Spam email is as old as the web, and its rise has naturally mirrored the web’s explosion in popularity. Anti-spam methods have grown in sophistication and filter out more unwanted messages than ever before, but one or two uninvited guests still manage to slip through the net. Enter three (fairly) new tools that are taking the fight against spam up a notch: DKIM, DMARC and SPF. Here’s a glimpse of these tools and a quick rundown of what they can do.
Can SPF, DKIM and DMARC free you from junk emails?
DMARC, DKIM and SPF – What are they?

SPF (Sender Policy Framework) is a system that checks whether an email is genuine by comparing its sending server against a list of approved senders. The domain publishes this list in a TXT record in its DNS. These DNS entries can be trusted because the domain’s owners and administrators are the only individuals allowed to make them.

DKIM (DomainKeys Identified Mail) detects forged email and allows each item to be authenticated. When sending an email, it’s easy to claim that it’s coming from a particular domain, but DKIM actually validates such claims. DKIM works by adding a digital signature to an email message so that the two become associated. The sender of an email publishes a key in the DNS, and the receiver uses this key to check the signature. If they match, then it’s clear that there has been no tampering with the email.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an additional mechanism that works in tandem with SPF and DKIM. With this, the domain admin can publish a policy, saying whether it uses SPF, DKIM or both. It lets the receiving server know how it should handle failures.

It’s clear that the DNS is key for these systems to function properly. Let’s see how they work.
How Does SPF Work?
- First, the receiving mail server fetches the sender address of every message it gets.
- Then, it performs a TXT DNS query to look up the SPF entry of the claimed domain.
- Next, the data in the SPF entry is used to authenticate the sender’s server.
- Finally, the sender’s server receives a rejection notice if this authentication fails.
How does DKIM work?
- First, the final server in the sending domain’s infrastructure checks the domain in the “From” header against its signing table. If the domain has no entry there, the process stops.
- Second, a “DKIM-Signature” header is added to the mail message, generated from the message content using the private part of the key.
- Now, the content of the message is locked and nobody can modify it. Any attempt to do so results in a mismatch with the DKIM header.
- When the message gets to the receiving server, that server performs a TXT DNS query to get hold of the public key referenced in the DKIM-Signature field.
- Finally, the result of the DKIM header check reveals if a message is real or fake.
How does DMARC work?
- When a message arrives, the mail server looks for a DMARC policy relating to the domain that DKIM and/or SPF use.
- If one or both checks are successful and also comply with the DMARC policy, then the message is deemed to have passed. If not, it fails.
- In the event that the check fails, the published DMARC policy will guide further action.
Best practices and their limits

Unfortunate but true: even if you observe best practices and your mail system uses all of these tools correctly, phishers, scammers and spammers will still get through your defenses now and then.

Not all servers are using all three of these tools, but even if they are, it still helps to note the limits of what SPF, DKIM and DMARC can do:
- Using DKIM on its own doesn’t ensure that the server sending the message to a specific domain is entitled to do so.
- SPF can’t do anything with messages that have been forged in a shared hosting situation. This is because all of that mail will appear to be coming from the same IP address.
- DMARC is still in its infancy, and not enough users have adopted it to make a significant difference.
- Used on its own, DMARC can and will break your mail flow. To avoid this, you will need to set up both DKIM and SPF before you change the DMARC policy to anything other than “none”.
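
The last point can be checked before a policy change goes live. The following Python is an added example, not code from the original article: it inspects a domain's TXT records and flags a DMARC policy that is enforced before SPF and DKIM are both published. The domain example.com, the selector s1, the record values and the function names are all constructed assumptions, and the records are supplied as a dictionary rather than fetched from DNS.

```python
# Added example: works on constructed TXT data rather than live DNS lookups.
SAMPLE_TXT = {  # constructed records for the placeholder domain example.com
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    # no s1._domainkey.example.com entry: DKIM has not been set up yet
}

def parse_tags(record):
    """Split a 'k=v; k=v' record (the DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 values may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, selector, txt):
    """txt maps a DNS name to its list of TXT strings; returns a list of findings."""
    findings = []
    # SPF lives at the domain itself; exactly one v=spf1 record is expected.
    spf = [r for r in txt.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        findings.append("spf: no record")
    elif len(spf) > 1:
        findings.append("spf: multiple records (receivers treat this as an error)")
    # The DKIM key lives at <selector>._domainkey.<domain>; an empty p= means revoked.
    dkim = [parse_tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    dkim_ok = any(t.get("p") for t in dkim)
    if not dkim:
        findings.append("dkim: no key record for selector " + selector)
    elif not dkim_ok:
        findings.append("dkim: key record has empty p= (revoked)")
    # The DMARC policy lives at _dmarc.<domain>.
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if not dmarc:
        findings.append("dmarc: no policy published")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy in ("quarantine", "reject") and (len(spf) != 1 or not dkim_ok):
            findings.append(f"dmarc: p={policy} is enforced before SPF and DKIM are both in place")
    return findings

if __name__ == "__main__":
    print("\n".join(check_domain("example.com", "s1", SAMPLE_TXT)))
```

DKIM selectors cannot be discovered from DNS, so the selector passed in has to be the one your sending servers actually sign with.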