Vitanium


What are SPF, DKIM and DMARC?

May 1, 2020

Recently we have had several conversations with partners regarding Phishing/Spoofing/Outgoing email being classified as spam, and the topic of SPF, DKIM and DMARC is coming up frequently.

SPF is easy to understand and implement; DKIM and DMARC are a bit more of a mystery, so we thought we would try to explain each technology and why you might want to think about enabling them for your customers’ domains.

All three tools/technologies exist to help protect the reputation of your own and your customers’ email domains. They combat email spoofing and phishing scams, and they reduce the chances of outgoing email ending up in recipients’ spam/junk folders.

SPF (Sender Policy Framework)

What does it do?

  • It is a method to identify the servers and hosts that are permitted to send email on behalf of a domain.
  • Mail systems receiving email can check that the sending server is permitted to send email on behalf of the domain.

How do I set it up?

  • Identify all systems the domain is sending outgoing email from, e.g. Office 365, Exchange, ISP Smart Host, Marketing Systems like Mailchimp etc.
  • You may need to check with any 3rd parties e.g. Mailchimp for their current SPF record.
  • Create a TXT DNS entry in the domain’s zone file that publishes the list of systems.

Example:

  • We have a test domain here called sme-ecom.co.uk; it only sends email out via Vitanium systems. Our SPF record looks like this:
    "v=spf1 include:spf.vsl-net.com -all"
  • The recipient’s mail system can check whether the system sending the email is listed in the domain’s SPF record. Depending on how the SPF record is configured (the "-all" above means "fail anything not listed"), the recipient server can decide what to do with the email: accept, reject or junk it.
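To show how the receiving side actually evaluates a record like the one above, here is an added example (it is not Vitanium’s code) in Python: a small SPF evaluator that handles the ip4, ip6, include and all mechanisms with their +/-/~/? qualifiers, enforces the RFC 7208 limit of 10 DNS-querying mechanisms, and uses an inline table of constructed TXT records in place of real DNS. Only the sme-ecom.co.uk record is taken from the post; the contents of the spf.vsl-net.com record, the IP ranges and the loop.example domain are invented for the example.

```python
import ipaddress
import re

# Constructed TXT records standing in for DNS lookups. The sme-ecom.co.uk record is
# the one from the post; the spf.vsl-net.com contents and loop.example are invented.
TXT_RECORDS = {
    "sme-ecom.co.uk": "v=spf1 include:spf.vsl-net.com -all",
    "spf.vsl-net.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # include that points at itself
}

MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4: more than 10 include/a/mx/... is a permerror

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the v=spf1 TXT record for a domain, or None if it has none."""
    rec = TXT_RECORDS.get(domain.lower().rstrip("."))
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec


def check_host(ip, domain, _lookups=None):
    """Evaluate sending address `ip` against `domain`'s SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are implemented; any other mechanism or modifier
    (a, mx, exists, redirect=, ...) is reported as permerror by this toy evaluator.
    """
    if _lookups is None:
        _lookups = [0]                      # shared counter across nested includes
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        m = re.fullmatch(r"([+\-~?]?)(all|ip4|ip6|include)(?::(.*))?", term)
        if not m:
            return "permerror"
        qualifier, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        result = QUALIFIER_RESULT[qualifier]
        if mech == "all":
            return result                    # "all" always matches
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"
            sub = check_host(ip, arg, _lookups)
            if sub == "pass":                # include matches only on a pass
                return result
            if sub in ("permerror", "none"): # a broken include breaks the whole record
                return "permerror"
    return "neutral"                         # fell off the end without a match


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8:1::5"):
        print(ip, "->", check_host(ip, "sme-ecom.co.uk"))
```

The second test address falls through the include (which would only have soft-failed it) and is then caught by sme-ecom.co.uk’s own "-all", which is why a hard fail at the top level is what matters: the include’s "~all" is never the final answer.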

DKIM (DomainKeys Identified Mail)

What does it do?

  • It is a method to verify that the message’s content is trustworthy, i.e. that it has not been altered since it left the sending system.
  • A sending mail system adds a DKIM-Signature header to the message.
  • A receiving mail system can detect the DKIM-Signature header and check whether it is valid; if it is valid, the header fields listed in the DKIM-Signature (and the message body) have not been altered in transit.

How do I set it up?

  • Various 3rd party software packages (commercial and open source) can integrate with on-premises mail servers like Microsoft Exchange and add DKIM-Signatures.
  • Office 365 can add DKIM-Signatures (see https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide)
  • Vitanium’s outgoing mail servers will shortly be able to add a DKIM-Signature on behalf of your customers.
  • The system adding the DKIM-Signature has a public/private key pair: the private key is used to create the DKIM-Signature header and the public key is published via a DNS TXT record.
  • A receiving system can detect the DKIM-Signature header, fetch the domain’s public key via a DNS lookup, and use it to check that the signature is valid.

Example:

  • Again, using the sme-ecom.co.uk test domain.
    • I am running an implementation of DKIM on our outgoing mail servers and have generated a Public/Private key pairing specifically for the sme-ecom.co.uk domain.
    • I created the following DKIM record in the sme-ecom.co.uk DNS zone file using the base64 encoded public key:

default._domainkey.sme-ecom.co.uk. 38400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C5zzgVSiov60BxlMPuln4/FShEyYKW6BXZdeab5qRZW277mmRzzCG/Pcxr9CukOd2gkvbHCojSjIS4b7l3jNbDZ86u0gvsvGy2ep2SIhBNAqrNJq7PhAc7QuycySVXMEXXB1eu54ju8RDUeK1vpIbokNyq1S2C3OvQ/LJU0TWwIDAQAB"

  • When an outgoing email from sme-ecom.co.uk is sent, the server adds the following DKIM-Signature header. The "b=FUM…" value is the signature: the headers listed in h= (From, To, Subject) and the body hash (bh=) are hashed and that hash is signed with the private key.

   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sme-ecom.co.uk;
     s=default; t=1588241973;
     bh=akPQL/UysSVt9jzBX+LP/WvbSLneU7LB9kkwTUYxX/Q=;
     h=From:To:Subject:From;
     b=FUMNc3nxf4rBJ411PrxzuOH14zPAUs/X+2lcqsVY163OE8/lBQKLtN8ZH8SJLO1Mk
     Mk/9dhs4OoFOBIg1scGmhmsqPClbnmg+aFCTCS1GCw2p+829eWA7X0FhhnLwe5D/tT
     FrxQFo4ik6gexaRlKFZshmYOmXzEWuEGa2LVvCs4=

  • I sent the message to my personal @talk21.com address (talk21.com is operated by Yahoo), and if I check the message headers after delivery, I see this:

   Authentication-Results: mta1029.bt.mail.ir2.yahoo.com;
     dkim=pass (ok) header.i=@sme-ecom.co.uk header.s=default;
     spf=pass smtp.mailfrom=@sme-ecom.co.uk;
     dmarc=pass(p=none sp=NULL dis=none) header.from=sme-ecom.co.uk;

  • You can see dkim=pass (ok): Yahoo has obtained the sme-ecom.co.uk public key via a DNS lookup on default._domainkey.sme-ecom.co.uk (selector "s=default" plus domain "d=sme-ecom.co.uk"), used that public key to verify the "b=FUM…" signature, and compared the hash it recovered with a fresh hash of the listed headers and body, confirming they are the same as when the DKIM-Signature header was added.
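The part of DKIM verification that is easiest to get wrong in practice is not the RSA step but the canonicalization: the receiver must rebuild exactly the bytes the signer hashed, or a perfectly good signature fails. The added example below (Python, not Vitanium’s code) implements RFC 6376 "relaxed" header and body canonicalization, computes the bh= body hash, assembles the exact data that gets signed (the h= headers plus the DKIM-Signature header with its b= value blanked), and pulls the page’s own DKIM-Signature header and DNS record apart into their tags. It does not perform the RSA signature check itself, so it needs no crypto library; the sample message body and the second DKIM-Signature value are constructed for the example.

```python
import base64
import hashlib
import re

# Values copied from the post above: the folded DKIM-Signature header value and
# the p= public key published at default._domainkey.sme-ecom.co.uk.
PAGE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=sme-ecom.co.uk;\r\n"
    " s=default; t=1588241973;\r\n"
    " bh=akPQL/UysSVt9jzBX+LP/WvbSLneU7LB9kkwTUYxX/Q=;\r\n"
    " h=From:To:Subject:From;\r\n"
    " b=FUMNc3nxf4rBJ411PrxzuOH14zPAUs/X+2lcqsVY163OE8/lBQKLtN8ZH8SJLO1Mk\r\n"
    " Mk/9dhs4OoFOBIg1scGmhmsqPClbnmg+aFCTCS1GCw2p+829eWA7X0FhhnLwe5D/tT\r\n"
    " FrxQFo4ik6gexaRlKFZshmYOmXzEWuEGa2LVvCs4="
)
PAGE_DNS_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C5zzgVSiov60BxlMPuln4/"
    "FShEyYKW6BXZdeab5qRZW277mmRzzCG/Pcxr9CukOd2gkvbHCojSjIS4b7l3jNbDZ86u0gvsvGy2ep2"
    "SIhBNAqrNJq7PhAc7QuycySVXMEXXB1eu54ju8RDUeK1vpIbokNyq1S2C3OvQ/LJU0TWwIDAQAB"
)


def parse_tags(value):
    """Split a DKIM tag=value list (header or DNS record) into a dict.
    Folding whitespace inside b=, bh= and p= is discarded, as RFC 6376 requires."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            k, v = k.strip(), v.strip()
            tags[k] = re.sub(r"\s+", "", v) if k in ("b", "bh", "p") else v
    return tags


def canon_header_relaxed(raw):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace, trim, end with CRLF."""
    name, _, value = raw.partition(":")
    value = value.replace("\r\n", "")                       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return name.strip(" \t").lower() + ":" + value + "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 3.4.4: collapse whitespace, strip trailing WSP and trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""                                           # empty body canonicalizes to nothing
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def body_hash_matches(body, sig_value):
    """First thing a verifier checks: does the body still hash to the signed bh=?"""
    return body_hash(body) == parse_tags(sig_value).get("bh")


def signed_data(headers, sig_value):
    """Exact bytes the signer hashed and signed: each header named in h= (last
    instance first, so a repeated name like From:...:From consumes a second copy
    or, if none exists, signs 'nothing', which blocks a later added From),
    followed by the DKIM-Signature header with b= emptied and no trailing CRLF."""
    by_name = {}
    for h in headers:
        by_name.setdefault(h.split(":", 1)[0].strip().lower(), []).append(h)
    out = b""
    for name in parse_tags(sig_value)["h"].split(":"):
        bucket = by_name.get(name.strip().lower(), [])
        if bucket:
            out += canon_header_relaxed(bucket.pop()).encode("utf-8")
    blanked = re.sub(r"(^|;)(\s*b=)[^;]*", r"\1\2", sig_value)
    out += canon_header_relaxed("DKIM-Signature:" + blanked).rstrip("\r\n").encode("utf-8")
    return out


def inspect_signature(sig_value):
    """Summarize a DKIM-Signature: where the key lives and how big the pieces are."""
    t = parse_tags(sig_value)
    return {
        "dns_name": f"{t['s']}._domainkey.{t['d']}",
        "algorithm": t["a"],
        "signed_headers": t["h"].split(":"),
        "signature_bytes": len(base64.b64decode(t["b"])),
        "body_hash_bytes": len(base64.b64decode(t["bh"])),
    }


if __name__ == "__main__":
    print(inspect_signature(PAGE_SIGNATURE))
    print("public key bytes:", len(base64.b64decode(parse_tags(PAGE_DNS_RECORD)["p"])))
```

Running it on the page’s own header shows a 128-byte signature and a 32-byte body hash, which is what an rsa-sha256 signature made with the 1024-bit key in the DNS record must produce; any other size would mean the header was mangled in transit before it was even checked.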

DMARC (Domain-based Message Authentication, Reporting and Conformance)

What does it do?

  • DMARC builds on SPF and DKIM by adding two important functions:
    • Reporting – you can gain insight into who is sending email on behalf of your customers’ domains.
    • Policy – you can state a clear policy as to what happens if mail fails the SPF and/or DKIM checks.
    • ISPs will provide Aggregate (RUA) and Forensic (RUF) DMARC reports, and these reports are sent to the email address published in your DMARC record. This can provide valuable insight into how your own and your customers’ domains are being used.

How do I set it up?

  • DMARC is implemented via a simple DNS TXT record published at _dmarc.<your domain>.

Example:

  • I have a DMARC record set up for sme-ecom.co.uk:
    v=DMARC1; p=none; ruf=mailto:postmaster@vitanium.com; rua=mailto:postmaster@vitanium.com;
  • v = version; p = policy, e.g. none, quarantine or reject; ruf and rua are the addresses that forensic and aggregate reports should be sent to.
  • There are other settings that we won’t go into here, but DMARC is a very valuable tool which can give a lot of insight into whether a domain is being spoofed.
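What the receiver does with that record is decided by "alignment": an SPF or DKIM pass only counts for DMARC if the domain that passed matches the domain in the visible From: header. The added example below (Python, not Vitanium’s code) parses a DMARC record with the RFC 7489 defaults, checks SPF and DKIM alignment in relaxed or strict mode, and returns the dmarc result and disposition a receiver would write into Authentication-Results, reproducing the "dmarc=pass ... dis=none" line from the post and then showing how the same record behaves for a message whose From: claims sme-ecom.co.uk but which authenticates only for an unrelated domain. The organizational-domain logic is a deliberate simplification (real receivers use the Public Suffix List), and the extra records, subdomain and unrelated.example domain are constructed for the example.

```python
def parse_dmarc(record):
    """Parse a v=DMARC1 TXT record, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}       # relaxed alignment, apply to 100%
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])                      # subdomain policy defaults to p=
    return tags


def report_targets(record):
    """Where aggregate (rua) and forensic (ruf) reports will be sent."""
    tags = parse_dmarc(record)
    return {k: [u.strip() for u in tags[k].split(",")] if k in tags else []
            for k in ("rua", "ruf")}


def org_domain(domain):
    """Organizational domain. Assumption for this example only: the last two labels,
    plus a third for .co.uk-style suffixes; real DMARC uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    two_part_tld = (len(labels) >= 3 and len(labels[-1]) == 2
                    and labels[-2] in ("co", "org", "ac", "gov", "net"))
    return ".".join(labels[-3:] if two_part_tld else labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, record_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    record_domain is where the DMARC record was found (the From: domain itself, or
    its organizational domain when the subdomain has none); that decides p= vs sp=.
    pct= sampling is not modelled here.
    """
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:                                 # one aligned pass is enough
        return "pass", "none"
    policy = pol["p"] if from_domain.lower() == record_domain.lower() else pol["sp"]
    return "fail", policy


# The record from the post, and the situation its Authentication-Results line shows.
PAGE_RECORD = "v=DMARC1; p=none; ruf=mailto:postmaster@vitanium.com; rua=mailto:postmaster@vitanium.com;"

if __name__ == "__main__":
    print(evaluate(PAGE_RECORD, "sme-ecom.co.uk", "sme-ecom.co.uk",
                   "pass", "sme-ecom.co.uk", "pass", "sme-ecom.co.uk"))
    # Constructed: From: claims sme-ecom.co.uk, but SPF passed for some unrelated domain.
    print(evaluate(PAGE_RECORD, "sme-ecom.co.uk", "sme-ecom.co.uk",
                   "pass", "unrelated.example", "none", None))
```

Note the second case: with p=none the spoofed message still fails DMARC (so it shows up in the aggregate reports, which is the point of starting at p=none) but the disposition stays "none". Moving the record to p=quarantine or p=reject is what turns that visibility into enforcement.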

Further reading:

https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
https://en.wikipedia.org/wiki/DMARC

As always if you need any help or advice on SPF, DKIM or DMARC please drop us an email on support@vitanium.com and we will be happy to help.

Copyright © 2021 · Vitanium Cloud Limited.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are as essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.