Thursday, April 11, 2019

DKIM, SPF, and DMARC Email authentication


Sender Policy Framework (SPF).

Publishes a list of the servers that are authorised to send email on behalf of a domain. SPF is akin to path-based authentication.
Domain Keys Identified Mail (DKIM).

Attaches a tamper-proof domain seal to an email. DKIM is akin to signature-based authentication.
Domain-based Message Authentication, Reporting and Conformance (DMARC).

Creates a link between a domain and an email, and validates that the SPF- and DKIM-authenticated domains match the domain in the From header. DMARC builds upon SPF and DKIM authentication: anyone can buy a domain and put SPF and DKIM in place for it, so an SPF or DKIM pass on its own says nothing about the domain the recipient actually sees. DMARC closes off this problem by checking that the SPF and DKIM authenticated domains ALSO match the domain found in the From header. This is termed 'Identifier Alignment'.
Once an email domain owner is confident that they have deployed SPF and DKIM across all of their email streams, they can tell the world to act against email that is not compliant with DMARC. This is not just good manners: it protects the brand and improves email delivery (by helping to prevent spam filter false positives).
DMARC is a freely available technical specification. DMARC records are published in the domain's DNS.
Examples of DMARC Matching

From: rich.com   SPF: rich.com         DKIM: (none)          DMARC Match?  Yes
From: rich.com   SPF: paul.rich.com    DKIM: (none)          DMARC Match?  Yes
From: rich.com   SPF: richierich.com   DKIM: (none)          DMARC Match?  No
From: rich.com   SPF: richierich.com   DKIM: rich.com        DMARC Match?  Yes
From: rich.com   SPF: paul.rich.com    DKIM: paul.rich.com   DMARC Match?  Yes
From: rich.com   SPF: tealeaf.com      DKIM: crook.com       DMARC Match?  No
From: rich.com   SPF: r1ch.com         DKIM: (none)          DMARC Match?  No
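The identifier alignment rule behind the table above, as an added example that is not part of the original post: the SPF and DKIM columns are taken to be domains that already passed their own authentication, and the organisational domain is approximated as the last two labels (a real receiver consults the Public Suffix List instead). It also shows the strict alignment mode, which the post does not discuss.

```python
# Added example (not from the original post): a minimal DMARC identifier
# alignment check run over the cases in the table above.
# Assumption: the organisational domain is approximated as the last two
# labels of a name; a real receiver uses the Public Suffix List instead.
from typing import Optional


def org_domain(name: str) -> str:
    """Approximate organisational domain (assumption: last two labels)."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """Does an already-authenticated SPF/DKIM domain align with the From domain?

    mode "s" (strict): exact match. mode "r" (relaxed, the default): same
    organisational domain, so paul.rich.com aligns with rich.com.
    """
    if not auth_domain:
        return False  # no authenticated identifier, so nothing can align
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_pass(from_domain: str, spf_domain: Optional[str] = None,
               dkim_domain: Optional[str] = None,
               aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when at least one authenticated identifier aligns."""
    return (aligned(from_domain, spf_domain, aspf)
            or aligned(from_domain, dkim_domain, adkim))


# Constructed cases mirroring the table: (From, SPF domain, DKIM domain, expected)
CASES = [
    ("rich.com", "rich.com",       None,            True),
    ("rich.com", "paul.rich.com",  None,            True),
    ("rich.com", "richierich.com", None,            False),
    ("rich.com", "richierich.com", "rich.com",      True),
    ("rich.com", "paul.rich.com",  "paul.rich.com", True),
    ("rich.com", "tealeaf.com",    "crook.com",     False),
    ("rich.com", "r1ch.com",       None,            False),
]

if __name__ == "__main__":
    for frm, spf, dkim, expected in CASES:
        result = dmarc_pass(frm, spf, dkim)
        print(f"From: {frm:<9} SPF: {spf or '(none)':<15} "
              f"DKIM: {dkim or '(none)':<14} DMARC Match? {'Yes' if result else 'No'}")
        assert result == expected
```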