SPF, DKIM and DMARC: brief explanation and best practices
Posted by Dag Frode Aasnes on 28 January 2016 09:45 AM
Spam email has been a plague since the Internet's origins, and it has continued to grow as the number of devices and people connected to the Internet increases. Despite numerous attempts to establish anti-spam tools, a large number of unwanted messages are still sent every day.
Fortunately, something seems to be changing lately with the adoption of three (relatively) new tools that are becoming widely used: SPF, DKIM and DMARC.
What are SPF, DKIM and DMARC?
SPF (Sender Policy Framework) is a DNS TXT entry that lists the servers allowed to send mail for a particular domain. Because SPF is a DNS entry, the list can be considered authoritative for the domain: only the domain's owners / administrators are allowed to add or change records in the domain zone file.
DKIM (DomainKeys Identified Mail) should instead be considered a method to verify that email messages are credible, meaning that they were not changed after the message left the original mail server. This extra layer of security is achieved by public / private key signing. Again, the domain owner adds a DNS entry with the public DKIM key, which recipients use to verify that the message's DKIM signature is correct, while the sender's side signs outgoing email messages with the corresponding private key.
DMARC (Domain-based Message Authentication, Reporting and Conformance) enforces SPF and DKIM by declaring a clear policy that must be applied to both of the aforementioned tools, and makes it possible to set an address to which receivers send reports with the mail statistics they collected for the specific domain.
How do they work?
SPF: Upon receipt of the HELO message and the return address, the recipient's e-mail server runs a DNS TXT query against the sender domain's SPF record. The SPF entry is then used to verify the sending server. If the check fails, a rejection message is sent to the sending server.
DKIM: When sending an outgoing message, the last server within the domain infrastructure checks against its internal settings whether the domain used in the "From:" header is included in its signing routines. If the process does not stop here, a new header, called "DKIM-Signature", is added to the mail message using the private part of the key. From this point the message must not be changed, otherwise the DKIM header will no longer match on receipt. The recipient server makes a DNS TXT query to retrieve the public key referenced in the DKIM-Signature field and checks the signature; the result contributes to the score that determines whether a message is fraudulent or credible.
DMARC: The recipient's e-mail server checks whether a DMARC policy is published for the domain used by SPF and / or DKIM. It then checks whether one or both of the SPF and DKIM checks passed and whether the passing check is aligned with the domain set by the DMARC policy; if so, the delivery is deemed successful. Otherwise it is marked as failed and handled according to the action published in the DMARC policy.
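As an added example (not part of the original post), the DMARC evaluation step described above in Python: it parses a constructed DMARC TXT record, applies relaxed / strict alignment of the SPF and DKIM domains to the "From:" domain, and returns the disposition the published policy calls for. The organizational-domain helper is an assumption that takes the last two labels; real receivers use the Public Suffix List.

```python
def parse_tag_record(txt: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record (DMARC syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(fqdn: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exact match with the From: domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def report_addresses(dmarc_txt: str) -> list:
    """Aggregate-report (rua) destinations the domain owner published."""
    rua = parse_tag_record(dmarc_txt).get("rua", "")
    return [uri.strip() for uri in rua.split(",") if uri.strip()]


def dmarc_disposition(dmarc_txt: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, action). DMARC passes when at least one of SPF or
    DKIM both produced 'pass' AND its domain is aligned with the From: domain;
    otherwise the published p= action (none/quarantine/reject) applies."""
    tags = parse_tag_record(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return ("none", "none")  # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


# Constructed sample policy for example.com (not a real published record).
SAMPLE_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=r"
```

With this policy, SPF passing only for mail.example.com is not aligned (aspf=s) and the message is rejected unless an aligned DKIM signature also verifies.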
What is the message behind all this? Should I use these tools or not?
Run a test to see whether your email messages use SPF, DKIM and DMARC.
Send a copy of your email to the address shown on the test page, e.g. web-x7pCDB@mail-tester.com