Today, email spam is one of the most common cyberattacks conducted by people with malicious intent intending to steal your passwords and personal credentials, leading users to phishing sites to steal bank account details, identity theft and so on.
Because of this, ISPs and email providers such as Gmail and Office 365 are taking anti-spam measures by enforcing stricter protocols in the type of emails that they receive, so it's good to implement those protocols and ensure that your email gets delivered and not delayed or worse, rejected by the mail servers.
So, what are those protocols?
SPF, DKIM and DMARC are the three main secure protocols used to authenticate your mail server and this will prove the ISPs and other mail service providers that the mail being sent is legitimate and authorized.
It's an acronym for Sender Policy Framework. SPF is nothing but a DNS TXT record that specifies the server(s) and IP addresses that are allowed to send email from a specific domain.
Assuming you are the sender, just think of sending a postcard to your friend in which you add your address as well, so that your friend knows who the recipient is and he/she would most likely open it because they trust it.
But in technical terms, the actual recipient is not the user but rather the mail server that receives the mail.
Create an SPF record
An SPF record is a very simple string and it can be easily created. However, there are a few parts to it:
- Version of SPF used.
- IP addresses that are authorized to send emails.
- Third party domain(s) that are authorized to send emails.
- An ending tag named "all" which tells the receiving server on what policy to apply if the sending server is not a part of the SPF record.
So, let's what does it look like and what each part of it does:
v=spf1 ip4:18.104.22.168 include:example-domain.com -all
v=spf1 states the SPF version being implemented. Currently, there's no any other version at this point. So, it should always stay as this version until another version is released.
ip4:22.214.171.124 is the IP address of the mail server/domain that's authorized to send emails for that domain. You can use multiple IP addresses and can be listed individually like this
ip4:126.96.36.199 ip4:188.8.131.52 or through a CIDR like
ip4:184.108.40.206/20. If both IPv4 and IPv6 addresses are being used by mail server, make sure that both of those addresses are being listed.
include:example-domain.com is a secondary domain that's authorized to send emails on behalf of the primary mail domain(s) listed. Just like the previous rule above, you can add multiple secondary domains but bear in mind that only a maximum of 10 domains are allowed for any sending domain.
-all is a tag that instructs the receiving server on how to handle messages from a domain that isn't a part of the SPF record. There are some options and they are all dictated by a single character that precedes the
all keyword. The options are:
-allmeans hard fail. The receiving server should reject the email if the sender domain is not authorized.
~allmeans soft fail. The receiving server can flag it as a possible spam if the sender domain is not authorized.
+allmeans authorized. The receiving server allows the email even if the sender domain is not authorized. Now, this is not recommended and please do not use this option.
It's an acronym for DomainKeys Identified Mail a.k.a Email signing. Just like SPF, DKIM is also a simple DNS TXT record that tells the receiving server that the mail is certified which allows to build a trust between both the sending and receiving servers.
To handle this trust, DKIM makes uses of an RSA cryptographic algorithm to create a pair of public and private encryption keys. The private key will remain on the server (i.e. the mail server) whereas the public key is placed in your DNS records.
How to create a DKIM record?
Depending on your mail provider, it can be easily generated by tools provided by them and once generated, it can be copy-pasted to the DNS records.
This is how a typical DKIM record would look like:
v=DKIM1; k=rsa; p=iHeFQ+7rCiSQs3DPjR2eUSZSv4i/Kp+sipRfVH7BGf+SxcwOkX7X8R1RVObMQsFcbIxnrq7Ba2QCf0YZlL9iqJf32V+baDI8IykuDztuoNUF2Kk0pawZkbSPNHYRtLxV2CTOtc+x4eIeSeYptaiu7g7GupekLZ2DE1ODHhuP4I=
Regardless of how it's being generated, this is what each part of the header means:
v=DKIM1 is the DKIM protocol version used.
p= is the Base64 encoded public key generated.
k= is the mechanism used to decode the DKIM signature. The encryption key is usually based on
rsa-sha256 signing algorithm.
You can use DMARC analyzer's DKIM checker to check if your DKIM record is valid.
It's an acronym for Domain-based Message Authentication, Reporting and Conformance. This protocol is built around SPF and DKIM and it ensures the following:
- Verifies that the sender's email is protected by SPF and DKIM protocols.
- Instructs the receiving mail server on what to do if the authentication fails.
- Provides a way for the receiving server to send a report to the sender about the DMARC evaluation i.e. whether it passed or failed.
How to create a DMARC record?
Once you have both SPF and DKIM records in place, then it's easy to create your DMARC record. There are many sites and I would recommend you to try MXToolbox's DMARC Record Generator.
This is how a DMARC record would look like:
v=DMARC1; p=none; fo=1; rua=mailto:firstname.lastname@example.org;
And here's what each part of the header translates to:
v is the version tag, similar to the SPF record. It should always be
DMARC1 in the record.
p is the policy tag.
none means to not do anything to the email,
quarantine means to flag it as spam and
reject means to reject the email.
fo is the tag that lets the receiving servers know that failed messages must be returned to the sender or not. There are four values for this tag:
0: Generate a report if both DKIM and SPF produce a "Pass" result.
1: Generate a report if both DKIM and SPF produce a result other than "Pass".
d: Generate a report if the email had failed the DKIM evaluation.
s: Generate a report if the email had failed the SPF evaluation.
It's actually recommended to use
fo=1 which can help you look for any email delivery issues.
rua tells the receiving server on where to send the aggregate reports. This could provide insights into the health of the email server and can help identify any malicious activities.
There are many optional tags that can be used but these are the tags are most commonly used by default.
With the increase in spam emails, it's good to take such preventive measures to ensure that you are following best practices and doing your part to prevent malicious emails and other security related issues.
If you want to read more about these protocols, you can read the following links recommended below:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail
- Domain-based Message Authentication, Reporting and Conformance
Hope you liked reading this article! 😄