Description
This article provides a general overview of DKIM, SPF, and DMARC and how they work. For more information about DKIM, SPF, and DMARC as they relate to Mailprotector products, please see:
CloudFilter
Shield
A DMARC record should be published so that receiving mail servers know how to handle messages sent by a domain.
DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that helps prevent email spoofing. It allows the receiver to verify that an authorized server sent an email and that its contents were not altered in transit.
How DKIM works
- Signing the Email (Sender Side):
  - When an email is sent, the sending mail server uses a private cryptographic key to create a digital signature.
  - This signature is based on specific parts of the message (usually the body and selected headers).
  - The signature is added to the email as a DKIM-Signature header.
- Publishing the Public Key (DNS):
  - The domain owner publishes the corresponding public key in their DNS records under a special subdomain (e.g., selector._domainkey.example.com).
  - The "selector" is a label included in the signature to identify which public key to use.
- Verifying the Signature (Receiver Side):
  - When the recipient's mail server receives the message, it:
    - Retrieves the public key from DNS using the selector and domain in the DKIM-Signature header.
    - Uses the public key to verify the digital signature.
    - Confirms that the signed content hasn't been tampered with and that the sender is authorized to use the domain.
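The steps above describe signing and verification in the abstract. The following is an added Python example, not code from the article or from Mailprotector, showing the integrity half of DKIM verification as defined in RFC 6376: parsing the DKIM-Signature tags, applying "simple" or "relaxed" body canonicalization, and checking that the bh= body hash matches the message body. The selector, domain and message are constructed for the example, and the b= value is a placeholder rather than a real RSA signature (checking b= would additionally require the public key from DNS and an RSA library).

```python
"""Added example: the body-hash half of DKIM verification (RFC 6376), standard library only."""
import base64
import hashlib
import re

# Hypothetical selector and domain for the constructed sample message.
SELECTOR = "sel1"
DOMAIN = "example.com"


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 'simple' or 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to a single space and drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"  # a non-empty body always ends with CRLF


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_dkim_tags(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def split_message(raw: bytes):
    """Return (unfolded header lines, body) for a CRLF-terminated message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:  # continuation of a folded header
            headers[-1] += line
        else:
            headers.append(line)
    return headers, body


def verify_body_hash(raw: bytes) -> bool:
    """True if the bh= tag in DKIM-Signature matches the (canonicalized) body."""
    headers, body = split_message(raw)
    sig = next((h for h in headers if h.lower().startswith(b"dkim-signature:")), None)
    if sig is None:
        return False
    tags = parse_dkim_tags(sig.split(b":", 1)[1].decode())
    canon = tags.get("c", "simple/simple")  # c=header/body, default simple/simple
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


def build_sample_message(body: bytes) -> bytes:
    """Constructed message whose bh= matches its body; b= is a placeholder, not a signature."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR};\r\n"
           f"\th=from:to:subject; bh={body_hash(body)};\r\n"
           "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE")
    headers = ("DKIM-Signature: " + sig + "\r\n"
               "From: alice@example.com\r\n"
               "To: bob@example.net\r\n"
               "Subject: Test\r\n")
    return headers.encode() + b"\r\n" + body


if __name__ == "__main__":
    msg = build_sample_message(b"Hello Alice,\r\nYour invoice is attached.\r\n")
    print("original body hash ok:", verify_body_hash(msg))
    print("tampered body hash ok:", verify_body_hash(msg.replace(b"invoice", b"refund")))
```

A verifier performs this body-hash check before spending an RSA operation on b=; a mismatch means the body changed in transit (or was never the body that was signed), and the message fails DKIM regardless of what the signature says.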
What DKIM Does
- Authentication: It verifies that the email truly came from the claimed domain.
- Integrity: It ensures the message hasn’t been altered after it was sent.
- Spam/Phishing Defense: It's one piece of the broader email security stack, along with SPF and DMARC.
If DKIM verification fails, the recipient server may treat the message as suspicious or reject it altogether, especially if DMARC is enforced.
SPF
SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are allowed to send email on behalf of their domain.
How SPF works
- Domain Owner Publishes an SPF Record (DNS):
  - The owner of a domain creates a TXT record at the DNS host that lists the IP addresses or hostnames of servers allowed to send mail for that domain.
  - Example SPF record:
    v=spf1 ip4:192.0.2.10 include:mailprovider.com -all
  - This means: "Allow 192.0.2.10 and any server listed in mailprovider.com's SPF record. Reject everything else."
- Email Is Sent:
  - When an email is sent claiming to be from user@example.com, the receiving mail server checks the envelope MAIL FROM domain (also called the Return-Path).
- Receiver Looks Up the SPF Record:
  - The recipient's mail server queries DNS for the SPF record of example.com.
- Receiver Compares IP Address:
  - It checks whether the IP address of the sending server is listed (directly or indirectly) in the SPF record.
- SPF Pass or Fail:
  - If the sending server is authorized, SPF passes.
  - If it's not listed, SPF fails. Depending on DMARC or local policy, the email may be flagged, quarantined, or rejected.
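To make the lookup-and-compare steps concrete, here is an added Python example (not code from the article or from Mailprotector) that evaluates a subset of RFC 7208 SPF for a sending IP: the ip4, ip6, a, mx, include and all mechanisms with their qualifiers, plus the 10-lookup limit. DNS is replaced by a constructed table keyed on the article's example record, so it runs offline; the mailprovider.com record, its MX host and the 198.51.100.0/24, 2001:db8::/32 and 203.0.113.x addresses are invented for the example. Modifiers such as redirect= and exp= are outside this subset.

```python
"""Added example: evaluating an SPF record for a sending IP (RFC 7208 subset), offline."""
import ipaddress

# Constructed stand-in for DNS: domain -> {"txt": SPF record, "a": [...], "mx": [...]}.
FAKE_DNS = {
    "example.com": {"txt": "v=spf1 ip4:192.0.2.10 include:mailprovider.com -all"},
    "mailprovider.com": {
        "txt": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 mx a:outbound.mailprovider.com ~all",
        "mx": ["mx1.mailprovider.com"],
    },
    "mx1.mailprovider.com": {"a": ["203.0.113.20"]},
    "outbound.mailprovider.com": {"a": ["203.0.113.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(name: str, target: str, dns: dict) -> list:
    """Resolve an a: or mx: mechanism to IP addresses via the constructed table."""
    if name == "a":
        hosts = [target]
    else:  # mx: the A records of each MX host
        hosts = dns.get(target, {}).get("mx", [])
    return [ipaddress.ip_address(ip) for h in hosts for ip in dns.get(h, {}).get("a", [])]


def check_spf(ip: str, domain: str, dns: dict = FAKE_DNS, _budget: list = None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for this sender IP and domain."""
    budget = _budget if _budget is not None else [10]  # RFC 7208: max 10 DNS-querying mechanisms
    record = dns.get(domain, {}).get("txt", "")
    if not record.lower().startswith("v=spf1"):
        return "none"  # the domain publishes no SPF record
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not part of this subset; skipped
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False across IP versions, so ip6: never matches an IPv4 sender.
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if name == "include":
                inner = check_spf(ip, target, dns, budget)
                if inner in ("none", "permerror"):
                    return "permerror"  # including a missing or broken record is an error
                matched = inner == "pass"  # include matches only on an inner pass
            else:
                matched = sender in _addresses(name, target, dns)
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term was present


if __name__ == "__main__":
    for sender_ip in ("192.0.2.10", "198.51.100.77", "203.0.113.20", "203.0.113.9", "2001:db8::1"):
        print(f"{sender_ip:>16} -> {check_spf(sender_ip, 'example.com')}")
```

Note that a message forwarded by a third party arrives from the forwarder's IP, which is not in the record, so this evaluator returns fail for it; that is exactly the forwarding limitation the article mentions and the reason SRS rewrites the envelope sender.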
What SPF Does
- Helps prevent spoofing of your domain.
- Improves email deliverability when properly configured.
- Works with DKIM and DMARC to form a layered defense.
Limitations:
- SPF checks the envelope sender, not the visible "From" address that users see.
- SPF breaks with forwarding unless special handling (such as SRS – Sender Rewriting Scheme) is used.
In short, SPF tells the world which servers are allowed to send mail as you and helps others decide if an incoming email claiming to be from your domain is legitimate.
DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to protect your domain from being used in spoofing, phishing, and impersonation attacks.
How DMARC Works
- Domain Owner Publishes a DMARC Record (DNS):
  - It's a TXT record published at the DNS host.
  - It specifies:
    - How to handle mail that fails SPF/DKIM checks (none, quarantine, or reject)
    - Where to send reports (rua, ruf)
  - Example:
    v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s;
    This DMARC policy uses strict alignment for both SPF and DKIM (adkim=s; aspf=s) and rejects any emails that fail (p=reject). Aggregate reports will be sent to dmarc-reports@yourdomain.com.
- Receiver Performs SPF & DKIM Checks:
  - When an email claiming to be from your domain is received:
    - The receiving mail server checks the SPF and DKIM authentication status.
    - It also checks alignment:
      - SPF Alignment: Is the domain in the envelope sender (Return-Path) the same as (or aligned with) the From: address?
      - DKIM Alignment: Is the domain that signed the message (in DKIM) the same as (or aligned with) the From: address?
- DMARC Decision:
  - DMARC passes if:
    - SPF passes and is aligned, or
    - DKIM passes and is aligned.
  - If neither passes, DMARC fails.
- Action Based on Policy:
  - The receiving server follows the published DMARC policy:
    - none: Take no action (monitor only)
    - quarantine: Treat the message as suspicious (e.g., send to spam)
    - reject: Reject the message outright
- Reports Are Sent:
  - If the DMARC record includes a rua (aggregate) or ruf (forensic) email address, the receiving server sends reports back to the domain owner about what messages passed/failed DMARC.
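The decision logic above (record lookup, strict versus relaxed alignment, and the pass/fail to disposition mapping) is shown below as an added Python example; it is not code from the article or from Mailprotector. It takes SPF and DKIM results as inputs rather than computing them, looks the policy up in a constructed table standing in for _dmarc.<domain> TXT queries, and falls back to the organizational domain as RFC 7489 describes. The organizational-domain helper uses a small constructed suffix set instead of the real Public Suffix List, and the example.com / example.net records and addresses are invented for the example; the pct= tag is not applied.

```python
"""Added example: DMARC evaluation (RFC 7489) from given SPF/DKIM results, offline."""

# Constructed stand-in for TXT lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.net",
}

# Simplification: real receivers use the Public Suffix List; this set covers only the domains above.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. bounce.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value'; returns {} unless it is a valid DMARC record with p=."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else {}


def lookup_policy(from_domain: str, dns: dict = FAKE_DNS) -> dict:
    """Query _dmarc.<From domain>, then fall back to _dmarc.<organizational domain>."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        tags = parse_dmarc(dns.get("_dmarc." + candidate.lower(), ""))
        if tags:
            return tags
    return {}


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: list, dns: dict = FAKE_DNS) -> dict:
    """
    from_domain  : domain of the visible From: header
    spf_result   : SPF result ('pass', 'fail', ...) for the envelope MAIL FROM domain spf_domain
    dkim_results : list of (result, d= domain) pairs, one per DKIM-Signature that was verified
    """
    policy = lookup_policy(from_domain, dns)
    if not policy:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for res, d in dkim_results)
    passed = spf_ok or dkim_ok  # either aligned pass is enough
    # sp= governs subdomains of the organizational domain; p= governs the domain itself.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else action,
        "report_to": policy.get("rua"),
    }


if __name__ == "__main__":
    # SPF passed for bounce.example.com, but aspf=s requires an exact match with example.com.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", []))
    # An aligned DKIM signature rescues the same message.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", [("pass", "example.com")]))
```

The first call in the demo shows why strict alignment matters with bulk senders and bounce subdomains: SPF itself passed, yet DMARC fails and the p=reject policy applies because the Return-Path domain is not identical to the From: domain. Switching that record to aspf=r would make the same message pass.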
What DMARC Does
- Protects your domain from spoofing and phishing
- Enables visibility into how your domain is being used (or abused) via reports
- Allows domain owners to enforce authentication policies
How DKIM, SPF, and DMARC Work Together
DMARC ties SPF and DKIM together, requiring alignment with the visible "From" address, and tells receivers what to do if an email fails. It's your way of saying: "Only these authenticated servers can send email as me — and here’s what to do with everything else."