses how DMARC, SPF, and DKIM work and how to create DMARC, SPF, and DKIM records.
Since email is the preferred mode of communication for organizations, businesses, and individuals worldwide, avoiding phishing and spam is the top priority for keeping email communications protected. If a user clicks on a phishing link or opens a malicious email attachment, they can compromise both the business and themselves by opening the network to ransomware, data leaks, privilege escalation exploits, email spoofing, and more. Let us share how DMARC, SPF, and DKIM work together so you can ensure a robust email security posture.
What do DMARC, SPF, and DKIM do?
Each of these forms one prong of a three-pronged approach to email security, covering three essentials.
- SPF: SPF lets receiving servers verify the sending platform. It checks whether that platform is authorized to send email on behalf of a domain, i.e., it authenticates the email source.
- DKIM: DKIM ensures that an email has not been tampered with in transit, so the contents received are unaltered and come directly from the sender.
- DMARC: DMARC builds on these two and adds reporting. If unauthorized emails are discovered, you can specify remedial actions to handle them.
Now that you know what each of these provides, let us see how DMARC, SPF, and DKIM work.
How do DMARC, SPF, and DKIM work?
How does SPF work?
SPF records are DNS (Domain Name System) records containing information on servers authorized to send emails from a domain. The receiving servers verify SPF by using the Return-Path value from the email header. By sending a query, the recipient can check the TXT SPF record containing the list of all approved servers where the mail can originate.
The TXT record is published on the sender's DNS server, and the SPF check fails if the sending server's IP (Internet Protocol) address is not found in the list of authorized servers.
SPF consists of mechanisms that describe authorized email senders and four qualifiers, i.e., actions that are applied to the email. These are:
- Pass: Denoted by "+"; pass means the email is accepted and delivered.
- Fail: Denoted by "-"; fail means the email is rejected and is not allowed to be delivered.
- Soft fail: Denoted by "~"; soft fail accepts the email but tags it. The email is not denied, but it is marked because the sender could not be authenticated with certainty.
- Neutral: Denoted by "?"; neutral means the email is allowed even though the sender's authenticity is uncertain.
How to Create an SPF Record?
You can easily create SPF records by following these steps.
1. Collect information about your hostname, IP, DNS server, and the list of servers you want to authorize to send your emails.
2. Log in to the DNS web portal.
3. Create a new TXT record or choose the option to add an SPF-type record.
4. Enter the SPF rule in the Value field and make sure it begins with the version tag (v=spf1).
5. Publish the SPF record.
Remember that SPF records can take up to 48 hours to take effect, and each subdomain must be added separately, since subdomains are not automatically covered.
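As an added example (not code from the original post), here is a minimal SPF evaluator in Python that applies the record format and the four qualifiers described above. It uses constructed records and documentation-range addresses in place of live DNS lookups, so the domain names and IPs are assumptions.

```python
import ipaddress

# Constructed sample records standing in for live DNS TXT lookups; the
# domains and addresses are documentation values, not real infrastructure.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:mail.example.net ~all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# The four qualifiers from the list above, mapped to SPF result names.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record and return the result.

    Handles the ip4, ip6, include and all mechanisms. A missing record or one
    that does not start with v=spf1 yields 'none'; runaway include nesting
    yields 'permerror' (RFC 7208 caps DNS-querying terms at 10). Mechanisms
    that need live DNS (a, mx, exists) are skipped in this example.
    """
    if depth > 10:
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network (and vice versa).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record passes.
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner == "permerror":
                return "permerror"
            if inner == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present
```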
How does DKIM work?
DKIM adds a digital signature to the email header so that receivers can verify the sender. Recipient mail servers look up the sender's DKIM record in DNS and check the signature to ensure the content is unaltered. This relies on public-key cryptography: the sender publishes a public DKIM key in DNS under a DKIM selector, and the recipient uses that key to verify the DKIM signature it received, confirming both the sender's authenticity and the integrity of the email content.
How to Create a DKIM Record?
You can create a DKIM record by:
1. Creating a list of services and domains authorized to send email on your behalf.
2. Generating a key pair with a DKIM generator tool.
3. Publishing the public key in a TXT record in your DNS.
4. Saving the private key on the SMTP (Simple Mail Transfer Protocol) server.
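An added example, not part of the original post: parsing the DKIM-Signature header to find the selector and signing domain, deriving the DNS name where the public key is published, and checking whether the published key record is usable. The header, selector, domain and key values are constructed placeholders.

```python
# Constructed DKIM-Signature header and DNS key record; the selector, domain
# and the bh=/b=/p= values are placeholders, not real hashes or keys.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;"
    " h=from:to:subject:date; bh=<body-hash-placeholder>; b=<signature-placeholder>"
)
KEY_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBg KqhkiG9w0B <rest-of-key-placeholder>"


def parse_tag_list(value):
    """Parse the 'tag=value; tag=value' syntax shared by the header and the record.

    Whitespace inside a value is insignificant, so long p= keys split across
    DNS strings or folded header lines are joined back together.
    """
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")   # only the first '=' separates tag and value
        if sep:
            tags[key.strip().lower()] = "".join(val.split())
    return tags


def dkim_query_name(signature_header):
    """Return the DNS name a receiver queries for this signature's public key:
    <selector>._domainkey.<signing domain>."""
    tags = parse_tag_list(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def key_record_status(txt_record):
    """Classify a published key record as 'ok', 'revoked' or 'invalid'."""
    tags = parse_tag_list(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":               # v= defaults to DKIM1 when absent
        return "invalid"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):  # k= defaults to rsa
        return "invalid"
    if "p" not in tags:
        return "invalid"
    if tags["p"] == "":                                  # empty p= means the key is revoked
        return "revoked"
    return "ok"
```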
How does DMARC work?
DMARC builds on the SPF and DKIM standards to provide email security. The domain administrator publishes a DMARC policy as part of the domain's DNS records. The DMARC policy defines how email is authenticated and specifies the actions mail servers should take if an email violates the policy. The recipient checks any incoming email by looking up the DMARC record for the domain in the email's "From" header and decides on an action based on three factors:
1. Does the email’s DKIM signature validate?
2. Does the email’s SPF record validate?
3. Does the email contain “domain-aligned” headers?
The DMARC policy accepts, rejects, or flags email messages and reports the outcome to the sender domain based on the results.
How to Create a DMARC Record?
You can create a DMARC record in a few steps:
1. Log in to the DNS control panel and choose Create Record.
2. Select TXT as the record type.
3. Add the Host and Value information.
4. Click Save, and the DMARC record is created.
DMARC records provide you with three policies to specify email validation checks, including:
- None: Takes no action, so all emails reach the recipient.
- Quarantine: Sends emails failing the DMARC check to the spam or junk folder.
- Reject: Does not allow emails failing the DMARC check to reach the recipient.
You can set these policies when creating a DMARC record to establish a strict or flexible email security policy.
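As an added example (not from the original post), here is how a receiver combines the SPF and DKIM outcomes with the published policy and the domain-alignment factor described above to reach a none/quarantine/reject disposition. The policy record, domains and report address are constructed assumptions, and the organizational-domain check is deliberately simplified.

```python
# Constructed policy record; the rua= address is a placeholder.
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational domain: the last two labels. Real receivers use the
    Public Suffix List, so names like example.co.uk would be wrong here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Domain alignment: strict ('s') needs an exact match, relaxed ('r', the
    default) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, header_from, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Combine the SPF and DKIM outcomes into a DMARC verdict.

    spf_domain is the Return-Path (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= of a DKIM signature that verified. Returns
    (dmarc_pass, disposition) where disposition is none/quarantine/reject.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "none"   # no usable policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:      # one aligned pass is enough for DMARC to pass
        return True, "none"
    policy = tags.get("p", "none").lower()   # p= is mandatory; malformed values enforce nothing
    return False, policy if policy in ("none", "quarantine", "reject") else "none"
```

The third test case below is the one that matters most: SPF and DKIM can both pass for some other domain, and only the alignment check against the visible From header turns that into a reject.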
SPF, DMARC, and DKIM work together to provide strong email security. With SPF specifying which servers may send email for a domain, DKIM adding digital signatures to emails for verification, and DMARC specifying how to deal with emails that fail SPF or DKIM, these three email standards provide a robust mechanism to ensure your organization or business is protected against email spam, spoofing, phishing, and other malicious threats.