SPF, DMARC, DKIM and your email

A Basic Understanding of the Domain Name System (DNS)

DNS registrars allow individuals and companies alike to purchase and hold domain names. If you own a domain name for your business, you can use it to point at servers on the internet. For example, Apple Inc. owns the domain name apple.com. Apple's web designers have built a website on a web server whose IP address is 17.142.160.59. Every server on the internet has an IP (Internet Protocol) address, but IP addresses are too hard to remember, and this is where DNS comes in. Apple uses DNS to direct customers to its website by pointing apple.com at the IP address of its web server, so that anyone anywhere in the world can type apple.com and reach Apple's website without knowing or remembering the address.

Email works the same way. If you send a message to steve@apple.com, you are sending it to the user "steve" at (@) whichever mail server Apple lists in its DNS records for apple.com (the MX records): your mail server looks up those records and hands the message to Apple's server, which delivers it to Steve's mailbox. If you are a business owner with a web page or a professional email address that uses your own domain name, a critical step in making sure your email works correctly and is secure is to publish SPF, DMARC and DKIM records in that domain's DNS.

  • SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain.
  • DMARC tells receiving mail servers what you would like them to do with messages that fail authentication, and can send you reports when your domain is being spoofed or impersonated.
  • DKIM lets your mail server stamp each message you send with a digital signature, the digital equivalent of a wax seal. Receiving servers can verify the seal and know, with a much greater degree of confidence, that the message really came from you and was not altered on the way.

How will I know if SPF, DMARC & DKIM are correctly set up for my domain?

There are some free tools you can use to help figure out whether you're set up correctly.

  1. Look at what the MxToolbox SuperTool has to say about your domain by looking your domain name up at https://mxtoolbox.com/SuperTool.aspx. Anything with a red X next to it is something you may want to look into.
  2. Check whether SPF, DMARC and DKIM are configured correctly by using the tool at globalcyberalliance.org.
  3. If you’re not quite sure ask for help by clicking Contact.

The SPF record type

SPF stands for Sender Policy Framework. An SPF record is a TXT record in your domain's DNS that lists the mail servers (by IP address or hostname) allowed to send email using your domain as the sender.

The consequences of an incorrectly set up SPF record:

  • Email spoofing: anyone on the internet may be able to send email that appears to come from your domain. This is a security risk because you and your contacts may receive phishing messages that look like they came from people within your domain even though they did not.
  • Email deliverability issues: when an SPF record is configured incorrectly, or not configured at all, email you send may never reach the people you are sending it to, which causes communication problems.

Every SPF record ends with an "all" mechanism, and the qualifier in front of it decides what happens to mail from a server the record does not list. There are three settings you will see in practice.

"?all" for a neutral result (no policy is applied to mail from unlisted servers). In general this is a bad configuration: a neutral SPF record lets anyone on the internet spoof your email address. It is sometimes useful as a temporary setting while you use DMARC reporting to find all your legitimate senders before migrating to a stricter setting.

"~all" for soft fail: the receiving server typically marks the message as having failed SPF but still delivers it (some mail servers send these messages to the spam or junk folder). Not ideal, but a common configuration because it generally won't cause deliverability problems.

"-all" for fail: messages that did not come from a server listed in the SPF record will typically be rejected by the receiving mail server. This is the most desirable configuration because it blocks spoofed messages from your email domain. Combined with DMARC and DKIM, spoofed messages should almost never be delivered, and if one is you should receive a DMARC report about it and be able to show that you did not send it. Two caveats are worth knowing. First, SPF is evaluated against the envelope sender (the address in the SMTP MAIL FROM command, which ends up in the Return-Path header), not the From: address the recipient sees, so an attacker can pass SPF for a domain they control while still displaying your address in From:; DMARC closes that gap by requiring the SPF or DKIM domain to align with the From: domain. Second, RFC 7208 limits a record to 10 DNS-querying mechanisms (include, a, mx, ptr and exists, counted across every nested include); a record that exceeds the limit is a permanent error and receivers treat your mail as unauthenticated, which is a common and hard-to-spot cause of deliverability problems.
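To make the three qualifiers and the lookup limit concrete, here is a small SPF evaluator written for this page (it is an added example, not code from the original post or from any SPF library). It implements the ip4, ip6, include, a and all mechanisms of RFC 7208 and the 10-lookup limit, over a constructed set of DNS records; the domains (example.com, _spf.mailhost.example and so on) and the addresses are documentation values, not real zones. A real checker would query DNS instead of a dictionary.

```python
import ipaddress

# Constructed DNS data for this example (RFC 2606/5737 documentation names,
# not real zones). A real evaluator would query these from DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example a:mail.example.com -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "loose.example": "v=spf1 ?all",
}
DNS_A = {"mail.example.com": ["203.0.113.25"]}

# A chain of includes longer than RFC 7208's limit of 10 DNS-querying
# mechanisms, to show how an over-long record turns into a permanent error.
for i in range(12):
    DNS_TXT[f"hop{i}.example"] = f"v=spf1 include:hop{i + 1}.example -all"

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookups=None):
    """Evaluate the SPF record of `domain` for a message sent from `ip`.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none (no usable
    record) or permerror (record is broken or exceeds the lookup limit).
    Only the ip4, ip6, include, a and all mechanisms are implemented.
    """
    if lookups is None:
        lookups = [0]  # shared counter across nested include: evaluations
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network, and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue

        # Everything below costs a DNS lookup; more than 10 is a permerror.
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if name == "include":
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken included record breaks the outer one
            continue
        if name == "a":
            target = arg or domain
            if str(addr) in DNS_A.get(target, []):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this example does not implement

    # Ran off the end of the record without matching an "all": neutral.
    return "neutral"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                       ("203.0.113.25", "example.com"), ("203.0.113.99", "example.com"),
                       ("203.0.113.99", "loose.example"), ("203.0.113.99", "hop0.example")]:
        print(f"{ip:>14}  {domain:<24} {check_host(ip, domain)}")
```

The last case is the one that bites in practice: hop0.example is syntactically valid and every hop resolves, yet the record evaluates to permerror because the nested includes need more than ten lookups. Several hosted services each contribute two or three lookups via their own includes, so a domain that adds a few such providers can cross the limit without anyone noticing until mail starts bouncing.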

DMARC

A long acronym that stands for: “Domain-based Message Authentication, Reporting & Conformance”

“A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.” – dmarc.org

DMARC is very useful to have. With a DMARC record you can ask receiving mail servers to send spoofed messages to spam, or not to deliver them at all. The other key thing DMARC gives you is reporting: it lets you find out whether your domain is being spoofed, that is, whether someone on the internet is using email to pretend to be you. The record is published as a TXT record at _dmarc.yourdomain; its p= tag sets the policy (none, quarantine or reject) and its rua= tag names the mailbox that aggregate reports are sent to. DMARC only counts an SPF or DKIM pass if the domain that passed "aligns" with the domain in the From: header, which is what stops an attacker from passing SPF for their own domain while showing your address to the recipient. DMARC is useful as both a mitigation and an investigative tool, and it can be immensely helpful, especially if you regularly communicate with customers by email.
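The following evaluator shows how a receiver turns SPF and DKIM results into a DMARC verdict, including the alignment check described above. It is an added example written for this page, not code from the original post or from any mail server; the DMARC records it reads are constructed for documentation domains (example.com, monitor.example), and the organizational-domain logic is simplified to the last two labels, whereas a real implementation consults the Public Suffix List.

```python
# Constructed DMARC records for this example (documentation domains, not real
# ones). DMARC records live in a TXT record at _dmarc.<domain>.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    implementation must use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for a message whose From: header uses
    from_domain. spf_domain is the envelope-sender (MAIL FROM) domain that SPF
    was checked against; dkim_domain is the d= tag of the verified signature.
    """
    from_domain = from_domain.lower()
    record = DMARC_TXT.get("_dmarc." + from_domain)
    is_subdomain = False
    if record is None:  # no record of its own: fall back to the org domain's
        record = DMARC_TXT.get("_dmarc." + org_domain(from_domain))
        is_subdomain = record is not None
    if record is None:
        return ("none", "deliver")  # domain publishes no DMARC policy
    tags = parse_dmarc(record)

    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")

    # sp= applies to subdomains without their own record; otherwise p= applies.
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return ("fail", action)


if __name__ == "__main__":
    cases = [
        ("legitimate, SPF via bounce subdomain", "example.com", "pass", "bounce.example.com", "none", ""),
        ("spoof: attacker's own domain passes SPF and DKIM", "example.com", "pass", "attacker.example", "pass", "attacker.example"),
        ("forwarded: SPF broke, DKIM survived", "example.com", "fail", "example.com", "pass", "example.com"),
        ("DKIM d= is a subdomain but adkim=s", "example.com", "fail", "example.com", "pass", "mail.example.com"),
        ("subdomain with no record: sp= applies", "billing.example.com", "fail", "x.example", "none", ""),
        ("p=none: monitoring only", "monitor.example", "fail", "x.example", "none", ""),
    ]
    for label, *args in cases:
        print(f"{label:<50} {dmarc_disposition(*args)}")
```

The second case is the one the SPF section's caveat is about: both SPF and DKIM genuinely pass, but for attacker.example, so neither aligns with the example.com in From: and the message is rejected. The third case shows why DKIM matters even with a strict SPF record: a forwarding hop changes the sending IP and breaks SPF, but the signature still verifies and keeps the message deliverable.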

DKIM

DKIM (DomainKeys Identified Mail) is a way for your mail server to sign outbound messages automatically with a special seal of approval, the digital equivalent of a fancy wax seal on a letter. The signature covers selected headers and the message body, and the public key needed to verify it is published in your DNS, so a receiving server can confirm that the message came from an authorized source and was not altered on the way. In your DMARC record you can specify what you would like mail servers to do with unsigned messages, just as you can with messages that fail SPF. DKIM provides stronger assurance of a message's origin than SPF can: SPF only identifies the sending server and breaks when a message is forwarded, while a DKIM signature travels with the message and still verifies after forwarding. It can also reduce the likelihood of a message being marked as spam in some cases, although receivers make their strongest use of it when they vet messages with DMARC. Aside from its use with DMARC, DKIM can help show that a message was a spoof. If you have a loose SPF policy and are not using DMARC (which you really should), it is still a good idea to sign your messages with DKIM, so that if someone impersonates your email address and sends a malicious message to one of your contacts, you can point to the fact that it carries no valid seal from your domain while your genuine messages do. Damage might already have been done, but at least with DKIM you can demonstrate that you were not the sender of the malicious message.
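The "seal" is a hash over a canonicalized copy of the message, which is why it survives forwarding but breaks on tampering. The example below, written for this page and not taken from the original post or from any DKIM library, implements the RFC 6376 body and header canonicalization rules with only the standard library, computes the bh= body hash, and builds the exact byte string that a signer would then sign. The RSA signing step itself is left out because the standard library has no RSA; a real signer would hand signature_input() to an RSA-SHA256 implementation. The message, the selector (mail2024) and the domain are constructed for the example.

```python
import base64
import hashlib
import re


def _crlf(text):
    """Normalise line endings to CRLF, which is what DKIM hashes over.
    (Assumption for this example: input uses LF or CRLF, never bare CR.)"""
    return text.replace("\r\n", "\n").replace("\n", "\r\n")


def canon_body_simple(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): drop empty lines at the
    end of the body and make sure it ends with exactly one CRLF."""
    body = _crlf(body)
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canon_body_relaxed(body):
    """'relaxed' body canonicalization (RFC 6376 3.4.4): collapse runs of spaces
    and tabs to one space, strip trailing whitespace on every line, drop trailing
    empty lines; an empty body canonicalizes to the empty string."""
    lines = _crlf(body).split("\r\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization (RFC 6376 3.4.2): lower-case the field
    name, unfold continuation lines, collapse whitespace, strip it around ':'."""
    value = re.sub(r"\r\n[ \t]+", " ", _crlf(value))
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body, canon="relaxed"):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_input(headers, signed_fields, dkim_header_value):
    """The bytes the signer hashes and signs to produce b=: each header named in
    h=, canonicalized, in order, then the DKIM-Signature header itself with an
    empty b= and no trailing CRLF. Duplicate header names are taken from the
    bottom of the header block upward, as the RFC requires."""
    out = []
    for field in signed_fields:
        for name, value in reversed(headers):
            if name.lower() == field.lower():
                out.append(canon_header_relaxed(name, value))
                break
    sig = re.sub(r"b=[^;]*", "b=", dkim_header_value)
    out.append(canon_header_relaxed("DKIM-Signature", sig).rstrip("\r\n"))
    return "".join(out).encode("utf-8")


if __name__ == "__main__":
    # Constructed message (not a real email) with the sloppy whitespace that
    # relays and mail clients routinely introduce.
    headers = [("From", "Accounts <accounts@example.com>"),
               ("To", "customer@example.net"),
               ("Subject", "  Invoice\r\n\t#1042 attached  ")]
    body = "Please pay $100 by Friday.  \r\n\r\n\r\n"
    bh = body_hash(body)
    dkim = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
            f"h=from:to:subject; bh={bh}; b=")
    print("bh=", bh)
    print(signature_input(headers, ["from", "to", "subject"], dkim).decode())
    # The seal breaks the moment the body changes...
    print("tampered bh=", body_hash("Please pay $900 by Friday.\r\n"))
    # ...but not when a relay only touches trailing whitespace.
    print("whitespace-tolerant:", body_hash("Please pay $100 by Friday.\r\n") == bh)
```

Two things to notice. Relaxed canonicalization is what lets the signature survive a mailing list or forwarder that re-wraps trailing whitespace, while any change to the visible text (the amount in the example) produces a different bh=, so the receiver's verification fails. And because the DKIM-Signature header is itself part of the signed input, an attacker cannot swap in a different h= list or d= domain without invalidating the seal.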

If you have now set up SPF, DMARC and DKIM, congratulations! You're helping the world build a better, more secure email communications platform. If you would like help setting up a more secure or robust email system, you can always contact us using the link at the top of the page or the Contact link.

