SPF, DKIM, and DMARC: What They Are and Why You Need Them

The ease of sending and receiving email makes it an attractive way to run scams like phishing attacks. One telltale mark of a phishing attack is the sender’s address not matching their purported domain; attacks that appear to come from legitimate email addresses are much more likely to fool the victim.

You can protect your organization’s email accounts from being compromised and used in phishing attacks by training your users to identify forged emails and use password managers, which won’t autofill a password on a malicious site. But how do you prevent bad guys from forging email that looks like it comes from inside your organization? You can’t, but you can reduce the chances that other email servers will accept it. In the process, you’ll enhance the deliverability of legitimate email from your domain.

The rest of this article is aimed at two types of readers. The first is the IT professional who needs an overview of email authentication technologies and pointers to helpful tools. For other readers, this article will give you an idea of what’s involved so you can talk more knowledgeably with your IT staff or better appreciate what they manage for you.

Whether your email is hosted at Microsoft 365 or Google Workspace, or managed by your Internet service provider or IT department, if your organization has its own domain for email addresses—yourname@yourcompany.com—you need to know about and set up three authentication technologies: SPF, DKIM, and DMARC:

  • SPF, which stands for Sender Policy Framework, lets you specify which servers and domains are allowed to send email for your organization. It allows receiving mail servers to verify that incoming messages from your organization are actually from you.
  • DKIM, or DomainKeys Identified Mail, adds a digital signature to every message sent from your organization. Receiving mail servers can use your public key to verify that messages actually came from you and were not changed in transit.
  • DMARC, which expands to Domain-based Message Authentication, Reporting, and Conformance, leverages SPF and DKIM to publish policies that tell receiving mail servers what to do with messages that fail authentication: deliver, quarantine, or reject them. A message fails DMARC only if it fails both SPF and DKIM; passing either one (for a domain that aligns with the visible From address) is enough to pass DMARC’s checks.

These three authentication technologies exist inside DNS (Domain Name System) records. The primary use of DNS is to link your human-usable domain name with the underlying IP addresses of the servers that manage your Internet presence; for example, matching www.yourcompany.com with an IP address like 192.168.1.23. However, DNS can also contain TXT records with additional information about your domain—you configure SPF, DKIM, and DMARC using TXT records.

These TXT records must be carefully constructed to work correctly—an incorrect configuration could cause email failures. You could build them manually, but it’s safer to use a tool that asks you questions and spits out a correctly formatted TXT record for you to add to your DNS configuration. If all that sounds intimidating, work with your ISP or email service provider, or ask us for help. But here are the basics.

Tools abound for creating SPF, DKIM, and DMARC records, but we recommend those from DMARCLY and EasyDMARC. We’ll use DMARCLY for the examples here, and it provides a comprehensive explanation that’s worth reading if you want more depth.

SPF

SPF is the oldest of these technologies. To get started, all you need to do in DMARCLY’s SPF Generator tool is specify the names or IP addresses of servers that are allowed to send email from your domain. The mx (mail exchanger) and a radio buttons automatically add the servers listed in your DNS records, and anything you put in the Includes field allows email from any server that a third party sending on your behalf lists in its own SPF record. It’s common to put Google, Amazon SES, SendGrid, or other systems there. The IPv4, IPv6, and Hostnames fields let you specify other allowed servers, but aren’t required.

The Policy menu is important—you can choose from Fail, SoftFail, and Neutral. Start with Neutral, which should allow messages to be accepted (it prefixes the all mechanism in the TXT record with a ?). Then bump up to SoftFail (a tilde ~ prefix) to have messages accepted but marked. When you’re confident everything is working correctly, move to Fail, which uses a - prefix.
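As an added example (not the article's or DMARCLY's code), here is a small Python helper that assembles an SPF record from the same inputs the generator asks for and flags the mistakes that most often break published records; the 10-lookup limit and the 255-character TXT string limit come from RFC 7208 and DNS, not from the article.

```python
"""Added example (not from the article or DMARCLY): build an SPF TXT record from
the generator's inputs and sanity-check a published one against RFC 7208 limits."""

# Policy menu choices and the qualifier each one puts in front of "all".
POLICY_QUALIFIERS = {"Fail": "-", "SoftFail": "~", "Neutral": "?"}
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def build_spf_record(policy, use_mx=True, use_a=False, includes=(), ip4=(), ip6=()):
    """Assemble 'v=spf1 <mechanisms> <qualifier>all' from generator-style fields."""
    terms = ["v=spf1"]
    if use_mx:
        terms.append("mx")
    if use_a:
        terms.append("a")
    terms += [f"include:{domain}" for domain in includes]
    terms += [f"ip4:{net}" for net in ip4]
    terms += [f"ip6:{net}" for net in ip6]
    terms.append(POLICY_QUALIFIERS[policy] + "all")
    return " ".join(terms)


def mechanism_name(term):
    """'include:_spf.google.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def check_spf_record(record):
    """Return a list of problems found in the record (empty list means it looks sane)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must begin with v=spf1")
    if len(record) > 255:
        problems.append("over 255 characters; DNS requires it to be split into several quoted strings")
    lookups = sum(1 for t in terms[1:] if mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms; receivers give up (permerror) after 10")
    all_positions = [i for i, t in enumerate(terms) if mechanism_name(t) == "all"]
    if not all_positions:
        problems.append("no 'all' mechanism, so unlisted senders get no verdict at all")
    elif all_positions[0] != len(terms) - 1:
        problems.append("mechanisms after 'all' are never evaluated")
    return problems
```

Run `check_spf_record` against whatever your DNS host actually serves, not only the string you pasted, since a second SPF record or a stray character is invisible in the generator.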

DKIM

Because it relies on public key cryptography, DKIM is significantly more complicated. Although DMARCLY’s DKIM Generator tool will generate the necessary public and private keys, that’s not helpful unless you have full control over your email server and know how to install the private key to sign all your outgoing email. It’s much more likely that you’ll use a tool managed by the company that hosts your email to create your keys. That tool will automatically install the private key and give you the necessary details to add to a TXT record in your DNS settings.

DMARC

Where SPF and DKIM are all about authenticating email messages, DMARC lets you say what happens when authentication fails. DMARCLY’s DMARC Generator tool makes it easy to generate your DMARC record. For Policy and Subdomain Policy, you can choose None, Quarantine, or Reject—those specify what will happen to messages that fail both SPF and DKIM authentication. Start with None to see what happens in your reporting, move to Quarantine, and if everything seems OK, end up at Reject.

To set up reporting, enter an email address in the Aggregate Email field, but don’t put a personal address there. DMARC reports are daily XML digests that aren’t human-readable, so they should be sent to a service that will parse them and provide you with a dashboard for exploring the problems. DMARCLY and EasyDMARC both offer dashboards, as does the Cloudflare service if you use it for DNS or other tasks. To start, you can leave DMARC’s Strict Alignment and Forensic Options blank.
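To make the pass/fail rule concrete, this added Python example (not the article's code; the record and domains are constructed) evaluates DMARC the way a receiving server does: either SPF or DKIM must pass and its domain must align with the From address, and only when neither does is the p= or sp= disposition applied.

```python
"""Added example (not the article's code): how a receiving server decides DMARC for
one message. The record and domains below are constructed for illustration."""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("a DMARC record needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain):
    """Crude organizational domain (last two labels); fine for example.com, not for co.uk names."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default) only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(tags, record_domain, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (result, disposition): 'pass'/'fail' and none/quarantine/reject."""
    # DMARC passes if EITHER SPF or DKIM passed AND that check's domain aligns with From:.
    # spf_domain is the envelope (MAIL FROM) domain; dkim_domain is the d= tag of the signature.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Neither aligned check passed: p= covers the record's own domain, sp= its subdomains.
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return "fail", tags["sp"]
    return "fail", tags["p"]


# Constructed generator-style record for example.com with a reporting address.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@example.com"
```

The second and third cases in the tests are the ones that matter in practice: a bulk sender whose SPF passes on its own bounce domain still passes DMARC through an aligned DKIM signature, while a message with neither gets the p= (or, for subdomains, sp=) disposition.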

Configuring DNS

Once you’ve generated your SPF, DKIM, and DMARC records, you have to configure them in your DNS settings. How you do that depends on your DNS host; we’ll show what it looks like in Cloudflare. Other DNS hosts should be similar.

For each case, you’re creating a TXT record, but what goes in the Name and Content fields varies:

  • SPF: The name for an SPF record should be the @ character, signifying the root level of your domain. Paste the text that the SPF Generator tool created in the Content field. You can have only one SPF record for each domain, although you can set up separate SPF records for subdomains.
  • DKIM: You can have as many DKIM records as services that send email on your behalf, so the first part of the name can vary—we show an example below. However, the ._domainkey part is required for each DKIM record. For the content, paste the text given to you by the email-sending service. Note that some email services may require you to create one or more CNAME records instead of a TXT record—just follow their instructions.
  • DMARC: For DMARC, the name must be _dmarc. Once again, you’ll paste the text given to you by the DMARC Generator tool in the Content field.

Reporting and Evaluation

After you set up SPF, DKIM, and DMARC, it’s essential to keep an eye on your email. If you’ve started with SPF in Neutral mode and DMARC in None, nothing should go wrong. You can look through the headers of test messages you send to verify. This DMARCLY article explains what to look for. If you’ve signed up for an aggregate reporting service, you’ll be able to see reports like this one from Cloudflare that show the percentage of email that passes each of the authentication technologies.

If everything looks good and most email passes, change SPF to SoftFail and DMARC to Quarantine. Make sure you can send email to some known personal addresses on Gmail, Yahoo, or iCloud. Also, tell people who send email from your domain to be on the alert if they don’t hear back from someone who typically replies quickly—if a misconfiguration is causing your email to be marked as spam, you want to know about that quickly. If you’re using a DMARC reporting service, look at those reports to see if any email services are sending a lot of messages that fail DMARC.

After you’ve run with those settings for a month or two, bump SPF up to Fail and DMARC to Reject. Continue to monitor your DMARC reporting and pay attention to any complaints from users about the messages they send not arriving.

That’s a lot, we know. Feel free to contact us if you need help with any step of the process.
