Email Security Fundamentals

Introduction

SPF, DKIM and DMARC are the foundation of email authentication. Used together they significantly reduce the likelihood of your domain being used by unauthorised parties such as spammers and cyber criminals. All too often we see businesses with these configured poorly, yet they cost nothing to set up and can help stop your business or your clients from being scammed.

So let’s answer these questions:

What is SPF?

SPF, or Sender Policy Framework, is a DNS TXT record listing the servers that are allowed to send email on behalf of your domain. Strictly speaking, receivers check it against the envelope sender (the MAIL FROM or Return-Path domain), not the From address the recipient sees, which is one reason it cannot stand alone.

Think of an SPF record as a party guest list: only people on the list are allowed in, and everyone else is turned away. At least, this is true when the SPF record is set up following best practice. A poorly configured SPF record is as bad as not having one.

When a receiving email server processes an email from your domain, it can check the published SPF record to ensure the email originated from an allowed location. If not, the email server can tag the email as suspicious and either block it or send it to the recipient's junk or spam folder. Some receiving mail servers treat the record as guidance rather than as an instruction. This is why it's important to use SPF along with DMARC and DKIM (we'll get to those two shortly).

Best Practices

  • Only one SPF record should be published on the domain. Multiple records can contradict one another and cause issues for mail servers checking the record.
  • Pay attention to the formatting of the record. Mistakes such as double, leading or trailing spaces, duplicated terms and misplaced terms (anything after all is ignored) can cause issues when email servers process the record.
  • Unless testing, end the record with Hard Fail (-all). Ending with Soft Fail (~all), Pass (+all) or Neutral (?all) arguably makes the record redundant on its own. Note that once DMARC is in place both -all and ~all count as an SPF failure, because DMARC only accepts an outright pass; some administrators then prefer ~all so that receivers reach the DMARC decision instead of rejecting at SMTP time, which matters for forwarded mail.
  • Keep the number of allowed servers to a minimum. Every include, a, mx, exists and redirect term costs a DNS lookup, and RFC 7208 caps a record at 10 lookups; beyond that receivers return a permanent error and the record is effectively ignored. Shared services in your include list also mean other customers of that service can send mail that passes SPF for your domain, which is another reason DKIM and DMARC alignment matter.

An example of a good SPF record:

v=spf1 include:spf.protection.outlook.com include:spf.uk.exclaimer.net -all

In this example, only emails originating from within Microsoft 365 and Exclaimer are allowed. Receiving mail servers are instructed to Hard Fail (-) emails sent from anywhere else.
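The checks in the best practices above can be run mechanically against the TXT strings a domain publishes. The following is an added example, not code from the original article: a small SPF linter that flags multiple records, stray whitespace, duplicated or misplaced terms, a missing or permissive all qualifier and the DNS-lookup budget. It works on the record text you already have, so it does not resolve nested includes and its lookup count is therefore a lower bound; the record strings in the usage section are constructed for illustration.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
OTHER_TERMS = {"ip4", "ip6", "all", "exp"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint_spf(records):
    """Lint the TXT records published for a domain.

    `records` is the list of TXT strings returned for the domain. Returns
    (ok, findings); findings is a list of human-readable problems and ok is
    True only when the list is empty. Nested includes are not resolved here,
    so the lookup count is a lower bound.
    """
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, ["no SPF record published"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers treat this as permerror")
    record = spf[0]

    if record != record.strip() or "  " in record:
        findings.append("leading, trailing or doubled spaces in record")

    terms = record.split()[1:]  # drop the "v=spf1" version tag
    for dup in sorted({t for t in terms if terms.count(t) > 1}):
        findings.append(f"duplicated term '{dup}'")

    lookups = 0
    all_seen = False
    for term in terms:
        if all_seen:
            findings.append(f"term '{term}' appears after 'all' and is ignored")
            continue
        qualifier, body = "+", term
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, 1)[0].lower()  # mechanism/modifier name
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_seen = True
            if qualifier != "-":
                findings.append(f"'{term}' lets unlisted senders through; use '-all' (or '~all' only once DMARC is enforced)")
        elif name == "ptr":
            findings.append("'ptr' is deprecated and slow; remove it")
        elif name not in LOOKUP_TERMS | OTHER_TERMS:
            findings.append(f"unknown term '{term}'")
    if not all_seen:
        findings.append("no 'all' term; the record ends with an implicit '?all'")
    if lookups > 10:
        findings.append(f"at least {lookups} DNS lookups; RFC 7208 allows 10, receivers return permerror")
    return not findings, findings


if __name__ == "__main__":
    # Constructed records for illustration; the first is the article's example.
    good = ["v=spf1 include:spf.protection.outlook.com include:spf.uk.exclaimer.net -all"]
    for rec in (good, ["v=spf1 include:spf.protection.outlook.com ~all"],
                ["v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(11)) + " -all"]):
        ok, problems = lint_spf(rec)
        print("OK" if ok else "PROBLEMS", problems)
```

Run it against the strings returned by a TXT lookup of the bare domain; a clean result does not prove the listed senders are the right ones, only that the record is well formed and enforceable.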

What is DKIM?

DKIM, or DomainKeys Identified Mail, adds a digital signature to every email sent from your mail server. The signature is produced with a private key held by the sending platform, and the matching public key is published as a DNS TXT record under your domain (at selector._domainkey.yourdomain) so that anyone can verify it.

Much as you would sign a letter or a contract, receiving mail servers verify the signature with the public key to confirm that the email was sent by a system holding your domain's key and that the signed headers and body have not been altered in transit.

For the most part, DKIM is either on or off. There is little variation in the records, and the implementation depends on the email platform you use; the main choices are the key length (2048-bit is the current recommendation) and how often you rotate keys.

Best Practices

  • Switched on for every platform that sends email as your domain.
  • Signing with your own domain (the d= tag in the signature) rather than the provider's default domain, so the signature aligns with your From address for DMARC.
  • Using 2048-bit keys and rotating them by publishing a new selector before retiring the old one.
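The "not altered in transit" guarantee rests on the body hash (the bh= tag) that the receiver recomputes before it even checks the RSA signature. The following added example, which is not code from the original article or from any mail platform, implements the relaxed body canonicalisation of RFC 6376 and the bh= check on a constructed message. The RSA signature over the headers (the b= tag) is deliberately left empty here because it needs a private key; the point of the example is to show why a forwarder that reflows whitespace does not break DKIM while a changed word does.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalisation.

    Trailing whitespace on each line is removed, runs of whitespace inside a
    line collapse to one space, empty lines at the end of the body are dropped
    and every remaining line ends with CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_body(body, domain="example.com", selector="s1"):
    """Build a DKIM-Signature header value carrying the body hash.

    d= is the domain DMARC aligns against and s= names the DNS record
    (s1._domainkey.example.com) holding the public key. b= is left empty:
    a real signer fills it with the RSA signature over the h= headers.
    """
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_signature, body):
    """Return True if the body still matches the bh= tag in the header."""
    tags = dict(t.strip().split("=", 1) for t in dkim_signature.split(";") if "=" in t)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    # Constructed sample message body, not captured traffic.
    body = "Hi,\r\n\r\nPlease pay invoice 42 to the usual account.\r\n"
    sig = sign_body(body)
    print(sig)
    print(verify_body_hash(sig, body))                             # True
    print(verify_body_hash(sig, body.replace("usual", "new")))     # False: content changed
    print(verify_body_hash(sig, body.replace("Hi,", "Hi,   ")))    # True: whitespace only
```

A receiver that sees a bh= mismatch stops there and reports a DKIM failure; only when the body hash matches does it fetch the public key from selector._domainkey.domain and check b=.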

What is DMARC?

DMARC, or Domain-based Message Authentication, Reporting and Conformance, tells receiving mail servers how to handle email that claims to be from your domain but fails authentication. The record dictates whether such email is allowed through (not recommended), blocked (reject) or quarantined into a Junk folder.

Simply put, DMARC sets the action a receiving mail server should take when an email from your domain passes neither SPF nor DKIM. An email passes DMARC if at least one of the two checks passes and the domain it passed for aligns with the domain in the visible From address; that alignment requirement is what ties SPF (which checks the envelope sender) and DKIM (which checks the signing domain) back to what the recipient actually sees.

The DMARC record should also tell receiving mail servers where to send reports on the check results. These are known as aggregate reports (rua) and forensic reports (ruf). Aggregate reports are invaluable for monitoring the health of a mail system and for finding legitimate senders you forgot before you move to an enforcing policy; be aware that many large providers do not send forensic reports at all.

DMARC goes hand in hand with SPF and DKIM. Should your email fail both SPF and DKIM, or pass them only for an unaligned domain, the receiving mail server will look for a DMARC record to understand how to process it. As with SPF, a poorly configured DMARC record can render it, and therefore SPF and DKIM, redundant.

Best Practices

  • Only one DMARC record should be published on the domain. Multiple records can contradict one another and cause issues for mail servers checking the record.
  • Pay attention to the formatting of the record. Mistakes like double, leading, or trailing spaces and duplicated syntax can cause issues when email servers are processing the record.
  • Unless testing, the DMARC policy should be set to quarantine or reject failed emails, depending on your requirements. Start at p=none with reporting only for long enough to find every legitimate sender, then move to quarantine and finally reject.
  • Unless testing, the pct syntax should be set to 100 (which is also the default when omitted). When less than 100%, only that share of failing emails receives the policy and the rest are handled with the next weaker policy.
  • The subdomain policy (sp) should reject or quarantine emails claiming to come from a subdomain, unless your domain legitimately sends from one. If sp is omitted, the main p= policy applies to subdomains as well.
  • The rua and ruf syntaxes should be used to allow receiving mail servers to send aggregate and forensic reports to the domain admin for monitoring. If a report address is on a different domain from the one publishing the record, that other domain must publish an authorisation record (yourdomain._report._dmarc.reportdomain) or receivers will not send reports there.

An example of a good DMARC record:

v=DMARC1; p=quarantine; pct=100; sp=reject; ruf=mailto:postmaster@example.co.uk; rua=mailto:postmaster@example.com

In this example, 100% of emails that pass neither an aligned SPF check nor an aligned DKIM check are quarantined. Emails claiming to originate from a subdomain are rejected, and destinations for forensic and aggregate reports have been provided.
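To make the pass/fail logic concrete, here is an added example (not code from the original article) that parses a DMARC record and applies it to the results of the SPF and DKIM checks the way a receiver does: either check must pass for a domain that aligns with the visible From domain, otherwise p= or sp= applies, subject to pct= sampling. The organisational-domain lookup is simplified to the last two labels, which is fine for .com-style names; real receivers use the Public Suffix List so that example.co.uk is handled correctly. The domain names and check results in the usage section are constructed for illustration, and the record string is the article's own example.

```python
import random


def parse_dmarc(record):
    """Parse a _dmarc TXT record into a tag dictionary with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (v=DMARC1 and p= are required)")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= when sp= is absent
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Relaxed ('r') alignment accepts a shared organisational domain; strict ('s') needs an exact match."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             rand=random.random):
    """Return (disposition, reason) for one message.

    spf_domain is the envelope MAIL FROM domain that SPF was checked against;
    dkim_domain is the d= tag of a signature that verified. Only an outright
    "pass" counts, so an SPF softfail from a ~all record does not help.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "spf aligned" if spf_ok else "dkim aligned"
    # The record lives at the organisational domain; subdomain senders get sp= instead of p=.
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    pct = int(tags["pct"])
    if pct < 100 and rand() * 100 >= pct:
        # Sampled out: RFC 7489 says apply the next weaker policy (reject -> quarantine -> none).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
        return policy, f"failed but outside pct={pct} sample"
    return policy, "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    # The article's example record; From domains and check results below are constructed.
    rec = ("v=DMARC1; p=quarantine; pct=100; sp=reject; "
           "ruf=mailto:postmaster@example.co.uk; rua=mailto:postmaster@example.com")
    print(evaluate(rec, "example.com", "pass", "example.com", "pass", "example.com"))
    print(evaluate(rec, "example.com", "pass", "attacker.test", "none", ""))       # spoof: quarantine
    print(evaluate(rec, "hr.example.com", "fail", "example.com", "none", ""))      # subdomain: reject
    print(evaluate(rec, "example.com", "softfail", "example.com", "fail", "example.com"))
```

The second call is the classic spoof: SPF genuinely passes, but for the attacker's own envelope domain, so alignment fails and the policy applies. The last call shows why a ~all record on its own is not enough once DMARC is enforcing.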

Where do I configure SPF, DKIM and DMARC?

All of these are published as DNS TXT records wherever your domain's DNS is hosted; DKIM is additionally switched on inside the mail platform, which generates the key pair and tells you the record to publish. Productivity suites such as Microsoft 365 or Google Workspace will prompt you to set them up, but they don't always tell you the best practice, so it's well worth having this guide open if you are going to do it yourself. Of course we're available to give a helping hand too; just get in touch.

Advanced Email Solutions

Advanced email security solutions help prevent malware with multi-layered defences, including: 

  • Anti-evasion – Detect hidden malicious content. 
  • Threat intelligence – Stay ahead of emerging threats. 
  • Anti-phishing filters – Detect malicious URLs. 
  • Antivirus engines – Stop known malware.

Of course, given the capability of these solutions, they do come at a cost. If your business often sends sensitive data or requests payment details, we suggest a more advanced email security solution. Unsure if you need one?

Summary

In summary then, when used together, SPF, DKIM and DMARC can greatly reduce the risk of your domain being used with malicious intent. But as the saying goes, a chain is only as strong as its weakest link. If any of the three mechanisms are missing or not configured correctly, it negates the effectiveness of the whole system.

If you’re thinking of implementing SPF, DKIM and DMARC, approach with care. While these mechanisms are vital to protecting your domain, when configured incorrectly they can have the opposite effect of blocking legitimate emails, for example when a sending service is missing from SPF or DKIM is not aligned before a reject policy is set. Start DMARC at p=none, read the aggregate reports, and only then enforce.

The best thing about these policies is that you don’t need a new solution and they are free to configure!

If you’re thinking of implementing SPF, DKIM and DMARC, or an advanced email solution, get in touch and we would be more than happy to help you through the process!