Email Standards: SPF, DKIM and DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an authentication policy that uses two other policies:

  • Sender Policy Framework (SPF) provides authorization
    • Identifies which mail servers can send mail on behalf of the custom MAIL FROM domain configured in DNS.

    MAIL FROM is an email address; it is also called the RETURN PATH, ENVELOPE FROM or BOUNCE ADDRESS.

    • Recipient mail servers check the SPF record to ensure that the sending server is allowed to send mail for the MAIL FROM domain
    • Designed to prevent spoofing, but not 100% reliable, so DKIM is also needed
  • DomainKeys Identified Mail (DKIM) provides authentication
    • Adds a digital signature to the messages, in a header
    • The recipient servers can then confirm that the signature matches a key that the domain owns (public key in the DNS)
    • Since the signature is in a header, DKIM works when a mail server chooses to forward email unchanged (which would fail under SPF)

Both SPF and DKIM verify things that the user cannot see, namely that the sending server's IP is authorized for the MAIL FROM domain (SPF) and that the message is properly signed by the MAIL FROM domain (DKIM). In particular, no check is done against the address that the user actually sees, the FROM address. DMARC fixes this:

  1. There must be alignment on at least one of the classic SPF/DKIM checks on the MAIL FROM address.
  2. For further SPF alignment (if previously aligned), DMARC requires that the FROM address and the MAIL FROM address have the same domain.
  3. For further DKIM alignment (if previously aligned), DMARC requires that the domain specified in the DKIM signature matches the one in the FROM address.
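The alignment rules above, as an added example (not code from the original page): a small evaluator that takes the SPF and DKIM results plus the domains involved and reports which mechanism both passed and aligned with the visible FROM domain. It assumes relaxed alignment by default (same organizational domain), with strict mode requiring an exact match, and approximates the organizational domain as the last two labels, which is a simplification of what a real receiver does.

```python
from typing import Optional

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Constructed simplification: real receivers consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(candidate: str, header_from: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact domain match,
    relaxed (the default) needs the same organizational domain."""
    a, b = candidate.lower().strip("."), header_from.lower().strip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_evaluate(header_from: str, mail_from: str, spf_pass: bool,
                   dkim_pass: bool, dkim_d: Optional[str],
                   aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    """Decide DMARC for one message.

    header_from: domain of the FROM address the user sees (RFC5322.From)
    mail_from:   domain of the MAIL FROM / RETURN PATH (RFC5321.MailFrom)
    spf_pass:    SPF result for mail_from; dkim_pass/dkim_d: DKIM result and d= tag
    DMARC passes when at least one mechanism passes AND its identifier aligns
    with header_from; a pass on an unaligned identifier does not count.
    """
    spf_aligned = spf_pass and aligned(mail_from, header_from, aspf_strict)
    dkim_aligned = bool(dkim_pass and dkim_d and aligned(dkim_d, header_from, adkim_strict))
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    # Constructed cases using reserved example domains.
    # 1) bounce subdomain as MAIL FROM: aligns in relaxed mode, not in strict mode
    print(dmarc_evaluate("example.com", "bounce.example.com", True, False, None))
    print(dmarc_evaluate("example.com", "bounce.example.com", True, False, None, aspf_strict=True))
    # 2) forwarded mail: SPF fails at the forwarder, but the intact DKIM signature still aligns
    print(dmarc_evaluate("example.com", "forwarder.example.org", False, True, "example.com"))
    # 3) SPF and DKIM both pass for example.net, yet the visible FROM is example.com: DMARC fails
    print(dmarc_evaluate("example.com", "example.net", True, True, "example.net"))
```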