Well-known acronyms: DMARC, DKIM, SPF… or not?


In today’s world, protection from unsolicited content is a mandatory requirement of modern email systems. To achieve that goal, there are multiple configuration options available.

One of the core contributions to spam reduction is the proper interaction of the DMARC, DKIM, and SPF settings. In this first part on email security, we describe these three technologies and their high-level interdependencies.

The Sender Policy Framework (SPF) is an email-authentication mechanism. It allows a receiving email server to verify if the sending email server is authorized to send emails from the domain of the sender’s address. This verification makes use of a DNS record, which is published by the sender’s domain and lists all authorized sending host names or IP addresses.

DomainKeys Identified Mail (DKIM), in turn, takes a cryptographic approach to email authentication. In DKIM, a digital signature that is linked to a domain name is attached to each email. This signature ensures the authenticity of some parts of the message and can be verified. To do so, the receiver looks up the public key in a DNS record published by the domain linked to the signature.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows domains to indicate that SPF and DKIM are available for message authentication and to publish, via DNS, a policy on how to handle authentication failures. Additionally, DMARC supports so-called identifier alignment, i.e., the email message’s “From” field is checked for alignment with the domain linked to the DKIM signature and with the domain of the identity given during the SMTP “MAIL FROM” exchange, which is verified via SPF. Furthermore, there are several reporting options that provide the domain owner with statistics about authentication failures.
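
The identifier alignment check described above, as an added example that is not part of the original article. It goes slightly beyond the text by distinguishing the strict and relaxed alignment modes of RFC 7489, and it uses a small constructed suffix set in place of the real Public Suffix List; all function names and sample domains are assumptions.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def domain_of(value):
    """Lowercased domain of an address, header value or bare domain."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].strip().rstrip(".").lower()

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain

def aligned(from_domain, auth_domain, strict):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not from_domain or not auth_domain:
        return False  # e.g. empty MAIL FROM on a bounce message
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(header_from, mail_from, spf_result, dkim_sigs,
               aspf_strict=False, adkim_strict=False):
    """Pass if SPF or DKIM passes AND its domain aligns with the From domain.

    dkim_sigs is a list of (d= domain, verification result) pairs.
    """
    from_domain = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(
        from_domain, domain_of(mail_from), aspf_strict)
    dkim_ok = any(
        result == "pass" and aligned(from_domain, domain_of(d), adkim_strict)
        for d, result in dkim_sigs)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    # Constructed sample: SPF and DKIM both pass, but for an unrelated domain.
    print(dmarc_pass("Billing <billing@example.com>", "bounce@example.net",
                     "pass", [("example.net", "pass")]))       # False
    # Constructed sample: forwarded mail, SPF fails, aligned DKIM survives.
    print(dmarc_pass("news@example.com", "fwd@example.org",
                     "fail", [("mail.example.com", "pass")]))  # True
```

The first sample shows why alignment matters: a passing SPF or DKIM result only counts toward DMARC when the authenticated domain matches the domain the recipient sees in the “From” field.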

Together, DMARC, DKIM, and SPF play a big part in reducing spam, phishing, or other email-based fraud by authenticating an email’s origin. In the next part, we shall discuss the Sender Policy Framework in detail.