What are SPF, DKIM, & DMARC?

Here are five key facts about each of SPF, DKIM, and DMARC:

1. SPF (Sender Policy Framework)

  • Purpose: SPF is designed to detect email spoofing by allowing the owner of a domain to specify which mail servers are authorised to send email on its behalf.
  • How it Works: SPF uses DNS records to publish a list of IP addresses or domains that are authorised to send emails for the domain.
  • Structure: An SPF record is a DNS TXT record starting with v=spf1, followed by a list of IP addresses or domain names that are permitted to send email.
  • Limitations: SPF only checks the envelope sender (MAIL FROM) address, not the visible "From" address, so a message can pass SPF while displaying an unrelated domain to the recipient, which means it can still be bypassed in certain phishing scenarios.
  • Failure Handling: When SPF fails, recipient servers can choose to mark or reject the message based on the SPF policy.

2. DKIM (DomainKeys Identified Mail)

  • Purpose: DKIM helps ensure the integrity and authenticity of an email by attaching a digital signature that verifies the email’s source domain.
  • How it Works: DKIM adds a digital signature in the email header, generated from a private key, which the receiving server can verify using the sender's public key stored in DNS.
  • Signature Validation: The DKIM signature ensures that the email content has not been tampered with in transit and verifies the legitimacy of the sender's domain.
  • Requirements: To set up DKIM, a domain owner needs to publish a DKIM record in DNS (another TXT record) and configure their mail server to sign outgoing messages.
  • Limitations: If any part of the signed content changes (e.g., due to forwarding servers altering the message), DKIM verification can fail.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Purpose: DMARC builds on SPF and DKIM, providing an additional layer by specifying what receivers should do when an email fails authentication checks and enabling domain owners to receive reports on how mail using their domain is authenticating.
  • How it Works: DMARC requires that an email passes either SPF or DKIM checks (or both) and that the domain in the "From" address (header.from, not smtp.mailfrom) aligns with the domain validated by the passing SPF or DKIM check.
  • Policy Options: DMARC allows domain owners to specify policies (none, quarantine, or reject) that instruct receiving servers on how to handle unauthenticated emails.
  • Reporting: Receiving servers can send daily aggregate reports and per-message forensic reports to the domain owner, offering insights into attempted email spoofing and email authentication performance.
  • Domain Alignment: DMARC enforces "domain alignment," ensuring that the SPF or DKIM check being relied upon relates to the domain in the email's "From" header (header.from address), reducing the likelihood of successful phishing.
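
The alignment and policy rules above, worked through as an added example that is not part of the original post. It assumes the SPF and DKIM results have already been computed by the receiver, and it approximates the "organizational domain" used for relaxed alignment as the last two DNS labels (real verifiers consult the Public Suffix List).

```python
# Added example: a minimal DMARC alignment and disposition evaluator.
# Assumptions: SPF/DKIM results and their authenticated domains are given
# as inputs; the organizational domain is approximated as the last two
# labels, which is a simplification of what a real verifier does.

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed alignment unless aspf=s
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: mail.example.com -> example.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(record, header_from, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM
    passes AND that passing identifier aligns with the header.from domain;
    otherwise the record's p= policy (none/quarantine/reject) applies."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]

if __name__ == "__main__":
    # Constructed case: SPF passes for a third-party bulk sender's own MAIL FROM
    # domain (no alignment), but DKIM passes with d=mail.example.com, which
    # relaxed-aligns with header.from example.com, so DMARC passes.
    print(dmarc_disposition("v=DMARC1; p=reject; adkim=r; aspf=r",
                            "example.com", "pass", "bulk-sender.net",
                            "pass", "mail.example.com"))  # (True, 'none')
```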

Together, SPF, DKIM, and DMARC work to verify email authenticity and protect against phishing and email spoofing.