SPF, DKIM and DMARC De-mystified
My explanation of what these important but complex email controls are and why you should deploy them
TL;DR
You want any email you send to be delivered to the recipient's inbox and not into spam.
You want to make it harder for attackers to spoof your domain, i.e. to send email pretending to be your company.
You want your staff to be able to make easier decisions on what email is legitimate.
SPF, DKIM and DMARC are ways of achieving the above objectives and you really should implement them.
SPF - publish in DNS the list of IP addresses (and hostnames) that you, or third parties acting on your behalf, will send email from
DKIM - cryptographically sign outgoing email so that recipients can verify it was sent with your key and was not altered in transit
DMARC - a policy you publish in DNS that tells recipient mail systems what to do with an email that fails both SPF and DKIM (or passes them only for a domain that does not match the From: header), and where to send reports about what they saw
Email Security
I wrote this on why email is not secure despite all the addons:
But people still need to send emails. It is often the lowest common denominator to communicate with your customers, third parties and staff.
You will also have third parties that send email on your behalf.
Therefore it is in your best interests to learn about and implement SPF, DKIM and DMARC.
Sender Policy Framework (SPF)
These are the IP addresses that I will send email from. If it says it's from me but comes from somewhere else, it's likely fake. One caveat: SPF is checked against the envelope sender (the MAIL FROM / Return-Path address), not the From: header the user sees, which is why DMARC's alignment check (below) matters.
DomainKeys Identified Mail (DKIM)
This is my cryptographic signature. You can verify it by fetching my public key from DNS: a TXT record at selector._domainkey.mydomain, where the selector is named in the DKIM-Signature header of the email.
If the email is not signed, or the signature is not valid, it probably did not come from me, or it was changed on the way.
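To make the DKIM check concrete, here is an added example (not code from the original post) that verifies the body-hash part of a DKIM-Signature header. A full verifier also fetches the public key named by the s= and d= tags from DNS and checks the RSA signature in b= over the headers listed in h=; this example does only the bh= check, which is what tells you whether the body was altered after signing. The message, the domain example.com and the selector sel2024 are constructed for the example, and the b= value is left empty because the signature itself is not checked here.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings, all trailing
    empty lines removed, and exactly one CRLF left at the end (an empty body
    canonicalises to a single CRLF)."""
    normalized = body.replace("\r\n", "\n").replace("\r", "\n")
    lines = normalized.split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def dkim_body_hash(body: str) -> str:
    """The value a signer puts in the bh= tag: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header. Folding whitespace
    (CRLF + tab/space) is allowed anywhere and is stripped from values."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """True if the bh= tag matches the hash of the body we actually received."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("-sha256"):
        return False
    # c= is "<header>/<body>"; the body part defaults to "simple" when absent.
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    if body_canon != "simple":
        raise NotImplementedError("only 'simple' body canonicalisation is implemented here")
    return hmac.compare_digest(tags.get("bh", ""), dkim_body_hash(body))


# Constructed sample message (hypothetical, not from the original post). The
# bh= value is generated here so the sample verifies; b= is deliberately empty.
SAMPLE_BODY = "Hi,\r\nPlease approve the attached invoice by Friday.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n\t"
    "h=from:to:subject:date; bh=" + dkim_body_hash(SAMPLE_BODY) + ";\r\n\tb="
)

if __name__ == "__main__":
    print("original body   :", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("Friday", "Monday")
    print("tampered body   :", body_hash_matches(SAMPLE_SIGNATURE, tampered))
    # Extra blank lines at the end are removed by canonicalisation, so they do
    # not break the signature; mail relays often add or drop them.
    padded = SAMPLE_BODY + "\r\n\r\n"
    print("trailing blanks :", body_hash_matches(SAMPLE_SIGNATURE, padded))
```

The point of the canonicalisation step is that relays routinely add or remove trailing blank lines; without it, legitimate mail would fail DKIM constantly. Anything that changes the text itself, such as a rewritten link or a swapped invoice, changes the hash and fails the check.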
Domain-based Message Authentication, Reporting & Conformance (DMARC)
If you get mail claiming to be from me that doesn't pass SPF or DKIM for a domain matching my From: header (this matching is called alignment), here's what I want you to do with it:
REJECT (p=reject) - refuse the email; it is not delivered to the recipient at all
QUARANTINE (p=quarantine) - deliver it to the recipient's junk/spam folder or a quarantine
NONE (p=none) - deliver the email regardless, but still send me the reports; this is the monitoring mode you start in
How do I implement this?
The hardest step
Work out who is sending email on your behalf. It is likely to be more than you think, because the business has probably signed up for a few services on a credit card, e.g. sendmail, Amazon Simple Email Service (SES), Mailchimp.
You then need to find out from each of these services:
Do they support SPF and/or DKIM?
SPF - which IP addresses (or which include: record of theirs) do they send email from?
DKIM - can they sign email with a key for your domain? If so they will give you a public key (or a CNAME) to publish under a selector in your DNS.
Then make a DNS change to add this information to your DNS records, and check that the published records resolve before you tell the service to start signing.
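The example below, added here and not code from the original post, ties the three controls together: it evaluates an SPF record against a sending IP (including an include: for a third-party mailer), reads a DMARC policy, applies the alignment check against the From: domain, and returns the disposition a receiver would apply. It stands in for the DNS lookups with a constructed table of TXT records, so everything (example.com, the mailer domains, the RFC 5737/3849 documentation addresses) is hypothetical. Only the ip4, ip6, include and all SPF mechanisms are modelled; a, mx, ptr, exists and redirect= need live DNS and are reported as permerror here, and the organisational-domain test for relaxed alignment is approximated by the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (hypothetical domains
# and documentation addresses; not from the original post).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com"
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate the SPF record of `domain` for the connecting IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    lookups = [0] if lookups is None else lookups
    records = [r for r in DNS_TXT.get(domain, []) if r.split()[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208: more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > 10:     # RFC 7208 limit on DNS-querying mechanisms
                return "permerror"
            inner = check_spf(arg, sender_ip, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # include only matches on an inner pass
        else:
            return "permerror"      # a, mx, ptr, exists, redirect=: not modelled
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                # nothing matched and no 'all' term present


def lookup_dmarc(header_from_domain):
    """Parse _dmarc.<domain>; None when no policy is published. (Real receivers
    also fall back to the organisational domain; not modelled here.)"""
    records = [r for r in DNS_TXT.get("_dmarc." + header_from_domain, [])
               if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = {"adkim": "r", "aspf": "r"}      # relaxed alignment is the default
    for part in records[0].split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Approximation of the organisational domain (last two labels). Production
    # code uses the Public Suffix List so that e.g. example.co.uk works.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC alignment: strict (s) needs an exact match, relaxed (r) the same
    organisational domain."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def dmarc_evaluate(header_from_domain, mail_from_domain, sender_ip,
                   dkim_domain=None, dkim_valid=False):
    """Return (dmarc_result, disposition). dmarc_result is pass/fail, or none
    when the From: domain publishes no policy; disposition is the action the
    sender's policy asks for (none/quarantine/reject)."""
    policy = lookup_dmarc(header_from_domain)
    if policy is None:
        return ("none", "none")
    spf_result = check_spf(mail_from_domain, sender_ip)
    spf_aligned = spf_result == "pass" and aligned(header_from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = (dkim_valid and dkim_domain is not None
                    and aligned(header_from_domain, dkim_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:     # one aligned pass is enough
        return ("pass", "none")
    return ("fail", policy["p"])


if __name__ == "__main__":
    print("own server      ", dmarc_evaluate("example.com", "example.com", "203.0.113.25"))
    print("third party+DKIM", dmarc_evaluate("example.com", "bounce.mailer.example", "198.51.100.10",
                                             dkim_domain="example.com", dkim_valid=True))
    print("spoof, no DKIM  ", dmarc_evaluate("example.com", "example.com", "192.0.2.77"))
    print("attacker's DKIM ", dmarc_evaluate("example.com", "attacker.example", "192.0.2.77",
                                             dkim_domain="attacker.example", dkim_valid=True))
```

The second and fourth scenarios are the ones that catch people out. A third-party mailer usually sends with its own envelope sender, so SPF passes for the mailer's domain and not yours; only a DKIM signature with d= set to your domain makes that mail align and pass DMARC. Conversely an attacker can sign mail with a perfectly valid DKIM key for a domain they own, but because it does not align with your From: domain the DMARC result is still fail.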
Eating the elephant
If you are a typical company you probably have 40+ email domains.
Implement these controls one domain at a time.
Implement DMARC with a monitoring policy first (p=none, or p=quarantine if you are confident you know all your senders), read the aggregate reports it generates until every legitimate sender passes, and only then move the domain to p=reject, again one domain at a time.