The Three Pillars of Email Authentication: SPF, DKIM, and DMARC
As an email sender, you have always been told to follow email best practices in order to get the best results from your email program. One of those best practices is to authenticate the mail you send. But the three pillars of email authentication, SPF, DKIM, and DMARC, can be hard to understand (especially when there are already so many email acronyms). This whitepaper explains what each of these tools does, how they fit together, and how to set them up, with real-world reasons why they matter and the steps you can take to make your domain harder to use in phishing attacks.

SPF and DKIM each answer a narrow question. SPF lets a receiving server check whether the IP address that delivered a message is allowed to send mail for the domain in the envelope sender (the MAIL FROM, or Return-Path, address). DKIM lets it check whether a domain has cryptographically signed the message and whether the signed parts have been altered in transit. Neither one, on its own, says anything about the From address that the recipient actually sees. DMARC closes that gap: it requires the domain that passed SPF or DKIM to match (align with) the domain in the visible From header, lets the domain owner publish a policy for mail that fails, and has receivers send the domain owner reports on who is sending mail in its name. Used together, the three form a comprehensive anti-spoofing and anti-phishing framework for your company's email systems.

Authentication, meaning verification that a message really comes from the domain it claims and has not been tampered with in transit, is the foundation on which mailbox providers build their filtering and reputation decisions, and it matters more every year as more business is transacted over email. Many email service providers now offer SPF, DKIM, and DMARC setup as part of their tooling. All three are published as DNS records that tell receiving mail servers how to verify your messages and what to do with messages that fail. SPF, DKIM, and DMARC are the three pillars of email authentication.
This whitepaper describes why you need these three protocols, how they work together, what you need to consider when implementing them, and what is required to implement them correctly. With that overview in place, let's look at how each component works.

What Is Sender Policy Framework (SPF)?

Sender Policy Framework (SPF) is an authentication protocol in which a domain owner publishes, in a DNS TXT record, the IP addresses (and the records of other domains) that are authorized to send email on behalf of that domain. A typical SPF record looks like this:

v=spf1 ip4:64.34.183.84 ip4:64.34.183.88 include:mmsend.com -all

Reading left to right: v=spf1 identifies the record; each ip4: mechanism authorizes one address or CIDR range; include:mmsend.com pulls in the SPF record of a third-party sender such as an email service provider, so that sender's addresses are authorized too; and -all says that every address not matched above should fail. When a message arrives, the receiving server takes the domain from the envelope sender (the MAIL FROM address, also seen as Return-Path, not the From header the recipient sees), looks up that domain's SPF record, and tests the connecting IP address against each mechanism in order.
If there is a valid SPF record AND the sending IP matches one of its mechanisms, the message passes SPF. If the IP is NOT listed, the result depends on the record's final qualifier: -all produces a hard fail, so the receiver may reject the message or place it in the spam folder; ~all produces a softfail, which is usually accepted but marked; and ?all is neutral. Two caveats matter in practice. First, a receiver makes at most 10 DNS lookups (include:, a, mx, ptr, exists, and redirect=) while evaluating a record; a record that needs more returns a permanent error instead of a pass, a common failure for domains that include many third-party senders. Second, SPF checks the last server that handed the message over, so a message forwarded by a mailing list or an auto-forwarding mailbox will usually fail SPF at its final destination; this is one reason DKIM is needed alongside it.
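The evaluation described above, as an added example that is not part of the original whitepaper: a small SPF evaluator for the mechanisms in the record shown (ip4, ip6, a, mx, include, all), returning pass, fail, softfail, neutral, none, or permerror, and enforcing the 10-lookup limit. DNS is replaced by a constructed in-memory table; the example.com record is the one from the text, while the mmsend.com record, the loop.test zone, and every address in the table are invented for the example.

```python
"""Minimal SPF evaluator (RFC 7208 subset).  DNS is an in-memory fixture; nothing
here touches the network.  redirect= and exp= modifiers are not implemented."""
import ipaddress

# Constructed DNS fixture (assumption: only example.com's TXT record comes from the
# text above; mmsend.com, loop.test and all addresses are invented for this example).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:64.34.183.84 ip4:64.34.183.88 include:mmsend.com -all"],
    ("mmsend.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
    ("mmsend.com", "A"): ["203.0.113.10"],
    ("mmsend.com", "MX"): ["mail.mmsend.com"],
    ("mail.mmsend.com", "A"): ["203.0.113.25"],
    ("loop.test", "TXT"): ["v=spf1 include:loop.test -all"],   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4


class SPFError(Exception):
    """Conditions that RFC 7208 classifies as permerror."""


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    """Exactly one TXT record starting with v=spf1 is required; zero or several -> None."""
    found = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def _count(budget):
    budget["lookups"] += 1
    if budget["lookups"] > MAX_DNS_LOOKUPS:
        raise SPFError("more than %d DNS-querying mechanisms" % MAX_DNS_LOOKUPS)


def _matches(mech, arg, addr, domain, budget):
    """True if the connecting address matches one mechanism of the record."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        # ipaddress never places a v6 address inside a v4 network, or vice versa.
        return addr in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        _count(budget)
        return any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
    if mech == "mx":
        _count(budget)
        hosts = lookup(arg or domain, "MX")
        return any(ipaddress.ip_address(a) == addr for h in hosts for a in lookup(h, "A"))
    if mech == "include":
        _count(budget)
        result, why = check_host(addr, arg, budget)
        if result == "pass":
            return True
        if result in ("fail", "softfail", "neutral"):
            return False
        raise SPFError("include:%s evaluated to %s (%s)" % (arg, result, why))
    raise SPFError("unknown mechanism %r" % mech)


def check_host(ip, domain, budget=None):
    """Return (result, explanation) for a connecting IP and the MAIL FROM domain."""
    budget = budget if budget is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    record = get_spf_record(domain)
    if record is None:
        return "none", "no single v=spf1 TXT record for %s" % domain
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:            # modifier (redirect=, exp=): ignored in this subset
            continue
        mech, _, arg = term.partition(":")
        try:
            hit = _matches(mech.lower(), arg, addr, domain, budget)
        except SPFError as err:
            return "permerror", str(err)
        if hit:
            return QUALIFIERS[qualifier], "%s matched %s%s" % (domain, qualifier, term)
    return "neutral", "no mechanism in %s matched" % domain


if __name__ == "__main__":
    for ip in ("64.34.183.84", "198.51.100.7", "203.0.113.25", "192.0.2.1", "2001:db8::1"):
        print(ip, *check_host(ip, "example.com"))
    print("loop.test", *check_host("192.0.2.1", "loop.test"))
```

Note how an address that the included mmsend.com record would only softfail still ends in a hard fail for example.com: an include only contributes a match when the included record passes, and the outer record's -all decides what happens otherwise. The self-including loop.test record shows the 10-lookup limit turning into permerror rather than a hang.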
If you are familiar with SPF, the idea behind DKIM is complementary. DomainKeys Identified Mail (DKIM) is an email authentication method that lets an organization attach its domain name to a message in a way a receiver can verify cryptographically. Think of it as an electronic passport for email: the sending mail server stamps each outgoing message with a digital signature, and any DKIM-aware receiving server can check that the stamp is genuine and that the signed content has not been modified since it was made.

DKIM uses a pair of keys, one private and one public. The private key is stored securely on the sending mail servers. The matching public key is published in a DNS TXT record under the domain name, at <selector>._domainkey.<domain>, where the selector lets a domain publish several keys (for example one per sending service, or an old and a new key during rotation). When a message is sent, the server computes a hash of the message body, then signs that body hash together with a chosen set of headers (From, To, Subject, Date, and so on) with the private key, and inserts the result as a DKIM-Signature header. That header carries the signing domain (d=), the selector (s=), the list of signed headers (h=), the body hash (bh=), and the signature itself (b=). When a receiving server accepts the message over SMTP, it reads d= and s= from the header, fetches the public key from DNS, recomputes the body hash and compares it with bh=, and then verifies the signature over the headers with the public key. If any signed header or the body has been changed in transit, the hash or the signature no longer matches and the check fails.
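The body-hash part of that verification, as an added example that is not part of the original whitepaper: body canonicalization in both DKIM modes (simple and relaxed) and the bh= comparison a verifier performs before checking the b= signature. The sample message, its domain, selector, and addresses are constructed for the example, and its b= value is a placeholder, because producing a real signature requires the private key; checking b= against the public key at <s>._domainkey.<d> is the step this example leaves out.

```python
"""DKIM body canonicalization (RFC 6376 section 3.4) and the bh= body-hash check."""
import base64
import hashlib
import hmac
import re


def split_message(raw):
    """Split a raw RFC 5322 message (bytes) into (header block, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    return head, body


def canonicalize_body(body, mode):
    """Return the body in canonical form; non-empty output is always CRLF-terminated."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Drop trailing whitespace on each line and collapse internal WSP runs to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization %r" % mode)
    while lines and lines[-1] == b"":        # both modes ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"   # empty body: relaxed -> "", simple -> CRLF
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="relaxed", algo="sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def get_header(head, name):
    """Unfolded value of the first header called `name`, or None."""
    text = head.decode("utf-8", "replace").replace("\r\n", "\n")
    for line in re.sub(r"\n[ \t]+", " ", text).split("\n"):
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_tags(value):
    """Parse a tag=value list; whitespace inside values is folding and is dropped."""
    tags = {}
    for part in value.split(";"):
        tag, _, val = part.partition("=")
        if tag.strip():
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


ALGOS = {"rsa-sha256": "sha256", "ed25519-sha256": "sha256", "rsa-sha1": "sha1"}


def check_body_hash(raw):
    """Recompute bh= and compare.  A match proves only that the body is unmodified; the
    b= signature over the headers (which include bh=) must still be verified with the
    public key from <s>._domainkey.<d>, which this example does not do."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"status": "permfail", "reason": "no DKIM-Signature header"}
    tags = parse_tags(sig)
    algo = ALGOS.get(tags.get("a", ""))
    if algo is None:
        return {"status": "permfail", "reason": "unsupported a=%s" % tags.get("a")}
    if "l" in tags:
        # l= hashes only the first l bytes, so anything appended later is unsigned;
        # this example refuses it rather than silently accepting appended content.
        return {"status": "permfail", "reason": "l= body length limit not supported"}
    if "bh" not in tags:
        return {"status": "permfail", "reason": "bh= missing"}
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"      # "c=relaxed" alone means relaxed/simple
    actual = body_hash(body, body_canon, algo)
    ok = hmac.compare_digest(actual.encode("ascii"), tags["bh"].encode("ascii"))
    return {"status": "pass" if ok else "fail", "canon": body_canon,
            "expected": tags["bh"], "actual": actual}


def build_sample(body, canon="relaxed"):
    """Constructed sample message (assumption: not a real signed message).  bh= is
    computed here; b= is a placeholder because a real signature needs the private key."""
    head = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=sel1;\r\n"
            " h=from:to:subject:date; bh=%s;\r\n"
            " b=PLACEHOLDERSIGNATURE==\r\n"
            "From: Alice <alice@example.com>\r\n"
            "To: bob@example.org\r\n"
            "Subject: Quarterly report\r\n"
            "Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
            "\r\n") % (canon, body_hash(body, canon))
    return head.encode("ascii") + body


if __name__ == "__main__":
    msg = build_sample(b"Please wire the funds today.\r\n")
    print("intact:  ", check_body_hash(msg)["status"])
    print("tampered:", check_body_hash(msg.replace(b"today", b"to account 42"))["status"])
```

Relaxed canonicalization is what lets a signature survive the whitespace rewriting that many mail gateways do, which is why it is the usual choice for the body; with simple canonicalization the same whitespace change fails the check. The l= tag is refused on purpose: a verifier that honours it will accept content appended beyond the signed length.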
A valid DKIM signature tells the receiver that the domain in d= vouched for the message and that the signed content arrived intact; a valid SPF result tells it that the connecting server may send for the envelope domain. Neither result says whether that domain is the one the recipient sees in the From header, and that is exactly what DMARC adds.

What is Domain-based Message Authentication, Reporting & Conformance (DMARC)?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol. It helps domain owners address domain spoofing and phishing attacks by preventing unauthorized use of their domain in the From address of email messages (the address recipients actually see, sometimes called the friendly From). With DMARC, a receiver first runs SPF and DKIM, then checks alignment: the message passes DMARC if SPF passed and the envelope (MAIL FROM) domain matches the From domain, or if DKIM passed and the d= domain matches the From domain. In relaxed alignment (the default) only the organizational domains need to match, so bounce.example.com aligns with example.com; in strict alignment (adkim=s or aspf=s) the domains must be identical. A message that passes SPF only for a third-party sender's own domain, or carries a DKIM signature only from that sender's domain, is therefore not DMARC-compliant even though both checks passed, which is why third-party senders must be configured to send with your envelope domain and sign with your DKIM key.

Reporting runs from receiver to sender: the receiving mailbox provider, not the sending organization, sends reports to the domain owner at the addresses given in the DMARC record. Aggregate reports (rua=) summarise, per sending IP, how many messages claimed the domain and whether they passed or failed authentication and alignment; optional failure reports (ruf=) describe individual failing messages. With this information, businesses can find legitimate senders they forgot to authorize and see spoofing attempts before they cause harm to their customers. Once the reports show that all legitimate mail passes, enforcing DMARC by rejecting messages that fail is one of the most effective steps against phishing that impersonates your domain; note that it covers exact-domain spoofing only, not look-alike domains. DMARC compliance means your organization is dedicated to protecting its customers, and it provides an extra layer of security against email scams.

DMARC lets the domain owner specify how receiving mailbox providers should treat messages that fail. This is done with a policy tag (p=) in the DMARC DNS record, which is published as a TXT record at _dmarc.<domain>. The policy can be set to one of three values:

p=none: no action; the message is delivered as normal, but the domain owner still receives reports. This is the monitoring mode to start in.
p=quarantine: the receiver places the message in the spam/junk/quarantine folder.
p=reject: the receiver rejects the message outright, so it bounces.

Two further tags are worth knowing: sp= sets a separate policy for subdomains of the domain that published the record, and pct= applies the policy to only that percentage of failing messages (the rest get the next milder treatment), which allows a gradual move from none to quarantine to reject.
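Policy discovery, alignment, and disposition as a receiver applies them, as an added example that is not part of the original whitepaper. The DMARC records, domains, and sender names in the table are constructed for the example; the SPF and DKIM results are passed in as inputs rather than computed, and the organizational-domain rule is simplified to "the last two labels" (a real verifier uses the Public Suffix List, since example.co.uk would otherwise be treated as co.uk).

```python
"""DMARC policy discovery, identifier alignment and disposition (RFC 7489 subset).
DNS is a constructed in-memory table; SPF and DKIM results are supplied by the caller."""

# Constructed DNS fixture (assumption: these records and domains are invented for the example).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                          "rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-rua@example.net",
}


def org_domain(domain):
    """Organizational domain.  Assumption: last two labels; real code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse tag=value pairs and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        tag, _, val = part.partition("=")
        if tag.strip():
            tags[tag.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])       # no sp= means subdomains inherit p=
    return tags


def discover_policy(from_domain):
    """Section 6.6.3: try _dmarc.<From domain>, then _dmarc.<organizational domain>."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = FAKE_DNS.get("_dmarc." + candidate)
        if record:
            return record, candidate
    return None, None


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs identical domains; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, pct_roll=0):
    """from_domain: domain of the RFC5322.From header.  spf_domain: the MAIL FROM domain
    SPF was evaluated against.  dkim_domain: d= of the (single) verified signature.
    pct_roll: stand-in, 0-99, for the receiver's random sample used with pct=."""
    record, policy_domain = discover_policy(from_domain)
    if record is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    verdict = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "policy_domain": policy_domain}
    if spf_ok or dkim_ok:                 # one aligned pass is enough
        return dict(verdict, dmarc="pass", disposition="none")
    # sp= applies when the record was found at the org domain and From is a subdomain of it.
    action = policy["sp"] if from_domain.lower() != policy_domain else policy["p"]
    if pct_roll >= int(policy["pct"]):
        # Messages outside the pct= sample get the next milder action (section 6.6.4).
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return dict(verdict, dmarc="fail", disposition=action)


if __name__ == "__main__":
    # Marketing platform sends with its own bounce domain and its own DKIM key: both
    # checks pass, nothing aligns with example.com, so the message is rejected.
    print(evaluate("example.com", "pass", "mmsend.com", "pass", "mmsend.com"))
    # Same platform, now signing with the customer's own key: aligned DKIM rescues it.
    print(evaluate("example.com", "pass", "mmsend.com", "pass", "example.com"))
```

The second call in the usage block is the one to remember when onboarding a third-party sender: SPF continues to pass for the vendor's bounce domain and never aligns, so an aligned DKIM signature with your own d= is what makes the mail DMARC-compliant, and with adkim=s even a signature from a subdomain of yours will not do.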
How Do You Get Started With SPF, DKIM, and DMARC?

If you haven't already, it's time to turn your attention to SPF, DKIM, and DMARC. These protocols are the cornerstones of email authentication, although they can be difficult to troubleshoot. The practical sequence is: inventory every service that sends mail as your domain (your own mail servers, marketing platforms, ticketing and billing systems, transactional senders); publish an SPF record that covers them; enable DKIM signing with your own domain on each of them; and only then publish a DMARC record, starting at p=none so that you can read the aggregate reports and fix any legitimate sender that fails before tightening to quarantine and then reject. Each sending platform documents how it recommends you enable authentication; in most cases that means creating one or more DNS records (a TXT record for SPF, a CNAME or TXT record per selector for DKIM, a TXT record at _dmarc.<domain> for DMARC) and switching on DKIM signing in the platform's settings. These controls apply to the mail you send: you publish the records, and receiving servers check them on your outbound messages. SPF and DKIM each work on their own, but DMARC depends on at least one of them passing with an aligned domain, so none of the three gives full protection without the others. Set up together, they protect your domain's reputation and deny attackers the credibility of your brand and your marketing campaigns for their phishing.