If you are new to email security, you have probably heard about SPF, DKIM, and DMARC. But what are they, and how do they relate to each other?
Like regular postal mail, someone could send you a letter and forge the sender's name on the envelope, on the letter itself, or on both. The same is possible for email, and email is reported to be involved in more than 90% of network attacks, typically through scams such as spear phishing. To better protect against this kind of fraud, SPF, DKIM, and DMARC were introduced.
Sender Policy Framework (SPF) is a mechanism that allows a domain to publish, in a DNS TXT record, which sources (IP addresses) are allowed to send email on behalf of that domain. The receiving server checks the connecting IP address against the record of the domain in the SMTP envelope sender (MAIL FROM, also called the Return-Path); SPF says nothing about the From header the recipient sees.
In the postal mail analogy, this would mean that upon receiving an envelope, you contact the sender printed on it and ask them if Postman Pat can be trusted to deliver a letter on their behalf.
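To make the SPF check concrete, here is an added example (not code from the original post) of how a receiving server evaluates an SPF record for a connecting IP. The records, the domains example.com and example.net, and the `INCLUDES` table that stands in for DNS lookups are all constructed for this illustration. It goes a little beyond the text by handling the `include:` mechanism and the RFC 7208 lookup limit, and it shows the difference between a strict `-all` and a soft `~all` record for an unauthorised source.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed example records (not real DNS data). example.com authorises its own
# /24 plus whatever its bulk-mail provider lists under _spf.example.net.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
# Stand-in for the DNS TXT lookups that an include: mechanism would trigger.
INCLUDES = {"_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means '+': pass when it matches
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def check_host(ip, record, includes, _lookups=None):
    """Evaluate `record` for the connecting `ip` and return an SPF result string.

    Only ip4, ip6, include and all are implemented; a, mx, exists and redirect
    need live DNS and raise NotImplementedError here. `includes` maps a domain
    to the SPF record a resolver would return for it.
    """
    addr = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]  # shared DNS lookup counter
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:          # RFC 7208 section 4.6.4: at most 10 lookups
                return "permerror"
            if value not in includes:    # include: of a domain without an SPF record
                return "permerror"
            # include: matches only when the included record itself returns pass
            if check_host(ip, includes[value], includes, lookups) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS; not modelled here")
    return "neutral"  # no mechanism matched and the record has no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1", "203.0.113.5"):
        print(ip, "strict:", check_host(ip, STRICT_RECORD, INCLUDES),
              "soft:", check_host(ip, SOFT_RECORD, INCLUDES))
```

The `~all` variant is what many domains publish while they are still discovering their sending sources; a spoofed message from an unlisted IP then only gets "softfail", which most receivers treat as a weak signal. Under DMARC, both "fail" and "softfail" count as an SPF failure, so the policy is what eventually decides the message's fate.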
DomainKeys Identified Mail (DKIM) is a mechanism that allows a domain to claim responsibility for a message and to protect selected headers and the body against modification by adding a digital signature. The signing domain is named in the d= tag of the DKIM-Signature header, and the public key needed to verify the signature is published in DNS under the selector (s= tag) of that domain.
In the postal mail analogy, the envelope carries a sealed stamp that proves the letter inside was not altered by anyone who handled the envelope, and the stamp can be verified to belong to whoever applied it (the signing domain). Note that this is not necessarily the sender named in the letter; that difference is important and becomes relevant below.
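The "protect it against modifications" part of DKIM starts with the body hash. As an added example (not code from the original post), the block below implements the RFC 6376 body canonicalization ("simple" and "relaxed"), computes the bh= tag, and checks a DKIM-Signature header against a message body. The message, the domain example.com and the selector sel are constructed; the b= tag (the actual signature over the selected headers) is left empty because verifying it requires the public key from DNS, which is out of scope for an offline example.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, algorithm: str = "simple") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 and 3.4.4.

    Assumes CRLF line endings, as the body is seen on the wire.
    """
    lines = body.split(b"\r\n")
    if algorithm == "relaxed":
        # Strip trailing whitespace on each line and collapse runs of WSP to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif algorithm != "simple":
        raise ValueError(f"unknown canonicalization {algorithm!r}")
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        # An empty body is a lone CRLF under simple and the empty string under relaxed.
        return b"\r\n" if algorithm == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "relaxed", hash_name: str = "sha256") -> str:
    """Value of the bh= tag: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(hash_name, canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """First step of DKIM verification: does the body still hash to the signed bh= value?"""
    tags = parse_dkim_tags(dkim_signature)
    # c= is header/body; when only one algorithm is named, the body uses simple.
    canon = tags.get("c", "simple/simple")
    body_alg = canon.split("/", 1)[1] if "/" in canon else "simple"
    hash_name = tags["a"].split("-", 1)[1]  # rsa-sha256 -> sha256, ed25519-sha256 -> sha256
    return body_hash(body, body_alg, hash_name) == tags["bh"]


# Constructed sample message body (note the trailing spaces and blank lines).
SIGNED_BODY = b"Hi,\r\n\r\nPlease pay invoice 4711 to the usual account.  \r\n\r\n\r\n"
# Constructed DKIM-Signature header for example.com; b= is omitted (see lead-in).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
             "h=from:to:subject:date; bh=" + body_hash(SIGNED_BODY) + "; b=")
# What a man-in-the-middle might turn the body into: the hash no longer matches.
TAMPERED_BODY = b"Hi,\r\n\r\nPlease pay invoice 4711 to our new account instead.\r\n"

if __name__ == "__main__":
    print("original body verifies:", body_hash_matches(SIGNATURE, SIGNED_BODY))
    print("tampered body verifies:", body_hash_matches(SIGNATURE, TAMPERED_BODY))
```

Relaxed canonicalization is why mail that passes through a forwarder which trims trailing whitespace or blank lines can still verify, while any change to the words of the body breaks the hash. A full verifier then canonicalizes the headers listed in h=, appends the DKIM-Signature header with b= emptied, and checks the RSA or Ed25519 signature with the key found at sel._domainkey.example.com.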
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism built on top of SPF and DKIM. It takes the SPF and DKIM validation results and additionally checks whether the 'Header From' domain aligns with the domain used for the SPF check (the envelope sender) and with the domain used for the DKIM check (the d= signing domain). The 'Header From' address is the one recipients see in their email client.
When neither SPF nor DKIM both passes and aligns with the 'Header From' domain, the receiving server should honour the DMARC policy published by the domain owner. The policy can instruct the receiving server to quarantine (p=quarantine), reject (p=reject), or take no action and deliver the message (p=none); in every case the receiver can send aggregate reports to the address in the record's rua= tag, which is the "Reporting" in DMARC.
Like regular mail, the sender's name on the letter does not have to match the sender's name on the envelope. The problem with email is that the envelope (the SMTP MAIL FROM address) is not visible to the recipient, which creates risk: recipients judge a message by its From header, and SPF alone never checks that header.
Imagine your email server as a person handling your incoming messages. If you do not implement SPF, DKIM, and DMARC, this person will receive an envelope from anyone, open it, and put the letter on your desk without checking anything. Unfortunately, you then have no way of checking whether the sender's name on the letter can be trusted.
Stop people impersonating your emails
The DMARC policy is applied only when both SPF and DKIM fail, either because the check itself fails or because its result does not align with the 'Header From' domain. As long as either SPF or DKIM passes and aligns, DMARC passes and the message will not be quarantined or rejected on DMARC grounds (receivers may of course still filter it for other reasons).
Case #1 A postman who is not trusted to deliver a message on behalf of the envelope's sender (SPF fail) delivers an envelope sealed with a stamp (DKIM pass) that matches the name on the letter (DKIM alignment pass). DMARC passes, and the message will get delivered.
Case #2 A postman trusted to deliver a message on behalf of the envelope's sender (SPF pass) delivers an envelope without a seal (DKIM none). If the sender's name on the envelope aligns with the sender's name on the letter (SPF alignment pass), DMARC passes, and the message will get delivered.
Case #3 A postman trusted to deliver a message on behalf of the envelope's sender (SPF pass) delivers an envelope with a seal (DKIM pass). However, the sender's name on the letter matches neither the name on the envelope nor the name on the seal, so both alignment checks fail. DMARC therefore fails, and if the domain on the letter publishes p=reject, the recipient should reject the message.
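The three cases above, and the alignment and policy logic described in the DMARC definition, can be written out as a small evaluator. This is an added example, not code from the original post: it takes the DMARC record, the 'Header From' domain, and the SPF and DKIM results with the domains they were evaluated for, and returns the DMARC result together with the action the receiver should take. The domains example.com, bounce.example.com and attacker.example are constructed, and the organizational-domain function is a simplification of the Public Suffix List lookup that real receivers perform. It also shows what changes when the same spoofed message meets a p=none record, which is the situation the enforcement section later in this post warns about.

```python
POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc.<domain> TXT record into its tags (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICY_ACTION:
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this example.

    Real receivers consult the Public Suffix List so that e.g. example.co.uk
    is handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against;
    dkim_domain is the d= tag of a DKIM signature that verified. sp=, pct= and
    the reporting tags are ignored in this example.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"          # one aligned pass is enough
    return "fail", POLICY_ACTION[tags["p"]]


# Constructed records for the 'Header From' domain example.com.
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    cases = {
        "Case #1 SPF fail, DKIM pass and aligned":
            ("example.com", "fail", "example.com", "pass", "example.com"),
        "Case #2 SPF pass and aligned (relaxed), no DKIM":
            ("example.com", "pass", "bounce.example.com", "none", ""),
        "Case #3 SPF and DKIM pass for the attacker's domain, nothing aligned":
            ("example.com", "pass", "attacker.example", "pass", "attacker.example"),
    }
    for label, args in cases.items():
        print(label)
        print("  p=reject:", evaluate_dmarc(ENFORCING, *args))
        print("  p=none:  ", evaluate_dmarc(MONITORING, *args))
```

Case #3 is the typical spoof: the attacker controls attacker.example, so SPF and DKIM both pass for that domain, but neither identifier aligns with the example.com address the recipient sees. With p=reject the message is refused; with p=none the evaluator still reports "fail" but the action is "deliver", which is exactly why a monitoring-only record gives no protection. Switching aspf=s in the record would make Case #2 fail as well, since bounce.example.com is not an exact match for example.com.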
I hope this blog post contributed to your knowledge about these email security techniques and convinced you that implementing these mechanisms is necessary to reduce phishing and other email spoofing attacks that abuse your domain.
Publishing a DMARC record is not enough on its own to protect your brand; the policy has to be enforced. At enforcement, only email that authenticates and aligns for sources you have authorised is delivered normally from your domains, and everything else is rejected or sent to the spam folder by receivers that honour the policy.
This happens by moving your email program from a p=none policy to p=quarantine or p=reject, once the aggregate reports show that every legitimate sending source passes SPF or DKIM with alignment.
Mailbox providers and Internet Service Providers (ISPs) look at your sending domain's reputation when making delivery decisions, and they take DMARC status into account. Customers reportedly see delivery rates for their marketing campaigns increase by 5 to 10% after moving to an enforcing DMARC policy.
Unfortunately, many companies that adopt DMARC never reach the enforcement stage. Based on our research, 75% to 80% of domains that have published a DMARC record struggle to achieve enforcement. These difficulties often arise from configuration errors or, more commonly, from getting stuck at the p=none policy, sometimes for months or even years.
Operating in monitor mode, with a DMARC policy of p=none, does not protect your business. It only tells you, through the aggregate reports, how your domain is being used to send email; receivers take no action on messages that fail.