What Are DKIM, DMARC and SPF? The Ultimate Guide to Email Authentication Protocols

Introduction
Email remains the number one way brands communicate information globally despite the rise of instant messaging tools.
In 2024, roughly 361.6 billion emails were sent every day, and an estimated 3.4 billion of those daily messages were phishing attempts. That volume is why email authentication matters.
When we talk about email authentication, the aim is to validate two things: that an email really originated from a sender authorized by the domain it claims to come from, and that the message was not modified in transit. The three protocols used for this are SPF, DKIM, and DMARC.
These protocols work together to protect the sending domain, which improves both security and deliverability and helps reduce email-based abuse such as spam, spoofing, and phishing.
In this article, we will look at each protocol and how it works in detail, its advantages and disadvantages, how the three work together, and how they compare.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that lets a domain owner publish a policy telling receivers what to do with messages that fail SPF and DKIM verification, and request reports about those messages. The DMARC specification was published as RFC 7489 in 2015.
How Does DMARC Work?
DMARC builds on SPF and DKIM. A receiving server first runs the SPF and DKIM checks, then applies a DMARC rule called identifier alignment: the domain in the visible From: header must match the domain that SPF authenticated (the envelope MAIL FROM domain) or the domain named in the DKIM signature (its d= tag). A message passes DMARC if at least one of SPF or DKIM passes and is aligned. Only when neither does is the published policy applied, and that policy determines whether the message is delivered normally, quarantined (sent to spam), or rejected.
In plain words the policy reads something like “if a message claiming to be from my domain fails both SPF and DKIM, quarantine it”. The published record is not written like that; it is a DNS TXT record at _dmarc.<your-domain> and looks like:
v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com
The important tag here is “p=quarantine”. DMARC has three “p” policies:
- p=none – The receiving server takes no action on failures and delivers as usual, but still sends reports. This is the monitoring mode used when first deploying DMARC.
- p=quarantine – Failing messages are flagged and typically go to the spam folder.
- p=reject – Failing messages are rejected outright.
The remaining tags:
- v=DMARC1 – The version tag; it must be the first tag in the record.
- adkim=s – DKIM alignment is strict: the d= domain must exactly equal the From: domain. The default, adkim=r (relaxed), also accepts a subdomain of it. (Optional)
- aspf=s – SPF alignment is strict: the MAIL FROM domain must exactly equal the From: domain. The default is aspf=r. (Optional)
- rua= – Where receivers send aggregate reports (XML summaries of pass and fail counts per sending IP). The related ruf= tag requests per-message failure (forensic) reports, which few receivers send. (Optional)
Administrators usually point rua= at a third-party service that parses these reports. The reports show which sources are sending mail for the domain and whether they authenticate and align, which is what you need in order to move safely from p=none to p=quarantine and then p=reject.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that attaches a digital signature to each message so that the receiver can verify both that the signing domain authorized the message and that the signed parts of it were not altered in transit.
DKIM was first standardized in RFC 4871 in 2007; the current specification is RFC 6376, published in 2011. What makes it different from SPF is that it uses cryptographic signatures rather than IP addresses: the sender’s domain is linked to the message by a signature made with a private key, and anyone can verify that signature with the matching public key published in the domain’s DNS.
How does DKIM Work?
The domain owner generates a key pair (RSA, or Ed25519 as added by RFC 8463). The private key stays on the sending mail server. For each outgoing message the server canonicalizes a chosen set of headers and the body, hashes them, and signs the hash. The result is added as a DKIM-Signature header that records the signing domain (d=), a selector (s=), the list of signed headers (h=), the body hash (bh=), and the signature itself (b=).
The receiving server fetches the public key from DNS as a TXT record at <selector>._domainkey.<domain>, recomputes the body hash and the header hash from the message as received, and checks the signature. If the body hash or the signature does not match, DKIM fails, which means either that the message was not signed by that domain or that the signed content was modified after signing. DMARC then decides what to do with a message whose DKIM (and SPF) checks failed.
DKIM therefore does something SPF cannot: it protects the integrity of the message content itself, so a receiver can tell whether the headers and body it sees are the ones the sending domain signed.
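The canonicalization and body-hash step described above, as an added example that is not code from the original article. It implements the “relaxed” canonicalization rules of RFC 6376 section 3.4 with only the Python standard library, recomputes the bh= tag for a constructed message, and shows that a one-word change to the body makes the hash mismatch while trailing whitespace changes do not. The RSA signature over the header hash (the b= tag) needs an RSA library and is not performed here; build_header_hash_input() shows exactly what that signature covers. The headers, body, domain and selector are made up for the example.

```python
"""Relaxed DKIM canonicalization and body-hash (bh=) verification.

Added example, not code from the original article. Implements RFC 6376
section 3.4 relaxed canonicalization and the bh= check a verifier performs
before checking the RSA signature. The sample message is constructed.
"""
import base64
import hashlib
import hmac
import re

WSP = re.compile(rb"[ \t]+")


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP on each line, squeeze runs of WSP to
    one SP, drop empty lines at the end, and end a non-empty body with CRLF."""
    lines = [WSP.sub(b" ", ln).rstrip(b" \t") for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 3.4.2: lowercase the name, unfold continuation lines, squeeze
    WSP to one SP, and drop WSP around the colon and at the end of the value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)           # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")   # squeeze and trim
    return f"{name.strip().lower()}:{value}\r\n".encode()


def body_hash(body: bytes) -> str:
    """The value a signer puts in bh= for c=relaxed/relaxed with SHA-256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(dkim_signature: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding WSP inside values is ignored
    return tags


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """RFC 6376 6.1.3: the bh= tag must equal the hash of the canonicalized
    body as received; a mismatch fails verification before any RSA work."""
    expected = parse_tags(dkim_signature).get("bh", "")
    return hmac.compare_digest(expected, body_hash(body))


def build_header_hash_input(headers: list, dkim_signature: str) -> bytes:
    """What the b= signature covers (RFC 6376 3.7): the headers named in h=,
    taking the last instance of repeated fields, each in relaxed form, then
    the DKIM-Signature header itself with b= emptied and no trailing CRLF."""
    wanted = [h.strip().lower() for h in parse_tags(dkim_signature)["h"].split(":")]
    remaining = list(headers)
    out = b""
    for name in wanted:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                out += relaxed_header(*remaining.pop(i))
                break
    stripped = re.sub(r"(^|;)\s*b=[^;]*", r"\1 b=", dkim_signature)
    return out + relaxed_header("DKIM-Signature", stripped).rstrip(b"\r\n")


# Constructed sample message (not a real capture).
HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly   report"),
]
BODY = b"Please find the figures attached.   \r\n\r\nRegards,\r\nAlice\r\n\r\n\r\n"
# bh= is computed from BODY so the sample verifies; a real signer would also
# fill b= with the RSA-SHA256 signature over build_header_hash_input().
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
             "h=from:to:subject; bh=" + body_hash(BODY) + "; b=")

if __name__ == "__main__":
    print("body hash verifies:", verify_body_hash(SIGNATURE, BODY))
    print("after tampering:   ", verify_body_hash(SIGNATURE, BODY.replace(b"attached", b"revised")))
    print(build_header_hash_input(HEADERS, SIGNATURE).decode())
```

Because the verifier recomputes bh= from the message it actually received, appending or changing body text after signing is detected, but trailing blank lines and runs of spaces are not, which is precisely what relaxed canonicalization is designed to tolerate on the way through mail servers.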
What is SPF?
SPF stands for Sender Policy Framework and is also an email authentication technique. It lets a domain owner publish the list of IP addresses (and other hosts) that are authorized to send mail on behalf of the domain. SPF was first published as the experimental RFC 4408 in 2006; the current standard is RFC 7208 from 2014.
The SPF record is a DNS TXT record at the domain name itself. Receiving mail servers use it to decide whether the connecting server is allowed to use that domain. One detail matters for security: SPF is evaluated against the envelope sender, the MAIL FROM address (visible to the recipient as Return-Path), not the From: header the user sees. That is why SPF alone does not stop From: spoofing and why DMARC adds its alignment check. If your domain has no SPF record, there is a high chance your mail ends up in spam.
How does SPF Work?
When a message arrives, the receiving server looks up the TXT record of the MAIL FROM domain and evaluates it against the IP address of the connecting server. The record is a single line starting with v=spf1 followed by mechanisms, and can look something like this:
v=spf1 ip4:46.56.185.89 ip4:46.56.185.95 include:mmsend.com -all
Here ip4: lists authorized addresses (a CIDR range such as ip4:46.56.185.0/24 is also allowed), include: pulls in another domain’s SPF record (typically a third-party sending service), and -all says that any other source should fail. The softer ending ~all produces a softfail instead. Evaluating the record yields one of the results defined in RFC 7208: pass, fail, softfail, neutral, none (no record published), temperror, or permerror (for example a syntax error, or more than 10 DNS-querying mechanisms).
A pass means the connecting server is authorized for the domain. A fail or softfail on its own does not dictate what the receiver does with the message; the sending domain’s DMARC policy says how such messages should be handled. Combined with DMARC, SPF reduces phishing because mail from unauthorized servers that forges your domain can be quarantined or discarded.
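The evaluation described above, as an added example that is not code from the original article. It implements the part of RFC 7208 needed for the record in the text (ip4 and ip6 with optional CIDR, include, and all with the +, -, ~ and ? qualifiers) and enforces the limit of 10 DNS-querying mechanisms. Real DNS is replaced by a constructed in-memory table so the code runs offline; every record in that table, including the one shown for mmsend.com, is made up for the example and is not that domain’s real SPF record.

```python
"""Offline SPF evaluator (added example, not code from the original article).

Implements ip4, ip6, include and all from RFC 7208 plus the 10-lookup limit.
DNS is replaced by FAKE_DNS, a constructed table of made-up records.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record, or None
# when the domain publishes no record. None of these are real records.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:46.56.185.89 ip4:46.56.185.95 include:mmsend.com -all",
    "mmsend.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    "neutral.example": "v=spf1 ?all",
    "loop.example": "v=spf1 include:loop.example -all",   # only the lookup limit stops this
    "nospf.example": None,
}
MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Stand-in for the DNS TXT query a receiver would make."""
    return FAKE_DNS.get(domain.lower())


def check_host(ip: str, domain: str, _budget=None) -> str:
    """RFC 7208 check_host(): result for a connecting IP and a MAIL FROM domain.
    Returns pass, fail, softfail, neutral, none, or permerror."""
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address == /32 or /128
            except ValueError:
                return "permerror"
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"        # more than 10 DNS-querying mechanisms
            inner = check_host(ip, arg, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # RFC 7208 5.2: included domain must have a valid record
            # fail, softfail or neutral inside the include is simply "no match"
        else:
            return "permerror"            # a, mx, ptr, exists and redirect= are outside this example
    return "neutral"                      # nothing matched and no "all" term (RFC 7208 4.7)


def evaluate(ip: str, mail_from: str) -> str:
    """SPF is evaluated on the envelope MAIL FROM domain, not the From: header."""
    return check_host(ip, mail_from.rsplit("@", 1)[-1])


if __name__ == "__main__":
    for ip, sender in [("46.56.185.95", "news@example.com"),
                       ("203.0.113.9", "news@example.com"),
                       ("2001:db8:1::5", "news@example.com"),
                       ("198.51.100.1", "news@example.com"),
                       ("198.51.100.8", "x@softfail.example"),
                       ("192.0.2.1", "x@nospf.example"),
                       ("192.0.2.1", "x@loop.example")]:
        print(f"{sender:>22} from {ip:<15} -> {evaluate(ip, sender)}")
```

Note the two outcomes that are easy to get wrong in practice: a server listed in an included record passes just as if it were in your own record, so every include grants that provider the right to send as your domain, and a record whose includes nest past the limit returns permerror, which receivers treat as a failure of your whole record rather than a pass.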
How Does DMARC, DKIM and SPF Work Together?
To establish robust authentication for your email, implement SPF, DKIM, and DMARC together. SPF and DKIM both rely on DNS to publish what receivers need in order to authenticate your mail, while DMARC uses DNS to publish how messages that fail both checks should be handled and where to send reports.
With SPF, you publish a list of authorized sending IP addresses in a DNS TXT record for your domain. Receivers use that record to verify that the connecting server is legitimate, but SPF says nothing about whether the message was modified in transit, and it checks the envelope sender rather than the From: header the user sees.
This is where DKIM comes in. The domain owner generates a signing key pair: the private key is stored on the sending mail server and signs outgoing messages, and the public key is published in your domain’s DNS. Receivers verify the signature to confirm that the signed headers and body were not tampered with in transit and that the signing domain authorized the message.
DMARC ties the two together. Its own TXT record names the policy for messages that fail both checks (none, quarantine, or reject), sets how strictly the domains authenticated by SPF and DKIM must align with the From: header, and requests the reports that show you who is sending mail as your domain.
In simple words, SPF checks whether a message comes from an authorized server, DKIM checks that its signed content was not tampered with, and DMARC checks that those results apply to the domain the user actually sees in From: and takes action when they do not. Together, these protocols let a receiver treat mail from your domain as authentic.
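The DMARC step that combines the SPF and DKIM results, as an added example that is not code from the original article. It serves both the DMARC section above (record tags, p= and sp= policies, strict versus relaxed alignment) and the end-to-end flow in this section: it parses a DMARC record, applies the identifier alignment rules of RFC 7489 section 3.1 to the SPF and DKIM outcomes, and returns the disposition a receiver would apply. Organizational-domain detection is simplified to the last two labels instead of the Public Suffix List, and the record, domains and scenarios are constructed for the example.

```python
"""DMARC evaluation: identifier alignment and disposition.

Added example, not code from the original article. parse_dmarc() reads the
TXT record published at _dmarc.<domain>; dmarc_result() applies RFC 7489
alignment to SPF/DKIM results. org_domain() is a simplification (last two
labels) of the Public Suffix List lookup real implementations use.
"""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict with the defaults filled in.
    v=DMARC1 must be present, exact, and first, or the record is ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")            # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])         # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain; assumption: two-label suffixes only."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 3.1: strict (s) needs an exact match; relaxed (r) accepts the
    same organizational domain, so mail.example.com aligns with example.com."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(record: str, record_domain: str, from_domain: str,
                 spf_result: str, spf_domain: str,
                 dkim_result: str, dkim_domain: str) -> tuple:
    """Return (result, disposition). record_domain is where the record was
    found: the From: domain itself, or its organizational domain, in which
    case the sp= policy applies. spf_domain is the MAIL FROM domain and
    dkim_domain the d= tag of a signature that verified."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return "fail", policy["sp"] if is_subdomain else policy["p"]


# Constructed record for example.com (not a real domain's policy).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

SCENARIOS = [   # (description, record_domain, from_domain, spf, spf_dom, dkim, dkim_dom)
    ("bounce subdomain in MAIL FROM, SPF pass, relaxed aspf",
     "example.com", "example.com", "pass", "bounce.example.com", "none", ""),
    ("attacker passes SPF and DKIM for their own domain, nothing aligns",
     "example.com", "example.com", "pass", "attacker.example", "pass", "attacker.example"),
    ("DKIM d= is a subdomain but adkim=s demands an exact match",
     "example.com", "example.com", "fail", "example.com", "pass", "mail.example.com"),
    ("forwarded mail: SPF breaks, aligned DKIM survives",
     "example.com", "example.com", "fail", "example.com", "pass", "example.com"),
    ("unauthenticated mail from a subdomain gets the sp= policy",
     "example.com", "news.example.com", "fail", "news.example.com", "fail", ""),
]

if __name__ == "__main__":
    for desc, *args in SCENARIOS:
        print(f"{desc}: {dmarc_result(RECORD, *args)}")
```

The second scenario is the one DMARC exists for: an attacker can always make SPF and DKIM pass for a domain they control, so the check that matters is whether the authenticated domain aligns with the From: domain the recipient sees.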
Advantages and Disadvantages
SPF, DKIM, and DMARC each have their strengths and limitations. Below are the advantages and disadvantages of SPF, DKIM, and DMARC respectively.
Advantages of SPF
- It is easy to implement for your domains as you only need to add a DNS TXT record with a list of authorized IP addresses.
- Receivers can identify mail that forges your domain as the envelope sender, because it arrives from a server that is not in your record, which protects recipients from phishing.
- SPF helps receiving providers trust your mail, which improves your domain reputation.
Disadvantages of SPF
- Records are hard to keep accurate as sending services change: every third-party sender must be added and stale entries removed.
- A record may trigger at most 10 DNS lookups (include, a, mx, ptr, exists, and redirect all count); exceeding that causes a permerror, which receivers treat as a failure.
- It breaks on forwarded mail, because the forwarding server’s IP is not in the original domain’s record.
Advantages of DKIM
- Provides stronger assurance because it uses cryptographic signatures, which cannot be forged simply by sending from a different server.
- It lets the receiver confirm that the signed headers and body arrived unaltered.
Disadvantages of DKIM
- It is harder to implement: keys must be generated, published in DNS under selectors, rotated, and the private keys kept out of the wrong hands.
- A valid DKIM signature does not guarantee that a message will pass the recipient’s spam filters; it authenticates the sender, it does not vouch for the content.
Advantages of DMARC
- It adds an enforcement layer on top of SPF and DKIM by tying their results to the From: header the user actually sees.
- Provides aggregate (and sometimes failure) reports to administrators.
- It gives the domain owner control over what happens to mail that fails both SPF and DKIM.
Disadvantages of DMARC
- Legitimate mail can be rejected or quarantined if the policy is enforced before every legitimate sending source authenticates and aligns, for example mail relayed through mailing lists or sent by third-party services not yet set up for DKIM.
- It takes effort to deploy: reports must be monitored and the policy moved from none to quarantine to reject as the findings are addressed.
Difference between DMARC, DKIM and SPF
The table below compares each protocol on important email authentication features.
Feature | SPF | DKIM | DMARC |
Purpose | Define which IP addresses are authorized to send mail on behalf of a domain. | Attach a digital signature so receivers can verify the message’s origin and the integrity of its signed headers and body. | Tie SPF and DKIM results to the From: domain the user sees and tell receivers what to do with mail that fails. |
Method of Authentication | Matches the connecting server’s IP against the addresses listed in the domain’s DNS record. | Verifies the cryptographic signature carried in the DKIM-Signature header using the public key published in DNS. | No mechanism of its own; relies on SPF and DKIM plus identifier alignment. |
Cryptography | None. | Public-key signatures (RSA or Ed25519): the private key signs, the public key in DNS verifies. Nothing is encrypted. | None. |
How Each Handles Forwarded Email | Breaks, because the forwarding server’s IP is not in the original domain’s record. | Survives as long as the forwarder does not change the signed headers or body; mailing lists that add footers or subject tags break it. | Relies on SPF and DKIM, so a forwarded message passes only if an aligned DKIM signature survives the forward. |
Reporting | None. | None. | Aggregate reports (rua tag) and, from the few receivers that send them, per-message failure reports (ruf tag). |
Action on Failed Authentication | None; SPF only returns a result. | None; DKIM only returns a result. | Policies none, quarantine, and reject for mail that fails both checks. |
Final Words
Authenticating outgoing email protects the sender’s reputation and the deliverability of the mail your business depends on. To get there you need to implement SPF, DKIM, and DMARC together.
However, implementing DMARC, SPF, and DKIM never guarantees that your mail will land in the recipient’s inbox; they prove who sent a message, not that it is wanted. Each has its own advantages and disadvantages, but used together they give receivers a reliable way to reject mail that forges your domain.