What Are DMARC, DKIM, and SPF?

By Katie Sillari

Published on 3 Nov, 2021

DMARC, DKIM, and SPF represent more than technical email setup. If ignored or incorrectly configured, they negatively impact inbox placement and cost organizations revenue.  

In short, all three methods are ways Internet Service Providers (ISPs) authenticate email. Is the sender really who they say they are? 

Many types of transactions require authentication: a patient needing treatment, a driver needing a license, a customer paying with a credit card, a passenger boarding an airplane. In order to proceed, you must prove your identity with a passport, a Social Security card, proof of health insurance, or some other form of identification. Not sure if you have either? Tools are available online for DMARC, SPF, and DKIM checks.

The world of deliverability works the same. In order to get through the gates of ISP filters, you need to prove that you are a legitimate sender. How do you prove you are not sending on behalf of someone else and that your identity has not been compromised? By utilizing SPF, DKIM, and DMARC.

DMARC, DKIM, and SPF Email Authentication

SPF, DKIM, and DMARC are acronyms for text records that specifically prove and protect a sender’s authentication. Let’s break them down.

What is SPF?

SPF, or Sender Policy Framework, is an email validation protocol designed to detect and block email spoofing. It allows mail exchangers to verify that incoming mail from a specific domain comes from an IP Address authorized by that domain’s administrators. An SPF record is a TXT record found in the DNS (Domain Name System) record that specifies which IP addresses and/or servers are allowed to send mail “from” that domain. It is akin to a return address on a postcard: Most people are much more likely to open a letter if the letter has a reliable and recognizable return address.

After an email message is sent, ISPs check the message’s Return-Path domain. They then compare the IP address that sent the email to the IP address listed in the Return-Path domain’s SPF record to see if it aligns. If it does, the ISPs confirm the SPF authentication and deliver the message.

Why is SPF important?

SPF is a “proposed standard” that helps protect email users from potential spammers. Email spam and phishing often use forged “from” addresses and domains. Therefore most consider publishing and checking SPF records as one of the most reliable and simple to use anti-spam techniques. If you have a good sending reputation, a spammer might attempt to send an email from your domain in order to piggyback off your good sender reputation with ISPs. But properly set up SPF authentication shows the receiving ISP that even though the domain may be yours, the sending server has not been authorized to send mail for your domain.

An SPF record in a top domain (i.e., collegedata.com) will automatically authenticate any subdomains (i.e., mail.collegedata.com), even when it may not contain its own SPF record.

For more information on how to create an SPF record, click here.

What is DKIM?

What does DKIM stand for? It stands for DomainKeys Identified Mail, which lets an organization (or handler of the message) take responsibility for a message in transit. DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier acts independently of any other identifier in the message, such as the author’s From: field. DKIM, a TXT record signature, also builds trust between the sender and the receiver. A digital signature is double-checked with every email sent using DKIM, meaning that you’ll be able to be sure you’re not being impersonated. DKIM email security is designed using encryption keys.

Why is DKIM important?

DKIM proves three things:

  1. The content of an email has not been tampered with.
  2. The headers in the email have not changed since the original sender sent and there is no new “from” domain.
  3. The sender of the email owns the DKIM domain, or is authorized by the owner of that domain.

What does DKIM do, exactly? DKIM uses an encryption algorithm to create a pair of electronic keys — a public key and a private key. Your ESP should create these keys for you.

The private key remains on the computer on which it was created. The first key’s encryption can only be decrypted by the other key. A sender will post the “public” key in the DNS record and list its location in the DKIM signature with the “d=” domain and the “s=” selector. The owner of the DNS keeps the private key secret and stores it in the sending email server. If the information in the decrypted signature matches the information it received in the unencrypted header, it knows the header has not been tampered with during transmission and reception.

In other words, DKIM creates a way to ‘sign’ an email with a digitally-encrypted signature. This signature is a header in an email message. See this example of a DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1476054397;

s=m1; d=e.rentpath.com; i=@e.rentpath.com;

h=Date:From:To:Subject:MIME-Version:Content-Type;

bh=Rm+zVdTj9mQiUHxMpu+O9d9OuV3cOTuaNWHONtEXYo0=;

b=oGVqGJKcS8KZ+YR8+AKzGKg2t1qpwKFXpg6jO3eU/a0eCLnkL5BC7L1g=

To understand the inner workings of DKIM requires strong knowledge on modern cryptography. For our purposes, DKIM is a technical practice that builds trust between a sending and a receiving email server.

For more information on DKIM, click here.

What is DMARC?

DMARC, or Domain-Based Message Authentication Reporting and Conformance, is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the “Friendly-From” domain that the user sees. In order for DMARC to pass, both SPF and DKIM must pass and at least one of them must be aligned. In short, there is no DMARC without DKIM or SPF. DMARC checks for a DKIM pass and a SPF pass before authorizing mail, meaning you’re doubly secured.

  • Both authentications passing indicates that the email is coming from an authorized server and that the header information has not been tampered with to falsify alignment.
  • At least one authentication aligning proves that the sender owns the DNS space of the “Friendly-From” and is therefore who they say that they are.

For SPF to align, the message’s From-domain and its Return-Path domain must match. For DKIM to align, the message’s From domain and its DKIM d= domain must match.

Why is DMARC important?

Any message that does not align is treated as phishing and is not delivered. Phishing is the fraudulent practice of sending malicious emails pretending to be someone else in an attempt to steal a user’s credit card information or other personal information. Therefore, with DMARC, you are protecting yourself. In March 2017, the Federal Trade Commission published a study on DMARC usage by businesses[10]. The study found that about 10% of 569 businesses with a significant online presence publish strict DMARC policies.

SPF vs DKIM

Now that you know what is SPF and DKIM, let’s talk about the differences. SPF identifies IP addresses in order to determine which senders are permitted to send mail to a domain. DKIM instead identifies senders using an encryption key with a digital signature to ensure that mail is safe. DKIM or SPF both have their own pros and cons.

When implementing a DMARC record, you have 3 policy options. These policies inform the recipient server how to treat mail sent from you that is not DMARC compliant. Please note that the recipient server is not required to treat mail as requested.

  1. None: Treat all mail sent from your domain as it would be without any DMARC validation.
  2. Quarantine: The recipient server may accept the mail but should place it somewhere other than the recipient’s inbox (usually, the spam folder).
  3. Reject: Completely reject the message.

A successful DMARC implementation would slowly ramp up from different percentages of quarantine to ultimately fully reject. A successful practice also requires the sender to monitor DMARC reports regularly. These reports would inform of any phishing attempts to your domain, or if your own mail is being rejected for failing DKIM or SPF.

Is DMARC necessary? Let’s just say Google recommends the use of DMARC for bulk email senders, and we also highly suggest it. It proves to ISPs that you are a serious sender and are willing to take precautionary measures to protect your identity and reputation. Plus, Gmail and Microsoft are quickly adopting DMARC into their filtering methods.

As with every authentication method mentioned, it’s better to be safe than sorry!

For more information on DMARC, you can visit dmarcian.com

Shift Paradigm is an experienced full-service team that makes a perfect partner for every business. Our B2B and B2C knowledge and a blend of capabilities ensure the strategic and technical know-how to drive growth. If you need assistance with SPF, DKIM or DMARC implementation, contact us today!

Written By Katie Sillari

Email Icon