What are DMARC, DKIM, and SPF?
June 15, 2017
Author | Brittany McCusker
If you’re asking:
- What does DMARC mean?
- What is a DMARC error?
- What is a DMARC record?
- What is a DMARC report?
- What is DMARC in email?
- What is DMARC verification?
- What are DMARC and DKIM?
- What is a DMARC DNS record?
- What does DMARC stand for?
- How does DMARC work?
- How do I add a DMARC record in cPanel?
Or you’re looking for:
- An SPF example
- A DKIM example
- A DMARC example
You’re in the right spot. Below we describe what DMARC, DKIM, and SPF are, why DMARC, DKIM and SPF matter, and how all three work. Plus we included examples of each for when you’re ready to put them in place.
SPF (Sender Policy Framework)
To understand SPF it helps to know a little background.
The first mention of SPF was in the year 2000. Posts on the concept ignited the interest of a group of programmers. Together they formed the Internet Engineering Task Force (IETF) Anti-Spam Research Group (ASRG). Through IETF, the idea of SPF became a reality as its first ‘identity’ was published in 2002.
SPF used to stand for Sender Permitted From and SMTP+SPF is how people used to refer to it. In other words, it had the long name of Simple Mail Transfer Protocol + Sender Permitted From. Then in February 2004, the name changed to Sender Policy Framework (SPF).
In April 2014 the IETF published SPF in RFC 7208 as a “proposed standard” for email authentication. This means that since 2014 SPF has been a standard way of authorizing which servers may send email for a domain.
What is Sender Policy Framework (SPF)?
SPF is a form of authentication. An SPF record is a type of Domain Name Service (DNS) record. This record lists which mail servers are authorized to send email on behalf of a domain, so a receiver can detect spoofing and spammers.
- SPF is Sender Policy Framework
- SPF is a “Proposed Standard”
- SPF is a Form of Email Sender Authentication
- SPF can detect spoofing and spamming
Why Does SPF Matter?
The value of SPF comes from knowing whether a server is allowed to send mail for a domain. SPF is important because it can increase your email’s deliverability. To get that benefit, you publish an SPF record that lists every tool or service that sends mail on your behalf.
An email from a domain without an SPF record is suspicious. Because of this, almost every marketer uses SPF. And if you don’t, you should, because:
SPF lets the recipient know whether the server that sent them mail should be sending mail from that domain at all. If you don’t use SPF, you have a greater chance of your email getting marked as spam or blocked.
How Sender Policy Framework works:
When an email arrives, SPF lets the receiving mail server run a check. This check confirms that the server that sent the email is authorized by the domain the email claims to come from. It makes it harder for a spammer to set up a new server and send mail from your domain.
The SPF record is a TXT record that lives in the Domain Name System (DNS) for the domain it protects. It lists the authorized servers by IP address (or by reference to other records), which makes unauthorized senders easy to detect.
In the SPF record below you will see the version tag that marks it as an SPF record (v=spf1). You’ll also notice an “include” statement (include:_spf.google.com), which pulls in another domain’s SPF record, and a closing “all” mechanism whose qualifier (~all) tells the recipient server how strictly to treat mail from servers not listed in the record.
Learn how to create an SPF TXT record.
inboxpros.com IN TXT
"v=spf1 ip4:220.127.116.11/28 include:_spf.google.com ~all"
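The check described above, as an added example that is not part of the original post: a small Python SPF evaluator (ip4/ip6, include and all only) run against the page’s record. It does no DNS; the ZONE dictionary is a constructed stand-in, and the _spf.google.com record in it is made up for the example.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups (sample data, not real
# records): the page's record plus a made-up stand-in for the included record.
ZONE = {
    "inboxpros.com": "v=spf1 ip4:220.127.116.11/28 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed stand-in
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting IP.
    Handles ip4/ip6, include and all; anything else is a permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms (include etc.) at 10
        return "permerror"
    record = ZONE.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all => softfail for unlisted senders
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass";
            # any other result just means "keep evaluating this record"
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this evaluator does not implement
    return "neutral"  # no term matched and no "all" present (RFC default)


if __name__ == "__main__":
    for ip in ("220.127.116.5", "203.0.113.7", "198.51.100.9"):
        print(ip, check_spf("inboxpros.com", ip))
```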
DKIM (DomainKeys Identified Mail)
Cisco started the development of Identified Internet Mail, a signature-based mail authentication standard.
Its developers decided to merge with a similar effort and create DKIM (DomainKeys Identified Mail) in 2004.
Now in 2017, large providers such as Yahoo, Gmail, AOL, and Fastmail sign their mail with DKIM. Most ESPs (Email Service Providers) use their own DKIM signature to confirm a sender’s identity and make sure the message wasn’t tampered with in transit. This is useful when individual marketers don’t use DKIM themselves.
What is DKIM?
DomainKeys Identified Mail (DKIM) is a way to ‘sign’ an email with a digital signature. The signature lives in the message headers.
DKIM has two main parts: a DKIM Record and a DKIM Signature. Below is a more advanced understanding of what each is:
A DKIM record is a TXT record stored in the DNS (the public record) of the domain that signs its email. The record holds the public key and the key type used to generate the key pair; the signature itself names the signing algorithm (rsa-sha1 or rsa-sha256).
A DKIM record lives in a special “selector” subdomain. The selector (s=01012017 in the example below) appears in every DKIM signature that uses this key, so the receiver knows which record to fetch.
A DKIM signature is a ‘digital signature’. It carries two values: the body hash (“bh=”) and the signature (“b=”). The sender hashes the header fields listed in “h=” together with the body hash, then signs that hash with the private key to produce “b=”.
The recipient server verifies “b=” with the public key and checks it against the header fields it received. So, if someone tampers with a signed header field, the check fails.
Only the owner of the domain can publish the public key in its DNS. A valid signature therefore proves that the sender holds the private key corresponding to that public key. The body hash is a plain hash (SHA-1 or SHA-256) of the canonicalized message body, or of the first “l=” bytes of it.
(Because the private key never leaves the sender, an attacker cannot produce a valid signature over a modified body hash.)
The recipient server then hashes the body it received the same way and compares the result to “bh=”. If the two hashes differ, someone has tampered with the body.
How Does DKIM Work?
A DKIM signature uses a public/private key pair (as explained earlier): what is signed with the private key can be verified only with the matching public key. When you use DKIM, receivers can tell whether an email has been tampered with.
- DKIM has a signature assigned by the sending server
- DKIM has a DNS record containing the public key
Why Does DKIM Matter?
Even though DKIM isn’t required, having emails signed with DKIM is important. It shows ISPs that the email wasn’t tampered with. It also identifies the sender as the owner of the signing domain, which increases the sender’s trustworthiness with the recipient.
Using your own DKIM helps you take control of your reputation and protect your users. (Many ISPs use the DKIM domain to track a sender’s reputation.)
- DKIM helps identify you as the sender
- DKIM increases your trustworthiness
- DKIM helps you take control of your reputation
DKIM Signature Example:
DKIM-Signature: v=1; a=rsa-sha256; d=inboxpros.com; s=01012017;
c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
DKIM Record Example:
01012017._domainkey.inboxpros.com IN TXT
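As an added example (not code from the original post), the body-hash half of DKIM verification in Python: canonicalize the body as the body half of c= says, honour l=, hash with the digest named in a=, and compare to bh=. The message body and the unsigned signature header are constructed; the RSA check of b= against the public key in DNS is the second step and is not shown here.

```python
import base64
import hashlib
import re


def parse_tags(header_value):
    """Split a DKIM-Signature value ("k=v; k=v; ...") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())  # folding whitespace is ignored
    return tags


def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' removes trailing empty lines;
    'relaxed' also collapses runs of WSP to one space and strips trailing WSP."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, tags):
    """Compute bh= as the signer does: canonicalize per c=, truncate to l= bytes
    if present, hash with the digest named in a=, then base64-encode."""
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    data = canonicalize_body(body, body_canon or "simple").encode()
    if "l" in tags:
        data = data[:int(tags["l"])]
    digest = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return base64.b64encode(hashlib.new(digest, data).digest()).decode()


def body_hash_matches(signature_header, body):
    """Verification step one: does the received body still hash to bh=?"""
    tags = parse_tags(signature_header)
    return body_hash(body, tags) == tags.get("bh")


# Constructed sample body (not from the original post); note the trailing empty lines.
BODY = "Hello,\r\n\r\nYour statement is ready.\r\n\r\n\r\n"


def build_signature_header(body, domain="inboxpros.com", selector="01012017"):
    """Signer side, up to b=: the page's example tags plus h= and bh= (b= left empty)."""
    bh = body_hash(body, {"a": "rsa-sha256", "c": "relaxed/simple"})
    return (f"v=1; a=rsa-sha256; d={domain}; s={selector}; c=relaxed/simple; "
            f"q=dns/txt; h=from:to:subject:date; bh={bh}; b=")
```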
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC was created by a group of organizations that included:
- Bank of America
- JPMorgan Chase & Co.
Their common goal was to develop a formal standard that would serve two purposes.
- Enable senders to publish policies on unauthenticated email
- Enable receivers to provide authentication reporting to senders so senders can improve and watch their authentication infrastructure
DMARC was published as a specification in 2012 and became an Internet-Draft in 2013.
In 2014, Yahoo changed its DMARC policy to p=reject. This caused mail to misbehave on several mailing lists. A few days later, AOL changed its policy to match.
The outcome of this policy change was chaotic for mailbox providers. They were accused of pushing the cost of their own security failures onto third parties.
In March 2017 the Federal Trade Commission published a study on DMARC usage by businesses. The study found that only 10% of 569 businesses with a large online presence actually published strict DMARC policies.
What is DMARC?
If you’re asking yourself: What is a DMARC record or DMARC report? What does DMARC mean? What is DMARC? Or, how do I add a DMARC record in cPanel? You’re in the right spot.
Let’s go over the definition of DMARC.
DMARC stands for: Domain-based Message Authentication, Reporting & Conformance.
- It’s an email authentication policy.
- It’s a reporting protocol that uses SPF and DKIM to establish the sender’s identity.
The DMARC report helps the recipients identify when an email is fraudulent. It also helps senders protect their domain from getting a reputation for phishing.
If you’re receiving a DMARC error, this means you need to fix your DMARC record (example below). After that, send out a DMARC email test through Dmarcian to make sure it’s working.
Why Does DMARC Matter?
Let’s look at who is using DMARC.
You’ll find that all major ISPs enforce DMARC for received mail. According to data provided by DMARC.org, more companies are implementing it each day.
The internet landscape is overflowing with social and e-commerce information. So, it’s easy for spammers and phishers to steal information. All a spammer has to do is insert your logo into an email and many users assume it’s legitimate.
If a domain is being phished, the ISPs will start to block it altogether. This is because they can’t be sure what’s real and what’s fake.
Now in 2017, it’s becoming more difficult for users to differentiate between a real message and a fake one. Recent news stories like the Gmail phishing attack are becoming popular. Part of this is from spammers becoming more clever with how they steal information.
Mail providers get the sour end of the stick with all the spam going around, because they have to make a judgment call on which messages to deliver and which to hold back. But, as I’m sure you know, they often make mistakes.
This is where DMARC comes in: it gives Internet Service Providers (ISPs) an answer to the phishing chaos.
How Does DMARC Work?
Publishing and enforcing a DMARC policy tells the recipient ISPs something. It lets them know that the sender has done something that only the real sender can do: align their DKIM and/or SPF domains with the “Friendly-From” domain that the user sees.
Only someone who owns that domain’s DNS zone can create this alignment. The ISP knows that the sender is who they claim to be if they do two things:
1. They pass SPF and/or DKIM
2. They have the same domain as the “Friendly-From”
DMARC also gives the recipient ISP the opportunity to report back to the sender about the emails it has received from the domain in question. These reports can alert the sender to phishing attempts and show how well their authentication efforts are working. If you’re receiving a DMARC error implying a ‘missing dmarc record’, look below to find a DMARC record ‘how to’. First open up cPanel and insert your company’s version of this DMARC record. Then check DMARC for your domain.
_dmarc.example.com IN TXT
"v=DMARC1; p=reject; pct=25; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;"
The above record asks ISPs to apply the “p=reject;” policy (bounce failures outright) to 25% of the mail from example.com that fails DMARC (“pct=25;”). DMARC applies the next less severe policy, quarantine (deliver failures to spam), to the rest, so this one record gives the 75% quarantine / 25% reject split. A record carries a single “p=” tag and a single “pct=” tag.
The policy also asks the ISP to send back reports. The aggregate reports (“rua=”) give a view of the email that ISP has received from example.com. The failure reports (“ruf=”) detail each email that did not pass the DMARC policy.
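The two conditions above (an SPF or DKIM pass, plus alignment with the Friendly-From domain) and the pct= sampling rule, as an added Python example that is not from the original post. It approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and it reads the real aspf=/adkim= alignment tags, which the record above omits (they default to relaxed).

```python
import random


def parse_dmarc(record):
    """Parse a _dmarc TXT value ("v=DMARC1; p=reject; pct=25; ...") into a dict."""
    pairs = (tag.partition("=") for tag in record.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    (Real verifiers use the Public Suffix List; this is a simplification.)"""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=None):
    """Return 'pass', or the disposition the receiving ISP should apply.
    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is d=.
    pct= samples failing mail: selected messages get p=, the rest get the next
    less severe policy (reject -> quarantine, quarantine -> none). `sample`
    pins the otherwise random 0-99 roll so results are reproducible."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # no usable DMARC policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # authenticated AND aligned with the visible From domain
    pct = int(tags.get("pct", "100"))
    roll = random.randrange(100) if sample is None else sample
    if roll < pct:
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none"}.get(tags["p"], "none")


if __name__ == "__main__":
    # Constructed record modelled on the page's example (report addresses omitted).
    record = "v=DMARC1; p=reject; pct=25"
    print(dmarc_disposition(record, "example.com", "pass", "other.net", "fail", "", sample=10))
```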
Unfortunately, the majority of senders are unaware of email authentication problems. They usually don’t notice the problems until the damage is already done. This moment comes when their opens and clicks flat-line.
Marketers who have experienced SPF and DKIM issues understand how these complex issues can affect an email program.
This is why deliverability consulting is becoming a key line item in marketing budgets around the world. Having the extra deliverability member on your marketing team is what companies such as eHarmony and Rolling Stone are doing. If you can’t afford a consulting company, another option is to become deliverability certified or take a deliverability class.