Introduction to Email Security
Protecting Your Domain from Email Spoofing: The Role of SPF, DKIM, and DMARC.
Safeguarding Email Communications
Ensuring security on the receiving server when accepting email from a sender domain
To fortify defences against email threats such as spoofing, phishing, and various email-based attacks while upholding the integrity of email communication, several key authentication methods play a pivotal role. DMARC, DKIM, and SPF stand as pillars in this domain. Collectively, they serve to thwart spammers, phishers, and unauthorized entities from perpetrating fraudulent or malicious activities under the guise of domains they do not legitimately possess.
Validating incoming emails at the recipient’s server constitutes a critical facet of email security. This process involves meticulous scrutiny to confirm the messages’ authenticity and integrity before they are released for delivery to the intended recipients. By leveraging these authentication mechanisms in tandem, organizations can significantly enhance their email security posture, safeguarding against a spectrum of potential threats and preserving trust in digital communications.
1. Sender Policy Framework (SPF)
- Sender Policy Framework (SPF) enables the specification of authorized email servers for a domain. When an email reaches a recipient's mail server, that server verifies the SPF record of the sender's domain. If the sending server isn't authorized to send email for that domain according to the SPF record, the email gets rejected.
2. DomainKeys Identified Mail (DKIM)
- DomainKeys Identified Mail (DKIM) allows you to sign your emails with a cryptographic signature that can be verified by the recipient's mail server. This helps to ensure that the email has not been tampered with since it was sent.
3. Domain-based Message Authentication, Reporting and Conformance (DMARC)
- DMARC enhances SPF and DKIM by enabling domain owners to define actions for emails failing SPF or DKIM validation.
- It offers feedback mechanisms for analysing authentication failures, allowing configurations to either reject or quarantine such emails based on domain policies.
- For example, you can configure DMARC to reject all emails that fail SPF or DKIM validation, or you can configure it to quarantine them instead.
SPF
- SPF allows the owners of a domain to specify the mail servers authorized to send email on its behalf.
- SPF authentication is verified on the domain of the “Return-path” address.
- The SPF record is published in the DNS as TXT format.
- The record is a list of all the IP addresses that are allowed to send email on behalf of the domain.
- Maximum size of SPF Record is 455 characters.
- When the server receives an email, it queries the DNS server for the SPF record via a TXT record lookup.
- The receiver then takes the IP addresses listed in the SPF record and compares them with the IP address of the server that delivered the email.
- This process helps validate the authenticity of the sender's server and ensures that the email originates from an authorized source.
SPF Record and Syntax
v=spf1 mx a ip4:10.0.0.1/24 include:spf.protection.outlook.com -all
- v: specifies the SPF version; the value is 1.
- a: authorizes the IP addresses in the A or AAAA records of the domain.
- mx: authorizes the mail servers listed in the domain's MX records to relay messages on behalf of the domain.
- ip4 or ip6: specifies an IPv4 or IPv6 address or network range; the mechanism matches if the sender's address falls within that range.
- include: specifies third-party IP addresses authorized to relay emails for the domain. This mechanism uses the external mail servers' SPF records to match the sender's IP address. It returns a permanent error (PermError) if the third-party domain has no SPF record.
- all: the last mechanism in an SPF record; it defines how the receiving email server will handle any address that doesn't match the other mechanisms. Its qualifier determines what happens to the email after the other mechanisms have been evaluated.
- +all — (pass) allow all mail, treating every sender as verified.
- ?all — (neutral) allow all mail; mail that fails the other mechanisms is still accepted, but may be marked as spam.
- ~all — (soft fail) reject or mark as spam some of the failed mail.
- -all — (hard fail) reject all failed mail.
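The evaluation described above, as an added Python example that is not part of the original article: it walks the page's sample SPF record (syntax corrected) term by term and returns the result given by the first matching mechanism or the final `all` qualifier. The DNS data is constructed inline, so no lookups are made; the record attributed to spf.protection.outlook.com is made up for the example.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: no network access).
# example.com carries the page's sample record; the outlook.com record is made up.
DNS_TXT = {
    "example.com": "v=spf1 mx a ip4:10.0.0.1/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",
}
DNS_A = {"example.com": ["192.0.2.10"]}      # A record of the domain itself
DNS_MX = {"example.com": ["192.0.2.20"]}     # addresses of the domain's MX hosts

# Qualifier prefix -> SPF result; a mechanism without a prefix defaults to "+"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def in_network(ip, cidr):
    """True if ip lies in cidr; mismatched address families never match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # recursion guard for include: chains
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        result = QUALIFIERS[qualifier]
        if name == "all":
            return result               # last mechanism: decides everything unmatched
        if name in ("ip4", "ip6") and in_network(sender_ip, value):
            return result
        if name == "a" and sender_ip in DNS_A.get(domain, []):
            return result
        if name == "mx" and sender_ip in DNS_MX.get(domain, []):
            return result
        if name == "include":
            if value not in DNS_TXT:    # no SPF record at the included domain
                return "permerror"
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return result
    return "neutral"                    # no mechanism matched and no "all" term
```

A real evaluator must also count DNS lookups (the `a`, `mx` and `include` terms) and return permerror past the limit; the depth guard here only stops runaway include chains.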
DKIM
- DMARC allows the domain owner to specify how unauthenticated messages should be treated.
- This approach detects spoofed or fake sender email addresses.
- When using DKIM, a sender attaches a DKIM signature to an email (a header added to the message and secured cryptographically), and once the recipient receives the email, they can verify who sent it.
- The DKIM record is also published in DNS as a TXT record.
- The maximum size of a DKIM record is 255 characters.
- When the server receives an email, it queries the DNS server for the DKIM record via a TXT Record.
- The receiver then obtains the public key from the DKIM record and uses it to verify the signature on the incoming email.
- This process helps validate the authenticity of the sender’s server and ensures that the email originates from an authorized source.
DKIM Record and Syntax
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG;
- v — version of DKIM
- k — type of key
- p — public key value.
TXT Format
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC…"
- The DKIM record has four parts.
- First the record name (the selector, then _domainkey, then the domain), second the record class (IN), third the record type (TXT), and finally the DKIM content.
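How a receiving server locates and sanity-checks the key record for a signed message, as an added Python example not taken from the original article: it reads the `d=` and `s=` tags of a constructed DKIM-Signature header, builds the `<selector>._domainkey.<domain>` name, and parses the `v=`, `k=` and `p=` tags of a constructed TXT record. Checking the signature bytes themselves is out of scope here.

```python
import base64
import re

# Constructed DKIM-Signature header as the receiving server sees it (assumption:
# not from the page). d= is the signing domain, s= the selector.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA=="
)
# Constructed DNS TXT data; p= is the page's key cut to a valid base64 prefix,
# so it decodes but is not a usable key.
DNS_TXT = {
    "selector1._domainkey.example.com":
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB",
}

def parse_tags(text):
    """Parse a DKIM tag=value list; whitespace inside values (folded keys) is dropped."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(sig_tags):
    """DNS name the receiver queries: <selector>._domainkey.<signing domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def fetch_public_key(sig_header):
    """Locate the key record for a DKIM-Signature header and check its tags."""
    sig = parse_tags(sig_header)
    name = key_record_name(sig)
    record = DNS_TXT.get(name)
    if record is None:
        return {"status": "no-key", "name": name}
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1
        return {"status": "bad-version", "name": name}
    if key.get("k", "rsa") != sig.get("a", "rsa-sha256").split("-")[0]:
        return {"status": "key-type-mismatch", "name": name}
    if not key.get("p"):                          # empty p= means the key is revoked
        return {"status": "revoked", "name": name}
    try:
        der = base64.b64decode(key["p"], validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return {"status": "bad-key-encoding", "name": name}
    if not der or der[0] != 0x30:                 # DER SubjectPublicKeyInfo starts with SEQUENCE
        return {"status": "bad-key-encoding", "name": name}
    return {"status": "ok", "name": name, "key_der": der}
```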
DMARC
- DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance”.
- It is an email authentication protocol that helps protect email senders and recipients from email spoofing, phishing, and other fraudulent activities.
- It works by enabling domain owners to specify policies for email authentication, and it provides feedback mechanisms for reporting and analysing email authentication failures.
DMARC Record and Syntax
v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc.alerts@axisbank.com,mailto:rua.axis@progist.in; ruf=mailto:dmarc.genalerts@axisbank.com,mailto:ruf.axis@progist.in
- v — version
- p — policy
Policy options
- None — no action for mail that fails the SPF and DKIM checks.
- Quarantine — quarantine mail that fails the SPF and DKIM checks (it is marked as spam).
- Reject — drop mail that fails the SPF and DKIM checks (it is delivered to neither the inbox nor the spam folder).
- pct — specifies the percentage of failing messages to which the DMARC policy is applied. [0–100%]
- rua — specifies the URI to which aggregate reports of DMARC activity should be sent.
- ruf — specifies the URI to which message-specific failure reports should be sent.
- sp — specifies the subdomain policy. [none, quarantine, reject]
- adkim — Indicates the DKIM alignment mode, which specifies how DKIM signatures should align with the domain.
- aspf — Indicates the SPF alignment mode, which specifies how SPF checks should align with the domain.
Alignment modes
- s — (strict mode) [the authenticated domain must exactly match the domain in the "From" header]
- r — (relaxed mode) [subdomains of the "From" domain, i.e. the same organizational domain, are accepted]
- fo — specifies the options for generating failure reports; it determines when a failure report is sent.
Options of FO
- 0 — Generate a DMARC failure report if all underlying authentication mechanisms fail to produce a DMARC “pass” result.
- 1 — Generate a DMARC failure report if any underlying authentication mechanism (either SPF or DKIM) fails to produce a DMARC “pass” result.
- d — Generate a DMARC failure report if DKIM signature(s) failed.
- s — Generate a DMARC failure report if SPF check(s) failed.
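The policy, alignment and pct behaviour described above, worked through as an added Python example that is not part of the original article: the receiver takes the SPF and DKIM results, checks each against the From domain under the record's `aspf`/`adkim` modes, and returns the disposition, using `sp` for subdomain senders and honouring `pct`. The DMARC records and report address are constructed; the organizational-domain helper is a deliberate simplification (assumption) that real receivers replace with the Public Suffix List.

```python
# Constructed DMARC records in the page's syntax (assumption: no network; the rua
# address is a placeholder). example.com sets a stricter DKIM alignment than SPF.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=r; "
                   "rua=mailto:dmarc-rua@example.com",
    "example.net": "v=DMARC1; p=reject; pct=50",
}
# What a receiver applies to the messages pct= leaves out: one step less severe
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain. Simplification (assumption): the last two labels;
    real receivers consult the Public Suffix List so that e.g. co.uk works."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Alignment check: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample_pct=0):
    """Return (dmarc_result, disposition). spf_domain is the Return-Path domain SPF ran
    against; dkim_domain is the d= of a verified signature (None if none); sample_pct
    (0-99) stands in for the random draw a receiver makes to honour pct=."""
    policy_domain = from_domain if from_domain in DMARC_RECORDS else org_domain(from_domain)
    record = DMARC_RECORDS.get(policy_domain)
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:               # DMARC passes if either aligned check passes
        return "pass", "none"
    # Subdomain senders get sp= when present, otherwise the domain policy p=
    policy = tags["sp"] if from_domain != policy_domain and "sp" in tags else tags.get("p", "none")
    if sample_pct >= int(tags.get("pct", "100")):
        policy = DOWNGRADE.get(policy, "none")
    return "fail", policy
```

Note that a DKIM signature from mail.example.com fails strict alignment against a From header of example.com even though it is a valid signature, which is the usual cause of unexpected rejections after switching `adkim` to `s`.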
SPF vs DKIM vs DMARC
Records verification
- Verify whether the SPF, DKIM, and DMARC records are properly configured and present for your domain.
- After completing the configuration, ensure that the records have been successfully added.
- https://mxtoolbox.com/SuperTool.aspx
- https://easydmarc.com/tools/spf-lookup
- https://dnschecker.org/all-dns-records-of-domain.php
NS Lookup in Command line
Resources
- https://www.techtarget.com/searchsecurity/answer/Email-authentication-How-SPF-DKIM-and-DMARC-work-together
- https://snov.io/blog/how-to-set-up-spf-dkim-dmarc/ (Google suite)
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide