Updated: Oct 23
Email security is a significant concern, with no signs of ever taking the back burner as scams become more sophisticated and prevalent.
Between phishing attacks, spam, and other nasty email tricks, protecting your domain and the integrity of your emails is of the utmost importance.
In this guide, we’ll take a look at
What is SPF?
The Sender Policy Framework (SPF) is an email authentication protocol that helps to identify and block email spoofing. It allows domain owners to specify which mail servers are permitted to send mail on their behalf.
In layman’s terms, SPF is like a VIP list that tells the email world who is allowed to send emails from your domain.
If an email comes from a server that's not on the list, it's more likely to be considered spam or fake.
How does SPF work?
SPF works by publishing a list of authorized IP addresses that are allowed to send mail for a specific domain.
This list is usually a DNS TXT (Domain Name System Text) record published in the domain name system.
When an email message is sent, the receiving mail server performs a DNS lookup to find the SPF record of the sending domain.
Once the SPF record is found, the receiving server checks if the email originates from one of the authorized IP addresses in the SPF record.
If the sending IP address matches, the SPF check passes; otherwise, the email might be marked as spam or rejected altogether.
Here’s a quick breakdown of what happens in simpler terms:
Your domain has a special list (SPF record), telling everyone which IP addresses are allowed to send emails from your domain.
When someone tries to send an email claiming to be from your domain, the receiving mail server looks up this special list.
The receiving server checks if the email actually comes from an IP address that's on your VIP list.
If the IP address is on the list, the email gets the green light to proceed. If not, it could be flagged as spam or even rejected.
Pros and Cons of SPF
SPF is a relatively straightforward and simple process that protects users from suspicious attacks, but there are also some limitations.
Check out these pros and cons to be fully informed.
Email authentication: SPF is an effective method for authenticating emails and identifying malicious sources, making it more difficult for attackers to send phishing or spam emails using your domain.
Improved email reputation: Passing the SPF checks regularly can improve your domain's email reputation, increasing the likelihood of your emails landing in the inbox rather than the spam folder.
Prevents domain spoofing: This protocol helps restrict who can send emails from your domain, which helps in preventing domain spoofing to some extent.
Potential for misidentification: SPF only checks the sending server's IP against the SPF record. It does not validate the content or the sender's address. As a result, it can occasionally misidentify legitimate emails.
Maintenance required: As the IP addresses of your sending servers change, or as you add new servers, you will need to update the SPF record accordingly. Otherwise, legitimate emails could be flagged.
What is DomainKeys Identified Mail (DKIM)?
DomainKeys Identified Mail (DKIM) is another email security protocol that helps authenticate the integrity and origin of an email message.
Unlike SPF, DKIM uses cryptographic techniques for authentication.
How does DKIM work?
DKIM uses public and private keys to sign and verify email messages. The sending mail server uses a private key to generate a digital signature for each outgoing email message. This signature is then included in the email headers.
On the receiving side, the mail server performs a DNS lookup to find the associated public key, stored as a DNS TXT record.
The receiving server uses this public key to verify the email's digital signature. If it matches, the email is authenticated.
Simply put, this is what occurs during the DKIM process:
The sending mail server uses a ‘secret code’ (private key) to add a unique signature to each email it sends out.
This signature is a part of the email that most people don't see, but it's there for verification.
When the email arrives at its destination, the receiving server looks up the ‘public code’ (public key) to match the signature.
This public key is found in the DNS records, the internet's directory of domain information.
The receiving server uses the public key to make sure the signature in the email matches, confirming it's a legitimate email.
In essence, DKIM is like a hidden handshake between sending and receiving mail servers, making sure the email is genuinely from where it claims to be from.
Pros & Cons of DKIM
DKIM is a more complex measure than SPF, and with that complexity comes unique benefits and drawbacks.
Stronger authentication: DKIM provides a higher level of security by using cryptographic signatures, making it more difficult to forge emails.
Content integrity: DKIM verifies that the content of the email has not been tampered with during transit.
Complex setup: Implementing DKIM can be complex due to the requirement of public and private key management.
Doesn’t guarantee deliverability: Having a DKIM signature does not mean your emails will automatically bypass spam filters. Other factors, such as content and sender reputation, also play a role.
What is Domain-based Message Authentication, Reporting & Conformance (DMARC)?
DMARC is an email authentication protocol designed to give domain owners more control over their email.
Essentially, DMARC acts as a policy layer for SPF and DKIM, allowing the domain owner to specify how to handle emails that don't pass SPF or DKIM checks.
DMARC can send reports back to the domain owner, providing insights into how their email is performing, and how it might be abused.
How does DMARC work?
DMARC works by adding an additional layer of validation on top of SPF and DKIM. A DMARC policy is published in the domain's DNS records. When the receiving mail server gets an incoming email, it first checks for a DMARC policy.
If found, the server then verifies the email against the domain's SPF and DKIM policies. If the email passes, it's delivered to the inbox.
Otherwise, the server follows the action defined in the DMARC policy, which could be to quarantine or reject the email.
Have a look at this simplified explanation:
DMARC checks for extra rules in the domain's DNS records before delivering an email.
The receiving mail server looks for these DMARC rules when an email comes in.
If these rules exist, the server checks the email against both SPF and DKIM policies to see if it's legitimate.
If the email passes these checks, it lands safely in your inbox.
If it fails, the DMARC rules will guide what happens next, usually either sending it to the spam folder or rejecting it entirely.
So, DMARC acts like a final security guard, double-checking that an email really should be delivered to you. It's like a manager confirming a decision made by their team.
Pros & Cons of DMARC
Providing the most security, DMARC combines both SPF and DKIM into one super measure against malicious intent.
Enhanced security: DMARC improves upon the individual strengths of both SPF and DKIM, adding an extra layer of security.
Reporting: DMARC allows for extensive reporting, allowing domain owners to track how their emails are being handled and to identify any fraudulent activity.
Control: It allows the domain owner to specify what happens to emails that don't pass the SPF or DKIM checks, increasing the control over email deliverability and security.
Complexity: DMARC can be difficult to implement correctly and requires ongoing maintenance.
False positives: There's a risk of legitimate emails being flagged if they fail the DMARC checks for any reason.
How to set up SPF, DKIM, and DMARC?
Setting up these protocols can significantly impact your email deliverability and security. Here's a brief on how to set them up:
General SPF setup
SPF involves publishing a list of authorized IP addresses in a DNS TXT record for your domain. You'll need to access your DNS provider and add the TXT record.
This SPF record will list the IP addresses of servers allowed to send emails on behalf of your domain.
The setup generally involves the following steps:
Identify sending mail servers: Make a list of all IP addresses that are authorized to send mail on behalf of your domain.
Create SPF record: An SPF record is a TXT record that is added to your domain's DNS settings. The record specifies which IP addresses and mail servers are authorized to send mail for your domain. A typical SPF record looks like v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all.
Update DNS: Add the SPF record to your domain's DNS records through your DNS provider.
Verify: After the DNS update has propagated, use an SPF validator tool to confirm that your SPF record is correct.
Monitor: Constantly update your SPF record when there are changes to your list of sending servers.
Please note that these steps might vary slightly depending on the specific requirements of your domain and email service provider.
It’s always a good idea to check with them for any specific instructions or requirements they might have.
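The SPF evaluation described in "How does SPF work?" and the record produced by the setup steps above, worked through in code. This is an added example, not code from the original article: DNS answers come from a small in-memory table constructed here (the example.com record is the one from the setup steps, extended with an `a` mechanism and an `include:`), and only the ip4, ip6, a, mx, include and all mechanisms are handled; redirect=, exists, ptr, macros and a/mx CIDR suffixes are reported as permerror. The lookup counter shows the RFC 7208 limit of 10 DNS-querying terms, which is the usual reason a long-neglected SPF record silently stops working.

```python
"""SPF check against an in-memory DNS table (added example, stdlib only)."""
import ipaddress

# Constructed DNS data keyed by (name, record type); nothing here is real.
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a include:mail.example.net -all",
    ],
    ("example.com", "A"): ["203.0.113.10"],
    ("mail.example.net", "TXT"): ["v=spf1 mx ~all"],
    ("mail.example.net", "MX"): ["mx1.mail.example.net"],
    ("mx1.mail.example.net", "A"): ["203.0.113.25"],
    # a broken record that includes itself; the lookup limit must stop it
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def spf_records(domain, dns):
    return [t for t in lookup(domain, "TXT", dns) if t == "v=spf1" or t.startswith("v=spf1 ")]


def host_ips(name, dns):
    return {ipaddress.ip_address(a) for a in lookup(name, "A", dns)}


def check_spf(ip, domain, dns=FAKE_DNS, lookups=None):
    """Evaluate the SPF record of `domain` for the sending address `ip`.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none (no
    record) or permerror (bad record or lookup limit exceeded). `lookups` is a
    one-element list shared across include: recursion so the DNS lookup count
    is enforced for the whole evaluation, not per record.
    """
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups
    records = spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:  # two SPF records is a permanent error, not a merge
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                # an IPv6 sender never matches an ip4 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = ip in host_ips(arg or domain, dns)
            elif name == "mx":
                matched = any(ip in host_ips(mx, dns) for mx in lookup(arg or domain, "MX", dns))
            elif name == "include":
                sub = check_spf(ip, arg, dns, lookups)
                if sub in ("none", "permerror"):
                    return "permerror"
                matched = sub == "pass"  # only a 'pass' inside an include matches
            else:
                return "permerror"  # unsupported or unknown mechanism
        except ValueError:
            return "permerror"  # malformed address or network in the record
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching term


if __name__ == "__main__":
    for sender, domain in [("192.0.2.77", "example.com"), ("203.0.113.25", "example.com"),
                           ("203.0.113.99", "example.com"), ("192.0.2.1", "loop.example")]:
        print(f"{sender:>14} for {domain}: {check_spf(sender, domain)}")
```

The shared lookup counter is the part worth copying into any real checker: each `include:` opens another record that brings its own `a`, `mx` and `include` terms, and the ten-lookup budget is spent across all of them.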
General DKIM setup
For DKIM, you'll need to generate a pair of cryptographic keys: a public key and a private key.
The private key is stored on your sending mail server and is used to sign outgoing email messages. The public key is published in the DNS records of your domain.
Many email service providers offer simple ways to generate and manage these keys.
Generate key pair: Create a public and private key pair. The private key will be used for signing outgoing messages, while the public key will be published in a DNS TXT record.
Configure mail server: Install the private key on your mail server and configure it to sign outgoing messages.
Publish public key: The public key is placed in a DNS TXT record. The name of the record usually follows the format: selector._domainkey.yourdomain.com.
Verify: Use DKIM validation tools to confirm that your DKIM is set up correctly.
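What "sign outgoing messages" and "verify" mean in practice, as an added example that is not from the original article. The message, selector `s1` and domain `example.com` are constructed for the example. The b= RSA signature is neither produced nor verified here (that needs a crypto library and the public key fetched from `s1._domainkey.example.com`); the code covers the two steps every verifier performs before the signature check: relaxed canonicalization of headers and body (RFC 6376) and recomputing the body hash `bh=`. A wrong `bh=` is what most "DKIM fail" reports on legitimate mail come down to, typically a mailing list or gateway that rewrote the body after signing.

```python
"""DKIM canonicalization and body-hash (bh=) check (added example, stdlib only)."""
import base64
import hashlib
import re

WSP_RUN = re.compile(r"[ \t]+")


def canonicalize_body_relaxed(body):
    """RFC 6376 3.4.4: trim line-end whitespace, collapse whitespace runs,
    drop trailing empty lines, end a non-empty body with CRLF."""
    lines = [WSP_RUN.sub(" ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def canonicalize_header_relaxed(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse and trim whitespace."""
    value = WSP_RUN.sub(" ", value.replace("\r\n", "")).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def split_message(raw):
    """Split a CRLF message into [(name, raw value), ...] and the body; folded
    continuation lines keep their CRLF so canonicalization can unfold them."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def parse_tags(value):
    """Parse the 'tag=value; ...' list of a DKIM-Signature header."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash(body):
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode()


def signed_header_block(headers, sig_value):
    """The data the b= signature covers: the h= headers, last occurrence first
    for duplicates (RFC 6376 5.4.2), then the DKIM-Signature header itself
    with an empty b= and no trailing CRLF."""
    out, remaining = [], list(headers)
    for wanted in parse_tags(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out.append(canonicalize_header_relaxed(*remaining.pop(i)))
                break
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value.replace("\r\n", ""))
    out.append(canonicalize_header_relaxed("DKIM-Signature", stripped).rstrip("\r\n"))
    return "".join(out)


def build_signature_value(body, domain, selector, signed=("from", "to", "subject")):
    """Signer side: every tag of the DKIM-Signature header except the b= signature."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed)}; bh={body_hash(body)}; b=")


def verify_body_hash(raw_message):
    """Verifier side: recompute bh= from the received body and compare."""
    headers, body = split_message(raw_message)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = parse_tags(sig)
    if tags.get("v") != "1" or tags.get("c", "simple/simple") != "relaxed/relaxed":
        return False  # only relaxed/relaxed canonicalization is implemented here
    return body_hash(body) == tags.get("bh")


# Constructed sample: a folded Subject line and sloppy body whitespace, both of
# which relaxed canonicalization normalizes before hashing.
SAMPLE_HEADERS = [("From", " billing@example.com"), ("To", " alice@example.net"),
                  ("Subject", " Invoice  for\r\n   October")]
SAMPLE_BODY = "Hello  Alice, \r\nYour invoice is attached.\r\n\r\n\r\n"


def build_sample_message():
    sig = build_signature_value(SAMPLE_BODY, "example.com", "s1")
    fields = SAMPLE_HEADERS + [("DKIM-Signature", " " + sig)]
    return "".join(f"{n}:{v}\r\n" for n, v in fields) + "\r\n" + SAMPLE_BODY


if __name__ == "__main__":
    msg = build_sample_message()
    print("body hash ok:", verify_body_hash(msg))
    print("body hash ok after tampering:", verify_body_hash(msg.replace("invoice", "refund")))
```

Relaxed mode is the usual choice precisely because of the whitespace tolerance shown by the sample: a relay that re-wraps a header or trims trailing spaces does not break the signature, while any change to the words does.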
General DMARC setup
DMARC (Domain-based Message Authentication, Reporting & Conformance) setup involves creating a DMARC record in your domain's DNS.
This is another TXT record that outlines the DMARC policy for your domain. You can specify the actions for emails failing SPF or DKIM checks and set up reporting options.
Create DMARC record: A DMARC record specifies your policies for what should happen to unauthenticated messages. A sample DMARC record looks like this: v=DMARC1; p=reject; rua=mailto:email@example.com.
Update DNS: Add the DMARC record to your DNS settings, usually under _dmarc.yourdomain.com as a TXT record.
Policy review: DMARC will generate reports that let you review how many messages are passing or failing authentication checks.
Fine-tuning: Based on the reports, fine-tune your DMARC policies and improve your email authentication setup.
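How a receiver applies a record like the sample above, as an added example that is not from the original article. It implements the two things the article's explanation glosses over: identifier alignment (a passing SPF or DKIM result only counts if its domain lines up with the From: domain) and the policy tags `sp=`, `adkim=`, `aspf=` and `pct=`. Assumptions: the DMARC record is passed in directly rather than fetched from `_dmarc.<domain>`, the SPF and DKIM results come from the caller, the `pct=` sample value is fixed to keep results deterministic, and the organizational domain is approximated as the last two labels of a name (a real receiver uses the Public Suffix List, so names such as example.co.uk would be handled wrongly by this shortcut).

```python
"""DMARC alignment and policy evaluation (added example, stdlib only)."""


def parse_dmarc(record):
    """Parse a DMARC TXT record; returns None if it is not a DMARC1 record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    # defaults from RFC 7489 section 6.3: sp falls back to p, relaxed alignment, pct=100
    return {"sp": tags["p"], "adkim": "r", "aspf": "r", "pct": "100", **tags}


def org_domain(domain):
    """Organizational domain (simplified to the last two labels, see assumptions)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=0):
    """Decide the DMARC result and disposition for one message.

    from_domain: domain of the RFC5322.From header; spf_domain: domain the SPF
    check ran against (MAIL FROM); dkim_domain: d= of a passing signature;
    sample: value in 0..99 compared against pct= (fixed here for determinism).
    """
    policy = parse_dmarc(record)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    # a record published at the org domain covers its subdomains through sp=
    action = policy["p"] if from_domain.lower() == org_domain(from_domain) else policy["sp"]
    if passed:
        disposition = "none"
    elif sample < int(policy["pct"]):
        disposition = action
    else:
        # outside the pct sample the next weaker action applies (RFC 7489 section 6.6.4)
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:email@example.com"
    # SPF passed for our own domain: aligned, delivered
    print(evaluate_dmarc(record, "example.com", "pass", "example.com", "fail", None))
    # SPF passed only for a third-party bounce domain and DKIM failed: rejected
    print(evaluate_dmarc(record, "example.com", "pass", "bulk.esp-example.net", "fail", None))
```

The second case in the usage block is the one that surprises people during rollout: a bulk mailer that passes SPF under its own bounce domain still fails DMARC unless it also signs with DKIM using your domain, which is why the article recommends starting with reports before moving to p=reject.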
DMARC vs DKIM vs SPF: Which to use and when?
Choosing between DMARC, DKIM, and SPF can be confusing, but the reality is that these protocols are often more effective when used in tandem.
Here's how to decide:
SPF (Sender Policy Framework): Best for simple email setups and when you need basic protection against email spoofing. However, it has limitations like the possibility of false positives.
DKIM (DomainKeys Identified Mail): Great for businesses that require a more robust email authentication method involving cryptographic signatures. It’s more secure but requires more technical expertise to set up.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Ideally should be implemented alongside SPF and DKIM. It's perfect for organizations looking to gain insights through reporting and take full control over their email deliverability.
How to check if an email has passed SPF, DKIM, and DMARC?
Knowing how to verify the effectiveness of these email security protocols is crucial. Here's how you can do it:
SPF: You can use various online tools to check the SPF record. In the email headers, look for the Received-SPF status. If it says 'pass,' your SPF setup is effective.
DKIM: Similar online tools exist for DKIM as well. In the email headers you'll find a 'DKIM-Signature' field; if it is present and the DKIM check result is 'pass,' DKIM is properly configured.
DMARC: DMARC reports can be sent to the domain owner, providing detailed information about the success or failure of SPF and DKIM, as well as how the emails are handled based on the DMARC policy.
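Reading those results out of a message's headers in code, as an added example that is not from the original article. Besides Received-SPF and DKIM-Signature, which the text mentions, most receivers record all three verdicts in an Authentication-Results header (RFC 8601), so the example parses that too. The caveat a defender needs: any upstream system can insert an Authentication-Results header saying "pass", so the summary only trusts the one whose authserv-id matches your own MX. The headers and the authserv-id `mx.example.net` are constructed for the example.

```python
"""Summarize SPF/DKIM/DMARC verdicts from message headers (added example, stdlib only)."""
import re

PAREN_COMMENT = re.compile(r"\([^)]*\)")


def unfold_headers(raw):
    """Return [(name, value), ...] with folded continuation lines joined."""
    fields = []
    for line in raw.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line:
            fields.append(line)
    return [tuple(f.partition(":")[::2]) for f in fields]


def parse_received_spf(value):
    """Received-SPF: result [(comment)] key=value; key=value; ..."""
    value = " ".join(value.split())
    m = re.match(r"(\w+)\s*(?:\(([^)]*)\))?\s*(.*)", value)
    props = {}
    for item in m.group(3).split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            props[k.strip().lower()] = v.strip().strip('"')
    return {"result": m.group(1).lower(), "comment": m.group(2), **props}


def parse_authentication_results(value):
    """Authentication-Results: authserv-id; method=result prop=value ...; ..."""
    value = " ".join(PAREN_COMMENT.sub("", value).split())
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def authentication_summary(raw_headers, trusted_authserv):
    """Collect the verdicts recorded by our own MX. Authentication-Results
    fields carrying a different authserv-id are ignored because they could
    have been added by anyone earlier in the delivery path."""
    summary = {"spf": "missing", "dkim": "missing", "dmarc": "missing",
               "dkim_signature_present": False}
    for name, value in unfold_headers(raw_headers):
        name = name.lower()
        if name == "authentication-results":
            authserv, results = parse_authentication_results(value)
            if authserv.lower() != trusted_authserv.lower():
                continue
            for method in ("spf", "dkim", "dmarc"):
                if method in results:
                    summary[method] = results[method]["result"]
            if "dkim" in results:
                summary["dkim_domain"] = results["dkim"].get("header.d")
        elif name == "received-spf" and summary["spf"] == "missing":
            summary["spf"] = parse_received_spf(value)["result"]
        elif name == "dkim-signature":
            summary["dkim_signature_present"] = True
    return summary


# Constructed headers as a receiving MX might add them; the DKIM-Signature
# values are placeholders, not a real signature.
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.net;\r\n"
    " spf=pass smtp.mailfrom=example.com;\r\n"
    " dkim=pass (2048-bit key) header.d=example.com header.s=s1;\r\n"
    " dmarc=pass header.from=example.com\r\n"
    "Received-SPF: pass (mx.example.net: domain of billing@example.com designates\r\n"
    " 192.0.2.10 as permitted sender) client-ip=192.0.2.10;\r\n"
    " envelope-from=\"billing@example.com\"; helo=mail.example.com;\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject;\r\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: billing@example.com\r\n"
)

if __name__ == "__main__":
    print(authentication_summary(SAMPLE_HEADERS, trusted_authserv="mx.example.net"))
    print(authentication_summary(SAMPLE_HEADERS, trusted_authserv="mx.other.example"))
```

Run with a different `trusted_authserv`, the same headers yield no DKIM or DMARC verdict at all, which is the behaviour you want from any mail-flow rule or SIEM query that keys on these headers.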
Providing security to your outgoing emails is extremely important for both your sender reputation and your marketing efforts. SPF, DKIM, and DMARC are powerful protocols that help you achieve just that.
Although each comes with its own set of advantages and disadvantages, using them together provides a more secure and controlled email environment.
From protecting against domain spoofing to improving email deliverability, these protocols are valuable tools for any organization that relies on email for communication.
Armed with this information, you can make well-informed decisions about incorporating SPF, DKIM, and DMARC into your organization's email setup.