If you have never implemented a feature that sends email to end users, the three acronyms may seem meaningless to you. I have, and I often catch myself forgetting their meaning and importance. That’s why I decided to create this memo 🙂
All three are email authentication methods. They let domain owners protect their domains from unauthorized use (email spoofing). They exist because the core email protocol, SMTP, has no authentication mechanism of its own.
1. DKIM
DomainKeys Identified Mail is a method that ties an email message to a domain.
How does it work?
The method relies on attaching a digital signature, as a message header (DKIM-Signature), to each email sent from the domain. The signature is bound to the signing domain (the d= tag) and names a selector (the s= tag). A receiving server uses these two values to fetch a TXT DNS record at selector._domainkey.domain, which publishes the public key and the details needed to verify the signature. If verification passes, the message is treated as authenticated by that domain.
Example of the signature
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane; c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938; h=from:to:subject:date:keywords:keywords; bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ VoG4ZHRNiYzR
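To make the verification step concrete, here is an added example (not code from the post) that does the receiver's first two moves: it parses the tag=value list of a DKIM-Signature header, derives the DNS name where the public key lives, and recomputes the body hash (bh=) with the "simple" and "relaxed" body canonicalizations from RFC 6376. The message body and the header built for it are constructed sample data; checking the b= tag itself additionally needs the public key from DNS and an RSA verify, which is left out here.

```python
import base64
import hashlib
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split the tag=value list of a DKIM-Signature header into a dict.
    An optional 'DKIM-Signature:' prefix is accepted; folding whitespace
    inside values (common in b= and bh=) is removed."""
    header_value = re.sub(r"^\s*DKIM-Signature\s*:", "", header_value, flags=re.I)
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_key_record_name(tags: dict) -> str:
    """DNS name of the TXT record that publishes the public key:
    <selector>._domainkey.<domain>, built from the s= and d= tags."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 section 3.4.
    simple: only strip empty lines at the end of the body.
    relaxed: also collapse runs of whitespace and strip trailing whitespace per line."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, tags: dict) -> str:
    """Recompute the bh= value: base64 of the hash named by a= over the
    canonicalized body, truncated to l= bytes when that tag is present."""
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]  # "sha256" or "sha1"
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    data = canonicalize_body(body, body_mode)
    if "l" in tags:
        data = data[: int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """First step of DKIM verification: the body must still hash to bh=."""
    tags = parse_dkim_tags(header_value)
    return body_hash(body, tags) == tags["bh"]


def build_unsigned_header(domain: str, selector: str, body: bytes) -> str:
    """Build a DKIM-Signature header with a correct bh= for the given body.
    b= is left empty: the RSA signature over the headers is out of scope here."""
    tags = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed",
            "d": domain, "s": selector, "h": "from:to:subject:date", "bh": ""}
    tags["bh"] = body_hash(body, tags)
    tags["b"] = ""
    return "; ".join(f"{k}={v}" for k, v in tags.items())


# Constructed sample data (not from the post): a message body and a header for it.
SAMPLE_BODY = b"Hello,\r\n\r\nThis is a   constructed test message.\r\n\r\n\r\n"
SAMPLE_HEADER = build_unsigned_header("example.net", "brisbane", SAMPLE_BODY)

if __name__ == "__main__":
    print(dkim_key_record_name(parse_dkim_tags(SAMPLE_HEADER)))
    print(body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))                              # True
    print(body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY.replace(b"Hello", b"Hallo")))  # False
```

With relaxed canonicalization, a mail relay that squeezes runs of spaces inside a line does not break the body hash, while any change to the visible text does; with simple canonicalization even the whitespace change would fail.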
2. SPF
Sender Policy Framework is a non-commercial project created to protect SMTP (Simple Mail Transfer Protocol) servers from accepting messages from unauthorized sources.
How does it work?
The owner of an Internet domain lists, in a TXT DNS record, the servers that are allowed to send mail for that domain. A receiving mail server looks up that record and checks whether the server that delivered the message is on the list. If it is not, the message fails the check and is handled as the record's final "all" term directs: -all means reject, while ~all (used in the example) means soft fail.
Example of SPF record
TXT @ "v=spf1 a include:_spf.google.com ~all"
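The lookup described above, as an added example that is not part of the original post: a simplified check_host() from RFC 7208 that evaluates a sender IP against a domain's SPF record, following "a", "ip4", "ip6", "include" and "redirect=" and honouring the qualifier of the first matching mechanism. DNS is replaced by a constructed in-memory zone table, so the block runs offline; the domains and addresses in it are made up, and mechanisms such as mx, ptr and exists are deliberately left out.

```python
import ipaddress

# Constructed zone data standing in for real DNS lookups (not from the post).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a include:_spf.mailer.example ~all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    ("legacy.example", "TXT"): ["v=spf1 redirect=example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def lookup(name: str, rtype: str) -> list:
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def check_host(ip: str, domain: str, budget: list = None) -> str:
    """Simplified RFC 7208 check_host(): does sender IP `ip` satisfy `domain`'s SPF policy?
    Returns pass / fail / softfail / neutral / none / permerror."""
    if budget is None:
        budget = [MAX_DNS_TERMS]
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a hard error
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term and ":" not in term.split("=")[0]:
            # modifier (redirect=, exp=); only redirect influences the result
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv6 sender is never "in" an IPv4 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if mech == "a":
                matched = any(addr == ipaddress.ip_address(a)
                              for a in lookup(target, "A") + lookup(target, "AAAA"))
            else:
                inner = check_host(ip, target, budget)
                if inner in ("none", "permerror"):
                    return "permerror"  # include of a domain without a usable record
                matched = inner == "pass"
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        return check_host(ip, redirect, budget)
    return "neutral"  # nothing matched and no redirect


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "2001:db8::1", "203.0.113.5"):
        print(sender, check_host(sender, "example.com"))
```

Note how the -all inside the included record does not reject the message: a non-pass result from an include simply means "no match", and evaluation continues to the parent record's own ~all.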
3. DMARC
Domain-based Message Authentication, Reporting and Conformance extends the SPF and DKIM methods.
How does it work?
The email domain owner adds a DNS record stating which mechanisms protect outgoing messages (DKIM, SPF or both). In addition, the record can specify:
- what the receiver of a message should do when the protection mechanisms fail (e.g. reject the message),
- how the From field presented to end users must align with the domains authenticated by SPF and DKIM,
- a reporting mechanism (e.g. the email addresses to which summary reports are sent).
Example of DMARC record
v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]
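As an added example (not code from the post), the receiver's side of DMARC: parse the record with its RFC 7489 defaults, extract the report destinations, and decide the disposition by checking whether at least one of SPF or DKIM passed for a domain that aligns with the From field. The record and addresses used are constructed; the organizational-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List, and the pct= sampling rate is parsed but not applied.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags, filling in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")  # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment
    tags.setdefault("pct", "100")  # sampling rate for the policy; not applied here
    return tags


def report_addresses(tags: dict, kind: str = "rua") -> list:
    """Aggregate (rua) or failure (ruf) report destinations as plain addresses."""
    return [uri.strip()[len("mailto:"):] for uri in tags.get(kind, "").split(",")
            if uri.strip().lower().startswith("mailto:")]


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Real verifiers use the Public Suffix
    List, without which e.g. example.co.uk would be reduced to co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match,
    relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain,
                   dkim_result: str, dkim_domain):
    """Combine the SPF and DKIM outcomes with the From domain.
    spf_domain is the domain the SPF check was run for (MAIL FROM), dkim_domain
    the d= of a verified signature; either may be None when that check did not run.
    Returns (dmarc_result, disposition), disposition being what the receiver applies."""
    policy = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed record and report addresses (not the post's).
SAMPLE_RECORD = ("v=DMARC1; p=reject; "
                 "rua=mailto:dmarc-agg@example.com, mailto:agg@reports.example.net")

if __name__ == "__main__":
    print(report_addresses(parse_dmarc(SAMPLE_RECORD)))
    # SPF passed for a bounce subdomain: relaxed alignment makes DMARC pass
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "pass", "bounce.example.com", "fail", None))
    # SPF passed, but for an unrelated mailer's domain: not aligned, so p=reject applies
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "pass", "mailer.example", "fail", None))
```

The second printed case is the one DMARC was designed for: a message can carry a perfectly valid SPF pass for some third-party domain and still be rejected, because what matters is whether the authenticated domain matches the From field the user sees.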