Email is still the main means of communication for businesses and individuals worldwide, and stopping phishing and spam has become a priority for protecting digital communications. A user who clicks on a harmful link or attachment can compromise the company by letting in ransomware or giving away credentials, and a spoofed sender address is very often what makes that click happen.
This article explains what the SPF, DKIM and DMARC authentication protocols are, and how they can help improve your organization's email security.
As you probably know, spammers can forge the origin of an email: they set the sender address so that the message appears to come from an address on your domain. This is known as email spoofing (often loosely called identity theft). The owner of the impersonated address may then receive bounces and replies to emails they never sent.
The SPF (Sender Policy Framework) protocol mitigates this by letting the domain owner publish which mail servers are authorized to send email on behalf of the domain. SPF is a TXT record in your DNS zone; receiving servers use it to reject or flag messages whose envelope sender (the MAIL FROM / Return-Path address, not the From: header the user sees) claims your domain but arrives from an unauthorized host. This matters all the more now that customer service runs largely over email.
The sender, for instance your web agency, publishes an SPF record in DNS. This TXT record lists the IP addresses and hosts authorized to send email under the domain name. When a receiving mail server accepts a connection, it looks up the SPF record of the domain in the envelope sender address and compares the connecting IP address with the record.
If the connecting IP address is not covered by the record, the result is a fail or softfail (depending on the qualifier on the "all" term, see below), and the message is typically marked as spam or rejected. Note that SPF does not survive plain forwarding: a forwarding server sends from its own IP, so a legitimate forwarded message fails SPF.
Here's an example of an SPF record retrieved by entering the command "dig TXT globalia.ca" in a Linux terminal:
globalia.ca. 0 IN TXT "v=spf1 a mx ip4:107.161.12.186 include:_spf.globalserveur.com include:_spf.google.com include:mail.zendesk.com ~all"
We see the mechanisms that authorize senders for globalia.ca: "a" and "mx" allow the addresses of the domain's A and MX records, "ip4" allows one explicit address, and each "include" pulls in the SPF record of a third-party service (here the hosting provider, Google and Zendesk). A record normally ends with an "all" term, whose qualifier decides what happens to mail from any host not matched earlier: "-all" is a hard fail, "~all" a soft fail, "?all" neutral. In the case of globalia.ca this is "~all" (soft fail), which tells receivers to accept mail from unlisted IP addresses but treat it as suspicious, usually by routing it to spam. Two checks worth doing on your own record: there must be exactly one "v=spf1" record for the domain, and the mechanisms that trigger DNS queries ("a", "mx", "include", "exists", "ptr", "redirect"), counted recursively through every "include", must not exceed 10, otherwise receivers return a permanent error and your SPF is useless.
The dmarcian.com website can be used to display the contents of an SPF record. It shows a detailed list of authorized IP addresses, including those listed under "include". To do this, simply go to dmarcian.com/spf-survey/ and type your domain name, for example "globalia.ca" in the search box.
Below is a diagram showing the process with SPF:
Adding an SPF record reduces impersonation of your domain, but it is not a complete defence. SPF only checks the envelope sender, so an attacker can pass SPF for a domain they control while putting your address in the visible From: header, and SPF breaks on forwarding. The next element, DKIM, addresses the integrity of the message itself.
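To make the evaluation concrete, here is a small SPF evaluator written for this article (it is an added example, not the original page's or any library's code). It applies the globalia.ca record quoted above to a connecting IP address, following the check_host() logic of RFC 7208: mechanisms are tested left to right, "include" matches only when the included record yields a pass, and the 10-DNS-lookup budget is enforced. All DNS data other than the globalia.ca TXT record (the A/MX addresses, the contents of the included records, the test IPs) is constructed for illustration and does not reflect the real zones; "redirect=" and "exp=" modifiers are not implemented.

```python
"""Minimal SPF check_host() evaluator (RFC 7208) over an in-memory DNS table.

Added example, not code from the original article. The globalia.ca record is
the one shown above; every other zone, the contents of the included records
and the test IPs are constructed and do not reflect real DNS data.
"""
import ipaddress

# Constructed DNS data (assumption: not the real zones).
DNS = {
    "globalia.ca": {
        "TXT": ["v=spf1 a mx ip4:107.161.12.186 include:_spf.globalserveur.com "
                "include:_spf.google.com include:mail.zendesk.com ~all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.globalia.ca"],
    },
    "mail.globalia.ca": {"A": ["192.0.2.25"]},
    "_spf.globalserveur.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com ~all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "mail.zendesk.com": {"TXT": ["v=spf1 ip4:203.0.114.0/24 ~all"]},
}

MAX_LOOKUPS = 10  # RFC 7208 4.6.4 budget for a, mx, include, exists, ptr, redirect
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def _spf_record(domain):
    recs = [t for t in _lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None  # 0 or >1 records: no usable policy


def _addrs_of(names):
    return [ipaddress.ip_address(a) for n in names for a in _lookup(n, "A")]


def check_host(ip, domain, counter=None):
    """Return (result, reason) for connecting IP `ip` and MAIL FROM domain `domain`."""
    counter = counter if counter is not None else {"lookups": 0}
    record = _spf_record(domain)
    if record is None:
        return "none", f"no single v=spf1 record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not implemented in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include", "exists", "ptr"):
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror", "more than 10 DNS-querying mechanisms"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in _addrs_of([arg or domain])
        elif name == "mx":
            matched = addr in _addrs_of(_lookup(arg or domain, "MX"))
        elif name == "include":
            sub, why = check_host(ip, arg, counter)
            if sub in ("permerror", "temperror"):
                return sub, f"include:{arg}: {why}"
            matched = sub == "pass"  # an include only matches on an inner pass
        else:
            return "permerror", f"unsupported mechanism '{name}'"
        if matched:
            return QUALIFIERS[qualifier], f"matched {qualifier}{term}"
    return "neutral", "no mechanism matched and no 'all' term"


if __name__ == "__main__":
    for ip in ("107.161.12.186", "203.0.113.7", "192.0.2.25", "10.0.0.1"):
        print(ip, *check_host(ip, "globalia.ca"))
```

Run it and the unlisted address 10.0.0.1 comes back "softfail" because of the "~all" term, while an address inside the constructed Google range passes through two levels of "include". Swap the DNS table for live lookups (for example with dnspython) and the same logic applies to your own domain.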
DomainKeys Identified Mail (DKIM) is a protocol that lets an organization take responsibility for a message it sends, by attaching a cryptographic signature that receivers can verify.
DKIM signs selected headers and the body of the email so that the receiver can check that the message was signed by the domain named in the signature and has not been altered since.
The sending server adds a DKIM-Signature header computed with a private key. That header names the signing domain ("d=") and a selector ("s="), and carries a hash of the canonicalized body ("bh=") and the signature itself ("b=") over the listed headers.
The receiving server queries DNS for the TXT record at selector._domainkey.domain to obtain the matching public key, recomputes the body hash and verifies the signature with that public key (this is signature verification, not decryption). A valid signature proves that the signing domain vouched for the message and that the signed parts are intact; it does not by itself prove that the domain in the From: header is the one that signed, which is what DMARC adds.
If you go to dmarcian.com/dkim-inspector/, you can see the public key as it appears in a TXT record.
Below is a diagram showing the DKIM process:
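The following added example (written for this article, not code from the original page or any DKIM library) shows the part of DKIM verification that needs no key material: relaxed canonicalization of headers and body per RFC 6376, the body-hash ("bh=") comparison, the exact bytes that the "b=" signature covers, and the DNS name the verifier queries for the public key. The RSA or Ed25519 verification of "b=" over those bytes needs a cryptography library and is deliberately left out. The message, domain "example.com" and selector "sel1" are constructed.

```python
"""DKIM relaxed canonicalization and body-hash (bh=) check, RFC 6376.

Added example, not code from the original article. Verifying b= itself is
left out (it needs a crypto library); the sample message is constructed.
"""
import base64
import hashlib
import re

# Constructed sample message (not a real email). The double space in the
# Subject and the trailing spaces / blank lines in the body are deliberate:
# relaxed canonicalization must make them irrelevant to the hash.
HEADERS = [
    ("From", " Alice <alice@example.com>"),
    ("To", " bob@example.org"),
    ("Subject", " Invoice  123"),
    ("Date", " Mon, 1 Jan 2024 10:00:00 +0000"),
]
BODY = b"Hello,\r\n\r\nPlease find the invoice attached.  \r\n\r\n\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing WSP on each line, collapse WSP runs,
    remove trailing empty lines, end a non-empty body with exactly one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, strip, no space after ':'."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def build_signature_value(domain, selector, headers, body):
    """What a signer writes before computing b=: bh= filled in, b= still empty."""
    names = ":".join(n.lower() for n, _ in headers)
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={names}; bh={body_hash(body)}; b=")


def signed_data(headers, sig_value):
    """Bytes covered by b=: each h= header (bottom-most unused instance when a
    name repeats), then the DKIM-Signature header itself with b= emptied,
    relaxed-canonicalized and without its trailing CRLF."""
    remaining = list(headers)
    out = b""
    for name in parse_tags(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out += relaxed_header(*remaining.pop(i))
                break
    stripped = re.sub(r"\bb=[^;]*", "b=", sig_value)
    return out + relaxed_header("DKIM-Signature", stripped).rstrip(b"\r\n")


def public_key_name(sig_value):
    """DNS name the verifier queries (TXT) for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(sig_value)
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(sig_value, body):
    """First verifier step: does bh= match the body that was actually received?"""
    return parse_tags(sig_value).get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = build_signature_value("example.com", "sel1", HEADERS, BODY)
    print("DKIM-Signature:", sig)
    print("key record:", public_key_name(sig))
    print("bh matches:", check_body_hash(sig, BODY))
    print("bh matches after edit:", check_body_hash(sig, BODY.replace(b"invoice", b"receipt")))
```

The point to notice is what the signature does and does not protect: trailing whitespace and extra blank lines can be added in transit without breaking "bh=", but changing a single word does, and only the headers listed in "h=" are covered, so a signer should always include From, Subject, Date and the other headers a user relies on.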
SPF and DKIM each authenticate something, but neither of them ties that authentication to the From: address the recipient actually sees, and neither tells receivers what to do with mail that fails. DMARC closes both gaps.
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do with messages that claim to come from your domain in the From: header but are not covered by an aligned SPF or DKIM pass, that is, a pass where the SPF (MAIL FROM) domain or the DKIM signing domain matches the From: domain. DMARC also has receivers send you aggregate and failure reports on the mail flows that use your domain, which is how you find out who is sending on your behalf before you tighten the policy.
Like the other two protocols, this involves publishing a TXT record in DNS, at _dmarc.yourdomain. Its tags determine the fate of failing messages and where reports go. To help you understand, here's an example.
At dmarcian.com/dmarc-inspector/, you can see the value of the TXT record published at _dmarc.<your domain>.
The example record inspected there uses the following tags:
v: DMARC version; the only defined value is "DMARC1".
p: Policy requested for messages that fail DMARC: none (deliver, monitor only), quarantine (treat as suspicious, usually the spam folder) or reject. In this example the policy is none, so even messages that fail authentication still reach the recipient.
rua: Address(es), as mailto: URIs, where aggregate reports should be sent.
ruf: Address(es) where failure (forensic) reports should be sent.
pct: Percentage of failing messages to which the policy is applied (100% in this example); the remainder receive the next weaker policy (reject becomes quarantine, quarantine becomes none).
rf: Format of failure reports; "afrf" is the default and the only registered value.
fo: Failure reporting options. 0 (the default) requests a report only when neither SPF nor DKIM produced an aligned pass; 1 requests one when either of them failed; d and s request reports on any DKIM or SPF failure respectively.
ri: Requested interval between aggregate reports, in seconds (default 86400, i.e. daily).
adkim: DKIM alignment mode: r (relaxed, the default) accepts a signing domain that shares the From: domain's organizational domain, s (strict) requires an exact match.
aspf: SPF alignment mode, with the same two values, applied to the MAIL FROM domain.
Below is a diagram showing how DMARC works:
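The policy evaluation described by the tags above, as an added example written for this article (not code from the original page or any DMARC implementation). It parses a _dmarc record, applies the adkim/aspf alignment rules, picks p= or sp= depending on whether the From: domain is a subdomain, applies pct= sampling, and decides whether an fo= failure report is due. The records and domains are constructed; one assumption to note is that the organizational domain is approximated as the last two labels, whereas a real receiver uses the Public Suffix List.

```python
"""DMARC record parsing, identifier alignment and disposition (RFC 7489).

Added example, not code from the original article. Inputs: the _dmarc TXT
value, the domain in the visible From: header, the SPF result and the MAIL
FROM domain it applies to, and the d= domains of DKIM signatures that
verified. Records and domains are constructed. Assumption: organizational
domain = last two labels (a real implementation uses the Public Suffix List).
"""
import random

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Return the tag dictionary with defaults filled in; raise if unusable."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def failure_report_wanted(tags, spf_ok, dkim_ok):
    """fo= options, simplified to the aligned results: 0 = report only if both
    fail, 1 = if either fails, d = on DKIM failure, s = on SPF failure."""
    opts = tags["fo"].split(":")
    return (("1" in opts and not (spf_ok and dkim_ok))
            or ("d" in opts and not dkim_ok)
            or ("s" in opts and not spf_ok)
            or ("0" in opts and not spf_ok and not dkim_ok))


def evaluate(record_txt, from_domain, spf_result="none", spf_domain=None,
             dkim_domains=(), rng=random.random):
    """Return the DMARC result, the disposition to apply and whether a failure
    report is requested. `rng` is injectable so that pct= sampling is testable."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_domains)
    result = {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
              "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
              "report": failure_report_wanted(tags, spf_ok, dkim_ok)}
    if result["dmarc"] == "pass":
        result["disposition"] = "none"
        return result
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]  # sp= overrides p= for subdomains of the organizational domain
    if rng() * 100 >= int(tags["pct"]):
        policy = NEXT_WEAKER[policy]  # outside the pct= sample: apply the next weaker policy
    result["disposition"] = policy
    return result


if __name__ == "__main__":
    # Constructed record: strict DKIM alignment, relaxed SPF alignment, half enforcement.
    rec = "v=DMARC1; p=reject; sp=quarantine; pct=50; adkim=s; aspf=r; fo=1; rua=mailto:dmarc@example.com"
    print(evaluate(rec, "example.com", spf_result="pass", spf_domain="bounce.example.com"))
    print(evaluate(rec, "example.com", dkim_domains=["mail.example.com"]))
    print(evaluate(rec, "news.example.com", spf_result="pass", spf_domain="attacker.net"))
```

Two things the example makes visible that the tag table does not: an SPF pass for a domain the attacker controls counts for nothing, because it is not aligned with the From: domain; and with "adkim=s" a perfectly valid signature from a subdomain (mail.example.com) no longer rescues a message, which is why strict alignment should only be switched on after the aggregate reports show every legitimate sender signs with the exact From: domain.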
SPF, DKIM and DMARC are complementary: SPF says which hosts may send for your domain, DKIM proves who signed a message and that it was not altered, and DMARC ties both to the From: address the recipient sees, tells receivers what to do on failure and reports back to you.
Together these three standards are a solid defence against spoofing of your domain, and therefore against the phishing and fraud that rely on it. They do not stop spam or phishing sent from domains the attacker legitimately controls, so they complement, rather than replace, content filtering and user awareness.
You're concerned about the security of your website and your employees, but don't forget email security. For more information, don't hesitate to contact us. We'll be happy to help you realize your projects.