Put simply, SPF, DKIM and DMARC are ways to authenticate your mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send email. When properly set up, all three prove that the sender is legitimate, that their identity has not been compromised and that they’re not sending email on behalf of someone else.
These antispam measures are becoming increasingly important, and will one day be required by all mail services and servers. ISPs and mail services, such as Gmail and Office 365, are getting more and more stringent in the types of email they’ll accept, so having all three checks configured ensures that email gets delivered and isn’t rejected outright or otherwise delayed.
SPF is an acronym for “Sender Policy Framework”. As with all three checks, SPF is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. It’s essentially like the return address that’s placed on a letter or postcard that lets the recipient know who sent the communication. The idea is that if they know who sent them the letter, the recipient is more likely to open it. In this example, though, the “recipient” is the receiving mail server, not the actual person being emailed.
DKIM is an acronym for “DomainKeys Identified Mail”. It’s also known as “email signing”. Just like an SPF record, DKIM is a TXT record that’s added to a domain’s DNS. And if SPF is like a return address on a letter, DKIM is like sending that letter via Certified Mail as it further builds trust between the sending server and receiving server. That’s because DKIM’s intent is to prove that the contents of an email message haven’t been tampered with, that the headers of the message have not changed (e.g., adding in a new “from” address) and that the sender of the email actually owns the domain that has the DKIM record attached to it. (Or is at least authorized by the owner of the domain to send emails on their behalf.)
Unlike SPF, however, DKIM uses an encryption algorithm to create a pair of electronic keys -- a public and a private key -- that handles this “trust”. The private key remains on the server it was created on, which is your mail server. The public key is what’s placed in the DNS TXT record. Because of this relation, DKIM records generally need to be created and managed by Domain Administrators. And while the private key is kept private, the public key is generated by a tool on the mail server and can easily be copied and pasted into a TXT record with that domain’s DNS provider (e.g., GoDaddy, eNom, DynDNS, etc.). In addition, Domain Administrators have control over all DKIM settings for a domain, and these can be changed and edited as needed. The new record simply needs to be re-added to a domain’s DNS.
DMARC is an acronym for “Domain-based Message Authentication, Reporting and Conformance”. It’s an email authentication, policy and reporting protocol that’s actually built around both SPF and DKIM. It has three basic purposes:
- It verifies that a sender’s email messages are protected by both SPF and DKIM,
- it tells the receiving mail server what to do if neither of those authentication methods passes, and
- it provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.
Since DMARC uses both SPF and DKIM, you may wonder why it’s even necessary. Well, it’s simple: DMARC basically builds on SPF and DKIM to ensure that, when an email is received, the information contained in both records matches the “friendly from” domain (e.g., firstname.lastname@example.org) that the user actually sees and the from address that’s contained in the message’s header.
Are All Three Measures Required?
The most basic answer to that question is “yes” and “no”. While SPF and DKIM are gaining wider adoption, DMARC is still something that is taking a while to catch on. That said, prudent email administrators WILL get all three set up for the domains they manage as more and more ISPs and email providers are beginning strict enforcement of all three. As the saying goes, “an ounce of prevention is worth a pound of cure.” For email, this has never been more true. Having all three records in place shows that your email domains are truly who they say they are. It also shows that you as an administrator, and your domain administrators as well, are all serious about ensuring you’re following best practices and doing your part to prevent spam, phishing and other email security issues.