SPF, DKIM and DMARC: the what, the why and the how

Why you’d want to implement SPF, DKIM and/or DMARC

  • genuine emails from your domain are being marked as spam
  • you’ve become aware of (or want to prevent) emails being sent out, claiming to be from your domain

Background

We’ll need to cover a few basics of how email works before moving on to SPF, DKIM and DMARC.

example.com.  IN  MX  10  aspmx.l.google.com.

The problem of spam

Email is really cheap to send, and that means that a lot of spam email is sent out. Perhaps 45% of emails sent are spam, though estimates vary widely. The emails you see in your Spam folder are just the tip of the iceberg. Most spam emails are blocked without you ever seeing them. Email providers have sophisticated spam filtering processes in place to reduce this to a manageable level, but this isn’t a perfect process.

  • it’ll give me a bad reputation with my users if they see dodgy emails appearing to come from me
  • spam filters from email providers will start to mark emails from example.com — including legitimate ones — as spam
  • when spam senders send out emails, including to invalid addresses, I’ll get ‘bounce back’ emails to my inbox — because the bounce back emails will go to the server listed in my MX record. This is known as ‘backscatter spam’ and will quickly get very annoying.

The problem of identifying senders

It’s fairly easy to get an email to its intended recipient, but it’s much more difficult to identify whether it was sent from who it claims to be.

SPF — Sender Policy Framework

SPF is a mechanism for checking that the ‘envelope sender’ or ‘Return-Path’ email address on an email matches with the server that the email is sent from. It uses another DNS record to list the valid servers that an email should be sent from

Implementing SPF

SPF is the easiest of the three to implement. All you need to do is to add a TXT record at the root of your domain (example.com) which says something like this:

example.com.  IN  TXT  "v=spf1 include:amazonses.com ~all"

DKIM — DomainKeys Identified Mail

DKIM is a much more robust way of validating that an email came from the place it claims to. It uses public key cryptography to do this — I won’t go into detail of what public key cryptography is, but one of the things it allows me to do is to validate, using a ‘public key’ that you publish, that you ‘signed’ a message using a ‘private key’, without me seeing the ‘private key’.

Implementing DKIM

Again for DKIM, you’re going to find the information you need for the DNS records from your email provider. But these will be specific to you, unlike the generic details used for SPF. They also won’t go at the root of your domain but instead at somewhere specified. They’ll look something like this:

w4brt6yt8k4lb7lvevow._domainkey.example.com  IN  CNAME w4brt6yt8k4lb7lvevow.dkim.amazonses.com

DMARC — Domain-based Message Authentication, Reporting and Conformance

While SPF and DKIM will both mean your legitimate emails are less likely to be marked as spam, DMARC allows you to set out a policy with explicit instructions for how you want emails claiming to be from your domain to be treated.

  1. Check DKIM. If DKIM passes, DMARC passes. If DKIM fails or is not present, continue.
  2. Check SPF. If SPF fails, DMARC fails. If SPF passes, continue.
  3. Does the domain of the ‘envelope sender’/’Return-Path’ (the return address in our analogy) matches the domain of the ‘From’ address (the ‘From’ email is what appears in your email inbox)? If it matches, DMARC passes. Otherwise, DMARC fails.

Implementing DMARC

You’ll need to add a TXT record at a subdomain of your domain — if your domain is example.com, you’d add it at _dmarc.example.com. Here’s an example:

_dmarc.example.com  IN  TXT  "v=DMARC1;p=none;pct=100;rua=mailto:dmarcreports@example.com;"

Conclusion

SPF, DKIM and DMARC are great tools in making sure that your emails arrive to their intended recipients and spam emails are stopped in their tracks. They really ought to be a standard part of any responsible sender’s email setup — and nowadays, they’re relatively easy to set up.

Additional resources

DMARCIAN has some great tools for working with SPF, DKIM and DMARC. The SPF Inspector and DMARC Inspector are great ways to look at the policy on your domain and see if it’s doing what you expect.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store