Why and how SPF, DKIM and DMARC are all essential to your email security

For email, it’s far too late for security by design. Unfortunately, adding security as an afterthought is not easy, especially when you must guarantee backwards-compatibility with something that’s already been globally deployed. This is where essential additional standards – SPF, DKIM and DMARC – come in.

When the first emails were being exchanged at MIT in 1965, security wasn’t an issue: everyone was on the same mainframe, carefully nurtured in its air-conditioned room. SMTP wasn’t created until 1982, also at a time when cyber security simply wasn’t a consideration. There was no authentication, no confidentiality, no integrity checks and no protection from unsolicited messages. Life was simpler then. However, as soon as email’s popularity escalated, the problems, and the vulnerabilities, soon became clear.

In an effort to make email more secure, SPF, DKIM and DMARC have since been layered on top of it. None of them is perfect, but they are important, and they work best together.

SPF prevents spoofing – up to a point

By publishing an SPF (Sender Policy Framework) record in DNS, you list the mail servers that are allowed to send email on behalf of your domain, and a receiving server checks the connecting IP address against that list. Configuration is simple in principle: you just need to map all the systems that send email for your organisation, including third parties such as newsletter platforms or ticketing systems. It is not entirely risk-free, though. A record that ends in -all but omits a legitimate sender gets that sender’s mail rejected, and a record that needs more than ten DNS lookups is a permanent error that receivers treat as no valid record at all. SPF also has two well-known gaps: it checks the envelope sender (MAIL FROM), not the From address the user actually sees, so a forger can pass SPF for their own domain while displaying yours, and it breaks when mail is forwarded, because the forwarder’s IP is not in your list. SPF is far from being the perfect spoofing solution, but it is much better than nothing.
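To make the check concrete, here is an added example (not Libraesva’s code) of how a receiving server evaluates a connecting IP against an SPF record. It handles only the mechanisms that need no DNS (ip4, ip6 and all); the include, a, mx, ptr and exists mechanisms and the redirect= modifier would each require a lookup, so the example just counts them against the ten-lookup limit rather than resolving them. The record and IP addresses are constructed for illustration.

```python
"""Offline SPF (RFC 7208) check of a client IP against a published record.

Added example, not Libraesva's code. It evaluates the mechanisms that need
no DNS (ip4, ip6, all). Mechanisms that do need DNS (include, a, mx, ptr,
exists) and the redirect= modifier are only counted against the limit of
ten lookups that RFC 7208 imposes; a real checker would resolve them.
"""
import ipaddress

# Terms that each cost one DNS lookup when a receiver evaluates the record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Qualifier prefix -> SPF result when the mechanism matches ("+" is implied).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                     # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append(("+", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def count_lookups(record: str) -> int:
    """Number of DNS-lookup terms in the record; more than ten is a permerror."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def check_spf(record: str, client_ip: str) -> str:
    """SPF result for a connection from client_ip: pass, fail, softfail,
    neutral, permerror (malformed record or too many lookups), or none."""
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    if sum(1 for _, name, _ in terms if name in LOOKUP_TERMS) > 10:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in terms:
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "all":                 # "all" always matches
            return QUALIFIERS[qualifier]
        # include/a/mx/ptr/exists would need DNS; skipped in this offline example.
    return "none"


# Constructed record for a domain that sends from one IPv4 range, one IPv6
# range and a third-party provider (the include), and rejects everything else.
EXAMPLE_RECORD = (
    "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
    "include:_spf.mailprovider.example -all"
)

if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8:1::7", "198.51.100.9"):
        print(ip, "->", check_spf(EXAMPLE_RECORD, ip))
```

The last address is not in the record, so with -all it fails outright; change the record to end in ~all and the same message merely softfails, which is why most administrators start with ~all until they are sure every legitimate sender is listed.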

DKIM protects the integrity of email content

Setting up DKIM (DomainKeys Identified Mail) requires a little more effort than SPF: the sending server signs each outgoing message with a private key, and you publish the matching public key in DNS under a selector for your domain. It is also safe to roll out. Until you tell receivers to enforce DMARC, a message whose DKIM signature is missing or broken is simply treated as unsigned rather than rejected, so a misconfiguration does not lose email. The receiving server fetches the public key and checks the signature over the message body and the signed headers (From, Subject, Date and so on), which tells it whether they have been modified in transit. A valid signature means the message really was signed by the domain named in the signature (its d= tag) and has not been altered since; it does not mean the content is honest, nor that the signing domain is the one shown to the user. The signature is added and checked by the mail servers and the user doesn’t need to do anything. Again, on its own this doesn’t completely solve the phishing problem.
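The following added example (not Libraesva’s code) shows the body-hash half of DKIM verification: the body is canonicalised with the rules from RFC 6376 (simple or relaxed), hashed, and compared with the bh= tag of the DKIM-Signature header. The cryptographic signature itself (the b= tag over the signed headers) is deliberately left out, so the constructed header below carries a real bh= and an empty b=, and the l= tag (partial body signing) is not supported. The message bodies are constructed for illustration.

```python
"""DKIM (RFC 6376) body hash: canonicalise the body, hash it, compare bh=.

Added example, not Libraesva's code. It covers the body-hash half of DKIM
verification: body canonicalisation (simple or relaxed) and the bh= tag.
The actual signature (the b= tag, RSA or Ed25519 over the signed headers)
is left out, so build_signature_header() emits an empty b= and only shows
where bh= comes from. The l= tag (partial body signing) is not supported.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Apply the RFC 6376 section 3.4.3 (simple) or 3.4.4 (relaxed) body rules."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of spaces/tabs to one space, drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown canonicalisation {method!r}")
    while lines and lines[-1] == b"":        # ignore empty lines at the end
        lines.pop()
    if not lines:                            # empty body: "" relaxed, CRLF simple
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", algorithm: str = "sha256") -> str:
    """Base64 digest of the canonicalised body, as carried in the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header, dropping folding
    whitespace inside values (the b= and bh= tags are usually wrapped)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(body: bytes, domain: str, selector: str) -> str:
    """Constructed DKIM-Signature value with a real bh= and a placeholder b=."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h=from:to:subject:date; bh={body_hash(body, 'relaxed')}; b="
    )


def verify_body_hash(header_value: str, body: bytes) -> bool:
    """True if the body still matches the bh= tag of the signature header."""
    tags = parse_tags(header_value)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    # c=header/body; when only the header method is given, the body is simple.
    canon = tags.get("c", "simple/simple").split("/")
    body_method = canon[1] if len(canon) > 1 else "simple"
    algorithm = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]   # sha256 or sha1
    try:
        return tags["bh"] == body_hash(body, body_method, algorithm)
    except ValueError:                       # unknown canonicalisation or hash
        return False


# Constructed bodies: REWRAPPED differs only in whitespace, ALTERED in content.
ORIGINAL = b"Hello,\r\n\r\nPlease pay invoice 42 to the usual account.\r\n"
REWRAPPED = b"Hello, \r\n\r\nPlease   pay invoice 42 to the usual account.\r\n\r\n\r\n"
ALTERED = b"Hello,\r\n\r\nPlease pay invoice 42 to the new account below.\r\n"

if __name__ == "__main__":
    header = build_signature_header(ORIGINAL, "example.com", "sel2024")
    print("DKIM-Signature:", header)
    for name, body in (("original", ORIGINAL), ("rewrapped", REWRAPPED), ("altered", ALTERED)):
        print(f"{name:10} bh matches: {verify_body_hash(header, body)}")
```

The relaxed canonicalisation is what lets a signature survive the harmless whitespace changes that mail relays make, while a single changed word in the body still breaks the hash. In a real verifier the same bh= value is also covered by the b= signature, so an attacker cannot simply recompute it.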

DMARC checks the email’s credentials

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It closes the gap that SPF and DKIM leave on their own: a DMARC policy requires that the domain in the From header the recipient sees is aligned with the domain that SPF or DKIM actually authenticated. The message passes if it was sent from an IP address authorised by that domain’s SPF record and the envelope sender domain aligns with the From domain, or if it carries a valid DKIM signature whose signing domain (d=) aligns with the From domain. If neither holds, the receiving server applies whatever policy the domain owner has published: p=none (deliver, but send reports), p=quarantine (typically deliver to the spam folder) or p=reject (refuse delivery). Only quarantine or reject actually stop a forged message; the reporting addresses (rua=) let you see who is sending mail as your domain before you move to enforcement.

DMARC is configured by the email administrator of the sending domain, as a DNS TXT record at _dmarc.<domain>. Although it provides excellent protection against exact-domain spoofing and impersonation, the configuration is not straightforward: every legitimate source of mail for the domain must pass aligned SPF or DKIM before you move from p=none to quarantine or reject, otherwise legitimate email is lost. DMARC also does nothing against look-alike domains or a forged display name, so it complements user awareness rather than replacing it.
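The alignment logic described in this section, as an added example (not Libraesva’s code). The inputs are what a receiving server already has after its SPF and DKIM checks: the SPF result and the envelope domain it was evaluated for, the d= domains of the DKIM signatures that verified, the From header domain, and the sender’s published DMARC record. No DNS is performed. One simplification is labelled as an assumption in the code: the organisational domain is taken to be the last two labels, whereas real receivers consult the Public Suffix List so that domains such as example.co.uk are handled correctly. The record and domains are constructed for illustration.

```python
"""DMARC (RFC 7489) evaluation: alignment of the visible From domain with
what SPF and DKIM authenticated, then the published policy.

Added example, not Libraesva's code. The inputs are what a receiving server
already has after the SPF and DKIM checks; no DNS lookups are performed.
Assumption: the organisational domain is the last two labels. Real receivers
use the Public Suffix List so that e.g. example.co.uk is handled correctly.
"""


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain (simplified to the last two labels, see module note)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any subdomain of the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str,
                   spf_domain: str, dkim_domains: list[str]) -> tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for;
    dkim_domains are the d= values of the signatures that verified.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_domains)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # Assumption: the record was published at the organisational domain, so
    # sp= (when present) governs mail whose From is a subdomain of it.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    # pct= (gradual roll-out sampling) is not applied in this example.
    return "fail", policy


# Constructed record: reject at the apex, quarantine for subdomains,
# strict DKIM alignment, relaxed SPF alignment.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    cases = [
        # (From domain, SPF result, SPF domain, verified DKIM d= domains)
        ("example.com", "pass", "bounce.example.com", []),            # own server
        ("example.com", "pass", "mail.bulkprovider.example",
         ["bulkprovider.example"]),                                  # unaligned 3rd party
        ("example.com", "fail", "forwarder.example", ["example.com"]),  # forwarded, DKIM saves it
        ("news.example.com", "fail", "", ["example.com"]),            # strict adkim fails
    ]
    for from_domain, spf_result, spf_domain, dkim in cases:
        print(from_domain, evaluate_dmarc(EXAMPLE_RECORD, from_domain, spf_result, spf_domain, dkim))
```

The second case is the classic roll-out mistake: a bulk-mail provider that passes its own SPF and signs with its own domain still fails DMARC for the customer’s domain, and under p=reject that mail is dropped. The third case shows why DKIM matters alongside SPF: forwarding breaks SPF, but an aligned DKIM signature survives it.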

Other standards in use

TLS (Transport Layer Security) encrypts the connection between mail servers, and between clients and servers, so that messages cannot be read on the wire. It is negotiated automatically with STARTTLS by virtually all modern mail servers, so there is usually no setup required. Between servers it is typically opportunistic, however: if the other side does not offer it the message is sent in clear, and in any case each server that handles the message can still read it. S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy – yes, really!) both provide end-to-end encryption and signing, but their adoption is far from widespread because of the complexity of key management for users.

Expert support is always available

Configuring SPF, DKIM and DMARC will not solve all email security problems, but it will make your email communication much more secure and reliable. Email is more complex than it appears, so it’s worth obtaining support from an email security specialist if you are in any doubt. Libraesva also offers solutions for exceptional email security, email archiving and phishing awareness.

Try our free email pen test

Ready to find out more?

Talk to us or set up your own free trial now.