Antispam measures are becoming increasingly important, and will one day be required by all mail services and servers. SPF, DKIM and DMARC are ways to authenticate your mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorised to send email. When properly set up, all three prove that the sender is legitimate, that their identity has not been compromised and that they’re not sending email on behalf of someone else.

ISPs and mail services such as Gmail and Office 365, are becoming more stringent in the types of email they will accept, so having all three checks configured ensures that email gets delivered and isn’t rejected outright or otherwise delayed.

Whether Global Micro hosts your domain or not, we will work with you to ensure that the basic configuration is done to prevent some of the impersonation attacks from taking place. Let’s take a closer look at what the various components entail.

Sender Policy Framework (SPF)

SPF is simply a list of servers that you authorised to send mail from your domain and this list is published on your DNS record. Through SPF, domain owners could now tell receiving servers which servers are allowed to send mail off their domain, and get around people impersonating other people via email in order to gain access to sensitive data like bank details and personal information.

However, as promising as SPF was, it still presented a few issues when it came to authenticating email.

DomainKeys Identified Mail (DKIM)

DKIM is an email authentication framework whose major intent is to allow a receiving server to validate that the mail they received was the one that was originally sent.

With DKIM, the sending server puts a signature in the header of the email message when it is sent – much like a signature on a letter that validates that it has been read and approved by the sender.

Through encryption technology, the receiver then decrypts and analyses that signature and runs it through the public key. If the values match, then the content of the email can be verified as original and not altered in any way.

The main problem with both DKIM and SPF, however, was that when the receiving server checked the SPF and/or DKIM settings and saw that they were failing, it didn’t always know what to do with the mail in question. Should it put it in the spam bucket, or not accept it at all? Enter DMARC.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

A policy called Domain-based Message Authentication, Reporting and Conformance (DMARC) was designed to sit on top of both SPF and DKIM. Because it is a policy that a domain owner publishes, it puts the control of what the receiver must do with a particular mail firmly in the domain owner’s hands.

This makes the task easier for receiving servers. Finally, the server no longer has to make up its mind about what to do with a particular mail; the domain owner tells them what to do. The second key function that DMARC has is to send a report to the domain owner upon receiving a mail that says, for example: “We got a mail from you, and it came from this particular IP, and it was passing SPF and failing DKIM.”

DMARC reports are so important, as they tell domain owners which severs are sending mail, and which ones should be audited and authorised where applicable. These reports then create full visibility for the domain owner, as they can see everybody sending mail from their domain. This, in turn, makes it much easier for them to authorise the correct servers, as before they may not have known about them. Implementing DMARC creates a simple way of putting control back into the email sender’s hands – no matter where that mail is sent.

Remember that in the past, receivers didn’t know what to do with a mail if it failed the SPF or DKIM checks. Now with DMARC, the domain owner essentially says to the receiving server: “If you get this mail from my domain and SPF or DKIM fails, do not accept it.”

Want to check your vulnerability score?

There is a simple way to check your current domain score, you can go to https://sendmarc.com/tools/basic-analysis/ and enter an email address, it quickly does a basic test and determines your overall score out of 5.