Recently we have had several conversations with partners regarding Phishing/Spoofing/Outgoing email being classified as spam, and the topic of SPF, DKIM and DMARC is coming up frequently.
SPF is easy to understand and implement; DKIM and DMARC are a bit more of a mystery, so we thought we would explain each technology and why you might want to think about enabling them for your customers’ domains.
All three tools/technologies exist to help protect the reputation of your own and your customers’ email domains. They combat email spoofing and phishing scams and reduce the chances of outgoing email ending up in recipients’ spam/junk folders.
SPF (Sender Policy Framework)
What does it do?
- It is a method to identify the servers and hosts that are permitted to send email on behalf of a domain.
- Mail systems receiving email can check that the sending server is permitted to send email on behalf of the domain.
How do I set up?
- Identify all systems the domain is sending outgoing email from, e.g. Office 365, Exchange, ISP Smart Host, Marketing Systems like Mailchimp etc.
- You may need to check with any 3rd parties e.g. Mailchimp for their current SPF record.
- Create a TXT DNS entry in the domain’s zone file that publishes the list of systems.
- We have a test domain here called sme-ecom.co.uk, it only sends emails out via Vitanium systems. Our SPF record looks like this:
"v=spf1 include:spf.vsl-net.com -all"
- The recipient’s mail system checks whether the system sending the email is listed in the domain’s SPF record. Depending on how the SPF record is configured, the recipient server can then decide what to do with the email: accept, reject or junk it.
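The check the recipient’s server performs, as an added example (not code from the post or from Vitanium’s systems): a small SPF evaluator that walks a record term by term and returns the result the qualifier dictates. The sme-ecom.co.uk record is the one quoted above; the contents of the spf.vsl-net.com include are an assumption, filled with documentation address ranges, so the whole thing runs offline without DNS. Only the ip4, ip6, include and all mechanisms are implemented, which is enough for records of this shape.

```python
import ipaddress

# Constructed, offline stand-in for the DNS TXT lookups a receiving server performs.
# The sme-ecom.co.uk record is the one from the post; the spf.vsl-net.com include
# is an ASSUMPTION using RFC 5737 / RFC 3849 documentation ranges.
FAKE_DNS_TXT = {
    "sme-ecom.co.uk": "v=spf1 include:spf.vsl-net.com -all",
    "spf.vsl-net.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, lookup=FAKE_DNS_TXT.get, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Handles ip4, ip6, include and all (with qualifiers). Mechanisms that need
    further live DNS (a, mx, ptr, exists) and modifiers (redirect=, exp=) are
    reported as permerror here. Returns one of:
    pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps the lookup chain at 10
        return "permerror"
    record = lookup(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # no qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # An address of the other IP version is simply "not in" the network.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: only matches when the referenced record itself yields "pass".
            matched = check_spf(sender_ip, argument, lookup, depth + 1) == "pass"
        else:
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(ip, "->", check_spf(ip, "sme-ecom.co.uk"))
```

The last address is not covered by the include, so evaluation falls through to the record’s own `-all` and the result is `fail`; with `~all` it would be `softfail`, which most receivers treat as "accept but mark", and with `?all` the record says nothing about unlisted senders at all.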
DKIM (DomainKeys Identified Mail)
What does it do?
- It is a method to verify that the message’s content is trustworthy.
- A sending mail system adds a DKIM-Signature to the message headers.
- A receiving mail system can detect the DKIM-Signature and check whether it is valid; if it is valid, the fields specified in the DKIM-Signature header have not been altered.
How do I set up?
- Various 3rd party software (commercial and open source) can integrate with On Premise mail servers like Microsoft Exchange and can add DKIM-Signatures.
- Office 365 can add DKIM-Signatures (see https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide)
- Vitanium’s outgoing mail servers will shortly be able to add a DKIM-Signature on behalf of your customers.
- The system adding the DKIM-Signature has a Public/Private key pairing, the Private key is used to create the DKIM-Signature header and the Public key is published via a DNS TXT record.
- A receiving system can detect and decrypt the DKIM-Signature header (via a DNS lookup for the domain’s public key) to check whether it is valid.
- Again, using the sme-ecom.co.uk test domain.
- I am running an implementation of DKIM on our outgoing mail servers and have generated a Public/Private key pairing specifically for the sme-ecom.co.uk domain.
- I created the following DKIM record in the sme-ecom.co.uk DNS zone file using the base64 encoded public key:
default._domainkey.sme-ecom.co.uk. 38400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C5zzgVSiov60BxlMPuln4/FShEyYKW6BXZdeab5qRZW277mmRzzCG/Pcxr9CukOd2gkvbHCojSjIS4b7l3jNbDZ86u0gvsvGy2ep2SIhBNAqrNJq7PhAc7QuycySVXMEXXB1eu54ju8RDUeK1vpIbokNyq1S2C3OvQ/LJU0TWwIDAQAB"
- When an outgoing email from sme-ecom.co.uk is sent, the server adds the following DKIM-Signature header. The “b=FU….” section is the signature: the selected message headers (e.g. From, To, Subject) are hashed and the hash is signed with the private key.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sme-ecom.co.uk;
- I sent the message to my personal @talk21.com address; talk21.com is operated by Yahoo, and if I check the message headers after delivery, I see this:
dkim=pass (ok) email@example.com header.s=default;
dmarc=pass(p=none sp=NULL dis=none) header.from=sme-ecom.co.uk;
- You can see dkim=pass (ok): Yahoo has obtained the sme-ecom.co.uk public key via a DNS lookup on default._domainkey.sme-ecom.co.uk, used it to check the “b=FUM…” section of the DKIM-Signature, and confirmed that the signed headers are the same as when the DKIM-Signature header was added.
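What Yahoo’s verifier had to do before the public-key operation, as an added example that is not code from the post or from Vitanium’s mail servers: parse the DKIM-Signature tags, derive the `selector._domainkey.domain` name to look up, decode the `p=` key from the DNS record, canonicalize the body and headers the "relaxed" way (`c=relaxed/relaxed` in the header above), and build the exact byte string whose signature the `b=` tag carries. The DNS record and domain are the ones from the post; the message headers, body and the `bh=`/`b=` values in the sample signature are constructed placeholders. The final RSA check itself needs a crypto library (for example the `cryptography` package) and is left out; everything that feeds it is here, using only the standard library.

```python
import base64
import hashlib
import re

# From the post: the TXT record published at default._domainkey.sme-ecom.co.uk.
DKIM_DNS_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C5zzgVSiov60BxlMPuln4/FShEyYKW6BXZdeab5qRZW277mmRzzCG/Pcxr9CukOd2gkvbHCojSjIS4b7l3jNbDZ86u0gvsvGy2ep2SIhBNAqrNJq7PhAc7QuycySVXMEXXB1eu54ju8RDUeK1vpIbokNyq1S2C3OvQ/LJU0TWwIDAQAB"

# Constructed sample message (not from the post). Extra spaces and trailing blank
# lines are deliberate: relaxed canonicalization must make them irrelevant.
SAMPLE_HEADERS = {
    "From": "alice@sme-ecom.co.uk",
    "To": "bob@example.com",
    "Subject": "DKIM  canonicalization   test",
}
SAMPLE_BODY = b"Hello   world \r\nline two\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=sme-ecom.co.uk; s=default; "
    "h=from:to:subject; bh=BODYHASH_PLACEHOLDER; b=SIGNATURE_PLACEHOLDER"
)


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list; the signature header and the DNS record share
    this syntax. Folding whitespace inside values is dropped (RFC 6376 allows it)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def selector_dns_name(sig_tags: dict) -> str:
    """The name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def dkim_public_key_der(dns_record: str) -> bytes:
    """Decode the base64 p= tag into the DER SubjectPublicKeyInfo a library would load."""
    tags = parse_tag_list(dns_record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    return base64.b64decode(tags["p"], validate=True)


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 relaxed body canonicalization: collapse runs of SP/TAB to one space,
    strip trailing whitespace per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    text = b"\r\n".join(lines)
    while text.endswith(b"\r\n"):
        text = text[:-2]
    return text + b"\r\n" if text else b""


def body_hash(body: bytes) -> str:
    """The value that belongs in the bh= tag (base64 of SHA-256 over the canonical body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace,
    no whitespace around the colon, terminated by CRLF."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n"


def signed_headers_input(headers: dict, sig_value: str) -> bytes:
    """Bytes the signer hashed and signed: each header listed in h=, canonicalized,
    then the DKIM-Signature header itself with an empty b= and no trailing CRLF.
    Assumes a single instance of each header name."""
    tags = parse_tag_list(sig_value)
    by_name = {k.lower(): (k, v) for k, v in headers.items()}
    out = ""
    for name in tags["h"].split(":"):
        if name.lower() in by_name:      # headers listed but absent are skipped
            out += relaxed_header(*by_name[name.lower()])
    # Empty only the b= tag (the look-behind keeps base64 padding in bh= intact).
    sig_without_b = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", sig_value)
    return (out + relaxed_header("DKIM-Signature", sig_without_b).rstrip("\r\n")).encode()


if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_SIGNATURE)
    print("lookup:", selector_dns_name(tags))
    print("public key DER bytes:", len(dkim_public_key_der(DKIM_DNS_RECORD)))
    print("bh= should be:", body_hash(SAMPLE_BODY))
    print(signed_headers_input(SAMPLE_HEADERS, SAMPLE_SIGNATURE).decode())
```

A verifier first compares its own `body_hash` result with the `bh=` tag, then hands `signed_headers_input` and the decoded public key to an RSA-SHA256 verify; that is the step behind the `dkim=pass` line. Because the body is canonicalized, adding trailing blank lines in transit does not break the signature, but changing a byte of text does.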
DMARC (Domain-based Message Authentication, Reporting and Conformance)
What does it do?
- DMARC enhances SPF and DKIM by adding a couple of important functions:
- Reporting – you can gain insight into who is sending email on behalf of your customers’ domains.
- Policy – you can state a clear policy as to what happens if mail fails the SPF and/or DKIM checks.
- ISPs will provide Aggregate (RUA) and Forensic (RUF) DMARC reports, and these reports are sent to the email address published in your DMARC record. This can provide valuable insight into how your own and your customers’ domains are being used.
How do I set it up?
- DMARC is implemented via a simple DNS record.
- I have a DMARC record set up for sme-ecom.co.uk:
v=DMARC1; p=none; ruf=mailto:firstname.lastname@example.org; rua=mailto:email@example.com;
- v = version; p = policy, e.g. none, quarantine or reject; ruf and rua are the addresses the reports should be sent to.
- There are other settings that we won’t go into here, but DMARC is a very valuable tool which can give a lot of insight into whether a domain is being spoofed.
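How a receiver turns the SPF and DKIM results plus this record into a DMARC verdict and a disposition, as an added example (not code from the post or from Vitanium): DMARC only passes when SPF or DKIM passes *and* the domain that passed aligns with the From header domain, and the `p=` policy is applied only on failure. The record is the one from the post; the message scenarios are constructed. The public-suffix table used for "relaxed" alignment is an assumption with a handful of entries, where a real verifier uses the full Public Suffix List, and `pct=` sampling is not modelled.

```python
# Minimal public-suffix table: an ASSUMPTION standing in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com", "org", "net", "example"}

# From the post: the DMARC record published for sme-ecom.co.uk.
PAGE_DMARC_RECORD = "v=DMARC1; p=none; ruf=mailto:firstname.lastname@example.org; rua=mailto:email@example.com;"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in the defaults that matter here:
    relaxed alignment for DKIM and SPF, and the subdomain policy sp= defaulting to p=."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the public suffix
    (mail.sme-ecom.co.uk -> sme-ecom.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str, spf_domain,
                   dkim_result: str, dkim_domain) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the
    d= of a DKIM signature that verified. Disposition is what p= (or sp= for a
    subdomain From) asks the receiver to do when DMARC fails.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    return "fail", (policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    # Constructed scenarios: a legitimate message, then a forged From with no authentication.
    print(evaluate_dmarc(PAGE_DMARC_RECORD, "sme-ecom.co.uk", "pass", "sme-ecom.co.uk", "pass", "sme-ecom.co.uk"))
    print(evaluate_dmarc(PAGE_DMARC_RECORD, "sme-ecom.co.uk", "fail", "other.example", "none", None))
    print(evaluate_dmarc("v=DMARC1; p=reject", "sme-ecom.co.uk", "fail", "other.example", "none", None))
```

The second call is the spoofing case: both checks fail, DMARC fails, but with `p=none` the disposition is still `none`, which is exactly what the `dmarc=pass(p=none ...)` header above shows the receiver considering. The third call is the same message after moving to `p=reject`. This is why the usual rollout is `p=none` first, reading the RUA reports until every legitimate sender aligns, then `quarantine`, then `reject`.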
Further reading can be found here
As always if you need any help or advice on SPF, DKIM or DMARC please drop us an email on firstname.lastname@example.org and we will be happy to help.