SPF, DKIM, and DMARC are free email authentication methods used to verify that a sender is legitimately authorized to send email from a specific domain. Understanding these methods when implementing email features in applications is essential to ensure that your email messages are properly authenticated.
What is SPF?
SPF stands for Sender Policy Framework. It allows you to publish a list of authorized IP addresses that are allowed to send emails to your customers on your behalf.
How does SPF work?
When an email arrives, the receiving server first looks up the sending domain's published SPF record. If it finds one, it checks whether the connecting IP address appears in the record's list of authorized addresses. If it does, the SPF check is marked "PASS." Otherwise, the email may be rejected or routed to the spam folder.
Advantages of SPF
- SPF authenticates your email, allowing malicious sources to be identified and flagged as spam as quickly as possible.
- It provides some assurance that the email is secure and trustworthy.
- Having an SPF record improves your email's reputation.
However, when used in isolation without DKIM and DMARC, it has some limitations.
Disadvantages of SPF
- If someone else forwards an email sent from your domain, the forwarding server's IP address is not in your SPF record. As a result, the forwarded email can be mistakenly identified as spam.
- SPF authentication happens on the Return-Path/mailfrom domain, not on the From address that most users actually see. So an attacker could send the email from a domain they control while using a different visible sender address. An average user wouldn't bother to check the Return-Path/mailfrom, leaving themselves open to a phishing attack.
- Domain owners frequently need authorized third-party vendors to send emails from their domain. Unfortunately, this means that SPF records have to be updated whenever an IP address or third-party vendor changes, so maintaining these records can be tedious.
- Each SPF record is allowed at most ten DNS lookups. If your SPF record exceeds this limit, receiving servers will fail SPF authentication. However, newer tools are available, such as PowerSPF, which allow you to optimize and simplify your SPF record to stay under the limit.
- Several internal filtering algorithms used by mailbox providers (MBPs) rely on the SPF and DKIM protocols to determine whether an email should be delivered to the inbox, sent to the spam folder, or rejected. However, SPF doesn't allow domain owners to instruct MBPs how to treat a message if the authentication checks can't be validated.
Since SPF on its own is limited in its ability to prevent domain spoofing, implementing SPF alone does not provide any protection against email fraud. However, it offers strong anti-spoofing protection when combined with DKIM and DMARC.
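As an added example (not code from the article), here is a minimal SPF evaluator in Python that walks a record's mechanisms the way a receiving server does and counts the DNS-querying terms against the ten-lookup limit described above. The DNS zone is a constructed in-memory dictionary, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS (not a real zone): domain -> its SPF TXT record.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.10 include:relay.vendor.example ~all",
    "relay.vendor.example": "v=spf1 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation
RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, lookups=None):
    """Evaluate the sending IP against the domain's SPF record.

    Returns (result, lookups_used); result is one of pass, fail, softfail,
    neutral, none (no record) or permerror (lookup limit exceeded). The lookup
    counter is shared across nested include: terms because the limit is global.
    """
    if lookups is None:
        lookups = [0]
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_OF:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech == "all":
            return RESULT_OF[qualifier], lookups[0]
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if addr in ipaddress.ip_network(value, strict=False):
                return RESULT_OF[qualifier], lookups[0]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(value, ip, lookups)
            if sub == "pass":
                return RESULT_OF[qualifier], lookups[0]
            if sub == "permerror":
                return "permerror", lookups[0]
        # Other mechanisms (a, mx, exists, ...) are skipped in this toy evaluator.
    return "neutral", lookups[0]
```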
What is DKIM?
DKIM stands for Domain Keys Identified Mail. DKIM is a stronger authentication method than SPF since it uses public-key cryptography instead of IP addresses.
When using DKIM, a sender attaches a DKIM signature to the email headers, and receivers validate it using a public cryptographic key found in the company's DNS. The domain owner publishes this public key as a TXT record in the domain's DNS.
How does DKIM work?
Both DKIM and SPF are published as TXT records in DNS. For DKIM, however, you must also generate a public and private key pair.
When a new email is sent through the outgoing mail server, the server uses its private key to produce the signature that is placed in the message header. The public key is stored in a DNS TXT record. The receiving mail server then validates the signature by decoding it with the public key and comparing the result against the signed message. If the values match, the message is not treated as spam.
Advantages of DKIM
- DKIM is a stronger authentication method than SPF since it uses public-key cryptography instead of IP addresses.
- SPF is a protocol that adds information to the message envelope. Therefore, the forwarding server may remove sections of the message's envelope when you forward a message. However, DKIM works better when forwarding since the digital signature is kept with the email message as part of the email header.
- DKIM is an email tagging system that does not filter or identify spam on its own. However, it can prevent spammers from changing message source addresses.
Disadvantages of DKIM
- Several internal filtering algorithms included in Mailbox Providers use the SPF and DKIM protocols to determine if an email should be sent to the inbox, spam folder, or rejected. However, SPF and DKIM don't allow domain owners to instruct MBPs how to treat a message if the authentication checks can't be validated.
- There can be issues when the relay or filtering program changes the messages.
- A malicious person can write an email from a reputable domain, have it signed with DKIM, and then send it to any mailbox. The signed copy of the email can then be retrieved and forwarded to many recipients without restriction.
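To make the "How does DKIM work?" description and the relay-modification problem above concrete, here is an added Python example (not the article's code) that reproduces one real part of DKIM verification: relaxed body canonicalization and the bh= body hash from RFC 6376. The message body and DKIM-Signature header are constructed; the b= signature over the headers and the DNS key fetch are deliberately not reproduced.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of spaces/tabs to one space, strip trailing whitespace on each line, drop
    empty lines at the end, and end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for field in header_value.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # folding whitespace is ignored
    return tags


def body_hash_matches(body: str, header_value: str) -> bool:
    """Receiver-side bh= check only. The b= signature over the headers (RSA,
    verified with the public key fetched from DNS) is not reproduced here."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) > 1 else "simple") != "relaxed":
        raise ValueError("only relaxed body canonicalization is implemented here")
    return body_hash(body) == tags.get("bh")


# Constructed sample (not a real message); the header's bh= is derived from the
# body exactly as the signing server computes it before adding the b= signature.
SENT_BODY = "Hello   world \r\nThanks,\r\nAlice\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
             " h=from:to:subject; bh=" + body_hash(SENT_BODY) + "; b=<omitted>")
```

A relay that only reflows whitespace leaves the relaxed body hash intact, while one that appends a footer changes it, which is why the signature then fails at the receiver.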
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that uses SPF and DKIM to decide the authenticity of an email.
DMARC is very effective because it validates the sender of an email using both DKIM and SPF records. Furthermore, it assists mail systems in deciding what to do with messages sent from your domain that fail SPF or DKIM checks.
How does DMARC work?
As mentioned, DMARC allows the domain owner to specify how MBPs should handle unauthenticated messages. Some pre-defined policies accomplish this.
- p=none: no action is taken, and the message is delivered as usual.
- p=quarantine: the message is sent to the spam/junk/quarantine folder.
- p=reject: the message is rejected and sent back.
If you want to use a DMARC record, you must first configure the SPF and DKIM protocols. The DMARC check then covers the following:
- Validation of IP addresses in the SPF record.
- DKIM signature verification.
- Check if the message's From domain and Return-Path domain are identical.
If the validation fails, the necessary action is taken based on the policy defined in the DMARC record, and the generated report is sent to the email address specified for reports.
Following the DMARC protocol is always recommended because it shows ISPs that you are an actual sender who is willing to take precautions to protect your identity and reputation. Not all ISPs offer support for all types of email validation. Here is a list of ISPs that support SPF, DKIM, and DMARC.
Advantages of DMARC
- DMARC allows organizations and domain owners to receive reports on the email messages they send over the internet.
- Having control over your stream of email messages increases trust and adds more value to the messages you send.
- It makes your email easily identifiable across the network of DMARC-capable receivers.
Disadvantages of DMARC
- Sometimes, legitimate messages can be blocked or marked as spam.
Differences Between SPF, DKIM, and DMARC
SPF vs DKIM
- SPF allows email senders to define which IP addresses can send mail, while DKIM uses an encryption key and digital signature to verify an email.
- SPF doesn't use an encryption algorithm, while DKIM uses an encryption algorithm to create a pair of electronic keys.
- SPF is a protocol that adds information to the message envelope. Therefore, the forwarding server may remove sections of the message's envelope when you forward a message. DKIM works better when forwarding since the digital signature is kept with the email message as a part of the email header.
SPF vs DMARC
- SPF works without DMARC. But it will not be sufficient to rely just on SPF because it may have various flaws.
- DMARC validates the sender of an email using either DKIM or SPF records.
- SPF doesn’t provide domain owners with a mechanism to send reports of failed deliveries.
- DMARC specifies a reporting mechanism and tells receiving mail systems what to do with messages sent from your domain that fail SPF or DKIM checks.
DMARC vs DKIM
- DMARC works in conjunction with SPF and DKIM Records. So, if you want to implement a DMARC record, you have to set SPF and DKIM records first.
- DKIM does not require DMARC. However, using DKIM with DMARC helps keep false negatives in DMARC to a minimum.
- DMARC suggests what to do with mail that isn't legitimate, while DKIM tries to verify whether mail is legitimate or not.
In this article, I introduced SPF, DKIM, and DMARC with their usage and compared them to each other. Understanding these three techniques will surely help you get the most out of your email delivery while protecting it against attacks.
Frequently Asked Questions
Does SPF work without DMARC?
Yes. But it will not be sufficient to only depend on SPF because it may have various flaws. But when it's paired with DMARC, it becomes more powerful and secure.
Does DKIM require DMARC?
No, DKIM does not require DMARC. However, using them together keeps false negatives in DMARC authentication to a minimum.
Does DMARC require SPF and DKIM?
Yes. The DMARC authentication result is highly dependent on the SPF and DKIM authentication results. An email passes DMARC authentication when either of the following conditions is met:
- SPF passes with SPF identifier alignment.
- DKIM passes with DKIM identifier alignment.
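The DMARC evaluation described under "How does DMARC work?" and in the last FAQ answer, as an added Python example that is not part of the original article: it parses a constructed _dmarc TXT record, applies SPF and DKIM identifier alignment (relaxed or strict, per the aspf/adkim tags), and returns the disposition from the p= policy. Organizational-domain derivation is simplified to the last two labels; real receivers use the Public Suffix List.

```python
# Constructed example, not the article's own code. Organizational-domain
# derivation is simplified to "last two labels"; real receivers consult the
# Public Suffix List so that domains such as example.co.uk are handled correctly.


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc.<domain> TXT record into its tags, applying defaults."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # r = relaxed alignment, s = strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match with the From domain,
    relaxed only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    DMARC passes when SPF passed for an aligned MAIL FROM (Return-Path) domain,
    or DKIM passed for an aligned d= domain; otherwise the p= policy decides.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed record for the sender's domain (not a real DNS entry).
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
```

The second assertion in the test reproduces the SPF weakness from the "Disadvantages of SPF" section: SPF passes for a Return-Path domain the sender controls, but because that domain is not aligned with the visible From domain, DMARC fails and the p=reject policy applies.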