Overview of Email Security - SPF, DMARC, & DKIM

In this post I want to start discussing email security as I intend to transition to Cisco ESA/Email Security studies. This blog will cover a general understanding of Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, And Conformance (DMARC), & lastly Domain Keys Identified Mail (DKIM).

SPF, DMARC, & DKIM are a set of email authentication methods to prove to Internet Service Providers (ISPs) and mail services that the senders are actually who they are claiming to be, what senders can send from a specific domain, & provide a way to verify all of the above.

Before we dive in on how each method works, from a higher level let's start with the basics of what each method does for us:

  • SPF (Sender Policy Framework): SPF authentication works by strictly specifying the number of allowed domain IPs that can send emails from your domain. While setting up SPF, the domain owner can add a file or record on the server which tells the receiving server what domains are actually allowed to send emails. SPF essentially helps with protecting your domain against spoofing & helps with preventing your outgoing messages from being marked as spam.

  • DKIM (DomainKeys Identified Mail): DKIM authentication is similar to SPF. The DKIM is added as a TXT record by adding it in your domain panel. It makes sure that none of the emails going from server to server is not tampered by anyone in the middle and email can be clearly identified from the other end. DKIM adds an encrypted signature to the header of all outgoing messages. Email servers receiving signed messages then use DKIM to decrypt the message header.

  • DMARC(Domain-based Message Authentication): DMARC builds on SPF and DKIM to validate emails further by matching the validity of SPF and DKIM records. This enables you to set policies and get generated reports in case the DMARC validation fails. DMARC aims to help prevent hackers from spoofing the respective organization and domain.

Also, for clarity purposes, a TXT record is a DNS record that provides text information to sources outside of your domain, that can be used for a number of arbitrary purposes. TXT records are used to verify domain ownership and to implement email security measures such as SPF, DKIM, and DMARC.

Continuing on with each respective feature & further information. SPF relies on DNS in which an administrator of a domain can publish DNS records that specifies which hosts can send email for the domain. Prior to SPF there were no restrictions on what a sending host could use as a MAIL FROM value in a message or even the domain value in the HELO command. The DKIM feature adds additional security which increases the integrity of the email message. DKIM allows us to verify the authenticity of email associated with the respective domain. As alluded to earlier, this works by affixing a digital signature to each outgoing message. This signature is linked to the domain, and the public key is affixed in DNS. DMARC essentially handles how mail servers should and will treat messages that fail SPF, DKIM, or both. Lastly, DMARC also relies on DNS just like the other features.

My next goal is to cover SPF, DMARC, & DKIM at a deeper level in future posts. Cheers!


Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

"The What?" - In this blog I want to cover a project with Ansible that I created to automate parts of a workflow relating to an SDA edge node (EN) deployment. Now to breakdown the workflow I will be