IT Support, Security & Managed IT Services Blog - iCorps

Email Security for Your Business: SPF, DKIM, DMARC Explained

Written by Jeffery Lauria | 2023/06/6

If you own a domain and send emails from it, you probably want to make sure that your emails are authentic, secure, and delivered to your recipients. You also want to prevent spammers, phishers, and other malicious actors from impersonating your domain and sending fake or harmful emails to your contacts. 
 
That's where DMARC, SPF, and DKIM come in. These three email authentication methods help you prove that you are the legitimate sender of your emails and protect your domain reputation. This blog post will explain what each method does, how they work together, and how to set them up for your domain. 

What is SPF?

SPF stands for Sender Policy Framework. It is a way for you to tell the world which servers are authorized to send emails from your domain. It works by adding a TXT record to your domain's DNS settings that lists the IP addresses of your email servers. 
 
When a recipient's mail server receives an email from your domain, it can check the SPF record to see if the sender's IP address matches one of the authorized ones. If it does, the email passes the SPF check. If it doesn't, the email fails the SPF check and may be rejected, marked as spam, or quarantined. 
 
SPF helps prevent spammers from forging your domain in the "From" header of their emails and tricking recipients into thinking you sent them. 

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is a way to add a digital signature to your emails that prove that they came from your domain and have not been tampered with in transit. 
 
It works by using public-key cryptography. You generate a pair of keys: a private key that you keep secret on your email server and a public key that you publish in a TXT record in your domain's DNS settings. 
 
When you send an email from your domain, your email server uses the private key to sign the email header with a DKIM signature. When a recipient's mail server receives an email from your domain, it can use the public key to verify that the signature matches the email header and that your private key created it. 
 
DKIM helps prevent spammers from modifying your emails in transit and adding malicious content or links to them. 

 Download the Infographic

What is DMARC?

DMARC stands for Domain-based Message Authentication Reporting and Conformance. It is a way for you to tell the world how to handle emails from your domain that fail SPF or DKIM checks. 
 
It works by adding another TXT record to your domain's DNS settings that specifies your DMARC policy. Your DMARC policy can instruct the recipient's mail servers to do one of three actions: 

  1. None: Do nothing with emails that fail SPF or DKIM checks. This is useful for testing and monitoring purposes.
  2. Quarantine: Move emails that fail SPF or DKIM checks to the spam or junk folder of the recipient. This is useful for reducing spam and phishing attempts.
  3. Reject: Reject emails that fail SPF or DKIM checks and do not deliver them to the recipient. This is useful for enforcing strict security and preventing any unauthorized emails from reaching your contacts. 
     

DMARC also allows you to request reports from the recipient's mail servers about which emails pass or fail SPF or DKIM checks. This helps you monitor your email deliverability and reputation, identify any configuration issues or spoofing attempts, and adjust your settings accordingly. 

How to set up DMARC, SPF, and DKIM for your domain:

Setting up DMARC, SPF, and DKIM for your domain may seem complicated at first, but it is not too difficult if you follow these steps: 

  1. Check if your email service provider supports DMARC, SPF, and DKIM. Most popular providers, like Gmail, Outlook, Mailchimp, etc., support them and can help you with the setup process.

  2. Generate a DKIM key pair for your domain using a tool like dkimcore.org.

  3. Add a TXT record to your domain's DNS settings with the name "_dmarc.yourdomain.com" (replace "yourdomain.com" with your actual domain name) and the value "v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com" (replace "youremail@yourdomain.com" with your actual email address). This sets up a basic DMARC policy with no action, and requests reports to be sent to your email address.

  4. Add another TXT record to your domain's DNS settings with the name "yourselector._domainkey.yourdomain.com" (replace "yourselector" with any word you choose and "yourdomain.com" with your actual domain name) and the value "v=DKIM1; k=rsa; p=yourpublickey" (replace "yourpublickey" with the public key you generated in step 2). This publishes your DKIM public key for verification purposes.

  5. Add another TXT record to your domain's DNS settings with the name "yourdomain.com" (replace "yourdomain.com" with your actual domain name) and the value "v=spf1 include:_spf.yourprovider.com ~all" (replace "_spf.yourprovider.com" with the SPF record provided by your email service provider). This authorizes your email service provider's servers to send emails from your domain.

  6. Test if everything works by sending an email from your domain to an external address (like Gmail) and checking if it passes DMARC, SPF, and DKIM checks. You can use tools like this one: mail-tester.com or mxtoolbox.com.

  7. Adjust your DMARC policy as needed by changing the "p" parameter in step 3 from "none" to "quarantine" or "reject." You can also add other parameters like "sp" (subdomain policy), "pct" (percentage of emails to apply policy), "adkim" (DKIM alignment mode), "aspf" (SPF alignment mode), etc.  

By following these steps, you can set up DMARC, SPF, and DKIM for your domain and improve your email security and deliverability. Learn more about securing your in-office and mobile employees through strategic email IT solutions with a free consultation from iCorps.