All you need to know about SPF, DKIM and DMARC

As a customer success engineer at OnDMARC I help organisations with DMARC every day and am often asked the same questions by lots of different people. So I’ve collated all the answers into one article, to give you the information you need to get started as well as to troubleshoot.

Which part of the email does each protocol focus on?

SPF focuses on the domain of the sender address that goes by many names: Return-Path, MAIL FROM, bounce address, envelope from. Strictly speaking this is the address given in the SMTP MAIL FROM command, which the receiving server then records in the Return-Path header when it delivers the message. In this article we will refer to it as the Return-Path. If the MAIL FROM address is empty (as it is for bounces and other automatic replies), SPF falls back to the hostname given in the HELO/EHLO command and checks for an SPF record there.

Don’t forget — this header is not visible to the end user unless they know how to display the headers of the email they have received.

DKIM focuses on the “DKIM-Signature” header, and in particular on the signing domain in its d= tag.

Don’t forget — this header is not visible to the end user unless they know how to display the headers of the email they have received.

DMARC focuses on the domain found in the “From” header (also called the header From or RFC5322.From), which is the address the end user sees in their mail client. In this article we will refer to it as “From”.

Now that we know what headers each protocol looks at, what is actually contained in those headers and what is checked?

SPF — This verifies that an email was sent from a host you have authorised, by checking the sending IP address against the list of permitted sources you publish in a DNS TXT record for your domain. The receiving server takes the domain from the Return-Path, fetches that domain’s SPF record and walks its mechanisms (ip4, ip6, a, mx, include and so on) until one matches the connecting IP address. The qualifier in front of the matching mechanism decides the result: “+” (the default) gives PASS, “-” gives FAIL, “~” gives SOFTFAIL and “?” gives NEUTRAL. The final “all” mechanism catches everything that did not match earlier, so a record ending in “-all” fails any IP address you have not listed. Two further results matter in practice: NONE when the domain publishes no SPF record, and PERMERROR when the record is malformed or needs more than 10 DNS lookups to evaluate. DMARC counts anything other than PASS as not passing.

The overall logic is:

If the sending IP address matches a mechanism in the SPF record = SPF PASS (for the usual “+” qualifier)

If the sending IP address matches none of them and the record ends in “-all” = SPF FAIL (“~all” gives SOFTFAIL instead)
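The evaluation described above, written out as an added example (this is not code from the original article or from OnDMARC). It implements the core of the check_host() function from RFC 7208 against a constructed, in-memory DNS zone rather than live DNS, supports the ip4, ip6, a, include and all mechanisms (mx, exists and ptr are left out for brevity), enforces the 10-lookup limit, and applies the HELO fallback for a null sender:

```python
import ipaddress

# Constructed DNS zone for this example (not real records). Keys are domain
# names; values are the TXT records published there.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "mx1.example.com": ["v=spf1 a -all"],          # HELO host: "a" means its own A record
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}
DNS_A = {"mx1.example.com": ["203.0.113.5"]}

MAX_LOOKUPS = 10                       # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF record, None if there is none; raise on duplicates."""
    records = [r for r in DNS_TXT.get(domain, []) if r.split()[0].lower() == "v=spf1"]
    if len(records) > 1:
        raise ValueError("multiple SPF records")
    return records[0] if records else None


def check_host(ip, domain, lookups=None):
    """RFC 7208 check_host(): evaluate domain's SPF record for the connecting IP.

    Supports ip4, ip6, a, include and all. mx/exists/ptr are left out to keep the
    example short, so they fall through to the unknown-mechanism permerror here.
    """
    lookups = [0] if lookups is None else lookups     # counter shared across includes
    addr = ipaddress.ip_address(ip)
    try:
        record = spf_record(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # Comparing a v4 address with a v6 network (or vice versa) is simply False
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                    # malformed address or prefix
        elif name in ("include", "a"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"                    # too many DNS-querying mechanisms
            if name == "include":
                sub = check_host(ip, arg, lookups)
                if sub in ("none", "permerror"):
                    return "permerror"                # included domain has no/broken record
                matched = sub == "pass"               # fail/softfail/neutral: just no match
            else:
                target = arg or domain
                matched = any(addr == ipaddress.ip_address(a) for a in DNS_A.get(target, []))
        else:
            return "permerror"                        # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                  # ran off the end with no "all"


def spf_check(ip, mail_from, helo):
    """Pick the identity SPF checks: the MAIL FROM domain, or the HELO host for a null sender."""
    domain = mail_from.rpartition("@")[2] if mail_from else helo
    return domain, check_host(ip, domain)
```

Note that an include is not a simple "merge": only a PASS from the included record counts as a match, a FAIL or SOFTFAIL inside it just moves on to the next mechanism, and including a domain with no record turns the whole evaluation into PERMERROR.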

DKIM — the sending server adds a DKIM-Signature header containing, among other tags, the selector (s=), the signing domain (d=), the list of signed headers (h=), a hash of the message body (bh=) and the signature itself (b=). The receiving server combines the selector and domain into the DNS name <selector>._domainkey.<domain>, fetches the TXT record there to obtain the public key, recomputes the body hash, and then verifies the signature over the signed headers and body hash with that key. If both checks succeed DKIM PASSES. If the body or a signed header was changed in transit, the key is missing or revoked, or the signature is malformed, DKIM FAILS.

The overall logic is:

If validation is successful = DKIM PASS

If validation is unsuccessful = DKIM FAIL
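The DKIM-side checks from the paragraph above and from the DKIM troubleshooting list further down, as an added example (not code from the article or from OnDMARC). Using only the Python standard library it parses the DKIM-Signature tags, applies relaxed body canonicalization, recomputes bh= and compares it, derives the DNS name of the public key, and sanity-checks the key record (empty p= means the key was revoked). The RSA verification of b= itself is deliberately left out, since it needs a crypto library and the real key; the sample message, its selector mail2024 and the PLACEHOLDER signature are constructed for the example.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)   # folding whitespace is insignificant
    return tags


def relaxed_body(body):
    """RFC 6376 section 3.4.4 relaxed body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":               # ignore empty lines at the end
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, algorithm="sha256", length=None):
    """bh= value: base64 of the hash over the canonicalized body (truncated if l= is set)."""
    canon = relaxed_body(body).encode()
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode()


def unfold_headers(head):
    """Join continuation lines (those starting with whitespace) onto their header."""
    out = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line
        else:
            out.append(line)
    return out


def dkim_body_check(message):
    """Recompute bh= for the message's DKIM-Signature and report where the key lives.
    A bh= mismatch alone is already a DKIM FAIL; b= is not verified in this example."""
    head, _, body = message.partition("\r\n\r\n")
    sig = next((h for h in unfold_headers(head) if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return {"signed": False, "body_hash_ok": None, "key_name": None, "from_signed": None}
    tags = parse_tags(sig.split(":", 1)[1])
    canon = tags.get("c", "simple/simple")
    if (canon.split("/") + ["simple"])[1] != "relaxed":   # "c=relaxed" alone means simple body
        raise ValueError("only relaxed body canonicalization is implemented in this example")
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]           # "rsa-sha256" -> "sha256"
    length = int(tags["l"]) if "l" in tags else None
    signed_headers = [h.lower() for h in tags.get("h", "").split(":")]
    return {
        "signed": True,
        "body_hash_ok": body_hash(body, algorithm, length) == tags.get("bh"),
        "key_name": f"{tags['s']}._domainkey.{tags['d']}",          # TXT record to fetch
        "from_signed": "from" in signed_headers,                     # RFC 6376 requires From in h=
    }


def check_key_record(txt):
    """Sanity-check the TXT record found at <selector>._domainkey.<domain>."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "syntax error: v= must be DKIM1"
    if "p" not in tags:
        return "syntax error: missing p="
    if tags["p"] == "":
        return "revoked"                          # empty p= means the key has been revoked
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "syntax error: p= is not base64"
    return "ok"


# Constructed sample message; bh= is filled in by build_sample(), b= is a placeholder.
SAMPLE_BODY = "Hello,  world \r\nPlease approve the attached invoice.\r\n\r\n\r\n"


def build_sample(body=SAMPLE_BODY):
    return (
        "From: accounts@example.com\r\n"
        "Subject: Invoice\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=mail2024; h=from:subject; bh=" + body_hash(body) + ";\r\n"
        "\tb=PLACEHOLDER\r\n"
        "\r\n" + body
    )
```

Two things worth noticing: trailing whitespace and extra blank lines at the end of the body do not break the hash under relaxed canonicalization, but any change to the text does; and the From header must be in h=, otherwise the signature says nothing about the address the recipient sees and is useless for DMARC.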

DMARC — the receiving server evaluates both SPF and DKIM, then checks whether the identifiers they authenticated align with the “From” domain: the Return-Path domain in the case of SPF and the “d=” domain in the case of DKIM. It then looks up the DMARC record published as a TXT record at _dmarc.<From domain> (falling back to the record of the organisational domain if the “From” domain is a subdomain without its own record) and applies the policy it finds there.

The overall logic is:

If SPF PASSED and its Return-Path domain is ALIGNED with the “From” domain = DMARC PASS, or

If DKIM PASSED and its “d=” domain is ALIGNED with the “From” domain = DMARC PASS

Otherwise (both SPF and DKIM FAILED, or whichever passed did not align) = DMARC FAIL

DMARC not only requires that SPF or DKIM PASS, it also requires the domain used by whichever of the two passed to ALIGN with the domain found in the “From” address. Only then will DMARC PASS. A PASS for an unaligned identifier does not count: a third-party sender whose mail passes SPF for its own bounce domain, but is not DKIM-signed with your domain, still fails DMARC for your “From” address.

What’s the difference between Strict vs Relaxed alignment?

Strict alignment (aspf=s or adkim=s in the DMARC record) means that the Return-Path domain or the signing domain “d=” must be an exact match with the domain in the “From” address.

Relaxed alignment (the default, aspf=r or adkim=r) means that the Return-Path domain or the signing domain “d=” only has to share the same organisational domain as the “From” address, so either one can be a subdomain of the other: bounce.example.com aligns with example.com, and vice versa.


What happens if DMARC fails?

If DMARC fails, the receiving server will typically apply the policy you have specified in your DMARC record: the p= tag, or sp= for mail from your subdomains if you have set it. The pct= tag lets you apply the policy to only a percentage of failing mail while you ramp up.

If you are in report-only mode (p=none) the email will be accepted by the receiving server and is subject only to its normal spam filtering.

If you are in quarantine mode (p=quarantine) the email will be quarantined, typically by placing it in the recipient’s spam or junk folder.

If you are in reject mode (p=reject) the receiving server refuses the message during the SMTP transaction with the sending mail server, and it never reaches the end user.

Irrespective of the policy, participating receivers record the authentication results for each message, together with the sending IP address and the disposition they applied, and send them as aggregate reports to the address in your record’s rua= tag, so your DMARC report processor can show you who is sending mail as your domain.
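The whole DMARC decision from the three sections above (pass/fail logic, strict versus relaxed alignment, and the policy applied on failure), as an added example rather than code from the article or from OnDMARC. It uses a constructed DNS zone and a tiny stand-in for the Public Suffix List (the “example” suffix is made up for the test data); real receivers use the full list and live DNS, and pick the pct= sample at random, which is exposed here as a parameter so the function is deterministic:

```python
# Constructed public-suffix list and DNS zone for this example; real receivers use
# the Public Suffix List and live DNS.
PUBLIC_SUFFIXES = {"com", "co.uk", "example"}
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; pct=50",
}


def parse_tags(record):
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}


def org_domain(domain):
    """Organisational domain: one label more than the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_record(from_domain):
    """Fetch _dmarc.<From domain>; if absent, fall back to the organisational domain's
    record, where sp= (if present) is the policy that applies to subdomains."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record is not None:
        tags = parse_tags(record)
        tags["policy"] = tags.get("p", "none")
        return tags
    record = DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return None
    tags = parse_tags(record)
    tags["policy"] = tags.get("sp", tags.get("p", "none"))
    return tags


def evaluate(from_domain, spf_result, spf_domain, dkim_results, sampled=True):
    """DMARC verdict for one message.

    spf_result/spf_domain: the SPF outcome and the Return-Path (or HELO) domain it was
        checked for.
    dkim_results: list of (result, d=) pairs, one per DKIM-Signature on the message.
    sampled: whether the receiver picked this message for the pct= sample.
    """
    tags = dmarc_record(from_domain)
    if tags is None:
        return {"result": "none", "disposition": "none", "policy": None}
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for res, d in dkim_results)
    verdict = {"policy": tags["policy"], "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        return {**verdict, "result": "pass", "disposition": "none"}
    disposition = tags["policy"]
    if not sampled and int(tags.get("pct", "100")) < 100:
        # Messages outside the pct= sample get the next weaker action (RFC 7489 section 6.6.4)
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return {**verdict, "result": "fail", "disposition": disposition}
```

The example.com record shows a trap the alignment section warns about: with adkim=s, a signature for d=example.com does not align with a “From” of news.example.com, so such mail lands in the sp=quarantine policy unless SPF passes for an aligned Return-Path.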

SPF troubleshooting and top tips

  1. Make sure that you have an SPF record for your Return-Path domain.
  2. Make sure that you have an SPF record for your HELO/EHLO hostname as well, because bounces and other automatic messages carry an empty MAIL FROM and SPF is then checked against the HELO/EHLO hostname instead.
  3. Make sure there is a single SPF record per domain; two “v=spf1” records produce a PERMERROR rather than being merged.
  4. Make sure that the SPF record syntax is correct: it must start with “v=spf1”, use only valid mechanisms and addresses, and end with an “all” mechanism (normally “-all”); anything after “all” is never evaluated.
  5. Make sure that your Return-Path domain aligns with the “From” domain.
  6. Make sure that your authorised senders are part of the SPF record.
  7. Make sure that unauthorised senders, and services you no longer use, are not in your SPF record.
  8. Make sure that you do not go over the limit of 10 DNS-querying mechanisms imposed by SPF (include, a, mx, ptr, exists and the redirect modifier; include statements count recursively). Exceeding it gives a PERMERROR, which DMARC treats as a failure. If you have gone over the limit you will have to consolidate the record, or consider using a feature such as OnDMARC’s Dynamic SPF.
  9. Make sure that deprecated SPF mechanisms such as “ptr”, which RFC 7208 says should not be used, are not in your SPF record.
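A checker for the points in this list, added as an example (not an OnDMARC tool or code from the article). It runs against a constructed in-memory zone instead of live DNS and reports duplicate records, syntax problems, a permissive or missing “all”, terms after “all”, the deprecated “ptr” mechanism, and the total DNS lookup count including nested includes:

```python
import ipaddress

# Constructed DNS zone for this example (not real records).
DNS_TXT = {
    "ok.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "ptr.example": ["v=spf1 ptr -all"],
    "open.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
    "bad.example": ["v=spf1 ip4:192.0.2.300 foo:bar -all ip4:192.0.2.1"],
    "big.example": ["v=spf1 include:a.example include:b.example include:c.example include:d.example -all"],
}
for _name in ("a.example", "b.example", "c.example", "d.example"):
    DNS_TXT[_name] = ["v=spf1 mx include:_spf.mailer.example a -all"]   # 3 lookups each

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query
MAX_LOOKUPS = 10


def spf_records(domain):
    return [r for r in DNS_TXT.get(domain, []) if r.split()[0].lower() == "v=spf1"]


def parse_terms(record):
    """Yield (qualifier, name, argument, is_modifier) for each term after v=spf1."""
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:          # modifier: name=value
            name, value = term.split("=", 1)
            yield qualifier, name.lower(), value, True
        else:                                     # mechanism: name[:argument]
            name, _, value = term.partition(":")
            yield qualifier, name.lower(), value, False


def count_lookups(domain, path=()):
    """Total DNS-querying terms, following include: and redirect= recursively."""
    if domain in path or not spf_records(domain):
        return 0                                  # loop guard / nothing to count
    total = 0
    for _, name, value, _ in parse_terms(spf_records(domain)[0]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, path + (domain,))
    return total


def lint(domain):
    """Return a list of findings for the domain's SPF record; empty means nothing found."""
    findings = []
    records = spf_records(domain)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; receivers return permerror")
    terms = list(parse_terms(records[0]))
    names = [name for _, name, _, _ in terms]
    for qualifier, name, value, is_modifier in terms:
        if (is_modifier and name not in MODIFIERS) or (not is_modifier and name not in MECHANISMS):
            findings.append(f"unknown term '{name}' (syntax error, permerror)")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"invalid address '{value}' in {name}:")
        elif name == "ptr":
            findings.append("ptr mechanism used; RFC 7208 says it should not be")
        elif name == "all" and qualifier in "+?":
            findings.append(f"'{qualifier}all' lets any host pass; use -all or ~all")
    if "all" in names and names.index("all") < len(names) - 1:
        findings.append("terms after 'all' are never evaluated")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' mechanism; unlisted hosts get neutral, not fail")
    lookups = count_lookups(domain)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    return findings
```

The big.example record illustrates how quickly the limit is reached: four includes that each contain three lookup mechanisms already cost 16 lookups, even though the record itself looks short.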

DKIM troubleshooting and top tips

  1. Make sure that the sending systems you use support DKIM.
  2. Make sure that the emails are actually DKIM signed (check for a DKIM-Signature header on mail you receive from each system).
  3. Make sure that the signing domain “d=” aligns with the “From” domain.
  4. Make sure that you use a DKIM key of at least 1024 bits, which is the minimum verifiers are required to accept (a 2048-bit key is advisable).
  5. Make sure, where possible, that the DKIM selectors you choose clearly identify the sending service, so you can tell them apart in your reports.
  6. Make sure to revoke any keys that have been compromised; publishing the selector’s record with an empty “p=” tells verifiers the key is revoked.
  7. Make sure that the DKIM keys you manage are rotated on a regular basis.
  8. Make sure that the DKIM key record syntax is correct.
  9. Make sure that a public key record exists in DNS, at <selector>._domainkey.<domain>, for every private key that signs your emails.

DMARC troubleshooting and top tips

  1. As DMARC is built on SPF and DKIM and on the domains those two protocols authenticate, make sure that the Return-Path domain used by SPF, or the “d=” signing domain used by DKIM, aligns with the “From” domain: an exact match under strict alignment, or the same organisational domain (one a subdomain of the other) under relaxed alignment.
  2. Make sure that the DMARC record syntax is correct (a TXT record at _dmarc.<domain> starting with “v=DMARC1;” and containing a “p=” tag).
  3. Make sure that you have configured all of your systems correctly with SPF and DKIM before moving to a reject policy, as any mail that still fails will be rejected.
  4. Make sure that you use a system or third-party provider such as OnDMARC to receive DMARC reports, so that you can make sense of those reports and discover any systems that are misconfigured.
  5. Monitor the status of each of your sending sources and make sure that any changes to SPF and DKIM are identified. OnDMARC has this feature as a core part of its product.

So that’s all from me for now. I hope it’s helped you to understand more about DMARC and why it’s such a vital part of your cybersecurity infrastructure. If you’d like more support in implementing DMARC, our flagship product OnDMARC helps organizations across the globe get to p=reject quickly, easily, and reliably. Why not get started with protecting your domain today with a free OnDMARC trial?


PUBLISHED BY

Ivan Kovachev

26 Mar. 2018
