SPF, DKIM and DMARC

A little overview of :

SFP (Sender Policy Framework)

DKIM (Domain Keys Identified Mail)

DMARC (Domain-based Message Authentication, Reporting & Conformance)

———-

These are all related features built into DNS and the SMTP protocol and they are made to secure your email systems and to prevent spam and spoofing.

The primary function of all of these is to set policies for how the receiving end should treat your email if it does not comply to your defined standard.

The functions are not new, DMARC as an example was invented in 2012.

DMARC is using both SPF and DKIM to check the senders origin of an email, and the policy can be set to “none”, “quarantine” or “reject”

DMARC can also send reports to an email adress about which systems sendt from your domain and how they behaved in relation to your current SPF and DKIM settings, which are configured in DNS for the domain in question.

New in 2023 is that MS 365 will send DMARC reports and there is even a free report viewer that can be integrated in Azure portal, it’s named Valimail.

Valimail will give you better insights on how your domains are validating when sending email with methods SFP,DKIM and DMARC. It can also be used standalone, does not need to integrate in Azure portal.

SPF is simply a list of allowed senders from your domain.

It also contains switches advicing the receiver how to handle the email if the sender is not in the list.

(~all meaning softfail, can still be delivered, while -all means hardfail “drop if sender is not in this list”)

An SPF DNS record should not be longer than 255 chars. You can read more in RFC7208

DKIM is a DNS CNAME record pointing to a public key available on a primary mailhost, like MS 365.

It provides public key encryption for verification of the sending system. For more details see RFC6376

After DKIM is enabled , you can see in the received email’s header that it has been signed:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=testdomain.no;
s=selector1;

You can check you DKIM public key by running a nslookup on the CNAME, and ofcource check all your related DNS records. A great toolbox is as always MXtools

The Norwegian security agency, NSM(nasjonal sikkerhjetsmyndighet) have created a list of recommendations for securing email, and there is lots of info available many places.

NSM guide can be downloaded here (in Norwegian)

Login AS can help you out if you need any help configuring this correctly.

Check your DNS records

By using nslookup whe can query the DMARC TXT record:

_dmarc.yourdomain.com

will return your record, that could start out looking like this:

“v=DMARC1; p=none; pct=100; rua=mailto:dmarc_agg@vali.email; fo=1”

Note that the policy is set to “none” in the above because we want to monitor what’s goint on before we activate quarantine or reject.

Look up your DKIM selector entry like this:

nslookup

Allthough DKIM is a CNAME record, we want to query a TXT record in order to resolve the pub key. so:
set type=txt

the next query depends on your record, but the 365 records looks something like this:
selector1._domainkey.yourdomain.com

The return should be the public key for your DKIM:

“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BA

QEFAAOCAQ8AMIIBCgKCAQ

AnqWH00z/rgdgosRQeIihJSD

LBhmWklP01wXlM1+ZWzf4a

01AqGj5NKcsoF1z45IpzOZyO

pXxGkQLMkDeh202E423XUf

+12ZE0CNqTYZuaNaf41wm5y

5BDc6/WUMulXD9tmVzn86h

DIZDvsJAPZW8FyDdRCFTxy

hxqfD70ki+ngdki0C0lM8rtSH

Z6TYTtVGO”

“OXVEODQUTXQESj9yrcCI7u

DjLPZ3xBqMYkmhhbBJ8YUz

Ed0Ivgpmwq271hVaUDmagz9

e4ztY22xnEmOX9gpKJPTUlSj

PYy2mHowUwb75hHfiPYQUr

EKWkYjigDBxJCvKmURkHkY

cbJ7pWmz2sw2OQIDAQAC;”

More articles