You can't fool me when it comes to SPF, DKIM, and DMARC!
Every day, we send and receive emails, and often, these contain important information that we want delivered securely and for the intended recipient's eyes only. When important things end up in the spam folder, it is a pain… but this is an inconvenience that you can address with a degree of success.Since we are bombarded with fake emails, spam and spoofs trying to trick and do us harm, fighting spam is necessary. If you send emails, there’s a number of tools you can (or should) use to not be classified as spam and show you’re legit: SPF, DKIM and DMARC.
Recent changes that came into force in February will make SPF, DKIM and DMARC essential if you are sending Newsletters and mass mailings, but you should see them as more of a friend than an inconvenience.
Let us dive in and get to grips with what they are and how to set them up.
The Evolution of SPF Records
The development and deployment of Sender Policy Framework (SPF) records represent a significant advancement in the fight against email spoofing and phishing attacks. SPF provides a method for receiving mail servers to verify that incoming email from a domain is sent from a host authorised by that domain's administrators. Now, we will unpack that and explore the history, use, and implementation of SPF records, offering insights into their critical role in enhancing email security.
Historical Context
The inception of SPF can be traced back to the early 2000s, a period when email was rapidly becoming an essential tool for communication in both personal and professional contexts. However, the increasing reliance on email also attracted malicious actors who began exploiting the system's vulnerabilities to conduct spoofing and phishing attacks. Email spoofing, where the sender's address is forged to masquerade as someone else, became a prevalent method for attackers to deceive recipients.
Paul Vixie and Meng Weng Wong proposed the SPF project in 2003 to combat these issues. The initiative aimed to create a simple email-validation system designed to detect and prevent email spoofing. The fundamental principle behind SPF is to allow domain owners to specify which email servers are permitted to send emails on behalf of their domains. This information is published in DNS records, making it accessible for email servers to verify the authenticity of the incoming emails.
Use and Benefits
SPF records are used primarily to prevent email spoofing. By validating the sending server, SPF helps to ensure that the email originates from an authorised source, thereby reducing the likelihood of spam and phishing attacks. This verification process is crucial for maintaining the integrity of email communication and protecting users from potential harm.
The benefits of implementing SPF records are manifold. Firstly, it significantly reduces the chance of an organisation's domain being used for malicious spoofing and phishing campaigns. Additionally, it improves the deliverability of legitimate emails, as messages that pass SPF checks are less likely to be marked as spam by receiving email systems. This enhancement in email reputation can lead to better engagement rates and more effective communication.
Implementation
Implementing SPF requires the creation of a specific type of DNS record called an SPF record. This record contains a list of IP addresses that are authorised to send emails on behalf of the domain. The format of an SPF record begins with "v=spf1", indicating the version of SPF used, followed by mechanisms that specify the allowed senders.
Mechanisms:
- all: Matches any IP address. It's usually used at the end of an SPF record to specify a policy for IP addresses that have not matched any previous mechanisms.
- a: Matches if the domain has an A record (IPv4) or AAAA record (IPv6) that resolves to the sending server's IP address.
- mx: Matches if the domain's MX records resolve to the sending server's IP address. It's used when the domain's mail servers are allowed to send email on behalf of the domain.
- ip4: Specifies an IPv4 address or range that is authorised to send emails.
- ip6: Specifies an IPv6 address or range that is authorised to send emails.
- include: Includes the SPF record of another domain. This is useful for allowing third-party vendors to send emails on behalf of your domain.
- exists: Matches if a specified domain name resolves to any IP address.
- ptr: Deprecated due to slow performance and potential for abuse. It was used to match if the domain's PTR record resolves to the sending server's domain name.
Qualifiers:
- + (Pass): The default qualifier if none is specified. Indicates that the IP address is authorised to send mail.
- - (Fail): Indicates that the IP address is not authorised to send mail, leading to rejection of the message.
- ~ (SoftFail): Suggests that the IP address is not authorised, but the message should be accepted and may be marked as suspicious.
- ? (Neutral): Indicates that the sender makes no assertion about the IP address's authorisation.
Modifiers:
- redirect: Specifies a domain to which the SPF evaluation should be redirected. If present, it overrides the all mechanism but not the other mechanisms.
- exp: Used to provide an explanation for mail that fails the SPF check. It specifies a domain that contains a TXT record with an explanation string.
For example, an SPF record might look like this:
v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:example.com -all
This record authorises emails sent from the IP ranges 192.0.2.0/24 and 198.51.100.0/24, allows emails from servers specified by example.com's SPF record, and rejects emails from any other sources ("-all").
The implementation process involves several steps:
- Planning: Identify all the servers and services that send emails on behalf of the domain.
- Record Creation: Construct an SPF record that includes all authorised sending IP addresses or domains.
- DNS Update: Publish the SPF record in the domain's DNS settings.
- Testing and Validation: Use SPF validation tools to test and ensure the SPF record is correctly configured and functioning as intended.
Challenges for SPF
While SPF provides a robust mechanism against email spoofing, it is not without challenges. One notable limitation is that SPF only checks the envelope sender address, not the header from the address displayed to users, which can still be forged. Additionally, incorrect SPF setup can lead to legitimate emails being marked as spam or rejected, underscoring the importance of careful configuration and regular maintenance.
SPF Record Generation Tools
- MXToolbox (https://mxtoolbox.com/SPFRecordGenerator.aspx): Provides a straightforward SPF record generator tool, alongside other DNS and domain analysis tools.
- SPF Wizard (https://www.spfwizard.net/): A simple interface to generate SPF records by specifying the domains and IP addresses that are authorised to send emails.
The Next Evolutionary Step, DKIM Records
DomainKeys Identified Mail (DKIM) represents a significant leap forward in ensuring the authenticity and integrity of email communications. By allowing email senders to associate their domain name with an email message, DKIM provides a mechanism for the validation of an email's origin and its content integrity. This article delves into the history, use, and implementation of DKIM records, highlighting their importance in the contemporary landscape of email security.
Historical Context
The development of DKIM can be traced back to efforts to combat email spam and phishing, which saw a significant rise in the early 2000s. Two separate initiatives, DomainKeys by Yahoo and Identified Internet Mail by Cisco, aimed to address these issues by verifying the domain of an email sender and the message integrity. These efforts culminated in the merging of the two standards into DomainKeys Identified Mail (DKIM), which was published as an IETF standard in 2007.
The core idea behind DKIM is to provide a cryptographic signature that can be verified by the recipient, ensuring that emails are not tampered with during transit and that they originate from the stated domain. This technology emerged as a crucial tool in the ongoing battle against email-based threats, offering a layer of verification that was previously unavailable.
Use and Benefits
DKIM allows senders to take responsibility for their emails by attaching a digital signature to each message. This signature is linked to the sender's domain, and its validity can be checked by retrieving the corresponding DKIM public key from the domain's DNS records.
The primary uses and benefits of DKIM include:
- Email Authentication: DKIM verifies that the email was indeed sent by the owner of the domain it claims to be from, helping to prevent email spoofing and phishing attacks.
- Message Integrity: By verifying the digital signature, recipients can be assured that the content of the email has not been altered in transit, ensuring the message's integrity.
- Improved Deliverability: Emails validated by DKIM are less likely to be flagged as spam, improving deliverability rates and ensuring that legitimate messages reach their intended recipients.
Implementation
Implementing DKIM involves several key steps, including the generation of a public-private key pair, the publication of the public key in the domain's DNS records, and the configuration of the email system to sign outgoing emails with the private key.
A brief overview of the DKIM implementation process:
- Key Generation: Generate a public-private key pair to be used for signing emails. The private key is kept secure and used by the outgoing mail server, while the public key is made publicly available via DNS.
- Publishing the Public Key: The public key is published in the domain's DNS records in a TXT record under the selector specified during the key generation. This allows receiving mail servers to retrieve the key to verify the DKIM signature.
- Configuring Email Signing: Configure the outgoing mail server to automatically sign all outgoing emails with the DKIM signature using the private key. This usually involves adjusting settings in the mail server software or email sending service.
- Testing and Verification: After configuration, it's crucial to test the setup to ensure that emails are correctly signed and that the signatures can be verified using the published public key.
DKIM Record Structure
A DKIM record is published in the DNS as a TXT record. It contains several tagged values, which are essentially the qualifiers and configuration flags you're asking about. Each tagged value (or flag) consists of a tag (a letter or a few letters) followed by an equals sign (=) and a value. The basic structure of a DKIM record might look like this:
"v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD..."
Here are some of the key qualifiers and configuration flags:
- v= (version): Identifies the DKIM version, usually "DKIM1".
- h= (hashing algorithms): Specifies the hash algorithms that can be used to generate the message's signature. Common values include sha1 and sha256.
- k= (key type): Specifies the type of key used. The most common value is rsa.
- p= (public key): The public key that will be used to verify the DKIM signature. This is encoded in Base64.
- s= (service type): Optional. Specifies the service types to which the record applies. Common value is *, indicating all services.
- t= (flags): Optional. Specifies any flags, which can modify the behavior of the DKIM verification process. Possible values include:
- y: Indicates the domain is testing DKIM.
- s: Indicates the DKIM record is strictly for email and should not be used for other services.
Advanced Configuration Flags
Other configuration flags, though less commonly used, include:
- g= (granularity): Specifies who can send mail for the domain. The default is *, meaning anyone.
- n= (notes): Allows the domain owner to note information about the state of the DKIM record, which is not interpreted by the validator.
- o=~ or o=- (DKIM Quarantine/Reject): Indicates how strictly the domain's emails should be treated by receivers. o=~ suggests a soft fail (quarantine), and o=- suggests a hard fail (reject).
Suggestions for Configuration
When configuring DKIM for your domain, ensure that:
- You choose the appropriate hash algorithm (preferably sha256) for your security needs.
- Your public key (p=) is correctly placed and encoded in your DNS records.
- If you are in a testing phase, use the t=y flag to indicate this to recipients, reducing the risk of legitimate emails being rejected.
Lastly, always keep your DKIM records and associated cryptographic keys secure, rotating them periodically to enhance security.
So DKIM Sorts all the Issues?
While DKIM significantly enhances email security, its implementation and maintenance require careful consideration. One challenge is ensuring the security of the private key; if compromised, attackers could sign emails as if they were the domain owner. Furthermore, DKIM alone does not solve all email security issues, such as direct domain impersonation or determining the sender's policy on handling emails that fail DKIM checks.
DKIM Record Generation Tools
- DKIMCore (http://dkimcore.org/tools/): Offers tools for creating DKIM records, including a key generator that helps in setting up DKIM signatures.
- EasyDMARC (https://easydmarc.com/tools/dkim-generator): Provides a DKIM generator tool to create a DKIM record easily by specifying your domain and selecting a key length.
The Final Step In Evolution? DMARC Records
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a pivotal standard in the domain of email authentication, designed to give email domain owners the ability to protect their domain from unauthorised use, commonly known as email spoofing. The advent of DMARC represents a significant milestone in the ongoing battle against phishing and spam, building upon and uniting the foundational frameworks of SPF and DKIM.
Historical Context
The conceptualisation of DMARC began in response to the limitations of SPF and DKIM. While both SPF and DKIM were effective in their respective domains, they did not provide a standardised way for receivers to report back to senders about messages that failed authentication. This gap meant that domain owners had limited insight into the misuse of their domains for email spoofing or phishing attacks.
DMARC, formally introduced in 2012, emerged as a solution to this problem. It was developed by a group of leading technology companies, including Google, Microsoft, Yahoo, and PayPal, with the aim of creating a more secure email ecosystem. DMARC enables domain owners to publish policies in their DNS records that dictate how receiving email systems should handle messages that fail SPF or DKIM checks. Moreover, it provides a mechanism for receiving email systems to report back to the senders about these messages, offering visibility into authentication failures and potential security issues.
Use and Benefits
The primary use of DMARC is to prevent unauthorised use of a domain in email communications. This is achieved through the specification of policies that instruct email receivers on how to deal with messages that fail to authenticate under SPF and DKIM.
The benefits of implementing DMARC include:
- Enhanced Email Security: By allowing domain owners to define clear policies on handling unauthenticated emails, DMARC significantly reduces the risk of phishing and spoofing attacks.
- Improved Visibility: DMARC reports give domain owners insight into how their domains are being used in email, including attempts at unauthorised use, helping them to identify and mitigate security threats.
- Increased Email Deliverability: Legitimate emails from domains with a DMARC policy are more likely to be delivered to recipients' inboxes, as DMARC helps to establish the authenticity of the sending domain.
Implementation
The implementation of DMARC involves several key steps, starting from the formulation of a policy to its publication in the DNS and the analysis of reports generated by this policy.
Here is a simplified overview of the process:
- Policy Creation: The first step is to create a DMARC policy. This policy specifies how receiving mail servers should handle emails that fail SPF and DKIM checks. The policy options include "none" (monitor only), "quarantine" (treat as suspicious), and "reject" (block the email).
- DNS Record Publication: The DMARC policy is published in the DNS as a TXT record under the _dmarc subdomain of the domain being secured. This record makes the policy available to email servers receiving messages from the domain.
- Monitor and Analyze Reports: Initially, it's advisable to start with a policy of "none" to monitor the impact without affecting email delivery. Receiving mail servers that support DMARC will send reports to the email addresses specified in the DMARC record, providing details on messages that pass or fail SPF and DKIM checks.
- Adjust Policy Based on Findings: After analysing the reports and ensuring that legitimate emails are correctly authenticated, the domain owner can adjust the DMARC policy to a more restrictive setting if desired.
A DMARC policy is defined by several qualifiers and configuration flags within its DNS TXT record. Here are the key components of a DMARC record:
Qualifiers
- p (Policy): Specifies the policy to be applied by the receiving server to email that fails the DMARC check. Possible values are:
- none: Treat the mail the same as if no DMARC policy were in place (log only; no action).
- quarantine: Mark the mail as suspicious. Depending on the receiver's policies, this typically means diverting it to the spam or junk folder.
- reject: Block the mail. This tells the receiving server to reject messages that fail DMARC.
- sp (Subdomain Policy): Specifies the policy for subdomains of the main domain. It can take the same values as the p tag (none, quarantine, reject). If not specified, the policy specified by the p tag is applied to subdomains.
Configuration Flags
- rua (Reporting URI of Aggregate Reports): Specifies where the aggregate reports of DMARC failures should be sent. This is typically an email address formatted as a mailto: URI.
- ruf (Reporting URI for Forensic Reports): Specifies where forensic reports of individual DMARC failures should be sent. This is also typically an email address formatted as a mailto: URI.
- pct (Percentage): Specifies the percentage of messages to which the DMARC policy is applied. This allows domain owners to gradually implement DMARC by ramping up from a smaller percentage of their traffic.
- adkim (Alignment Mode for DKIM): Specifies the alignment mode for DKIM (DomainKeys Identified Mail). Values can be r for relaxed or s for strict. Relaxed alignment allows the Organizational Domain part of the DKIM signing domain (d=) and the From domain to be different but still have some shared domain components. Strict alignment requires an exact match.
- aspf (Alignment Mode for SPF): Specifies the alignment mode for SPF (Sender Policy Framework). Like adkim, the values can be r for relaxed or s for strict. This controls how closely the domain in the From header must match the domain in the Return-Path header for SPF alignment.
Example DMARC Record
Here's an example of a DMARC TXT record with various flags and qualifiers:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:
This record specifies:
- a reject policy for the main domain,
- a quarantine policy for subdomains,
- sends aggregate reports and forensic reports to specified email addresses,
- applies the policy to 100% of mail,
- and specifies relaxed alignment for both DKIM and SPF.
Are There Any Catches With DMARC?
While DMARC is a powerful tool for enhancing email security, its implementation is not without potential pitfalls.
Proper configuration of SPF and DKIM records is a prerequisite for effective DMARC operation. Misconfiguration can lead to legitimate emails being quarantined or rejected, potentially disrupting email communication. Therefore, a cautious, phased approach to implementing DMARC, beginning with monitoring mode, is crucial to identify and rectify any issues before enforcing a more stringent policy.
Additionally, the analysis of DMARC reports requires a degree of technical expertise and can be resource-intensive for organisations receiving large volumes of email. Automated tools and services can help manage this complexity by processing and interpreting DMARC reports, offering actionable insights for improving email security.
Dmarc Record Generation Tools
- DMARCIAN (https://dmarcian.com/dmarc-record-wizard/): Offers a DMARC Record Wizard to create DMARC records by answering a few simple questions.
- Global Cyber Alliance DMARC Setup Guide (https://dmarc.globalcyberalliance.org/): Provides a step-by-step guide to generate DMARC records, alongside tools for SPF and DKIM.
Comparative Effectiveness in Stopping Spam and Spoofing
While SPF and DKIM individually contribute to mitigating email spoofing and ensuring message integrity, neither alone is fully effective at stopping all forms of spam and spoofing. SPF can be circumvented if the attacker finds an authorised server vulnerable to abuse, and DKIM alone does not prevent domain spoofing in the “From” header. DMARC significantly enhances security by leveraging the strengths of both SPF and DKIM and addressing their limitations through policy enforcement and reporting, making it more effective at combating spoofing and phishing attacks when properly implemented.
Potential Successors and Evolutions
The continuous evolution of email threats necessitates ongoing development in authentication technologies. BIMI (Brand Indicators for Message Identification) is one emerging standard that works alongside DMARC. It allows organisations to display their brand logo in supported email clients, providing an additional layer of trust for authenticated emails. Future developments may focus on enhancing identity verification, improving the ease of configuration and management of these protocols, and increasing adoption and enforcement across the email ecosystem.
Advanced cryptographic methods, enhanced DNS security features, and machine learning-based authentication mechanisms may also emerge as successors or complements to SPF, DKIM, and DMARC, aiming to further secure email communication against evolving threats.
While SPF, DKIM, and DMARC each play a vital role in email security, the combination of these technologies, supported by ongoing advancements and complementary standards like BIMI, represents the most effective strategy for combating spam and spoofing. The future of email authentication will likely involve a layered approach, integrating advancements in cryptography, domain security, and machine learning to adapt to the ever-changing landscape of cyber threats.
Some articles published on the Joomla Community Magazine represent the personal opinion or experience of the Author on the specific topic and might not be aligned to the official position of the Joomla Project
By accepting you will be accessing a service provided by a third-party external to https://magazine.joomla.org/
Comments 3
If you are interested in email security and delivery, this is a great article to read to bring you up to date with the various technologies. I also like how Philip has got to the trouble to explain all the flags for each of the technologies.
The history for each of the technologies helps you to understand why and how they work.
This is a great article and can be used by people as a reference document.
Thanks Philip
That's very kind, and it was indeed as a reference document that I had the idea, I've even been lazy and pointed my own customers to it!
This is a great article that goes a little more in-depth than others, outlining how to use SPF, DKIM and DMARC, without having to delve too much into the RFCs to understand all the options or tags.
I note the link to the EasyDMARC DKIM generator is no longer valid. Please consider adding a link to one of the generators supporting the newer Ed25519 signing mechanism as well.