SPF, DKIM and DMARC to Stop Email Sender Fraud: Intro and How to

Posted on In Network, Systems, Web

Email sender fraud is an annoying problem. Malicious senders send spam with sender addresses under domain names they are not authorized to use. This damages the reputation of the domains being impersonated. On the other hand, many of these messages are rejected and bounced back, which creates a lot of extra work for the domain administrators. The SPF, DKIM and DMARC mechanisms were introduced into the email standards to support sender verification, and they can be used to effectively stop email sender fraud.

What are SPF, DKIM and DMARC

Let’s first have an understanding of SPF, DKIM and DMARC.

What is SPF and how SPF works

Sender Policy Framework (SPF) is a DNS-based method for email receiving servers to verify that an incoming email was sent from a host authorized by that email domain’s administrators. An SPF record is the policy defining which mail servers (IP addresses) are authorized to send email from that domain. The SPF record is listed as part of the domain’s DNS records.

Overall, SPF works as follows. When a mail server receives an incoming email, it looks up the SPF record for the sender domain in that domain’s DNS records. The mail server compares the IP address of the connecting sender with the authorized IPs defined in the SPF record to decide whether to accept, reject, or flag the incoming email. The detailed specification is in RFC 7208.
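To make the evaluation concrete, here is an added example (not code from the original post, and not any mail server’s implementation) of the check_host logic described above. It evaluates a client IP against an SPF record with ip4, ip6, include, redirect and all terms, and enforces the RFC 7208 limit of ten DNS-querying terms. The records are a constructed in-memory zone that stands in for live TXT lookups; the domain names and addresses in it are assumptions, not real records.

```python
import ipaddress

# Constructed zone data standing in for live DNS TXT lookups. In production
# you would query DNS (for example with dnspython); nothing here is a real
# record of any real domain.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "redirect.example": "v=spf1 redirect=example.com",
}

# RFC 7208 section 4.6.4: at most 10 terms that cause DNS lookups per check
MAX_DNS_LOOKUPS = 10

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it has none (stand-in for a TXT query)."""
    record = TXT_RECORDS.get(domain.lower())
    if record and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_host(ip, domain, lookups=None):
    """Evaluate the connecting IP against domain's SPF record (RFC 7208 check_host).

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    `lookups` is a shared counter so include/redirect chains respect the limit.
    """
    if lookups is None:
        lookups = [0]
    addr = ipaddress.ip_address(ip)
    record = lookup_spf(domain)
    if record is None:
        return "none"

    redirect = None
    for term in record.split()[1:]:
        # redirect= is a modifier: it is only followed if no mechanism matched
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, lookups)
            if sub in ("permerror", "none"):
                return "permerror"      # including a missing record is an error
            matched = sub == "pass"     # only a 'pass' from the included record matches
        else:
            # a, mx, ptr and exists need live DNS; treated as unsupported here
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]

    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, lookups)
        return "permerror" if result == "none" else result

    return "neutral"    # record exhausted without an 'all' term


if __name__ == "__main__":
    for client_ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(client_ip, "->", check_host(client_ip, "example.com"))
```

Note that a receiver normally treats only a 'pass' as authorization; 'softfail' and 'neutral' are hints, and 'fail' or 'permerror' are what a strict receiver acts on.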

What is DKIM and how DKIM works

DomainKeys Identified Mail (DKIM) is a form of email authentication based on public key cryptography. The recipient validates a signature on the message to verify that it was sent from an authorized mail server, which detects forgery.

DKIM works as follows. The email domain owner generates a key pair and publishes the public key, formatted as a TXT record, in the domain’s DNS. The sending mail server adds a digital signature, produced with the private key, to the headers of each outbound email. The receiving mail server verifies that signature against the public key fetched from the sender domain’s DNS. The detailed specification is in RFC 5585.
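The part of DKIM verification that needs no key material is recomputing the body hash (the bh= tag) after canonicalizing the body, which is what a receiver does before checking the b= signature. The following added example (not code from the original post and not any library’s implementation) implements the simple and relaxed body canonicalizations and the relaxed header canonicalization from RFC 6376, builds a DKIM-Signature value for a constructed sample body, and checks whether a received body still matches it. The d=example.com and s=mail values are placeholders, and the b= signature is left empty because producing it requires the private key.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body):
    """RFC 6376 section 3.4.3: CRLF line endings, trailing empty lines removed,
    and a completely empty body becomes a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4: trailing whitespace on each line removed, runs of
    whitespace collapsed to one space, trailing empty lines removed, CRLF endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="simple", algo="sha256"):
    """Compute the base64 body hash that goes into the bh= tag."""
    canonicalize = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    digest = hashlib.new(algo, canonicalize(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header_relaxed(name, value):
    """RFC 6376 section 3.4.2: lower-case name, unfolded and whitespace-collapsed
    value, no whitespace around the colon, CRLF terminated."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")    # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n"


def parse_tag_list(value):
    """Split a tag=value list (DKIM-Signature header or DKIM DNS record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)   # folding whitespace is not significant
    return tags


def _body_canon_of(c_tag):
    """The c= tag is header/body; the body part defaults to simple."""
    parts = c_tag.split("/")
    return parts[1] if len(parts) > 1 else "simple"


def body_hash_matches(dkim_signature, body):
    """The receiver's first check: recompute bh= from the received body and compare
    it with the signed value. The b= signature is then verified with the RSA public
    key from the p= tag of <selector>._domainkey.<d>, which is not implemented here."""
    tags = parse_tag_list(dkim_signature)
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return body_hash(body, _body_canon_of(tags.get("c", "simple/simple")), algo) == tags.get("bh")


# Constructed sample body with the whitespace relaxed canonicalization is meant to absorb
SAMPLE_BODY = "Hello,   world!\t\r\n\r\nRegards\r\n\r\n\r\n"


def make_signature_value(body, canon="relaxed/relaxed"):
    """Build the DKIM-Signature value a signer would emit for `body` (placeholders
    for d= and s=; b= left empty because producing it needs the private key)."""
    bh = body_hash(body, _body_canon_of(canon))
    return f"v=1; a=rsa-sha256; c={canon}; d=example.com; s=mail; h=from:to:subject; bh={bh}; b="


if __name__ == "__main__":
    sig = make_signature_value(SAMPLE_BODY)
    print("signature:", sig)
    print("intact body matches:", body_hash_matches(sig, SAMPLE_BODY))
    print("tampered body matches:", body_hash_matches(sig, SAMPLE_BODY.replace("Regards", "Regards, attacker")))
```

Relaxed canonicalization is why a signature survives mail relays that re-wrap whitespace or append blank lines, while any change to the visible text still breaks the body hash.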

What is DMARC and how DMARC works

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that builds on SPF and DKIM to determine the authenticity of email messages, together with conventions that streamline the process by coordinating the handling between the sending and receiving mail servers.

The DMARC policy is also published as a TXT record in the sender domain’s DNS. The receiving mail server may choose to follow that policy to decide how to verify and handle messages from the domain and where to send reports. The detailed specification is in RFC 7489.

Setting Up SPF, DKIM and DMARC for a domain

All of the setup is done in DNS! Add the DNS entries for the domain as follows.

Setting up SPF

SPF is a TXT record on the domain itself. Example:

$ dig -t TXT systutorials.com +short | grep spf
"v=spf1 redirect=_spf.yandex.net"

The values are usually provided by the email hosting provider.

Setting up DKIM

DKIM is a TXT record on the subdomain <selector>._domainkey of the domain, where <selector> is the selector named in the email’s DKIM-Signature header. Example:

$ dig -t TXT mail._domainkey.systutorials.com +short
"v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOI9ixu31Avnw8naUgzw+QL9v51OEiJYfr7H/ED7lHZuV9ULlNUqmNDmw65Nb9CCmijJJHAGxrQH+RcC0jj7m93gIHABdvBa6Niil7hL1f8n17E8bNK+rwuHlnFhiZa4824pb6+cX1ycFnoHwtdT74xQNQMeHlxQGLllP2gdhwmwIDAQAB"

The values are usually provided by the email hosting provider.

Setting up DMARC

DMARC is a TXT record on the subdomain _dmarc. Example:

$ dig -t TXT _dmarc.systutorials.com +short
"v=DMARC1; p=quarantine; rf=afrf; pct=100"

The meaning of the fields in this example is as follows.

  • v=DMARC1: the version is DMARC1. The TXT record must start with this string.
  • p=quarantine: the receiver should quarantine mail that fails the check, that is, deliver it “directly to the spam folder”.
  • rf=afrf: the report format is afrf, the aggregate failure reporting format.
  • pct=100: 100% of the mail should be subjected to the DMARC policy’s specifications.
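How a receiver turns such a record into a decision is easiest to see in code. The following added example (not code from the original post and not any mail server’s implementation) parses a DMARC record with RFC 7489 defaults, applies identifier alignment (the From: domain must match the SPF MAIL FROM domain or the DKIM d= domain, exactly under strict mode or by organizational domain under relaxed mode), and applies p= to the pct= share of failing messages, stepping down to the next lower policy for the rest. The organizational-domain function is a deliberate simplification: real receivers use the Public Suffix List. All domain names in the calls are constructed sample inputs.

```python
import random

# RFC 7489 section 6.6.4: messages outside the pct= sample get the next lower policy
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, applying the defaults from RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # DKIM alignment: relaxed unless adkim=s
    tags.setdefault("aspf", "r")    # SPF alignment: relaxed unless aspf=s
    tags.setdefault("pct", "100")   # share of failing mail the policy is applied to
    return tags


def organizational_domain(domain):
    """Simplification: take the last two labels. Real receivers consult the
    Public Suffix List, where e.g. example.co.uk needs three labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: strict needs an exact match with the From: domain,
    relaxed only requires the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample=None):
    """Return 'pass' or the disposition to apply ('none', 'quarantine', 'reject').

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the
    d= of the DKIM signature that was checked (None if there is none). `sample`
    fixes the 1..100 roll used for pct= so results are reproducible.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"     # one aligned, passing identifier is enough
    roll = random.randint(1, 100) if sample is None else sample
    if roll > int(policy["pct"]):
        return STEP_DOWN[policy["p"]]
    return policy["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rf=afrf; pct=100"
    # SPF passes for an aligned bounce subdomain -> DMARC pass
    print(dmarc_evaluate(record, "example.com", "pass", "bounce.example.com", "fail", None))
    # SPF passes, but for an unrelated domain, and DKIM fails -> quarantine
    print(dmarc_evaluate(record, "example.com", "pass", "mailer.example.net", "fail", None))
```

The second call shows the case that makes DMARC stronger than SPF alone: a message can carry a perfectly valid SPF pass for a domain the spammer controls and still be quarantined, because that domain is not aligned with the From: domain the user sees.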
