Mysterious trio: DKIM, SPF and DMARC

If you haven’t yet implemented a feature that sends an email to an end user, the three acronyms may seem meaningless to you. I have, and I often catch myself forgetting their meaning and importance. That’s why I decided to create this memo 🙂

They are email authentication methods that let domain owners protect their domains from unauthorized use (email spoofing). They were created because the core email protocols have no authentication mechanism of their own.

1. DKIM

DomainKeys Identified Mail associates an email message with a domain.

How does it work?

The method relies on attaching a digital signature, as a message header, to each email sent from the domain. The signature is tied to that domain. When a server receives such a message, it fetches a TXT DNS record that holds the details needed to verify the signature. If verification passes, the message is accepted.

Example of the signature

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
     h=from:to:subject:date:keywords:keywords;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
              VoG4ZHRNiYzR

2. SPF

Sender Policy Framework is a non-commercial project created to protect SMTP (Simple Mail Transfer Protocol) servers from accepting messages from unauthorized sources.

How does it work?

The owner of an Internet domain uses TXT DNS records to specify which servers are entitled to send mail for that domain. A receiving mail server checks in DNS whether the message comes from one of those servers; otherwise the message is rejected.

Example of SPF record

TXT @ "v=spf1 a include:_spf.google.com ~all"

3. DMARC

Domain-based Message Authentication, Reporting and Conformance extends the SPF and DKIM methods.

How does it work?

Domain owners add a DNS record stating which mechanisms protect their outgoing messages (DKIM, SPF or both). In addition, they can specify:

  • what the receiver of a message should do when the protection mechanisms fail (e.g. reject the message),
  • how the From field shown to end users should be checked,
  • a reporting mechanism (e.g. the email addresses to which summary reports are sent).

Example of DMARC record

v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]
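
The DMARC step that ties the three records together, as an added example that is not from the original post: it parses the DKIM-Signature header shown above and a DMARC record, derives the DNS name a verifier queries for the DKIM key, checks that the SPF and DKIM domains align with the From domain, and returns the disposition. The SPF and DKIM pass/fail results are assumed to come from earlier checks (they need DNS and the message body), the report address is a placeholder, and the organizational-domain helper is a two-label approximation of what a real validator does with the Public Suffix List.

```python
import re
# Constructed sample inputs: the DKIM-Signature header from the post (folded onto
# several lines) and a DMARC record with a placeholder report address.
DKIM_SIG = """v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
     h=from:to:subject:date:keywords:keywords;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"""
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net"

def parse_tags(record):
    """Parse 'tag=value; tag=value' text (DKIM-Signature or DMARC record) into a dict;
    whitespace inside values is dropped because folded header lines contain it."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_key_name(dkim_sig):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    tags = parse_tags(dkim_sig)
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (real validators use the Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' accepts subdomains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(dmarc_record, from_domain, spf_domain, spf_result, dkim_sig, dkim_result):
    """Combine already-computed SPF/DKIM results with the DMARC record.
    Returns (passed, disposition); disposition is the p= action applied on failure."""
    policy = parse_tags(dmarc_record)
    if policy.get("v") != "DMARC1":
        return False, "none"  # no usable record: nothing to enforce
    dkim_domain = parse_tags(dkim_sig).get("d", "") if dkim_result == "pass" else ""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy.get("p", "none")
```

A message signed by another domain, even with a valid DKIM signature and a passing SPF check for that domain, fails alignment and receives the p=reject disposition; this is the check that stops a spoofed From header from passing on someone else's authentication.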

Igor Springer

I build web apps. From time to time I put my thoughts on paper. I hope that some of them will be valuable for you. To teach is to learn twice.