Wakefly BlogDemystifying SPF, DKIM and DMARC: Strengthening Email Security

With Slack and other instant messaging services handling more and more of our online communication, email can sometimes feel like a newspaper being delivered at your door. It’s hard to believe that email has been around for 50 years and still remains an integral part of communication for both businesses and individuals. Unlike newer communication methods, email does not have any central authentication system. That means your local email server does not know if an incoming message is really from who it claims to be from. As a result, email has long been plagued with spam, or worse, phishing attacks that attempt to trick recipients into handing over personal or financial information.

In response to these challenges, a trio of technologies have become widely adopted that combine to add a measure of trust between email servers. Google and Yahoo!, two of the Internet’s largest email handlers, recently announced that bulk senders of more than 5,000 messages per day must have DMARC in place by February 2024 to ensure delivery of their messages.

Before digging into all these acronyms, we need to first define one more: DNS is an Internet protocol that translates names to server locations. Think of it as the Internet phone book. When you enter the domain www.google.com into your browser’s address bar, your browser performs a DNS lookup to find out what server(s) on the Internet serve content for that domain. It then sends the page address you requested to one of those servers to get the page content for display. SPF, DKIM and DMARC all rely on DNS as a secure way to gather information about an incoming email and verify its authenticity.

Here's how each layer contributes:

Layer 1: Authorization (SPF)
SPF authorizes email servers as valid senders for a given email domain. SPF can prevent hackers from sending microsoft.com emails from a server that Microsoft does not control.

The owner of the domain sending the email publishes a list of authorized servers allowed to send emails for their domain in the form of a special DNS record. When an email arrives, the receiving mail server checks the sender's domain for this SPF record. The server then verifies if the email originated from a server listed as authorized (on the ID list). SPF helps prevent unauthorized servers from impersonating a domain to send emails.

Layer 2: Verification (DKIM)
DKIM uses public key cryptography to ensure a message hasn't been altered in transit and originated from an authorized server.

The sending server adds a special encrypted signature to the email header. This signature is created using the domain owner's private key. The recipient's mail server can then lookup the domain's public key from a DNS record. Using the public key, the server verifies the signature on the email.

Layer 3: Reporting and Enforcement (DMARC)
DMARC builds upon SPF and DKIM by instructing receiving mail servers on what to do with emails that fail authorization or authentication.

DMARC policies can instruct the server to:

• Quarantine: Isolate the email for further review.
• Reject: Bounce the email back to the sender.
• Deliver: Allow the email despite failing authentication (though risky).

DMARC also allows sending reports to the domain owner about emails that failed authentication. These reports help identify potential spoofing attempts and track down unauthorized use of the domain. Importantly, DMARC allows for delivery and reporting of suspect messages while administrators fine tune their SPF and DKIM configurations.

The Layered Advantage
Each layer strengthens the overall security. An attacker would need to bypass all three layers to successfully spoof an email:

• SPF prevents unauthorized servers from sending emails altogether. 
• DKIM verifies the email content hasn't been tampered with. 
• DMARC provides reporting and enforcement options to further protect the domain and allows for taking action against spoofing attempts.

By working together, SPF, DKIM, and DMARC create a robust defense system against email-based threats.