This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the web-development category.
Last Updated: 2025-01-18
SPF, DKIM and DMARC are email protocols providing ways to prove to ISPs, mail services and other receiving mail servers that the senders were truly authorized to send email.
All three are implemented as DNS TXT records, email headers, and code on the recipient server that must obey these protocols (and major mail servers do, e.g. Gmail and Microsoft).
The problem they solve is that emails, without extra measures, are a bit like letters, in that the sender address can be set to whatever you want - even something not under your control.
The SPF DNS TXT record specifies what IP addresses are allowed to send email from the mailing domain.
Let's analyze a typical instance:
v=spf1 ip4:10.23.24.25 include:amazonses.com -all
Fields:
ip4:22.23.24.0/20 etc. - an IPv4 address or CIDR range that is authorized to send.
include statement - references the policy of another domain. If that domain passes, this mechanism passes.
all - tells the receiving server how to handle mail from a sender that was not mentioned in the SPF record. Options:
-all (dash all) - hard fail. Reject those emails.
~all (tilde all) - soft fail. Mark as spam instead of rejecting.
+all (plus all) - any sender, even if not listed in the SPF record, is authorized to send email.
WARNING: You cannot have multiple SPF entries for a domain. Instead combine them together into a single entry. E.g.
"v=spf1 a:example.com a:sub.example.net -all"
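As an added example (not code from the original diary), here is how a receiving server evaluates an SPF record against the sending IP, covering ip4 ranges, include (recursively), the -/~/+ qualifiers on all, and the "multiple SPF records" mistake warned about above. FAKE_DNS, check_spf and the domain names are assumptions: the table stands in for real DNS lookups so the code runs offline.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> list of TXT records (no real lookups).
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:10.23.24.25 include:amazonses.com -all"],
    "amazonses.com": ["v=spf1 ip4:22.23.24.0/20 ~all"],
    "broken.example": ["v=spf1 ip4:1.2.3.4 -all", "v=spf1 ip4:5.6.7.8 -all"],
    "open.example": ["v=spf1 +all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for sender_ip sending mail as domain:
    pass, fail, softfail, neutral, none or permerror."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"            # no SPF record published
    if len(records) > 1:
        return "permerror"       # more than one SPF record: receivers reject the lot
    if depth > 10:
        return "permerror"       # include loop / too many lookups
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"          # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all for anything not matched above
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_spf(arg, sender_ip, dns, depth + 1)
            if sub == "pass":              # included policy passes -> this mechanism matches
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        # other mechanisms (a, mx, ...) need further DNS lookups and are not modelled here
    return "neutral"             # record ran out without an all term


if __name__ == "__main__":
    for dom, ip in [("example.com", "10.23.24.25"), ("example.com", "192.0.2.1"),
                    ("broken.example", "1.2.3.4"), ("loop.example", "1.2.3.4")]:
        print(dom, ip, "->", check_spf(dom, ip))
```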
Let's analyze a typical instance of the DNS records:
myhouse._domainkey.example.net; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV
Fields:
myhouse._domainkey.example.net (this will be denoted s= in the email headers below). The ._domainkey. bit is a fixed part of the specification.
p= - the public key that receiving servers use to verify the signature.
Let's also look at the email headers:
DKIM-Signature:
v=1;
a=rsa-sha256;
d=example.net;
s=myhouse;
c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
h=from:to:subject:date:keywords:keywords;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
VoG4ZHRNiYzR
In contrast to SPF, it's possible to have multiple DKIM entries for a domain thanks to its selector. The receiving server takes the selector (s=myhouse) and the domain (d=example.net), gels them together as myhouse._domainkey.example.net, and searches for that in the DNS.
DMARC is built around SPF and DKIM: it verifies that a sender's message is protected by both. What's more, it tells the receiving mail server what to do if neither of those authentication methods passes. Lastly, you, the domain administrator, get feedback reports from email receivers with copies of these spoofed messages.
What's its purpose? It ensures that the SPF and DKIM records match the info contained in the "from" field of the email received.
"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Fields:
p= - the policy the receiver should apply to mail that fails DMARC: none (monitor only), quarantine, or reject.
rua= - the address to which receivers send the feedback reports mentioned above.
One handy way to check whether your mail passes is with Gmail: open an email you have received. On the right upper side there is a button. From there click "show source". The headers will have:
SPF: passed or failed
DKIM: passed or failed
DMARC: passed or failed
If you have two domains running on one website (e.g. for whitelisting), then email sent from one of them might appear to be from the right domain but "via" the other domain, because the DKIM signature was made with the other domain's key. That is, unless you configure the mail service to use a different DKIM key depending on which domain is sending.