Preventing Email Spoofing using SPF and DMARC records

Shubhdeep Rajput
Bobble Engineering
Nov 3, 2021


Email spoofing is a common problem. Scammers send emails that appear to come from a brand's own domain in order to extract sensitive information from users. Because the messages look like they come from a brand the users know, they are trusted easily and users get scammed. This is harmful both for your users and for your brand's image. In this blog I will explain SPF, DKIM and DMARC, which are TXT-type DNS records used for safe and authenticated email delivery.

SPF (Sender Policy Framework)

SPF is used to specify which IP addresses are allowed to send email using your domain. An SPF record consists of the SPF version, which is v=spf1, followed by a string of mechanisms, each optionally prefixed with a qualifier.

Most common mechanisms are:

all: matches every IP address, local or remote; it is normally placed last as a catch-all.

ip4: specifies a single IPv4 address or a range of IPv4 addresses (in CIDR notation).

ip6: specifies a single IPv6 address or a range of IPv6 addresses (in CIDR notation).

a: specifies all IPs in the domain's DNS A records.

mx: specifies the IPs in the A records of each host listed in the domain's MX records.

include: specifies an authorised domain whose SPF record is evaluated as part of yours.

All of the above mechanisms can be combined with qualifiers, which have the following meanings:

“+”: Pass. The address matches and the message should be accepted.

“~”: Soft fail. The address does not match, but the message can still be accepted.

“-”: Hard fail. The address does not match and the message should be bounced or rejected.

“?”: Neutral. The address neither passes nor fails; the receiving server decides what to do.

A qualifier is written directly in front of a mechanism, and addresses matching that mechanism are treated accordingly. If no qualifier is given, + is assumed by default.

v=spf1 +a +mx +include:_spf.example.com -all

The above is an example SPF record. It means: allow the domain's A records, the A records of its MX hosts and everything allowed by the SPF record of _spf.example.com, and reject all other IPs.
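To make the mechanism and qualifier rules concrete, here is a small SPF evaluator added for this post (it is not code from the original article). It works over a constructed in-memory DNS table instead of live DNS, so the domains, the documentation-range IPs and the records in it are all assumptions; the evaluation order, the default + qualifier, the include rule and the 10-lookup limit follow RFC 7208. It also shows why a +all record, which the tips at the end warn against, accepts any sender.

```python
import ipaddress

# Constructed DNS data standing in for a real resolver (these are not real records;
# the names and documentation-range IPs are assumptions made for this example).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "permissive.example": {"TXT": ["v=spf1 +all"]},  # the record the tips warn against
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (a, mx, include, ...) at 10


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, _lookups=None):
    """Evaluate `domain`'s SPF record for a sender at `ip`.

    Returns one of: pass, fail, softfail, neutral (nothing matched or ?),
    none (no SPF record) or permerror (unknown mechanism / too many lookups).
    """
    lookups = _lookups if _lookups is not None else [0]  # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 sender never matches an ip6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif name == "include":
            # include matches only when the included record itself yields pass.
            matched = check_host(str(ip), arg, lookups) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.7", "198.51.100.25", "203.0.113.9", "2001:db8::1"):
        print(sender, "->", check_host(sender, "example.com"))
```

The first mechanism that matches decides the result, so the order of terms matters: a -all placed before an ip4 term would reject the very senders that term was meant to allow. The lookup counter is shared with included records because a receiver counts them together, and exceeding the limit turns the whole record into a permerror rather than a pass.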

DKIM (DomainKeys Identified Mail)

A DKIM record is used to make sure that the message you send is not tampered with in transit before it reaches the receiving server. It is added as a TXT record that contains the public key of the signing key pair.

DMARC (Domain-based Message Authentication)

A DMARC record builds on the SPF and DKIM records: it uses their results to set a policy for allowing or rejecting emails. The following parameters are used to set a DMARC record:

v: version of DMARC (which is DMARC1).

p: DMARC policy for the domain.

rua: mail address to which aggregate reports about DMARC activity are sent.

ruf: mail address to which reports of individual DMARC failures are sent.

pct: percentage of mails to which this policy should be applied.

sp: DMARC policy for subdomains (specify only if it differs from the domain policy).

aspf: alignment mode for SPF, i.e. how closely the SPF-checked domain must match the From domain (s for strict, r for relaxed).

adkim: alignment mode for DKIM, i.e. how closely the DKIM signing domain must match the From domain (s for strict, r for relaxed).

The possible DMARC policies (values of p and sp) are:

  • none: take no action on the message and deliver it to the intended recipient. Messages are logged in a daily report, which is sent to the email address specified with the rua option in the record.
  • quarantine: mark the message as spam and send it to the recipient's spam folder. Recipients can review spam messages to identify legitimate ones.
  • reject: reject the message. With this option the receiving server usually sends a bounce message to the sending server.

v=DMARC1;p=reject;adkim=s;aspf=s;pct=100;rua=mailto:dmarc_report@example.com

The above is an example DMARC record. It means: reject (p=reject) 100% (pct=100) of messages that do not pass SPF and DKIM with strict alignment (aspf=s, adkim=s), and send DMARC reports to dmarc_report@example.com (rua=mailto:dmarc_report@example.com). (Note: the mailto: prefix must be used with rua and ruf, and multiple comma-separated addresses can be provided.)

How do these three work together to prevent email spoofing?

When you send mail, the receiving server looks up the DNS records of your domain and finds the SPF record. It verifies whether the IP of the server that sent the mail is included in the SPF record. If it is, the SPF check passes; if it is not, it is up to the receiving server (guided by the qualifier on the matching mechanism) whether to accept or reject the mail.

DKIM signs every outgoing mail with a private key that is stored on the sending server. The receiving server verifies the signature with the public key published in the DKIM DNS record. This verifies whether the email was tampered with in transit.

The DMARC record is used in conjunction with the SPF and DKIM records to implement policy, i.e. what should be done if a mail fails the SPF or DKIM checks. It specifies how to treat mails that do not pass these checks and where to send reports about the outcome.

So, if someone tries to spoof emails from your custom domain, their message has to pass the SPF and DKIM checks, i.e. the sending server's IP must be included in your SPF record, which is highly unlikely for a scammer's IP. When the checks fail, the DMARC policy comes into action and the mail is rejected (or whatever other action you specified in the policy).
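The DMARC parameters listed above and the way SPF and DKIM results feed into the policy can be shown in one place. The following evaluator is added here as an example and is not code from the original post: it parses a DMARC record (rejecting the mistakes that make a record unusable, such as rua without mailto:), applies strict or relaxed identifier alignment, picks p or sp depending on whether the From domain is a subdomain, and applies pct sampling. The message metadata and domains it is run on are constructed, and the organizational-domain helper is a deliberate simplification that a real receiver would replace with a Public Suffix List lookup.

```python
POLICIES = ("none", "quarantine", "reject")  # ordered from least to most strict


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults.

    Raises ValueError for mistakes that make a record unusable: missing v/p tags,
    an unknown policy, a bad pct, or rua/ruf entries without the mailto: prefix.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are required")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            raise ValueError(f"unknown policy {tags[tag]!r} in {tag}=")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                raise ValueError(f"{tag}= entries must be mailto: URIs")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    return tags


def org_domain(domain):
    # Simplification (assumption): the last two labels form the organizational
    # domain. A real receiver consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(tags, record_domain, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, sample=0):
    """Return the disposition for one message: pass, none, quarantine or reject.

    `sample` is the message's draw from 0-99 used for pct sampling (passed in
    here so the example is deterministic; a receiver would draw it at random).
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:  # DMARC passes when either aligned check passes
        return "pass"
    # sp= applies when the From domain is a subdomain of the domain holding the record.
    policy = tags["p"]
    if from_domain.lower().endswith("." + record_domain.lower()) and "sp" in tags:
        policy = tags["sp"]
    if sample >= int(tags["pct"]):
        # Not selected by pct: RFC 7489 says to apply the next less strict policy.
        policy = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    return policy


if __name__ == "__main__":
    strict = parse_dmarc("v=DMARC1;p=reject;adkim=s;aspf=s;pct=100;rua=mailto:dmarc_report@example.com")
    # SPF passed for the envelope sender mail.example.com, but strict alignment
    # demands an exact match with the From domain, so the message is rejected.
    print(evaluate(strict, "example.com", "example.com", "pass", "mail.example.com", "fail", None))
```

Two behaviours are worth noticing when you start with a low pct, as the tips below recommend: a message that is not selected by pct is not simply delivered, it falls back to the next less strict policy, and a record with aspf=s will fail messages whose bounce address is on a subdomain even though plain SPF passed them, which is exactly the kind of legitimate-mail failure the aggregate reports exist to surface.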

Some tips to implement these policies

Never use +all, because it means all IPs are allowed and the record is practically useless.

If you are implementing these policies for the first time and your SPF record has wildcard-like (very broad) IP entries, increase the strength of your DMARC policy gradually: start with a low pct value, maybe 10, and with p=none, and analyse your reports to see whether legitimate mails are passing or failing.

Only add trusted domains with the include mechanism.

That is all you need to do to stop your mail domain from being used by fraudsters. If you found this blog useful, share it with others and give a clap. I will be back with another interesting blog. Until then, happy learning!
