What are SPF, DKIM and DMARC, and why they matter in getting emails to your customers
- Mihailo Rnic

- Nov 3
- 6 min read
Updated: Nov 13
These three acronyms might make no sense yet, but we will show how they work side by side to improve your email security and reliability. They are essential tools to prevent spamming and preserve your email reputation.

First let’s explain what each of them is and how they work:
SPF
Sender Policy Framework (SPF) is an email protocol designed to prevent emails being sent fraudulently from domains that the sender does not own. This is known as email spoofing and is commonly used to carry out phishing attacks and other malicious activities.
Why is SPF Important?
Prevents Spoofing
Email was designed without much thought for the risks posed by modern-day fraudsters. Without SPF, anyone with the technical skills can send emails from any domain, including spoofing yours. This has given rise to the idea of email reputation: email companies maintain spam blacklists and, if your domain is listed on one, your ability to send emails to your customers suffers. For businesses this can damage your reputation and send your carefully crafted emails straight to the Junk folder.
Prevents Phishing
Another way your reputation can be damaged is if your domain were used in a ‘phishing campaign’. These are legitimate-looking emails, maybe posing as a colleague or a trusted brand, that attempt to trick a user into downloading a virus, sharing confidential information such as login credentials, or making unauthorised payments. SPF decreases the risk of your domain being used for these sorts of emails.
Improves Email Delivery rates and brand authenticity
As well as preventing spoofing and phishing, SPF also validates that email from your domain is coming from a legitimate source, giving the email providers confidence to place it in the Inbox, not the Junk folder.
How SPF Works
The domain owner publishes a text (TXT) record that contains a list of authorised IP addresses or servers allowed to send emails on behalf of the domain. When an email is received by your customer the server checks the domain's SPF record to see if the sender’s IP address is included. If it's not on the list the email is likely to be sent to Junk, or possibly rejected altogether.
How to set up SPF
Please note that this article is for guidance only. If you would like us to configure SPF, DKIM and/or DMARC for you, please contact us by completing the form below and we will contact you with a quote.
SPF operates at two layers:
SPF DNS records
An SPF record is a DNS record which determines who can send emails as your domain and, conversely, identifies any other sender as unauthorised. This record could include the IP addresses of your email servers, but can also include pointers to other records, which is likely if you are using one of the big providers such as Microsoft 365, Google, or AWS.
It is likely that your ISP will provide you with the details you will need to create an SPF record, which might just include one of their records. It is possible that you will have several different providers, e.g. Google Workspace for your business email and an email marketing company for your transactional emails, which is fine as multiple providers can be included in a single SPF record. All of this is included in a TXT record in your domain’s DNS zone. An example of Microsoft’s record for Microsoft 365 customers is:
v=spf1 include:spf.protection.outlook.com -all
An example of Microsoft 365 with Amazon Simple Email Service (for bulk mailing) is:
v=spf1 include:spf.protection.outlook.com include:amazonses.com -all
All records start with v=spf1 (SPF1 is the only version) and end with either ~all (soft fail) or -all (hard fail).
It's recommended that you keep all records updated regularly.
You can check if SPF is working by viewing the email headers. In the example below the receiving email server protection.outlook.com has confirmed that the IP address of the sending server 159.112.244.25 is included in the SPF record for substack.com. The result is an SPF pass.
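To make the SPF check concrete, here is an added example (not from the original post) of how a receiving server evaluates a sender’s IP against a domain’s record: it walks the mechanisms in order, follows include: pointers such as the Microsoft 365 one above, and returns pass, fail or softfail depending on the trailing -all or ~all. The DNS zone data is a constructed in-memory table so the code runs offline; a, mx and other lookup-based mechanisms are left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zone data, not real records).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookup=FAKE_DNS.get, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # ip_network accepts a bare address (treated as /32 or /128)
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: only matches when the referenced domain's record passes
            if check_spf(ip, value, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]  # catch-all: -all fail, ~all softfail
        # a, mx, exists, redirect= would need real DNS; ignored in this example
    return "neutral"  # record ended without any mechanism matching
```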

Domain alignment
It is common to send marketing emails from a domain (or subdomain) different from the company’s primary domain (e.g. send.owta.net or owtaemail.net). It’s important when setting up SPF to align it to the domain used for sending, so called ‘domain alignment’. This is commonly misconfigured and causes a significant number of SPF troubleshooting issues.
DKIM
DomainKeys Identified Mail (DKIM) works in tandem with SPF but on a more advanced level, that of public key cryptography. Cryptography is well beyond the scope of this blog but, in summary, digitally signing each outbound email gives recipients the peace of mind that the email has not been tampered with in transit.
Why is DKIM important?
Verifying the message as original
DKIM uses digital signatures to improve the legitimacy of your emails, thereby making it less likely they are marked as junk. DKIM ensures that each of your emails has a signature added to the headers automatically by the sending server. This is then verified as authentic by the recipient mail server and therefore ensures the email received is the same as the email sent.
Using ‘public key’ infrastructure to verify the sender
Like its fellow email security protocol SPF, DKIM works towards the goal of verifying the sender. Because DKIM uses public and private keys, it is much harder for spammers to abuse. Each sender publishes their public key via their DNS zone, independently of their email systems, so an attacker would need to compromise multiple systems to fraudulently sign an email.
How to set up DKIM
As with SPF records, DKIM is published via DNS, but unlike SPF the record isn’t a set of instructions but rather a copy of the public key used for the digital signature. A DKIM record is usually a TXT record (or a CNAME pointing at your provider, see below), which follows the format:
Host: selector._domainkey.example.com
Value: v=DKIM1; k=rsa; p=yourpublickeystring
Where ‘v’ is the version of DKIM (DKIM1 is the only version), ‘k’ is the type of cryptography (in this case RSA) and ‘p’ is followed by the public key (a string of alphanumeric characters) provided by your ISP, or your ISP might give you a CNAME record referencing back to them.
The selector is a unique identifier which allows the receiving mail server to identify the correct public key. There can be several selectors for a single domain, and they all exist within the _domainkey subdomain. Your ISP or email provider will supply you with selectors for this purpose.
Once you have created your DKIM DNS record you can confirm it exists from a terminal prompt by running the following command:
host -t txt yourselector._domainkey.yourdomain

You can check that the outbound mail server is adding the digital signature by viewing the email headers. The example header below shows the DKIM-Signature header with the digital signature successfully appended; if the server isn’t applying DKIM the line won’t be there at all.

Recipient mail servers will look up the public key and then perform an algorithmic check that the digital signature in the header matches the public key. If the two match the result is a DKIM pass, as shown in the extract from the header:

Alignment
Similar to SPF alignment DKIM alignment will check if the DKIM Signature domain (d=) used matches the sending domain. The example below shows a DKIM alignment pass.

DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a protocol which works in conjunction with SPF and DKIM. Rather than operating at an individual email level, it defines for a whole domain what should happen to emails that fail SPF or DKIM checks. DMARC also includes reporting for domain owners.
Why is DMARC important?
Gives domain owners control
DMARC allows domain owners to determine how emails that fail SPF and DKIM should be handled. This includes allowing the recipient to decide, encouraging the recipient to mark the email as junk, or outright rejecting it.
Gives domain owners visibility
DMARC gives domain owners visibility as to what happens to emails via aggregate email reports sent by receiving email servers. These reports are summaries of the results of SPF and DKIM analyses of your outbound emails and give you the assurance that recipients are interpreting your SPF and DKIM the way that was intended. They are also useful in identifying problems with email delivery.
How to set up DMARC
Similar to SPF and DKIM, in your domain’s DNS settings publish a TXT record which follows this format:
Host: _dmarc.yourdomain
Value: v=DMARC1; rua=mailto:[your email]; p=[none/quarantine/reject]

Where ‘v’ is the version of DMARC (DMARC1 is the only version). ‘rua’ precedes the address to send aggregate reports to. In the example above we have configured dmarc@owta.net to receive aggregate reports.
In cases of SPF and/or DKIM failures, the policy tag (p) determines what should happen to the email:
p=none (the recipient decides; useful while monitoring reports)
p=quarantine (the recipient is encouraged to mark the email as junk)
p=reject (the email is rejected outright)
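The alignment and policy steps above (the ‘domain alignment’ sections for SPF and DKIM, and the DMARC p= tag) combine into one decision at the receiving server. The following added example, which is not from the original post, shows that decision: it parses the DKIM-Signature tags to find the selector._domainkey name to look up, checks relaxed or strict alignment of the SPF and DKIM domains against the From: domain, and applies the DMARC policy only when neither aligned check passes. The headers and DMARC record are constructed samples, and the organisational-domain helper is a simplification of the Public Suffix List rule.

```python
# Constructed sample headers and DMARC record (hypothetical, not real mail).
HEADERS = {
    "From": "Marketing <news@send.example.com>",
    "Return-Path": "<bounce@mailer.example.net>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=...; b=...",
}
DMARC_RECORD = "v=DMARC1; rua=mailto:dmarc@example.com; p=quarantine"


def parse_tags(value):
    """Parse the 'tag=value; tag=value' lists used by DKIM-Signature and DMARC."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags


def org_domain(domain):
    # Simplified organisational domain: last two labels. Real DMARC uses the
    # Public Suffix List, so names like example.co.uk need a fuller implementation.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') alignment compares organisational domains; strict ('s') exact."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dkim_key_name(sig_tags):
    """DNS name the receiver queries for the signer's public key: selector._domainkey.d"""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def dmarc_disposition(headers, dmarc_record, spf_result, dkim_result):
    """Return 'pass', or the DMARC action (none/quarantine/reject) to apply."""
    dmarc = parse_tags(dmarc_record)
    from_domain = headers["From"].split("@")[-1].rstrip(">")
    mailfrom_domain = headers["Return-Path"].split("@")[-1].rstrip(">")
    sig = parse_tags(headers["DKIM-Signature"])
    # SPF authenticates the envelope (Return-Path) domain; DKIM the d= domain.
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(sig["d"], from_domain, dmarc.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return dmarc.get("p", "none")
```

In the sample, SPF can pass for mailer.example.net yet contribute nothing to DMARC because it is not aligned with send.example.com; only the DKIM d=example.com signature rescues the message.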
Do you need help setting up SPF, DKIM and/or DMARC? Owtanet can help organise your email authentication and ensure your emails are delivered to your customer's inbox, not the junk folder. Get in touch with us today for a no-obligation quote or learn about our IT consultancy services.