This article discusses DKIM, SPF and DMARC, three DNS-based techniques that help reduce spam and other fraudulent email.

DKIM – Domain Keys Identified Mail

DKIM is a standard that uses public key cryptography to verify the validity of an email and could be considered a form of email authentication. It was designed to help prevent the delivery of harmful email by validating that messages have not been altered in transit. DKIM is not part of the SMTP standard but works on top of the protocol.

In order for DKIM to work, the DNS administrator needs to create a specially formatted TXT record for the domain, which sits alongside the domain's regular DNS entries.

When a message is sent by an outbound mail server, a unique DKIM signature is added to the message header.

When an inbound server receives the message, it looks up the public DKIM key for the domain in DNS, which it can then use to decrypt the signature and compare the result with the hash it has computed itself from the received email.

If the two signatures match, the receiving mail server knows the email is authentic and has not been altered.
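The "has not been altered" check described above has two halves: verifying the signature (b=) over the selected headers, which needs the public key from DNS, and recomputing the body hash (bh=) over the canonicalized body and comparing it with the value carried in the DKIM-Signature header. The following added example (not code from the original article) implements the body-hash half in Python with the standard library only, following the simple and relaxed body canonicalization rules of RFC 6376. The sample message, the domain example.com and the selector sel1 are constructed placeholders, and the b= tag is a placeholder that is not verified here.

```python
import base64
import hashlib
import re

# Added example: the body-hash (bh=) half of DKIM verification from RFC 6376.
# The signature (b=) half needs the public key from DNS and an RSA/Ed25519
# verify, which is left out; the bh= check alone already detects body tampering.


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 'simple' (s3.4.3) or 'relaxed' (s3.4.4) body canonicalization."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    # Normalise bare LF to CRLF so locally stored messages behave like wire format.
    body = re.sub(rb"\r?\n", b"\r\n", body)
    if mode == "relaxed":
        # Collapse runs of WSP to one space and drop WSP at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    # Both modes ignore all empty lines at the end of the body...
    while body.endswith(b"\r\n"):
        body = body[:-2]
    if body:
        body += b"\r\n"          # ...and a non-empty body must end with exactly one CRLF.
    elif mode == "simple":
        body = b"\r\n"           # simple: an empty body canonicalizes to a single CRLF
    return body


def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """base64(hash(canonicalized body)), the value a signer puts in bh=."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """Recompute bh= from the received body and compare it with the signed value."""
    tags = parse_dkim_signature(header_value)
    # c= is "header/body"; the body algorithm defaults to simple when omitted.
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return tags.get("bh") == body_hash(body, body_mode, algo)


def demo() -> tuple:
    # Constructed sample, not a real message: bh= is computed here so that the header
    # matches the body; d= and s= are placeholder domain and selector names.
    body = b"Your invoice is attached.\r\n\r\n"
    header = (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        " h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
        " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE"
    )
    original_ok = body_hash_matches(header, body)
    tampered = b"Your invoice is attached. Pay to the new account below.\r\n"
    tampered_ok = body_hash_matches(header, tampered)
    return original_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The public key the receiver fetches lives at a TXT record named from the s= and d= tags (selector._domainkey.domain), which is why the signature and the DNS record have to be published together.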

SPF – Sender Policy Framework

SPF is another standard that is implemented to help combat unwanted email and spam messages. As with DKIM, a specially formatted DNS record is required for implementation. This record is still in the TXT format but is known as an SPF record and contains information about the IP addresses of the mail servers that are allowed to originate email for the domain.

When an attempt is made to deliver a message, the receiving mail server looks for an SPF record associated with the sending domain and then checks whether the IP address of the sending mail server is included in the authorised list.

If the sending mail server is not in the list provided by the domain’s SPF record, the receiving server can take a number of actions including rejecting, quarantining or simply accepting the message.

An example SPF record can be seen below:

activereach.net.        333     IN      TXT     "v=spf1 include:_spf.google.com ~all"

This effectively says that email purporting to be from activereach.net will only genuinely originate from the mail servers listed in the SPF record of _spf.google.com; the trailing ~all marks mail from anywhere else as a soft fail rather than an outright fail.
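The lookup described above can be run offline against sample records. The following added example (not code from the original article) is a small SPF evaluator in Python covering the ip4, ip6, include and all terms of RFC 7208, with the qualifiers +, -, ~ and ?. ZONE_TXT is constructed sample data standing in for live DNS TXT lookups: the include chain under _spf.google.com and the 203.0.113.0/24 and 2001:db8::/32 networks are placeholders, not the real Google records. It also shows the multi-string pitfall: DNS allows a TXT record to be split into several quoted strings, and RFC 7208 section 3.3 says a receiver joins them with no separator, so a record published as "v=spf1" "include:..." "~all" is not recognised as SPF at all.

```python
import ipaddress

# Added example: offline SPF check_host() for ip4/ip6/include/all terms (RFC 7208).
# ZONE_TXT is constructed sample data, not real DNS; each entry is a list of TXT
# records, and each TXT record is a list of its quoted character-strings.
ZONE_TXT = {
    "activereach.net": [["v=spf1 include:_spf.google.com ~all"]],
    "_spf.google.com": [["v=spf1 include:_netblocks.google.com ~all"]],
    # One record split into three strings the right way: the spaces sit inside the strings.
    "_netblocks.google.com": [["v=spf1 ", "ip4:203.0.113.0/24 ", "ip6:2001:db8::/32 -all"]],
    # The same split done wrongly: joined text is "v=spf1include:..." which is not SPF.
    "broken.example": [["v=spf1", "include:_spf.google.com", "~all"]],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE_TXT):
    """Return the domain's single SPF record, or None if there is none (or more than one)."""
    found = []
    for strings in zone.get(domain.lower(), []):
        txt = "".join(strings)  # RFC 7208 s3.3: strings concatenated with no separator
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            found.append(txt)
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, zone=ZONE_TXT, depth=0):
    """Evaluate ip against domain's SPF record and return an RFC 7208 result string."""
    if depth > 10:  # RFC 7208 s4.6.4 limits DNS-querying terms; modelled here as include depth
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "+" (pass)
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier]
        elif mech == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":  # include matches only on pass (RFC 7208 s5.2)
                return QUALIFIER[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral: the include simply does not match, carry on
        else:
            # a, mx, ptr, exists and redirect= need further DNS lookups; not modelled here
            return "permerror"
    return "neutral"  # RFC 7208 s4.7: nothing matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::1", "198.51.100.5"):
        print(ip, check_host(ip, "activereach.net"))
    print("broken.example record:", lookup_spf("broken.example"))
```

The softfail result for 198.51.100.5 comes from the ~all at the end of the activereach.net record, which is what the receiving server sees for any host outside the included ranges; broken.example returns none because its concatenated TXT text does not begin with "v=spf1 ".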

DMARC – Domain-based Message Authentication, Reporting and Conformance

DMARC is not an email authentication mechanism in its own right but instead unifies the functionality of DKIM and SPF. It allows a domain administrator to publish a policy in DNS that suggests the actions mail hosts should take when an incoming message fails the validity checks, either because its DKIM signature is broken or because it was received from a host not included in the list of authorised senders.

DMARC also enables reporting of actions taken against mail claiming to be from the administrator’s domain.

The following record is an example of a DMARC record and will advise the receiving mail server to reject 100% of mail that fails the DKIM or SPF check, along with sending aggregate reports to mail@activereach.net.

_dmarc.activereach.net   text = "v=DMARC1; p=reject; pct=100; rua=mailto:mail@activereach.net"
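What a receiving server does with that record is a small decision procedure: a message passes DMARC if either SPF or DKIM passed and the domain that passed is aligned with the domain in the visible From: header; otherwise the p= action applies, sampled by pct=, with sp= taking over for subdomains. The following added example (not code from the original article) implements that decision from RFC 7489 section 6.6 in Python, using the record from the article as its sample. Two simplifications are assumptions of the example: org_domain() takes the last two labels as the organizational domain where a real receiver would consult the Public Suffix List, and the sample argument stands in for the receiver's random pct draw.

```python
# Added example: the DMARC disposition decision of RFC 7489 s6.6, run offline on the
# SPF and DKIM results a receiver already has. Not the article's or any project's code.

# The record from the article, minus the _dmarc.activereach.net DNS name it is published at.
EXAMPLE_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:mail@activereach.net"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {tags['p']}")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Fine for activereach.net,
    # wrong for names under suffixes like .co.uk, where the Public Suffix List is needed.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, record_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain, sample=100):
    """Return 'pass' (deliver normally) or the owner's requested action: none/quarantine/reject.

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= of a signature
    that verified; sample is the receiver's 1..100 draw used for pct= (constructed here).
    """
    t = parse_dmarc(record)
    spf_ok = spf_result == "pass" and spf_domain is not None \
        and aligned(spf_domain, from_domain, t["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain is not None \
        and aligned(dkim_domain, from_domain, t["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = t["p"]
    if from_domain.lower() != record_domain.lower():
        policy = t.get("sp", policy)  # a subdomain of the record's domain uses sp= if present
    if sample > int(t["pct"]):
        # Messages outside the sampled share get the next weaker action (RFC 7489 s6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)
    return policy


if __name__ == "__main__":
    # Constructed scenario: DKIM verified for an unrelated domain, SPF failed.
    print(dmarc_disposition(EXAMPLE_RECORD, "activereach.net", "activereach.net",
                            "fail", "attacker.example", "pass", "attacker.example"))
```

The third scenario in the tests is the one DMARC exists for: a message can carry a perfectly valid DKIM signature for some other domain, and without the alignment check against the From: header that signature would say nothing about whether activereach.net actually sent it.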

Setting up DKIM, SPF and DMARC is relatively simple and can help prevent spoofing, spam and phishing emails purporting to originate from your domain.  While it is not a “mandatory” standard, if you have a domain name and email associated with your domain, it’s well worth configuring for extra peace of mind.