11 April 2022

April 11 - Fighting spam with SPF, DKIM and DMARC


April weather over in Sweden - a couple of degrees and windy. Building a porch for my Dad.

Last week I talked about DNS - and I have also mentioned my Email-project even if I haven't done a deep-dive into it yet. Related to both of these are SPF and DKIM. 

SPF - stands for Sender Policy Framework - this is a policy you can set that will hinder spammers and scammers from sending email as you.

It is a short text string that you can add to the DNS for your domain. It has mainly three sections - the SPF version, the allowed IP ranges and what should happen when a sender does not match.

The IP ranges define which mail servers are allowed to send email for the domain. That should only be your email provider's domain. The policy, or what should happen, can be anything from do nothing to block. The stricter you set these rules, the less spam will be sent impersonating your domain.

This works by receiving email servers checking the SPF record before accepting an email - spam filters can also use this data and score messages that do not match higher when block is not set.

DKIM - stands for DomainKeys Identified Email - it is a lot like SPF but takes it a bit further.

With this standard you also enter a text record into your DNS. This time it contains a bit more information - but the important part is a public key. This should be a key generated by the sender domain's email server(s). When sending email, the email server signs the message using the private key, and the receiving email server can then use the public key in the DNS to verify that it was sent by an approved sender.

This is a bit more technical to set up than SPF and it also requires that the email server supports DKIM signing.

DMARC - stands for Domain-based Message Authentication, Reporting and Conformance - this is the glue that ties it all together. 

In DMARC - again a DNS text record - a policy can be defined for what should happen when a message breaks the SPF policy, or is missing a DKIM signature or has a false one. As an example, this can tell the receiving email servers to quarantine or block the message and also to report back to a specific email address.

I am using SPF and DKIM - I have not yet set up a DMARC policy - it is probably something I should do together with DNSSEC to improve my overall domain security. Are you using any of these techniques to stop spam and spoofing from your domain?

The most common reasons not to implement SPF or DKIM are not knowing that they exist, or the belief that it will be hard and risks legitimate email being rejected. Domains with a good SPF and DKIM setup have a better chance of passing spam filters since they are specifically configured to not allow uncontrolled senders. Do the internet a service and set it up on your domains today.

I hope you enjoyed today's episode of Martin Uncut.