1. Cybersecurity

How DKIM, SPF & DMARC Work to Prevent Email Spoofing and Phishing

Disclaimer: This is a user generated content submitted by a member of the WriteUpCafe Community. The views and writings here reflect that of the author and not of WriteUpCafe. If you have any complaints regarding this post kindly report it to us.

What's a hacker's weekend gateway?” They do Phishing. Hackers can have very few attacks for a weekend, but there are many weeks of intense activity. Right now, we are experiencing intense attacks.


Anybody on the Infosec team will know what I mean. You will need to send a dozen emails to set up a meeting. A lot of spam and phishing emails will be awaiting review. Attachments are edited, re-edited, and changed until nobody knows which version is current. Notifications urgent messages are drowning in spam and forwards.


If many emails are examined, it can be difficult to identify spam and phishing emails. Analysts must think beyond the email to create filters that automatically reject or block spam. There were few tools available to verify the identities of senders in the early days of email.


 Many spammers, fraudsters, and viruses sent via email used forged sender data, and some still do. It wasn't easy to verify the identity of email recipients.


The three major email security protocols, SPF, DMARC and DKIM, complement each other, so implementing all three provides the best protection. These three protocols will authenticate your mail server and prove to ISPs and mail services that the sender is authorized to send an email. All three of these prove that the sender has been properly authorized to send an email, that their identity is not compromised and that they are not acting on behalf of another person. All mail services and servers will eventually require these antispam measures.


They are all difficult to set up and require a lot of research to understand how they work together and what their respective defensive capabilities can do for you. However, the effort required to learn how to use them is well worth it.


What is SPF?


  • SPF stands for Sender Policy Framework and is another great email authentication mechanism for security and delivery.
  • It protects your DNS servers and restricts who can send you emails.SPF can stop domain spoofing.
  • Internet Service Providers can use an SPF record to verify that a mail server has authorized sending email to a specific domain. An SPF record can be described as a DNS TXT file that lists IP addresses allowed to send emails to your domain.
  • SPF consists of three components: a policy framework, and an authentication technique. Additionally, there are particular headers within emails that contain this information.


How SPF detects fraudulent emails


  • SPF is used by receiving mail servers to confirm that an email was sent from a domain name from an authorized host. These steps explain how SPF works.
  • The DNS publishes the SPF record. This record lists all IP addresses that can send an email to the domain. It is part of the overall DNS records.
  • The SPF mechanism uses domain information in the return-path addresses to identify the SPF records. Inbound servers compare the IP addresses used by mail senders and authorized IP addresses in SPF records.
  • To decide whether to accept, reject or flag an email message, the receiving mail server uses the rules in the SPF record of the sending domain.


Importance of SPF


  • SPF protects email users from spammers. Spam and Phishing emails often use fake “from” addresses or domains. Validating SPF data is one of the best and most reliable antispam strategies.
  • A spammer might try to send mail from your domain if you have a good reputation for sending an email. SPF authentication properly configured will show the receiving ISP that the domain is yours, but the sending server has not been authorized for mail to your domain.
  • Although the email may be authentic, it could also be fake. It is possible that a real email was forwarded. It means it could have been sent from anywhere, so the list of approved recipients may not be helpful. You might also find the email to be fake.


There are many possible outcomes, and it isn't easy to understand why SPF does not provide a link. DKIM is an additional method that attempts to link email messages to domains.


What is the point of SPF-Only?


The Internet is the best place to forward emails. However, the SPF mechanism does not survive the forwarding process. The email appears to be coming from infrastructure with nothing to do with you.

Forwarding can be resisted by DKIM signature. Forwarding is not possible with SPF. It's a list that servers are authorized to send for your domain. A domain owner cannot keep a list.

A list of forwarders cannot be maintained on behalf of your domain or domain owner.



What is DKIM?


  • DomainKeys Identified Mail is an email authentication method. This method detects fake or spoofed sender email addresses. It is another way to link email addresses back to a domain.
  • DKIM allows email senders to attach DKIM signatures to their emails (header added to the email and encrypted).Once the recipient has received the email, they will be able to verify that you sent it.
  • DKIM, like SPF, is used in DMARC alignment. Although it is more complicated than SPF, the DNS has a DKIM record. DKIM can resist forwarding, which makes it more secure than SPF. It also provides a solid foundation for email security.


Key terms in DKIM


DKIM Record: Domain owners add a DKIM (a modified TXT) record to the DNS records of the sending domain. The TXT record will contain the public key used by the receiving mail servers to verify the signature of a message. This key is usually provided by your email senders, such as Gmail.


DKIM Signature: DKIM provides email signatures added to emails and encrypted with encryption. DKIM Signatures contain all information required for an email server to verify the signature's authenticity. Each signature is encrypted using a pair of DKIM keys.The “private DKIM key” is the key that the origin email server uses for verifying the signature.

ISPs or the receiving mail server can also use this key to verify the signature. These signatures are sent along with emails and verified by the servers that send them to their destination.

DKIM Selectors – The DKIM selector can be specified in the DKIM Signature header. It indicates the DNS location of the public key portion for the DKIM pair. To verify that the email message has not been altered or stolen, the receiving server uses the DKIM selector. When the email is sent, the DKIM selector will appear in the DKIM Signature email head as an “s=” tag.

How DKIM detects suspicious emails?


  • Inbound mail servers will recognize DKIM signatures when they receive messages and search DNS to find the sender's public DKIM key keys.
  • Each email is sent a special DKIM signature by email servers.These signatures are sent with emails and are verified by email servers as they reach their destination.
  • These signatures act as a watermark on email and allow recipients to verify that the email was sent from the correct domain.
  • The variable or DKIM chooser provided in the DKIM signature can be used to determine where to search for the key. Once the key is located, it can then be used to decrypt the DKIM signature. The key is then compared with the values from the mail. If they are in agreement, the DKIM is valid.


DKIM is important


DKIM checks the following components:

  • The DKIM domain is owned by the sender or authorized by the owner.
  • Emails are not altered in any way.
  • The email headers have not been modified since the original sender, and there is no new “from” domain.


Why is DKIM only not sufficient for security?


DKIM does not provide reliable methods of verifying identity of an email sender, and it doesn't prevent the spoofing or manipulation of the domain in the email's header. DMARC solves the problem because the domain end-user sees identical to the domain validated by DKIM or SPF.




DMARC stands for Domain-based Message Authentication Reporting and Conformance. DMARC is especially useful for businesses because it uses both DKIM records and SPF records to verify the sender of an email. A DMARC record is used to notify a sender that SPF or DKIM has encrypted their messages. It also instructs the recipient on what to do if either of these authentication methods fails, such as discarding or rejecting the message.

How DMARC will detect a malicious email?


DMARC uses established standards such as SPF/DKIM for email authentication. It also depends on the well-established Domain Name System.

 The process for DMARC validation is described as follows:


  1. Domain administrators publish the policy that describes its email authentication policies. It also explains how it will deal with mail sent to recipients who do not comply with this policy. The domain's DNS records will list the DMARC policy.
  2. An inbound mail server receives an incoming message.It uses DNS to search the DMARC policy for the domain specified in the message's head (RFC 5322).The inbound server checks the message for these key factors.
    • Is the DKIM signature still valid for the message?
    • Did the message originate from IP addresses that were allowed by the SPF records for the sending domain?
    • Are the headers of the message correct in displaying the “domain alignment”?
  3. This information will allow the server to use the DMARC policy of the sending domain to determine whether the message should be accepted, rejected, or flagged.
  4. The receiving mail server will inform the sender of the outcome after using the DMARC policy.


Key points/terms in DMARC


DMARC Record: A DMARC record (Domain-based Message Authentication Reporting & Conformance). is a specially formatted version of a DNS TXT record that has a specific name. It is part of an organization's DNS Database.


DMARC Domain Alignment:


“Domain alignment” is a term that expands on the domain validation inherent in DKIM or SPF. DMARC domain alignment matches a message's “from” domain with relevant information according to these other standards.

  • SPF requires that the From the domain of the message and its Return-Pathdomain must be identical.
  • DKIM requires that the message's From and DKIM domain must match.
  • You have two options: aligning the domains in a relaxed way (matching base domains but allowing subdomains) or aligning them strictly (precisely matching all domains). The DMARC policy published by the sending domain will specify this choice.


There are three policies available when you implement a DMARC Record. These policies tell the recipient server how to handle mail that you have not made DMARC compliant. Mail sent from you is not required to be treated as requested by the recipient server.

DMARC policies:


  • None: All mail sent from your domain should be treated as if it were without any DMARC validation.
  • Quarantine: The recipient server can accept the mail, but it should not be placed in the recipient's mailbox (normally, the spam folder).
  • Reject: Completely reject this message.


DMARC Report:


As a part of the DMARC validation, inbound mail servers produce DMARC reports. DMARC reports can be obtained in two formats.

  • Reports aggregate
  • Forensic reports


Importance of DMARC


  • Phishing refers to the fraudulent practice in which malicious emails are sent pretending to belong to someone else to steal credit card information and other personal information. DMARC protects you.
  • DMARC uses the existing email authentication methods SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). Reporting is an important function of DMARC.
  • Domain owners can gain insight into who is sending emails for their domain by publishing a DMARC file to their DNS record. This information can be used for detailed information about the email channel. This information allows a domain owner to take control of the email sent on his behalf.


What does DMARC do with the mail that has been validated in Email Gateway?


The DMARC policies mention that an email can be rejected or quarantined if it is not validated with DKIM and SPF.

Understanding what happens when a DMARC rejects policy or publishes a quarantine is crucial. These differences can be better understood by us.




Email receivers should use greater caution when receiving emails that fail to pass the DMARC check. Email is still acceptable, but the recipient must decide what quarantine to use. Here are some examples of possible implementations.


  • Send to the spam folder: If the email receiver hosts ‘the recipient's mailbox’, the receiver may be able to send non-compliant mail to the recipient's junk folder.
  • Temporary quarantine: An email recipient can temporarily quarantine any email that isn't compliant in order to permit additional analysis. After reviewing the email, an operator can release it from quarantine.
  • Increased aggressiveness in antispam filters: Antispam filters are a compromise between accidentally identifying spam mail as spam and identifying spam as it is. Mail that is subject to DMARC policies or quarantine will be more likely be deemed spam.

It is important to remember that any non-compliance email can still be delivered despite having a quarantine policy published. Non-DMARC technology may block spam. However, an email will still flow from the servers.





A DMARC policy with p=reject tells email recipients to reject any email that fails to pass the DMARC check. Two possible implementations are known:

  • Refuse to receive a non-compliant email at SMTP. It is the most popular and widely used implementation, as it prevents delivery to DMARC-verifying receivers. The system will immediately inform the sender why an email that isn't compliant isn't reaching its intended recipient.
  • Accept email via SMTP initially and then stop the delivery of any email that fails DMARC. It is a less ideal implementation because the responsibility for email delivery has been transferred to SMTP, and the email is not delivered. Two things can happen when a delivery fails:
    • A Delivery Status Notification is generated, also known as a “bounce” email message.
    • The email containing non-compliance is silently deleted.

Emails that fall within the DMARC reject policy won't be delivered default. It is a powerful control to prevent unauthorized email sending.


The following are the effects of Quarantine or Reject policies:


  • The impact of a reject policy will be obvious on legitimate but non-compliant emails: it will stop flowing. Domain owners should be ready to handle legitimate email sources that might encounter reject-based policies when switching to a rejection policy. The email source will almost certainly need assistance in becoming DMARC compliant.
  • The effect of a quarantine policy for legitimate non-compliant emails will not immediately be apparent to the email's authors.This will affect legitimate, but not-compliant email communications. Due to the many ways the DMARC quarantine policy can be applied, the email sources will be spam-folder and delayed. It may be rejected by the email receivers. If the source of the affected email is not paying attention to its performance, then the impact of quarantine could go unnoticed for a while.



Given the constant cyber-criminal activity, it seems only natural to protect your email streams from fraud. DMARC is beneficial regardless of how large a company may be. It allows full domain visibility, control of email traffic, and security against phishers. DMARC can also improve deliverability, as mailbox providers can verify that you are a legitimate sender if your email authentication is correct.



Original source: https://telegra.ph/How-DKIM-SPF–DMARC-Work-to-Prevent-Email-Spoofing-and-Phishing-05-25




Welcome to WriteUpCafe Community

Join our community to engage with fellow bloggers and increase the visibility of your blog.
Join WriteUpCafe