Learn Email Security (SPF/DKIM/DMARC)
What is SPF?
Sender Policy Framework is used to specify the servers and domains that are authorized to send emails on behalf of your domain. This is defined by creating a TXT record on your domain’s public DNS server. An SPF record will look like:
v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all
- v=spf1: tells the server that this TXT record contains an SPF record.
- ip4:192.0.2.0 ip4:192.0.2.1: tells the server which IPs are authorized to send emails on behalf of your domain (the mechanism is written with a colon, ip4:address; an equals sign would make it an unrecognized modifier that receivers ignore).
- include:examplesender.email: tells the server that examplesender.email is authorized to send emails on behalf of your domain.
- -all: specifies that only the servers listed are permitted to send emails and all others will be rejected.
Source: https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/
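As an added example (not from this page or from Cloudflare’s article), the following Python evaluates a sending IP against an SPF record the way a receiving server does. It uses a constructed in-memory DNS table in place of real lookups; the domains, addresses and record contents in it are made-up values. It handles the ip4/ip6, include and all mechanisms with their qualifiers (+, -, ~, ?) and enforces the RFC 7208 limit of 10 DNS-querying terms, which is also what stops an include loop from recursing forever.

```python
import ipaddress

# Constructed DNS zone for the example: domain -> SPF TXT record.
# These are made-up records, not real DNS data.
EXAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all",
    "examplesender.email": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists lookups per check


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    Returns None when the record does not start with v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(sender_ip, domain, dns, _lookups=None):
    """Evaluate sender_ip against domain's SPF record using the dns table.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in terms:
        matched = False
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            matched = ip in net  # False when IP versions differ
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(sender_ip, arg, dns, _lookups)
            if sub in ("permerror", "none"):
                return "permerror"  # RFC 7208 section 5.2: included domain must have a record
            matched = sub == "pass"
        elif mech == "all":
            matched = True
        else:
            # a, mx, ptr and exists are not implemented in this example;
            # an unknown mechanism is a permerror in real SPF as well.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "example.com", EXAMPLE_DNS))
```

The third address in the usage loop is not listed anywhere, so it reaches the -all term and gets a fail; change -all to ~all in the constructed record and it becomes a softfail, which is the behaviour senders usually start with before tightening the policy.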
What is DKIM?
DomainKeys Identified Mail is an email authentication method that adds a digital signature to outgoing messages. This allows the receiver to check that an email was sent and authorized by the owner of that domain.
DKIM is set up by generating a public/private key pair. Typically 1024-bit RSA is used, since a TXT record string can’t hold more than 255 characters. The public key is then published in the TXT record content.
This is defined by creating a TXT record on your domain’s public DNS server. A DKIM record consists of a name and content:
- Name: consists of [selector]._domainkey.[domain]
  - Selector: issued by your email service provider (Google, Office 365, GoDaddy, etc.)
  - _domainkey: static text included in all DKIM records
  - Domain: your domain
- Content: consists of
  - v=DKIM1: indicates this TXT record is a DKIM record
  - p=: the public key
Source: https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/
What is DMARC?
Domain-based Message Authentication, Reporting and Conformance tells a receiving email server what to do after checking a domain’s SPF and DKIM records.
A DMARC policy is defined by creating a TXT record on your domain’s public DNS server. A DMARC record contains tags such as:
- v=DMARC1: indicates this is a DMARC policy.
- p=quarantine: tells the receiving email server to quarantine emails that fail the SPF and DKIM checks. You can also set this to ‘reject’ to have the email rejected outright.
- adkim=r; aspf=r: optional tags that mean the DKIM and SPF alignment checks are ‘relaxed’. They can also be set to ‘s’ for strict. Relaxed allows subdomains to pass the check.
- rua: sends reporting information to third-party services that give info on what and how many emails are failing the DMARC policy.
Source: https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/
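The DKIM and DMARC sections above both describe TXT records made of tag=value pairs. As an added example covering both (not from this page or from Cloudflare), the Python below parses that format, builds the DKIM lookup name from a selector and domain, splits a long p= value into the 255-character strings a TXT record is stored as, and then applies the DMARC rules from the list above: a message passes when either SPF or DKIM passes and the domain it authenticated is aligned with the From: domain, with relaxed (r) alignment accepting subdomains and strict (s) requiring an exact match. The DMARC record, selector, domains and the public-key placeholder are constructed values; the organizational-domain helper is a deliberate simplification that takes the last two labels, where real implementations consult the Public Suffix List.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DKIM and DMARC share this format)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dkim_record_name(selector, domain):
    """DNS name a receiver queries for the DKIM public key: [selector]._domainkey.[domain]."""
    return f"{selector}._domainkey.{domain}"


def split_txt_strings(value, limit=255):
    """TXT record data is stored as strings of at most 255 bytes; a long p= value is
    published as several quoted strings that the receiver concatenates."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def organizational_domain(domain):
    """Simplification for the example: last two labels. Real DMARC implementations
    use the Public Suffix List (this helper gets names like example.co.uk wrong)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' accepts any domain
    sharing the organizational domain, so mail.example.com aligns with example.com."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' when SPF or DKIM passed *and* its domain aligns with the From: domain;
    otherwise return the requested action from the p= tag (none, quarantine or reject)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed example records (placeholder key, not a real public key).
EXAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392
EXAMPLE_DMARC = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(dkim_record_name("selector1", "example.com"))
    print([len(s) for s in split_txt_strings(parse_tags(EXAMPLE_DKIM)["p"])])
    # SPF passed for a subdomain only; relaxed aspf still aligns it with example.com.
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com", "pass", "mail.example.com", "fail", ""))
    print(dmarc_disposition("v=DMARC1; p=reject; aspf=s", "example.com", "pass", "mail.example.com", "fail", ""))
```

The last two usage lines show the practical effect of the adkim/aspf tags: the same message is a DMARC pass under relaxed alignment and is rejected under strict alignment, because the SPF-authenticated domain is a subdomain of the From: domain rather than an exact match.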
Resources
To learn about email security protocols such as SPF, DKIM, and DMARC, see the following links.
- https://www.cloudflare.com/learning/dns/
- Help prevent spoofing and spam with SPF - Google Workspace Admin Help
- https://www.dmarc-academy.com/
- https://www.learndmarc.com/
- DMARC Inspector - dmarcian
- https://easydmarc.com
- DMARC Tags - MxToolbox
- DMARC Check Tool - Domain Message Authentication Reporting & Conformance Lookup - MxToolBox