Even though this could have been a very technical subject, I will refrain from going into the technical details on how to set up DMARC, DKIM, and SPF. The point of this article is to let you know about the different tools you have to secure yourself, what the difference is and what a good and secure set up really looks like.
All of these are standards that you set up at a DNS-level and it’s up to the recipient to adhere to these standards, or not. However, spam filters and modern mail systems usually do listen to these standards and without having a correct setup you might get tagged as spam, or worse have your email blocked from ever getting into that organization’s mail system. Better safe than sorry.
SPF (Sender Policy Framework)
Many don’t know that one can easily spoof the envelope address (the email address that you actually see in your mail client) without much hassle. SPF is helped secure the envelope address by defining what networks your email is allowed to be sent from. This is achieved by adding a DNS record on your domain with your servers address.
This works great in combination with other standards but alone it’s honestly not a foolproof concept. The problem is that if the receiving server doesn’t follow this standard, it’s totally pointless. Some might even allow the SPF to fail but give it a higher spam-score even though you have defined that no one is allowed to send from any other networks than what you’ve defined. Luckily, we have some alternatives.
For more background and the technical stuff, visit OpenSPF.org.
DKIM (DomainKeys Identified Mail)
Now, DKIM is a totally different kind of beast. Instead of referring to the senders’ network, it actually signs the message itself to validate its authenticity. DKIM has it’s own entry in the header of an email and makes use of a public key that is published in the senders DNS to ensure that the email is authentic.
The usage of DKIM doesn’t interfere with SPF or vica versa. However, by combining these two you’ll end up with a pretty good solution for securing your emails. Especially if combined with the last standard on our list, DMARC.
Again, if you’re looking for more technical explanation visit DKIM.org.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
Now, DMARC is what will take what makes SPF and DKIM great and combine them into one security solution. Honestly, this is what every mail-system should strive to be.
While setting up DKIM and SPF, you’ll notice one thing. You can’t really tell if it’s working. Sure you can validate your domain online but when you send an email, will it actually arrive? DMARC builds on top of DKIM and SPF and lets you choose how you want your email to be handled and what the receiver should do if someone tries to spoof your email.
DMARC also gives the receiver a way to contact you if an email fails or passes a check, giving you a good indication that you have set up your domain correctly. You can also choose what happens to the email that fails, like quarantine or reject it.