Authenticating Email Using SPF, DKIM & DMARC

Businesses today still rely heavily on email for communication, collaboration, and outreach. According to one study, the average business user sends and receives 121 emails daily. This makes email a top target for threat actors, with 91% of all cyberattacks starting with a phishing email.  To mitigate risk and enable secure email at scale, businesses must use secure email authentication protocols, including the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-Based Message Authentication Reporting and Conformance (DMARC). These authentication mechanisms make it easier to detect email fraud and prevent harmful messages from reaching end users and impacting operations. Let’s explore each authentication method, how to set them up, and some additional best practices for managing email security.

SPF is an email authentication protocol that enables organizations to specify which email servers can send emails on behalf of their domains. By configuring an SPF, organizations can prevent threat actors from sending emails that appear to come from the company itself and using those messages to spam or dupe end users.

How an SPF record works

Setting up an SPF requires organizations to attach an SPF record to the Domain Name System (DNS). This creates a secure email exchange by letting a recipient email server know that the incoming message originates from an authorized IP address within your organization. Security administrators often use SPF records to detect incoming phishing emails and prevent them from penetrating the organization.

Is it hard to create an SPF record?  

Setting up an SPF record should be relatively straightforward for most IT teams. Some  preliminary information gathering and a brief setup process is required. However, the most important part is entering the right information and ensuring the SPF is correctly configured.

Pros and cons of SPFs

With an SPF in place, your business can prevent threat actors from creating harmful messages and using your company’s property to infect other organizations. At the same time, SPF filtering can help ensure that all incoming emails originate from the right domain, helping organizations avoid costly cybersecurity breaches. Further, SPF policies can also increase an organization’s domain reputation score, making it more likely that emails end up in the recipient’s inbox.   However, SPF doesn’t work with forwarded emails; if someone forwards an email from your domain, their IP address will not appear on your SPF record. As a result, that email could fail to pass authentication and wind up in a spam folder. In addition, SPF records can be time-consuming and challenging to maintain. Organizations need to update these records any time they change their IP address or onboard a new third-party vendor that will send emails from the company’s domain. 

DKIM is another common email authentication technique that prevents harmful messages from passing through to users. This strategy enables users to ensure that an incoming message  originates from an authorized domain. 

How does DKIM secure an email exchange?

DKIM is an authentication strategy that uses cryptographic authentication to digitally sign an email message. In turn, email providers can verify that the message originates from the organization that appears to be sending it. Here’s how it works: An administrator uses a private key to encrypt the header in an outbound email. The receiving server then deploys a public key, which sits inside a DKIM record, to decode the message and verify its sender. To access a DKIM record, an email server must query the domain’s DNS records.

Is it difficult to implement a DKIM record?

To implement DKIM, organizations must go through a brief qualification process. For example, you need to verify whether your domain provider supports a 1024- or 2048-bit DKIM key. It’s also necessary to check outbound gateway settings and determine whether there’s an existing DKIM key for the domain in question. 

Pros and cons of DKIM

DKIM creates a secure email exchange between two parties and prevents important messages from winding up as spam. DKIM also helps detect potentially malicious messages, reducing the chances an impersonator attacks anyone on the organization's email list. The main disadvantage to using DKIM is that it only requires signing a specific part of a message, which makes it vulnerable to replay attacks. As a result, someone can insert additional fields and forward the message, and the signature will still match. 

SPF and DKIM have shortcomings that make them vulnerable to security and performance issues. DMARC combines SPF and DKIM, providing a more complete email authentication service to protect against spoofing, spam, and phishing.  With DMARC, a business publishes a policy known as a DMARC record that defines email authentication practices. The record provides specific instructions to incoming mail servers to enforce its rules.

Passing vs. aligning in DMARC

When using DMARC, the domain for a passing DKIM or SPF must correlate with the domain of the message’s “from” header within the body of the email. In order to receive DMARC authentication, the emails need to align with each other. If there’s a mismatch, DMARC will fail to authenticate the message, and the email will fail or receive a spam flag. 

Three DMARC policies to know about

There are three DMARC policy options to select from:

1. The “none” policy informs a recipient’s email provider to avoid taking action if an email fails a DMARC inspection.

2. The “quarantine” policy involves placing questionable messages into custom folders for further inspection. 

3. The “reject” policy instructs the provider to automatically block an email that can’t pass a DMARC inspection. 

DMARC pros and cons

DMARC can reduce authentication errors while supporting flexibility and customization. This mechanism makes it much harder for threat actors to launch successful email phishing campaigns.  The main drawback of DMARC is that it often creates false positives that send legitimate messages to spam. This often stems from configuration errors in SPF and DKIM systems. For this reason, it's essential to take your time when setting up SPF and DKIM mechanisms and review your systems and policies regularly.  

The key takeaway 

As threat actors continue to monetize cyber crime, email remains vulnerable to spoofing and phishing. However, SPF, DKIM, and DMARC are available to enhance the security of email systems. Even Google recommends all Workspace administrators use SPF, DKIM, and DMARC to fortify Gmail.

To avoid configuration errors, consult with IT administrators setting up SPF, DKIM, and DMARC authentication. Once IT is on board, follow these basic guidelines to set up each mechanism.

SPF setup 

1. Gather preliminary information

To generate an SPF record, you’ll need some supporting details. Check if your business has an existing SPF record for its custom domain. It’s also necessary to collect any external IP addresses your business uses and domain names for all third-party vendors.

2. Create or update your SPF record

The next step is updating your SPF record or creating one from scratch. For a detailed breakdown, check out Microsoft’s instructions for creating or updating an SPF record.

3. Publish the SPF to DNS

Once you have an SPF record, publish it to DNS. This way, mailbox providers can reference the record and authenticate incoming messages. You may need to consult with your internet service provider to accomplish this.

4. Test the SPF record

The final step is to test the SPF record to ensure it’s accurate and free of any errors that could impact authentication. 

DKIM setup

1. Collect preliminary data 

Again, you’ll need to collect preliminary information. First, sign in to your domain service and determine if the provider supports 2048-bit DKIM keys. Review your outbound gateway settings and see if you have a DKIM key for the domain before moving forward. 

2. Turn on DKIM

The next step is to activate DKIM for your domain. To do this, take your DKIM key from the admin console and add the key to your domain provider. Once complete, turn on DKIM and verify it's active.

3. Test the DKIM Service 

The final step is to verify that DKIM is functioning correctly and that legitimate messages can pass DKIM authentication.

DMARC setup

1. Identify valid mail sources

If you’re setting up DMARC for the first time, you must determine which IP addresses send messages from your domain and any third parties that send messages on your behalf. 

2. Set up SPF and DKIM

Next, go through the above steps to set up and activate SPF and DKIM. As a reminder, DMARC requires SPF and DKIM to function.

3. Create a DMARC record

The final step is to form a DMARC record for your domain. For the best results, set up policies that govern how external mail systems handle messages that fail DMARC. 

In addition to enhancing your email with SPF, DKIM, and DMARC, there are several additional steps organizations can take to keep corporate email secure. 

Monitor for spoofed domains

Threat actors often set up or spoof domains similar to a company's email domain and then activate a domain's MX record to launch a spear phishing attack. Monitor for similar domains with active MX records; this can prevent threat actors from launching targeted attacks to steal data and funds.

Enforce a strong authentication policy

Email accounts typically contain a trove of sensitive information. Consider creating a reliable authentication policy that requires employees to create and use strong passwords, change them regularly, and sign out of sessions when they aren’t in use. Use tools like multi-factor authentication (MFA) and single sign-on (SSO) for access control.

Consider security training

The cyber threat landscape is constantly changing, with threat actors adjusting their tactics and techniques to evade defenses. This makes information sharing between security teams and employees critical. One of the best ways to do this is to set up ongoing security education and training. Forming an incident response plan can also help to remediate issues faster and improve communication after a breach.

Protect your business from phishing

Take steps to prevent phishing from causing damage. In addition to SPF, DKIM, and DMARC, some common anti-phishing strategies include setting up network-based domain reputation filtering, using MFA, and deploying anti-phishing software. 

Be wary of public networks

Employees should avoid checking email on public WiFi (e.g., airports and coffee shops). These networks are often highly insecure and may be monitored by hackers seeking to capture sensitive data in transit. Instead, use secure communications channels such as virtual private networks (VPNs) to facilitate secure access to business data

Look into cyber insurance

It's unrealistic to think you can successfully block all attackers trying to gain access to your network. Eventually, an attacker will breach your defenses, leading to a costly cyber incident. Luckily, the right cyber insurance policy can offer protection and help your business survive a devastating attack.