DKIM and SPF are email authentication protocols that help improve both email deliverability and email security. Let’s look at how the two differ from each other.
DomainKeys Identified Mail (DKIM) is an anti-tampering protocol that lets a receiver detect whether a message was altered in transit. DKIM uses digital signatures to check that the email was sent by a specific domain.
DKIM validates your communications in two operations. The first takes place on the sending server, which signs outgoing mail; the second takes place on the receiving server, which verifies the DKIM signatures on incoming messages. The entire DKIM procedure relies on a private and public key pair: the private key is kept secure either on the sending server or with the email service provider (ESP), while the public key is added to the domain's DNS records so that receivers can use it to verify signatures.
The receiving server treats the email as authentic once it confirms that the message carries a valid DKIM signature. DKIM signatures are usually not visible to end users because the validation is done at the server level.
Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are permitted to send email from their domain(s).
While the email is being delivered, SPF identifies forged sender addresses. It checks the sender address in the email's envelope (the address that receives bounces) against the domain's published record. On its own it does not check the From: header that users see, so it can only detect email spoofing, a frequent phishing and spam technique, when combined with DMARC. SPF allows the recipient mail server to verify, during delivery, that email purporting to come from a certain domain was sent from an IP address approved by that domain's administrators.
Messages sent from your organization or domain without SPF are more likely to be marked as spam by recipients' mail servers. In addition to SPF, we recommend that you set up DKIM and DMARC. These authentication methods improve your domain's security and ensure that communications received from it are delivered appropriately.
DMARC builds on SPF and DKIM. With SPF, the domain owner defines which addresses are allowed to send email on their behalf; with DKIM, a cryptographic signature confirms that the sender is truly who they claim to be. Each of these systems produces its own authenticated identifier, which can be used to verify and validate email in different ways. With SPF and DKIM alone, however, your receiving server can see the results of those checks but has no instruction from the domain owner on whether the traffic is meant to be configured that way, so it cannot take any action based on that information.
DMARC, however, uses the SPF and DKIM results to determine whether an email is from an authorized sender or from an impostor. It actively blocks attacks by enforcing a policy published by the domain owner. Domain owners instruct receiving servers on how to handle failing emails by publishing a DMARC policy that suits their needs. In this way, DMARC gives domain admins full control over their domain’s email activity.
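The decision described above, as an added example that is not part of the original article: a receiver combines its SPF and DKIM results with DMARC alignment (the authenticated domain must match, or be a subdomain of, the visible From: domain) and then applies the owner's published policy. The `AuthResult` struct, the domain names and the sample messages are constructed for this illustration; a real receiver fills the struct from its own SPF and DKIM checks and fetches the policy from the `_dmarc` TXT record.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what a receiving server knows after running SPF and DKIM
// on one message. Constructed for this example; a real receiver fills it
// from its own SPF/DKIM checks.
type AuthResult struct {
	FromDomain string // domain of the RFC 5322 From: header, what the user sees
	SPFPass    bool   // SPF result for the envelope sender
	SPFDomain  string // envelope MAIL FROM domain that SPF evaluated
	DKIMPass   bool   // a DKIM signature verified
	DKIMDomain string // d= tag of that verified signature
}

// Policy is the p= value the domain owner publishes in the _dmarc TXT record.
type Policy string

const (
	PolicyNone       Policy = "none"       // monitor only
	PolicyQuarantine Policy = "quarantine" // e.g. deliver to the spam folder
	PolicyReject     Policy = "reject"     // refuse the message
)

// aligned implements DMARC "relaxed" alignment: the authenticated domain is
// the From: domain itself or a subdomain of it. Strict alignment would
// require an exact match.
func aligned(authDomain, fromDomain string) bool {
	a, f := strings.ToLower(authDomain), strings.ToLower(fromDomain)
	return a == f || strings.HasSuffix(a, "."+f)
}

// DMARCPasses is true when at least one of SPF or DKIM both passed and is
// aligned with the visible From: domain. A pass for an unrelated domain does
// not count, so SPF passing for the real sending domain cannot authenticate
// a forged From: header.
func DMARCPasses(r AuthResult) bool {
	spfAligned := r.SPFPass && aligned(r.SPFDomain, r.FromDomain)
	dkimAligned := r.DKIMPass && aligned(r.DKIMDomain, r.FromDomain)
	return spfAligned || dkimAligned
}

// Disposition is the action the receiver takes for this message under the
// published policy.
func Disposition(r AuthResult, p Policy) string {
	if DMARCPasses(r) {
		return "deliver"
	}
	switch p {
	case PolicyReject:
		return "reject"
	case PolicyQuarantine:
		return "quarantine"
	default:
		return "deliver" // p=none: deliver as usual, only report the failure
	}
}

func main() {
	// Forged From: header. SPF passes, but only for an unrelated bounce domain.
	forged := AuthResult{FromDomain: "example.com", SPFPass: true, SPFDomain: "bulk-mailer.example.net"}
	// Legitimate message relayed through a forwarder: SPF broke, DKIM survived.
	forwarded := AuthResult{FromDomain: "example.com", DKIMPass: true, DKIMDomain: "mail.example.com"}
	for _, p := range []Policy{PolicyNone, PolicyQuarantine, PolicyReject} {
		fmt.Printf("p=%-10s forged -> %-10s forwarded -> %s\n", p, Disposition(forged, p), Disposition(forwarded, p))
	}
}
```

Running it shows why the policy matters: with p=none the forged message is delivered like any other, while p=quarantine or p=reject acts on it, and the forwarded message is delivered under every policy because its DKIM signature is aligned.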
Steps to set up DKIM
DKIM configuration has three simple but essential steps.
- Generate a DKIM key pair for the domain in question: a private signing key and the public domain key that will be published.
- Add the public key to the DNS entries for that domain. This key can be used by email servers to validate DKIM signatures in your messages.
- To begin applying a DKIM signature to all outgoing messages, enable DKIM signing.
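The three steps carried through end to end, as an added example that is not part of the original article: generate the key pair, build the TXT record that goes into DNS under `<selector>._domainkey.<domain>`, sign a message on the sending side and verify it on the receiving side, then show that a changed body no longer verifies. The `Message` type, the relaxed-style canonicalization, the selector `s1`, the `example.com` zone and the map that stands in for a DNS lookup are all assumptions made for this illustration; a production implementation follows RFC 6376 for header parsing and canonicalization.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a minimal mail model for this example: lower-cased header
// names mapped to values, plus the body. Real DKIM parses RFC 5322 headers.
type Message struct {
	Headers map[string]string
	Body    string
}

// signedHeaders are the header fields the signature covers (the h= tag).
var signedHeaders = []string{"from", "to", "subject", "date"}

// Step 1: generate the key pair. The private key stays on the sending server.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Step 2: build the TXT record to publish at <selector>._domainkey.<domain>.
// p= is the base64 DER (SubjectPublicKeyInfo) encoding of the public key.
func DNSRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// parseDNSRecord recovers the RSA public key from a v=DKIM1 TXT record.
func parseDNSRecord(txt string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(txt, ";") {
		if tag = strings.TrimSpace(tag); !strings.HasPrefix(tag, "p=") {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(tag[2:])
		if err != nil {
			return nil, err
		}
		key, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, err
		}
		if pub, ok := key.(*rsa.PublicKey); ok {
			return pub, nil
		}
		return nil, errors.New("p= tag is not an RSA key")
	}
	return nil, errors.New("record has no p= tag")
}

// canonicalize produces the bytes both sides hash: the covered headers in a
// simplified "relaxed" form (lower-cased name, whitespace collapsed), then the
// DKIM-Signature header itself with bh= set to the SHA-256 body hash and b=
// empty, which is how DKIM binds headers and body into one signature.
func canonicalize(m Message, domain, selector string) []byte {
	var b strings.Builder
	for _, h := range signedHeaders {
		fmt.Fprintf(&b, "%s:%s\r\n", h, strings.Join(strings.Fields(m.Headers[h]), " "))
	}
	bh := sha256.Sum256([]byte(m.Body))
	fmt.Fprintf(&b, "dkim-signature:v=1; a=rsa-sha256; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	return []byte(b.String())
}

// Step 3: the sending server signs each outgoing message with the private key.
func Sign(m Message, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(canonicalize(m, domain, selector))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiver's side: look up the selector's TXT record (dns is a
// map standing in for a real DNS query), recompute the hash, check the signature.
func Verify(m Message, domain, selector, sigB64 string, dns map[string]string) bool {
	pub, err := parseDNSRecord(dns[selector+"._domainkey."+domain])
	if err != nil {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(canonicalize(m, domain, selector))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := GenerateKeyPair()
	txt, _ := DNSRecord(&priv.PublicKey)
	dns := map[string]string{"s1._domainkey.example.com": txt} // constructed zone
	msg := Message{Headers: map[string]string{"from": "alice@example.com", "to": "bob@example.org",
		"subject": "Invoice", "date": "Mon, 1 Jan 2024 09:00:00 +0000"}, Body: "Please find the invoice attached."}
	sig, _ := Sign(msg, "example.com", "s1", priv)
	fmt.Println("unchanged message verifies:", Verify(msg, "example.com", "s1", sig, dns))
	tampered := msg
	tampered.Body = "Please pay to the new account below."
	fmt.Println("altered body verifies:     ", Verify(tampered, "example.com", "s1", sig, dns))
}
```

The body hash in `bh=` is itself covered by the signature, which is why editing the body invalidates the signature even though only the headers are signed directly; the same holds for any covered header, and a verifier that cannot find the selector's record simply returns a failure rather than trusting the message.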
Steps to create an SPF TXT record
Step 1: List IP addresses that are used to send emails
Domain admins need to examine which mail servers their domain uses to deliver email and list every mail server and third-party source that sends email on the domain's behalf.
Step 2: List all sending domains
Domain admins must ensure that all domains under their ownership have SPF records published even if a few authorized domains are no longer used to send emails regularly.
Step 3: Create the SPF record
Follow the steps given below to create an SPF record:
- An SPF record should always start with the version number v=spf1 (version 1). This tag defines the record as SPF.
- Add all IP addresses that are authorized to send email on the domain’s behalf.
- For any third-party organization that sends emails on the domain’s behalf, you may use an ‘include’ tag, such as include:newdomain.com.
- End the record with an ‘all’ tag once all IP addresses and include tags have been added. The ‘all’ tag has the following basic forms:
- -all: Servers that aren’t listed in the SPF record are not authorized to send email, i.e., mail that fails the check will be rejected.
- ~all: If the email is received from a server that isn’t listed, the email will be marked as a soft fail, i.e., it will be accepted but flagged.
- +all: This option is not recommended, as it allows any server to send email from your domain.
Step 4: Add your SPF record to DNS
Work with the DNS server administrator to add the SPF records to DNS so that mailbox providers can use them.
Step 5: Test your SPF record
You can use an SPF check tool to test the record you created and see what your recipients see. If any of your valid sending IP addresses are missing, add them to the record.
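Steps 3 through 5 as working code, added here as an example that is not part of the original article: `BuildRecord` assembles a `v=spf1` record from the listed IPs, include tags and the chosen ‘all’ qualifier, and `CheckHost` plays the role of the check tool, evaluating a sending IP against the record the way a receiving server does (the `ip4`, `ip6`, `include` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers, which is a subset of RFC 7208). The `zone` map standing in for DNS TXT lookups, the domain names and the IP addresses are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is the SPF outcome a receiving server produces for one sending IP.
type Result string

const (
	Pass     Result = "pass"
	Fail     Result = "fail"
	SoftFail Result = "softfail"
	Neutral  Result = "neutral"
	None     Result = "none"
	PermErr  Result = "permerror"
)

// zone stands in for DNS TXT lookups; constructed for this example.
type zone map[string]string

// BuildRecord follows the article's steps: version tag, authorized IPs,
// include tags for third parties, then the terminal all mechanism.
func BuildRecord(ips []string, includes []string, allQualifier string) string {
	parts := []string{"v=spf1"}
	for _, ip := range ips {
		if strings.Contains(ip, ":") {
			parts = append(parts, "ip6:"+ip)
		} else {
			parts = append(parts, "ip4:"+ip)
		}
	}
	for _, inc := range includes {
		parts = append(parts, "include:"+inc)
	}
	parts = append(parts, allQualifier+"all")
	return strings.Join(parts, " ")
}

// qualifierResult maps a mechanism's prefix to the result it yields on match.
func qualifierResult(q byte) Result {
	switch q {
	case '-':
		return Fail
	case '~':
		return SoftFail
	case '?':
		return Neutral
	default:
		return Pass
	}
}

// ipMatches checks an IP against an ip4:/ip6: argument (single address or CIDR).
func ipMatches(ip net.IP, arg string) bool {
	if strings.Contains(arg, "/") {
		_, cidr, err := net.ParseCIDR(arg)
		return err == nil && cidr.Contains(ip)
	}
	other := net.ParseIP(arg)
	return other != nil && other.Equal(ip)
}

// CheckHost evaluates the sending IP against the domain's SPF record, walking
// mechanisms left to right and stopping at the first match. depth bounds
// include recursion so a looping set of records cannot run forever.
func CheckHost(dns zone, domain string, ip net.IP, depth int) Result {
	if depth > 10 {
		return PermErr
	}
	record, ok := dns[domain]
	if !ok {
		return None
	}
	terms := strings.Fields(record)
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return None
	}
	for _, term := range terms[1:] {
		q := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			q, term = term[0], term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		switch name {
		case "all":
			return qualifierResult(q)
		case "ip4", "ip6":
			if ipMatches(ip, arg) {
				return qualifierResult(q)
			}
		case "include":
			// include matches only when the included domain's record passes;
			// a missing or broken included record is a permanent error.
			switch CheckHost(dns, arg, ip, depth+1) {
			case Pass:
				return qualifierResult(q)
			case PermErr, None:
				return PermErr
			}
		default:
			return PermErr // mechanism not supported by this example
		}
	}
	return Neutral // no mechanism matched and no all mechanism present
}

func main() {
	dns := zone{
		"example.com":        BuildRecord([]string{"192.0.2.10", "198.51.100.0/24"}, []string{"mailer.example.net"}, "-"),
		"mailer.example.net": "v=spf1 ip4:203.0.113.5 ~all",
	}
	fmt.Println(dns["example.com"])
	for _, ip := range []string{"192.0.2.10", "198.51.100.77", "203.0.113.5", "203.0.113.9"} {
		fmt.Printf("%-15s %s\n", ip, CheckHost(dns, "example.com", net.ParseIP(ip), 0))
	}
}
```

The last address in `main` is the one to watch: it is not in the domain's own list and the included third party only soft-fails it, so the walk reaches `-all` and the result is a hard fail; with `~all` as the terminal mechanism the same address would be accepted but flagged.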
After you’ve implemented SPF and DKIM, it is recommended to implement DMARC the right way, in alignment with them, to strengthen your email communication. Together these protocols prevent elaborate, coordinated phishing attacks, saving you millions of dollars.