What are SPF, DKIM, and DMARC?
Want to stop malicious actors from hijacking your emails? Make sure to set up the trio of email security protocols: SPF, DKIM, & DMARC
SPF, DKIM, and DMARC are email authentication methods that help prevent spammers, phishers, and other unauthorized parties from forging and sending emails from a domain they don’t own.
In most cases, you’ll set these up before you can warm up an inbox and domain.
Domains that don’t have these three email protocols set up correctly may find that:
- Their emails are being marked as spam.
- Their emails aren’t reaching recipients.
- Spammers and other malicious parties are impersonating them.
Any of these outcomes will tank more than just your performance metrics. Your sender reputation and email outreach as a whole are likely to crater.
Here’s a quick look at each method and how it works.
What is SPF?
Sender Policy Framework (SPF) helps prevent email spoofing and phishing attacks by allowing domain owners to specify which mail servers can use their domain to send emails.
It’s similar to a student directory that you can use to confirm whether a student is actually enrolled at a school or university.
Whereas a student directory lists the names and essential info of all students enrolled, an SPF record lists all the IP addresses of servers that are permitted to send emails using the domain. Receiving mail servers can then check the sending server’s IP address against the sender domain’s SPF record before forwarding the email to the recipient’s inbox.
If an email says it’s from a specific sender, but the server used isn’t listed in the sender’s SPF, chances are high that the email is fake.
What is DKIM?
DomainKeys Identified Mail (DKIM) is another email authentication method. It helps verify the authenticity of an email, as well as detect tampering.
Domain owners can use DKIM to automatically “sign” emails sent from their domain. The DKIM signature is then checked to confirm that an email came from the domain.
This process occurs with the help of public key cryptography. Here’s an overview of what this looks like:
- The sender sends an email and signs the email’s header with the sender’s “private key”.
- A mail server receives the email. The server can then check the DKIM record to obtain the “public key”.
- The mail server uses the public key to verify that the sender’s private key was used and that the email is authentic.
If an email says it’s from a specific sender, but the sender’s DKIM signature isn’t on the email, chances are that the email didn’t come from the sender.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a third email authentication method whose role is to tell a receiving email server what to do based on the results of an SPF and DKIM check.
A domain’s DMARC policy can be set up to:
- Deliver emails that pass SPF and DKIM
- Reject emails that fail SPF and/or DKIM
- Quarantine emails that fail SPF and/or DKIM
DMARC can also provide guidance on how domain administrators can adjust their DMARC policies to prevent legitimate emails from being erroneously marked as spam.
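To show how the SPF lookup and the DMARC policy described above fit together on the receiving side, here is an added example (not code from the original article): it evaluates a sending IP against a constructed SPF record and then applies a constructed DMARC policy to the SPF and DKIM outcomes. The records and addresses are made up, DKIM verification is assumed to have already produced a pass/fail, and identifier alignment with the From: domain is assumed to hold.

```python
import ipaddress

# Constructed sample records; a real receiver fetches these from DNS TXT records.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip against a v=spf1 record.

    Handles ip4/ip6 mechanisms (with optional CIDR) and the 'all' mechanism.
    'include', 'a', 'mx' and 'exists' need DNS lookups and are not resolved here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published for the domain
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # 'all' matches every sender
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term was present


def parse_dmarc(record):
    """Split a 'v=DMARC1; p=...; ...' record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(dmarc_record, spf_result, dkim_pass):
    """Apply the domain's DMARC policy to the SPF and DKIM outcomes.

    DMARC passes when either SPF or DKIM passes (alignment assumed);
    otherwise the 'p=' tag tells the receiver what to do with the message.
    """
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "deliver"  # no DMARC policy: receiver falls back to its own filtering
    if spf_result == "pass" or dkim_pass:
        return "deliver"
    policy_map = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return policy_map.get(tags.get("p"), "deliver")
```

A message from 198.51.100.7 that also fails DKIM ends up quarantined under the sample policy, while the same message sent from 203.0.113.10 passes SPF and is delivered.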