Email Authentication: SPF, DKIM, DMARC, and MX Records Explained

Aswin Benny

This article gives an overview of the email authentication methods SPF, DKIM, and DMARC, along with MX records, which together enhance your domain's security and help prevent email spoofing. It explains how these protocols work together to protect your business's online reputation and maintain trust with your customers.

If you want short explanations, scroll to the bottom of the page.

SPF (Sender Policy Framework):

  • Explanation: SPF is an email authentication method that helps prevent email spoofing. It works by allowing email senders to define which IP addresses are authorized to send emails for a particular domain. When an email is received, the recipient's mail server can check the SPF record of the sender's domain to verify if the email came from an authorized source.

  • Use Case: Let's say you own a domain (e.g., mycompany.com) and you want to ensure that only your company's email servers can send emails from addresses ending in @mycompany.com. You would set up an SPF record in your DNS (Domain Name System) to specify the IP addresses of your authorized email servers.

  • Issues: One common issue with SPF is misconfiguration. If the SPF record is not set up correctly or is outdated, legitimate emails may get rejected or marked as spam.
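
The check a receiving server performs, and the way a stale record penalizes a legitimate server, can be seen in the following added example (not code from the original article). It evaluates only the `ip4`, `ip6`, `include` and `all` mechanisms; the DNS table, the IP addresses and `spf.example.com` as the included provider are constructed assumptions.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation IP ranges).
DNS_TXT = {
    "mycompany.com": "v=spf1 ip4:192.0.2.0/28 include:spf.example.com ~all",
    "spf.example.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on mechanisms that trigger DNS queries


def check_spf(ip, domain, dns=DNS_TXT, count=None):
    """Evaluate ip4/ip6/include/all for the envelope-sender (MAIL FROM) domain."""
    count = [0] if count is None else count  # lookup counter shared across includes
    terms = dns.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            count[0] += 1
            if count[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_spf(ip, value, dns, count)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # broken include breaks the whole record
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
    return "neutral"  # nothing matched and there is no 'all' term
```

A new company server at 192.0.2.40 falls outside the published `/28`, so its mail gets `softfail` until the record is updated, which is the outdated-record problem described above.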

DKIM (DomainKeys Identified Mail):

  • Explanation: DKIM is another email authentication method that adds a digital signature to outgoing emails. This signature is generated using a private key held by the sender's mail server and is added to the email header. Upon receiving the email, the recipient's mail server can use the public key published in the sender's DNS records to verify the signature.

  • Use Case: Continuing with the example of mycompany.com, DKIM can be used to ensure that emails claiming to be from @mycompany.com are indeed sent by your company's authorized servers. By adding DKIM signatures to outgoing emails, recipients can verify the authenticity of the emails.

  • Issues: One issue with DKIM is key management. If the private key used for signing emails is compromised or lost, it can lead to potential security breaches or email spoofing attacks.

DMARC (Domain-based Message Authentication, Reporting, and Conformance):

  • Explanation: DMARC builds on SPF and DKIM to provide a policy framework for email authentication. It allows domain owners to specify what action should be taken if an email fails SPF and/or DKIM authentication checks. Additionally, DMARC enables domain owners to receive reports on email authentication failures.

  • Use Case: With DMARC, the domain owner (e.g., mycompany.com) can set policies to specify whether to quarantine or reject emails that fail SPF and/or DKIM checks. This helps protect against email spoofing and phishing attacks targeting the domain.

  • Issues: Configuring DMARC policies correctly can be challenging, and it requires careful monitoring and analysis of authentication failure reports. Additionally, enforcing strict DMARC policies may inadvertently block legitimate emails if not implemented properly.
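
How a strict policy can block legitimate mail is shown in this added example (not code from the original article). A receiver treats a message as DMARC-passing when SPF or DKIM passes for a domain aligned with the From: domain; the record, the vendor domains and the two-label organizational-domain shortcut are constructed assumptions, and the `sp` and `pct` tags are ignored.

```python
# Constructed policy record, published as a TXT record at _dmarc.mycompany.com.
RECORD = "v=DMARC1; p=reject; rua=mailto:report@mycompany.com"


def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a usable policy."""
    pairs = [part.partition("=") for part in record.split(";") if "=" in part]
    tags = {key.strip().lower(): value.strip() for key, _, value in pairs}
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None  # v=DMARC1 must be the first tag
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers use the Public Suffix List (this shortcut is wrong for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs for one message."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # policy the domain owner asked receivers to apply


# Constructed messages, all with From: someone@mycompany.com.
OWN_SERVER = (("pass", "mycompany.com"), ("pass", "mycompany.com"))
VENDOR_UNSIGNED = (("pass", "bounce.vendor.example"), ("none", None))
VENDOR_SIGNED = (("pass", "bounce.vendor.example"), ("pass", "mail.mycompany.com"))
```

`VENDOR_UNSIGNED` is legitimate mail from a third-party sender that passes SPF only for the vendor's own bounce domain, so under `p=reject` it is rejected until the vendor signs with an aligned DKIM domain, as in `VENDOR_SIGNED`.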

MX Records (Mail Exchange Records):

  • Explanation: MX records are DNS records that specify the mail servers responsible for receiving email on behalf of a domain. When someone sends an email to an address ending in a particular domain (e.g., user@mycompany.com), the sender's mail server queries the DNS to find the MX records for mycompany.com and delivers the email to one of the listed mail servers.

  • Use Case: Suppose you want to set up email services for your domain mycompany.com. You would configure MX records in your DNS to point to the mail servers (e.g., mail.mycompany.com) that will handle incoming emails for your domain.

  • Issues: One common issue with MX records is misconfiguration or downtime of mail servers. If the MX records are not set up correctly or if the designated mail servers are not functioning properly, incoming emails may be delayed or undelivered.

Now, let's tie it all together with a real-world example:

Imagine you run an online retail business called "aswinbenny.in". You want to ensure that all outgoing emails from your domain are authenticated to prevent phishing attacks and maintain trust with your customers.

  1. You set up SPF records to specify the IP addresses of your email servers authorized to send emails on behalf of aswinbenny.in.

  2. You implement DKIM to add digital signatures to outgoing emails, allowing recipients to verify the authenticity of emails claiming to be from aswinbenny.in.

  3. You configure DMARC policies to instruct email providers on how to handle emails failing SPF and/or DKIM checks, such as quarantining or rejecting them.

  4. You ensure that your MX records are properly configured to route incoming emails to your designated mail servers for processing.

By implementing SPF, DKIM, DMARC, and properly configuring MX records, you enhance email security for your domain, reduce the risk of email spoofing and phishing attacks, and maintain trust and credibility with your customers.


In short

Email spoofing

  • The 'From' address in email headers can be modified so that the email appears to come from a trusted source, i.e. our domain's email.

  • SPF, DKIM and DMARC help prevent it.

  • DMARC can give reports of spoofing, rejections, etc.

MX record

  • Mail Exchange

  • Needed for receiving emails

  • Directs incoming emails to the correct mail servers for your domain.

  • DNS records

    • Type: MX

    • Name: subdomain or @ for root

    • Value: mail server

SPF

  • Sender Policy Framework

  • Lists the authorised senders by publishing their IP addresses in DNS records

  • DNS records

    • Type: TXT

    • Name: Usually "@" or "_spf"

    • Value: Includes a mechanism to specify authorized senders for your domain. For example, v=spf1 include:spf.example.com ~all

DKIM Record

  • DomainKeys Identified Mail

  • Email server creates a private key and a public key

  • Public key is saved as a DNS record

  • For every mail, a signature generated with the private key is attached in the header

  • The receiving mail server verifies the signature with the public key from the DNS record

  • If the signature doesn't match, then the email is suspicious

  • DNS records

    • Type: TXT

    • Name: Usually a specific hostname like "selector1._domainkey" or similar.

    • Value: Contains the public key portion of your DKIM key pair.

DMARC Record

  • Domain-based Message Authentication, Reporting, and Conformance

  • It tells receiving servers what to do with emails that fail SPF or DKIM checks.

  • You can choose to quarantine them or reject them outright.

  • DMARC enables domain owners to receive reports on authentication failures, helping them monitor and improve their email security posture.

  • DNS records

    • Type: TXT

    • Name: Usually "_dmarc"

    • Value: Defines policies for handling emails that fail SPF or DKIM checks. For example, v=DMARC1; p=reject; rua=mailto:report@yourdomain.com
