Enhancing Email Security: A Simple Guide to SPF, DKIM, and DMARC

Email security might sound extremely technical, but keeping tight control of your eMail setup is essential in maintaining credibility as an organisation. After all, if an organisation cannot keep it's IT / eMail in order; how can they be trusted with, often, greater things?

Three key tools, SPF, DKIM, and DMARC, when configured correctly can vastly enhance your eMail security yet, over and over again, I encounter scenarios where only one has been implemented - SPF.

If the truth be known, only SPF is implemented in a lot of cases out of pure necessity - a lot of spam filters nowadays block eMail from domains for which proper SPF records have not been created and published.

Understanding SPF (Sender Policy Framework)

What is SPF?

Back in "the bad old days" I could fire up a copy of Outlook Express or any mail client ( even command line ), craft an eMail and send it as any eMail address under the sun. Those days are well and truly gone - for the better!

This issue has been thwarted nowadays by only allowing SPECIFIC mail servers on the Internet send / relay eMail as my eMail domain. This information is posted publicly online ( via DNS ) and can be used by anyone receiving eMail to double check where the mail has come from and whether that source is authorised to send/relay mail for my domain.

Therefore, once in receipt of an eMail, your first question should be "How has this eMail actually arrived to me? What Mail Server sent this? Is that mail server actually authorised to send eMail on behalf of that domain?" This is where SPF kicks in.

SPF stands for Sender Policy Framework. Essentially, it's a published list (on DNS) identifying servers allowed to send/relay mail on behalf of the domain. Recipients check the IP address of the sending / relaying mail servers

How Does it Work?

As an analogy, imagine that there is a letter box on your street and you decide to send a letter to somebody from that mailbox - the posting part, being completely anonymous, causes the recipient to have no way possible of checking who actually sent that letter and whether they actually are who they claim to be.

On the other hand, imagine that your boss discovered that scam letters were being sent purporting to be from your company and instructed An Post, that from now on, anything posted as coming from the company could only be done via a specific locked post box assigned to the company, for outbound posting, at a specific post office. Imagine it was possible for An Post to "detect and dump" all fake post in the system ( purporting to be from the company that didn't emanate from that mailbox )?

This would mean that the recipient could be confident that if the letter states that it was sent from the company; it was genuinely sent from the company.

Implementing SPF (Sender Policy Framework):

1. Identify Your Domain's Email Servers: List all the servers and services (e.g. Microsoft 365, any third-party email services e.g. scanners, voicemail systems etc.) that send email on behalf of your domain.
2. Create and Publish SPF TXT Record in Your DNS: Access your domain's DNS management console. Create a new TXT record. The value of the TXT record should be something like:

Understanding DKIM (DomainKeys Identified Mail)

What is DKIM?

Whilst SPF allows you verify that the eMail has been sent to you from an authorised mail server; it does not allow you verify whether the contents have been tampered with.

DKIM allows an organisation take responsibility for a message in transit by adding a unique digital fingerprint to your emails, like a verified badge on social media. It helps prove that your emails are genuinely from you and haven't been tampered with.

How Does it Work?

When you send an email, this system attaches a special secure tag (a digital signature). When your email arrives, the recipient's system checks this tag against a public key published in your DNS records. If it matches, it's a green light that the email is authentic.

Setting it Up:

1. Your email service will generate a special key pair – one private (for your use only) and one public (shared in your DNS records).
2. When you send an email, your server uses the private key to attach the digital signature. The receiving server uses the public key to verify this signature.

In fact, Microsoft 365 automatically creates a DKIM signature for your outbound emails. Here's how you can set up DKIM in Microsoft365:

1. Enable DKIM in Microsoft 365:- Go to the Microsoft 365 admin center.- Navigate to the Exchange admin center.- Select protection, and then go to dkim.-Choose the domain and then select:"Enable for Sign messages for this domain with DKIM signatures."
2. Create and Publish DKIM CNAME Records for Your Domain:You need to add two CNAME records to your domain's DNS settings. These records can be found in the Microsoft 365 admin center.The records will be similar to:

Replace <YourDomain> and <TenantDomain> with your actual domain and Microsoft 365 tenant domain.

Understanding DMARC (Domain-based Message Authentication, Reporting & Conformance)

What is DMARC?

DMARC is a mechanism where you tell recipients ( of mail purporting to be legitimate eMail from your domain ) what to do if such mail fails SPF and DKIM checks to verify that an email is legitimate.

If an email doesn't pass the check, DMARC advises what to do with it – either let it through, quarantine it, or reject it outright.

How Does it Work?

DMARC checks each email against your SPF and DKIM settings. If the email doesn't align with these settings, DMARC steps in and decides based on the policy you've set.

Setting it Up:

1. Decide on your policy – Do you want to monitor emails, quarantine suspicious ones, or reject them outright?
2. Create and Publish a DMARC TXT Record to your DNS:

p=none is a good starting policy as it collects data without affecting delivery. Over time, you can change it to quarantine or reject as per your requirement.

The rua tag in the DMARC record specifies where you want to receive reports about messages that pass or fail DMARC evaluation.

Best Practices and Tips

1. Regular Updates: Keep your SPF and DKIM records up to date, especially if you change email service providers.
2. Test Your Setup: Regularly check if your SPF, DKIM, and DMARC are configured correctly. There are online tools available for this.
3. Monitor Reports: DMARC can send you reports on your email flow, helping you spot potential issues.

By enabling SPF, DKIM, and DMARC for your eMail domain, you can significantly enhance your organization's email security - protecting your domain against misuse and your recipients against phishing and spoofing attacks.