DKIM, DMARC & SPF: What are they and how do you use them?

Email was never intended to be what it is.

It’s grown beyond the inventor’s wildest vision.

As a result, when the developers built the system that ran email, they did so with very little in the way of security: there was no way of checking a sender’s identity – mainly because the developers couldn’t envisage why someone would want to send you a 100 character message pretending to be someone else.

Sadly, as email became widely used (using that same framework that those developers created – called SMTP), that lack of security has been exploited – with millions of messages being ‘spoofed’.

It’s clear that we REALLY do need to verify who is sending things to us – but there’s no real way to add those features to SMTP itself. Instead, to get around it, a series of new frameworks have been created that work alongside SMTP to add layers of security. These are SPF, DKIM and DMARC – and they all use DNS to help validate that your email is coming from where it’s supposed to.

Sorry about all the acronyms – we’ll try and explain them!

What is DNS again?

DNS (or Domain Name System) is the rather clever setup that directs traffic around the Internet. It’s what ensures that people around the world who type your web domain into their browser get pointed to the specific location where your web pages sit. Each website on the Internet chooses somewhere that controls its DNS listing and, through clever jiggery-pokery, this is then copied across the whole of the Internet (if this has sparked your interest, “How Stuff Works” has a fuller and better description of DNS).

As the owner of a domain name (for example: iamcurious.co.uk) you need to direct traffic accordingly when someone visits your website. This is done with DNS records.

If the Domain Name System is a bit like a telephone directory, then DNS Records are the individual directory listings.

They tell computers what to do with the various different types of web traffic they might want to send to your domain: in particular where to send emails, and where to find your website. They’re simple pieces of text that are listed with your domain name and visible to anyone.

There are different types of records. For example:

“You’ll find my website over here” (A record)

Or, “Send my email over here” (MX records).

There are also various types of notices and information you can put in your DNS records which don’t necessarily point anywhere, but are used as a way to prove that it’s legitimately your real web domain: these are TXT records, and SPF and DMARC records are published as TXT records.

The frameworks that have been put in place to improve email security all use these records in different ways to help email systems understand whether the email you send is genuine or not.

Basically, these frameworks say that if the person who is sending email on behalf of a domain doesn’t meet the conditions defined in that domain’s DNS, then the message is probably spam and that person is trying to trick you.

Why should you care about this?

Well, because if you’re someone who sends emails and you don’t get these records right, your emails will still be sent – but the strict rules that email providers have in place to prevent spam will mean they’re not delivered.

SPF, DKIM, DMARC and what they do.

SPF, DKIM, and DMARC are all different ways of saying ‘this email comes from a legitimate sender’.

Each technology is newer than the last. So SPF is the oldest, DKIM is newer, and DMARC is newer still – each developed as a response to dodgy types finding ways around existing protections.

All are agreed-upon standards that use a combination of DNS records and data written into the header of the email to confirm that an email really is sent by the people who own that particular web domain.

To explain how each works, think of receiving a real parcel in the post from an online store.

SPF – Verifying Authorised Senders

SPF (Sender Policy Framework) is a bit like a list of a company’s employees. It’s like the sender saying, “This specific employee is allowed to send you a parcel (an email) using our system, but anyone not on this list isn’t authorised.”

DKIM – Authenticating the Sender

DKIM (DomainKeys Identified Mail) is a digital signature that’s included in the email and validates that the email hasn’t been altered in transit. The public key is published in the sender’s DNS so that the email provider receiving the mail can check that the digital signature is legitimate. It’s a bit like your parcel being delivered in a branded truck, driven by an employee in the right uniform.

DMARC – Handling Unverified Emails

DMARC (Domain-based Message Authentication, Reporting, and Conformance) instructs the receiving system on what to do with emails that fail the SPF or DKIM checks for the domain in the From address. Typically, it might tell the receiving system to reject or quarantine the mails, and to send reports about those failures back to the domain owner. Think of this as the sender of your parcel having a clear delivery and returns policy; it builds trust and ensures that the person receiving the email knows you care about it being delivered safely.


To ensure that your email is delivered, you will want to use at least two of these frameworks (DMARC + one other) – or ideally all three*


*This only counts if you’re sending email from your own web domain. If you use GMail, Hotmail or some other similar email service, then you don’t need to worry about any of this!
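As an added illustration (not code from the original article), here is how a receiving mail server interprets the records described above: a constructed SPF record is checked against the connecting IP address, and a constructed DMARC record decides what to do when neither SPF nor DKIM produces a result that lines up with the domain in the From address. The DKIM signature check itself and the SPF include:, a and mx mechanisms are left out because they need DNS lookups and cryptography beyond this sketch; the domain names and addresses are made up.

```python
"""Toy evaluation of SPF and DMARC records as published in DNS TXT records.
All records below are constructed samples; no DNS lookups are performed."""
import ipaddress

def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP.
    Only ip4/ip6 mechanisms and the trailing 'all' are handled here;
    include:, a and mx would require DNS queries."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return result                    # default applies to unlisted senders
        if term.startswith(("ip4:", "ip6:")):
            # 'in' is False when address and network are of different IP versions
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
    return "neutral"                         # no mechanism matched, no 'all' given

def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM key records use this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organisational domain is the last two labels (no public-suffix list).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the published policy (p=)."""
    tags = parse_tags(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"                          # constructed
DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"       # constructed
```

Run `spf_check(SPF, "203.0.113.5")` to see a pass and `dmarc_disposition(DMARC, "example.com", "pass", "attacker.example", "fail", "")` to see the record’s p=reject policy applied to a message whose SPF pass belongs to an unrelated domain.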
