A little overview of:
SPF (Sender Policy Framework)
DKIM (Domain Keys Identified Mail)
DMARC (Domain-based Message Authentication, Reporting & Conformance)
———-
These are all related mechanisms built on DNS and the SMTP protocol; they are made to secure your email systems and to prevent spam and spoofing.
The primary function of all of them is to set policies for how the receiving end should treat your email if it does not comply with your defined standard.
The mechanisms are not new; DMARC, as an example, was introduced in 2012.
DMARC uses both SPF and DKIM to check the origin of an email's sender, and the policy can be set to “none”, “quarantine” or “reject”.
DMARC can also send reports to an email address about which systems sent email from your domain and how they behaved in relation to your current SPF and DKIM settings, which are configured in DNS for the domain in question.
New in 2023 is that MS 365 will send DMARC reports, and there is even a free report viewer that can be integrated in the Azure portal; it is named Valimail.
Valimail will give you better insight into how your domains are validating when sending email with SPF, DKIM and DMARC. It can also be used standalone; it does not need to be integrated in the Azure portal.
—
SPF is simply a list of allowed senders from your domain.
It also contains switches advising the receiver how to handle the email if the sender is not in the list.
(~all means softfail: the mail can still be delivered, while -all means hardfail: “drop if the sender is not in this list”)
An SPF DNS record should not be longer than 255 characters. You can read more in RFC 7208.
—
DKIM is a DNS CNAME record pointing to a public key published by your primary mail host, such as MS 365.
It uses public key cryptography so that the receiver can verify the sending system. For more details see RFC 6376.
After DKIM is enabled, you can see in the received email's header that it has been signed:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=testdomain.no;
s=selector1;
You can check your DKIM public key by running an nslookup on the CNAME, and of course check all your related DNS records. A great toolbox, as always, is MXtools.
The Norwegian security agency, NSM (Nasjonal sikkerhetsmyndighet), has created a list of recommendations for securing email, and there is lots of info available in many places.
The NSM guide can be downloaded here (in Norwegian).
Login AS can help you out if you need any help configuring this correctly.
Check your DNS records
By using nslookup we can query the DMARC TXT record:
_dmarc.yourdomain.com
This will return your record, which could start out looking like this:
“v=DMARC1; p=none; pct=100; rua=mailto:dmarc_agg@vali.email; fo=1”
Note that the policy is set to “none” above because we want to monitor what's going on before we activate quarantine or reject.
Look up your DKIM selector entry like this:
nslookup
Although DKIM is published as a CNAME record, we want to query a TXT record in order to resolve the public key, so:
set type=txt
The next query depends on your record, but the MS 365 record looks something like this:
selector1._domainkey.yourdomain.com
The query should return your DKIM public key as a TXT record beginning with v=DKIM1; k=rsa; p= followed by the base64-encoded RSA public key. Because the key is longer than 255 characters, it comes back as two quoted strings, which the receiver joins together before use.
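As an added example (not code from the original post), here is a small Python checker that parses the three record types the way a receiver does and flags the weak settings discussed above: a softfail ~all, an SPF record over 255 characters, a DMARC policy still at p=none, a missing rua address, and a DKIM key split over several TXT strings. The sample records are constructed; the DMARC one mirrors the monitoring-mode record shown above, the SPF include and the DKIM key are dummies. It parses records you have already fetched (for example with nslookup) and does no DNS queries itself.

```python
import re

# Constructed sample records: the DMARC record mirrors the monitoring-mode
# record shown above; the SPF include and the (dummy) DKIM key are made up.
SPF_SAMPLE = "v=spf1 include:spf.protection.outlook.com ~all"
DMARC_SAMPLE = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc_agg@vali.email; fo=1"
DKIM_SAMPLE = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF", "AAOCAQ8AMIIBCgKCAQEAdummy"]

def parse_tags(strings):
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict.
    A TXT record longer than 255 characters is published as several quoted
    strings (as the DKIM output above shows); verifiers join them in order."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return the weaknesses found in an SPF record."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    if len(record) > 255:
        findings.append("longer than 255 characters: must be split into TXT strings")
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if match is None and "redirect=" not in record.lower():
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif match is not None and match.group(1) == "~":
        findings.append("~all (softfail): spoofed mail can still be delivered")
    elif match is not None and match.group(1) in ("", "+", "?"):
        findings.append(match.group(1) + "all: unlisted senders are allowed")
    return findings

def check_dmarc(record):
    """Return the weaknesses found in a DMARC record."""
    tags = parse_tags([record])
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    if tags.get("pct", "100") != "100":
        findings.append("pct=" + tags["pct"] + ": policy applied to only part of the mail")
    return findings
```

Run check_spf and check_dmarc on the strings nslookup returned, and parse_tags on the list of quoted DKIM strings, to see which of the weak settings your domain still has.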