/ Security

How secure email works - DMARC, DKIM & SPF

Even though this could have been a very technical subject, I will refrain from going into the technical details on how to set up DMARC, DKIM and SPF. The point of this article is to let you know about the different tools you have to secure yourself, what the difference is and what a good and secure set up really looks like.

All of these are standards that you set up at a DNS-level and it's up to the recipient to adhear to these standards, or not. However, spamfilters and modern mailsystems usually do listen to these standards and without having a correct setup you might get tagged as spam, or worse have your email blocked from ever getting into that organisations mailsystem. Better safe than sorry.

SPF (Sender Policy Framework)

Many don't know that one can easily spoof the envelope address (the email address that you actually see in your mail client) without much hassle. SPF is helps secure the envelope address by defining from what networks your email is allowed to be sent from. This is achieved my adding a DNS record on your domain with your servers address.

This works great in combination with other standards but alone it's honestly not a foolproof concept. The problem is that if the receiving server don't follow this standard, it's totally pointless. Some might even allow the SPF to fail but give it a higher spam-score even though you have defined that no one is allowed to send from any other networks than what you've defined. Luckily, we have some alternatives.

For more background and the technical stuff, visit OpenSPF.org.

DKIM (DomainKeys Identified Mail)

Now, DKIM is a total different kind of beast. Instead of referring to the senders network, it actually signs the message itself to validate it's authenticity. DKIM has it's own entry in the header of an email and makes use of a public key that is published in the senders DNS to ensure that the email is authentic.

The usage of DKIM doesn't interfere with SPF, or vica versa. However, by combining these two you'll end up with a pretty good solution for securing your emails. Especially if combined with the last standard on our list, DMARC.

Again, if you're looking for more technical explanation visit DKIM.org.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

Now, DMARC is what will take what makes SPF and DKIM great and combine them into one security solution. Honestly, this is what every mail-system should strive to be.

While setting up DKIM and SPF, you'll notice one thing. You can't really tell if it's working. Sure you can validate your domain online but when you send an email, will it actually arrive? DMARC builds on top of DKIM and SPF and let you choose how you want your email to be handled and what the receiver should do if someone tries to spoof your email.

DMARC also gives the receiver a way to contact you if an email fails or passes a check, giving you an good indication that you have set up your domain correctly. You can also choose what happens to the email that fails, like quarantine or reject it.

How secure email works - DMARC, DKIM & SPF
Share this

Subscribe to destruktive.one