What do SPF, DKIM, and DMARC mean, and what do they do?
By JAMES GENTRY
(Second, of a Multi-Part Series)
SPF, DKIM, and DMARC are designed to help confirm that emails that come from your domain are not forgeries or sent by an impostor.
You will need to know a few basic things to understand how this works:
- smith@sender.com will be our sender’s email address.
- jones@recipient.com will be our recipient’s email address.
- Email domain: everything on the right side of the @ symbol is the email domain. Therefore, Bob’s email domain is com, and Mary’s email domain is recipient.com.
- *Email spoofing: when impostors send forged emails that appear to come from within your organization.
Now what do those acronyms mean?
- SPF (Sender Policy Framework): SPF provides a way to specify which mail servers are allowed to send an email from your email domain. When Mary receives an email from Bob, her mail server checks to see if it came from an allowed server. If it matches, the email goes through. If not, it can be blocked, quarantined, or deleted depending on how SPF is set up.
- DKIM (Domain Keys Identified Mail): DKIM is another way to prove that an email comes from your organization. Outgoing emails are given a digital signature and are secured with encryption. The recipient’s mail system can then confirm that the contents of an email have not been tampered with or changed.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): DMARC uses SPF and DKIM to ensure that an email did not come from an impostor. With DMARC, you can specify how recipients should handle emails that did not pass SPF or DKIM checks—either by blocking altogether or quarantining into a spam folder.
Why are SPF, DKIM, and DMARC important?
Email spoofing* has become common. Such emails appear to come from within your organization. Impostors may use malicious links in spoofed emails to commit phishing attacks, social engineering scams, or ransomware attacks.
Example: a spoofed email appearing to come from upper management is sent to a lower-level employee (or other managers) with an urgent request. The recipients, believing that the email came from a trusted source, may be fooled into clicking something dangerous or may follow instructions that lead to ransomware, data theft, or even fraudulent wire transfers.
Likewise, a spoofed email could be sent to vendors, customers, or others—also with an urgent request. Remember: These types of emails are designed to get the recipient to panic and act quickly without thinking.
Using SPF or DKIM can greatly reduce spoofing attacks. Using SPF, DKIM, and DMARC all together can possibly even eliminate spoofing attacks.
Does your business already use SPF, DKIM, and/or DMARC?
You or your IT provider can fairly easily determine if your email is authenticated by SPF, DKIM, and/or DMARC. The method depends on your email provider and whether you have your own email domain. Here are the differences:
- If you DON’T have your own email domain:
- If you use either Office 365 or Google as your mail provider, and your email domain is either com or gmail.com, then SPF, DKIM, and DMARC are already set up for you, and you need no further action.
- If you DON’T use Office 365 or Google as your mail provider, you may or may not have authentication in place. Instructions on how to determine follow below.
- If you DO have your own email domain:
- If you are using Office 365 or Google, then a basic form of authentication may be set up by default, but for full protection, you or your IT provider will need to ensure that SPF, DKIM, and DMARC are all working together.
- NOTE: If you have your own email domain, it is up to you or your IT provider to fully set up authentication.
As for how to determine what (if anything) you have in place, you can click on the following links. Enter your email domain to get your results:
- SPF – https://www.mimecast.com/products/dmarc-analyzer/spf-record-check/
- DKIM – https://www.mimecast.com/products/dmarc-analyzer/dkim-check/
- NOTE: You must enter your DKIM selector(s) to run this test. Ask your IT provider if you don’t know your DKIM selectors.
- DMARC – https://www.mimecast.com/products/dmarc-analyzer/dmarc-check/
Do you need help understanding or implementing SPF, DKIM, and/or DMARC?
If your business is not using authentication, or if you cannot determine its use with certainty, you will need to ask your email provider or your IT staff to help. If you don’t have anyone to ask, you can reach out to Atlantic Data Team, and we will help you find out at no charge. We are committed to making the web a safer place.
In next month’s article, I will discuss Remote Desktop Protocol (RDP) and how to keep your remote users working safely. Stay vigilant!
James Gentry is the president of Atlantic Data Team, a central-Florida-based business IT company. If you cannot get a straight answer on whether you use filtering or not, we will be happy to help you, at no charge to determine if you are protected. We are committed to making the web a safter place. For more information go to www.atlanticdatateam.com or email office@atlanticdatateam.com