Email is the preferred means of communication for businesses and individuals worldwide. Avoiding phishing and spam is becoming a priority when it comes to protecting digital communications. A user who clicks on a potentially harmful link or attachment can compromise the company by opening up the network to ransomware, email spoofing and many other dangers.
This article explains what the SPF, DKIM and DMARC authentication protocols are, and how they can help improve your organization's email security.
SPF's role in email security
What is SPF?
As you probably know, spammers are able to falsify the origin of emails. They modify the address to give the impression that they are sending emails from an email address on your domain. This is known as identity theft. The account owner may then receive replies to emails they never sent.
The SPF (Sender Policy Framework) protocol optimizes email security by mitigating this inconvenience. It identifies the mail servers authorized to send emails on behalf of your domain. SPF is a TXT record set up in your DNS zone file to prevent spammers from sending messages with false addresses from your domain. This is particularly relevant in the age of digital customer service.
How does it work?
The sender, for instance your web agency, publishes SPF records in DNS. These TXT records list the IP addresses authorized to send email under the domain name. When incoming mail servers receive messages from your domain name, they compare the SPF record with the information on the outgoing mail server.
If the information doesn't match, and the IP address sending the email is not listed in the SPF record, the message will be filtered as spam or rejected for security reasons.
What does a SPF record look like?
Here's an example of an SPF record retrieved by entering the command "dig TXT globalia.ca" in a Linux terminal:
globalia.ca. 0 IN TXT "v=spf1 a mx ip4:107.161.12.186 include:_spf.globalserveur.com include:_spf.google.com include:mail.zendesk.com ~all" |
We see the IP address and domains authorized to send emails on behalf of globalia.ca. A record always ends with "all". This parameter determines the rule to be applied to other emails received that do not meet the requirements mentioned in the record. In the case of globalia.ca, this is a "soft fail". This means that emails from unlisted IP addresses are accepted, but must be marked as spam.
A useful tool
The dmarcian.com website can be used to display the contents of an SPF record. It shows a detailed list of authorized IP addresses, including those listed under "include". To do this, simply go to dmarcian.com/spf-survey/ and type your domain name, for example "globalia.ca" in the search box.
How to create a SPF record
- Collect information on your IP addresses, DNS server and the list of services or servers (Outlook 365, Google Workspace, MailChimp, etc.) you wish to authorize to send your emails.
- Connect to your DNS management platform.
- Create a new TXT record with the desired SPF values.
- Inform your web agency.
Below is a diagram showing the process with SPF:
Adding an SPF record can reduce impersonation attempts to your domain, but it's not an absolute guarantee against all spam. There's another element that will make your emails even more secure: the DKIM protocol.
How DKIM improves your email security
What is DKIM?
DomainKeys Identified Mail (DKIM) is a protocol that enables an organization to assume responsibility for the transmission of a message. This verification is made possible by cryptographic authentication.
How does it work?
DKIM is designed to provide email signatures to verify the sender.
A digital signature is added to the message using a private key. Once the email has been sent, the recipient's mail server becomes aware of the existence of a "domain/selector" combination that has signed the encryption process.
The server then performs a DNS query to find the public key associated with this combination. It will use the public key to decrypt the DKIM signature received and, consequently, verify the authenticity of the sender and the content of the email for the security of your organization.
What does a DKIM record look like?
If you go to dmarcian.com/dkim-inspector/, you can see the public key as it appears in a TXT record.
How to create a DKIM record
- Create a list of services and domains authorized to send emails on your behalf.
- Generate a key pair using DKIM generation tools or through the service provider (e.g. MailChimp).
- Use a TXT file to publish your public key to DNS.
- Register the private key on the sending mail server.
Below is a diagram showing the DKIM process:
The SPF and DKIM protocols are generally sufficient to ensure email security. However, if you want to go one step further, consider adding the DMARC protocol.
DMARC makes emails even more secure
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is designed to tell email servers what to do when emails appear to come from your domains, but have not been validated by SPF or DKIM. DMARC also provides reports on email flows according to previously established SPF and DKIM policies.
How does it work?
Like the other two protocols, this involves creating a TXT record in DNS. Specific parameters are entered here to determine the fate of invalidated emails. To help you understand, here's an example.
What does a DMARC record look like?
At dmarcian.com/dmarc-inspector/, you can see the value of the TXT record _dmarc.
In this example, we see the parameters that define the rule.
v |
Current version of DMARC. |
p |
Action to be taken on invalidated messages. In this case, all emails can reach the recipient, even those that failed authentication. |
rua |
Where reports should be sent. |
ruf |
Where failure reports should be sent. |
pct |
Percentage of emails subject to DMARC policy (in this case: 100%). |
rf |
Default value is "afrf". Saves report formats. |
fo |
Defines the circumstances under which a report is generated. Value 1 requests a report in the event of SPF or DKIM failure. |
ri |
Waiting time in seconds between reports. |
adkim |
DMARC severity; two possible modes: strict and relax. |
aspf |
SPF severity; two possible modes: strict and relax. |
How to implement DMARC
- Check that DKIM and/or SPF records are correctly configured.
- Choose an email account for receiving DKIM records.
- Generate the DMARC record using a tool (e.g. OpenDKIM).
- Add the DMARC record to your domain's DNS.
Below is a diagram showing how DMARC works:
Keep email security top of mind
SPF, DMARC and DKIM are authentication protocols that work together seamlessly to provide the best possible email security.
- SPF presents authorized email sending domains.
- DKIM adds digital signatures to emails for verification purposes.
- DMARC indicates how to handle emails that fail SPF or DKIM.
These three email standards provide a solid defence against spam, identity theft, phishing and malicious threats.
You're concerned about the security of your website and your employees, but don't forget email security. For more information, don't hesitate to contact us. We'll be happy to help you realize your projects.