Email Standards: SPF, DKIM & DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an authentication policy that builds on two other policies:
- Sender Policy Framework (SPF) provides authorization
  - Identifies which mail servers can send mail on behalf of the `MAIL FROM` domain, as configured in DNS. `MAIL FROM` is also called the `RETURN PATH`, `ENVELOPE FROM` or `BOUNCE ADDRESS`, and is an email address.
  - Recipient mail servers check the SPF record to ensure that the sending server is allowed to send mail for the `MAIL FROM` domain.
  - Designed to prevent spoofing, but not 100% reliable, so DKIM is needed as well.
- DomainKeys Identified Mail (DKIM) provides authentication
  - Adds a digital signature to the message, carried in a header.
  - The recipient servers can then confirm that the signature matches a key that the domain owns (the public key is published in DNS).
  - Since the signature travels in a header, DKIM still verifies when a mail server forwards the email unchanged (which would fail under SPF, because the forwarding server's IP is not in the original domain's SPF record).
Both SPF and DKIM verify things that the user cannot see, namely that the `MAIL FROM` domain aligns with the sending server's IP (SPF) and that the message is properly signed by the `MAIL FROM` domain (DKIM). In particular, no check is done against the address the user actually sees, the `FROM` header address. DMARC fixes this:
- There must be alignment on at least one of the classic SPF/DKIM checks on the `MAIL FROM` address.
- For SPF alignment (if SPF already passed), DMARC requires that the `FROM` address and the `MAIL FROM` address have the same domain.
- For DKIM alignment (if DKIM already passed), DMARC requires that the domain specified in the DKIM signature matches the one in the `FROM` address.
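The alignment rules above, worked through in code. This is an added example written for these notes, not code from any mail server or library: `org_domain` approximates the organizational domain with a two-label shortcut (real evaluators use the Public Suffix List), and the function and variable names are the example's own.

```python
# Added example: minimal DMARC alignment evaluation (not a full DMARC implementation).
# A receiver has already run SPF (on MAIL FROM / connecting IP) and DKIM (on the
# signature's d= domain); DMARC then asks whether either passing result aligns with
# the domain in the user-visible From: header.


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record like 'v=DMARC1; p=reject; aspf=s' into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption for this example only: real evaluators consult the Public Suffix
    List, otherwise suffixes such as co.uk are handled wrongly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, other: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) = exact match, 'r' (relaxed) = same org domain."""
    a, b = header_from.lower().rstrip("."), other.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(header_from, mail_from, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r") -> dict:
    """Return per-mechanism alignment and the overall DMARC verdict."""
    spf_aligned = bool(spf_pass and aligned(header_from, mail_from, aspf))
    dkim_aligned = bool(dkim_pass and dkim_domain and aligned(header_from, dkim_domain, adkim))
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    policy = parse_dmarc_record("v=DMARC1; p=reject; aspf=r; adkim=r")  # constructed record
    # Forwarded mail (constructed): MAIL FROM was rewritten by the forwarder, so SPF passes
    # for the forwarder but does not align; the untouched DKIM signature still aligns.
    print(dmarc_result("example.com", "bounce.forwarder.net", True, "example.com", True,
                       policy["aspf"], policy["adkim"]))
    # Spoofed From: (constructed): SPF passes for the sender's own domain, no DKIM -> fail.
    print(dmarc_result("example.com", "sender.test", True, None, False))
```

The first case prints a DMARC pass via DKIM only, the second a fail; with `p=reject` the receiver would then reject the second message.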