SPF, DMARC and DKIM

This post is general information for next post.
In order to make email transaction more secure, below subject can be consider, as part of securing email transaction.

  • SPF
  • DMARC
  • DKIM

By transaction, I don’t mean the transfer of email itself but the fact that receiver can be sure they get the right email and the sender can be more confident that no one is using their domain/identity for sending emails.


Sometimes, one might implement and/or configure one or two of these three features alone but for having more secure transaction, one should consider using of all three of them.

Below is short information about each one.

SPF (Sender Policy Framework)

Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email. It allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain’s administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

For example, adding below line in DNS will help email receiver to check if the received email originated from any of mentioned IP addresses; in this example, there are two possible IP address for mail server.

"v=spf1 ip4:a1.b1.c1.d1/24 ip4:a2.b2.c2.d2 a -all"

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC is an email authentication protocol and it’s designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry.
If the email passes the authentication, it will be delivered and can be trusted.
If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
DMARC is capable of producing two separate types of reports. Aggregate reports are sent to the address specified following the rua. Forensic reports are emailed to the address following the ruf tag. 

For example, by adding below line can be used only for monitoring (since Policy has been set to none) and rua@domain.com is the mailbox which will receive aggregated reports and this policy will apply to 100% of emails.

"v=DMARC1; p=none; sp=quarantine; pct=100; rua=mailto:rua@domain.com"

DomainKeys Identified Mail (DKIM)

DKIM is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.
It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender’s public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.

For example, below is DNS part of the DKIM implemention which has public key.

"v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUA*********DAQAB"

For more information about each subject, you can check below links.

Also you can check ‘Introduction to email authentication‘ from dmarc.org as well.

It's your kindness to leave a reply/feedback