SPF, DKIM and DMARC are essential components for protecting your company’s email environment.

Among other things, they help protect against the imitation (or spoofing) of your domains, and therefore protect your customers and providers from phishing, spear-phishing or business email compromise (BEC) attacks that would impersonate your company.

If these three elements are set up correctly, they will authenticate and ensure the legitimacy of an email and its sender.

But in detail, what are SPF, DKIM and DMARC, and, importantly, how can you set them up?

In order to answer this and help you protect your company, Mantra’s IT Security teams have prepared this article.

What are SPF, DKIM and DMARC?

It can be hard to track all these acronyms. No worries though, here’s a quick recap:

  • SPF: Sender Policy Framework. It is a way to validate that the sender of an email is legitimately allowed to use the domain name of the mail server they use (by checking that the sender’s IP address is in the list of authorized IP addresses published by that domain). It prevents people from spoofing domain names by letting a company specify who is allowed to send email with its domain name. For example, it validates that if I receive an email from company.io, the email really comes from that firm.
  • DKIM: DomainKeys Identified Mail. It is a cryptographic signature of the email that validates that it has not been tampered with between the moment it was sent and the moment it was received. It validates that my company.io email was not modified after it was sent and that the email was signed by company.io, since the DKIM key is associated with the domain name.
  • DMARC: Domain-based Message Authentication, Reporting and Conformance. It is a protocol that verifies that the domain name in the email’s From header is the same as the one validated by the SPF and DKIM checks. It also specifies how emails that have failed SPF and DKIM verification should be treated: whether they should be treated as spam, blocked, sent to a specific folder…

To summarize, the SPF, DKIM and DMARC trifecta protects your domain name and its use in emails: this prevents hackers from using your domain (and your company’s reputation) to communicate with other parties.

Why should you set up SPF, DKIM and DMARC?

Why are they important?

In 2021, 2 out of 3 Fortune 500 companies didn’t have DMARC set up. What risk does this pose, and why should you set up SPF, DMARC and DKIM?

  • Avoiding spam: emails from your company are more likely to land in a recipient’s spam folder if SPF, DKIM and DMARC are not set up.
  • Identity usurpation: SPF specifies who (which servers) is allowed to send emails with your company’s domain name, and DKIM protects against alteration of an email and spoofing of a domain name. Taken together with DMARC, this prevents hackers from using your domain name to send emails that would appear to come from your company.
  • Business Email Compromise: this is a more specific type of attack in which (in most cases) a hacker tries to secure the payment of a fake invoice by impersonating a supplier. Here too, SPF, DKIM and DMARC make identity usurpation harder.

Protecting your company’s domain name with SPF, DKIM and DMARC therefore means helping to protect your customers, suppliers and other companies from cyberattacks that would seek to capitalize on the credibility and reputation of your company.

Why is it important not to forget DMARC?

SPF is tied to the sender on the email’s envelope and DKIM to the domain declared in the signature. Neither is necessarily the same as the sender shown in the email’s From field.

DMARC checks that the domain in the From field shown to the reader matches the domain validated by the SPF or DKIM check.

It would therefore be possible to register a malicious.com domain with valid SPF and DKIM and to send an email whose From field names a different domain such as example.io.

Without DMARC, this mail would pass: the SPF and DKIM tests would check the policies of malicious.com (the envelope sender) and find them satisfied.

Only DMARC would notice that example.io is different from the domain of the SPF and DKIM policies, and therefore that something is off.
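To make the alignment point concrete, here is a small Python model of the receiving side, added as an example (it is not Mantra’s code nor any real mail filter). The domains, authentication results and the DMARC policy are constructed; relaxed alignment is approximated by comparing the last two labels of each domain, where real receivers consult the Public Suffix List.

```python
"""Toy DMARC alignment check, added as an illustration; not Mantra's code nor
a real mail filter. Domains, results and the policy are constructed."""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real receivers use the Public Suffix List (co.uk etc.); this is a toy."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. Strict ("s") needs an exact match; relaxed
    ("r", the default) accepts any domain with the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str             # domain of the visible From: header
    envelope_from: str           # envelope sender domain SPF was checked against
    spf_result: str              # "pass", "fail", "softfail", "none", ...
    dkim_domain: Optional[str]   # d= domain of the signature that verified
    dkim_result: str             # "pass", "fail", "none"


def dmarc_evaluate(msg: AuthResults, policy: Optional[dict]) -> dict:
    """Decide the DMARC outcome. `policy` is the parsed DMARC record of the
    From: domain, or None when that domain publishes none (the "without DMARC"
    case). Only p, aspf and adkim are modelled; sp and pct are ignored."""
    tags = policy or {}
    spf_ok = msg.spf_result == "pass"
    dkim_ok = msg.dkim_result == "pass" and msg.dkim_domain is not None
    # SPF and DKIM on their own only say "some domain authenticated this";
    # alignment is what ties that domain back to the From: header.
    spf_aligned = spf_ok and aligned(msg.header_from, msg.envelope_from, tags.get("aspf", "r"))
    dkim_aligned = dkim_ok and aligned(msg.header_from, msg.dkim_domain or "", tags.get("adkim", "r"))
    out = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if policy is None:
        out.update(dmarc="none", disposition="deliver")   # nothing asks for alignment
    elif spf_aligned or dkim_aligned:
        out.update(dmarc="pass", disposition="deliver")
    else:
        p = tags.get("p", "none")
        out.update(dmarc="fail", disposition="deliver" if p == "none" else p)
    return out


# Constructed scenario from the text: the attacker owns malicious.com, whose
# SPF and DKIM both pass, but writes example.io in the From: header.
SPOOFED = AuthResults("example.io", "malicious.com", "pass", "malicious.com", "pass")
# A genuine message from example.io, signed and sent from the same domain.
LEGIT = AuthResults("example.io", "example.io", "pass", "example.io", "pass")
# Constructed DMARC record of example.io, already split into tags.
EXAMPLE_IO_POLICY = {"v": "DMARC1", "p": "quarantine"}


def spoof_without_dmarc() -> dict:
    return dmarc_evaluate(SPOOFED, None)


def spoof_with_dmarc() -> dict:
    return dmarc_evaluate(SPOOFED, EXAMPLE_IO_POLICY)


if __name__ == "__main__":
    print("no DMARC record  :", spoof_without_dmarc())
    print("with p=quarantine:", spoof_with_dmarc())
    print("legitimate mail  :", dmarc_evaluate(LEGIT, EXAMPLE_IO_POLICY))
```

Without a DMARC record the spoofed message is simply delivered, because SPF and DKIM passed for malicious.com and no rule asks whether that domain has anything to do with example.io; with p=quarantine the same message is quarantined, while the legitimate one passes.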

Example of address impersonation

Without SPF, DKIM and DMARC, it’s therefore easy to spoof an email from a trusted company.

For example:

  • We were able to find a company that doesn’t have DMARC set up (Dassault-Aviation, a leading French aerospace manufacturer)
  • We found who the CEO is and what the standard email template looks like
  • We spoofed an Executive Committee email and sent it; it was delivered to our mailbox:

How can you set up SPF, DMARC and DKIM?

Want to check whether SPF, DKIM and DMARC are set up on your domain? There are quite a few tools out there, but MxToolbox is a good one: you can look up, for a domain name, whether SPF, DKIM and DMARC have been set up (https://mxtoolbox.com/).

And if they haven’t? Here’s a guide.

Setting up SPF

  1. Access your domain account on your domain host’s website (e.g. GoDaddy, Squarespace, OVHCloud…)
  2. Access the DNS Records page
  3. Create a TXT Record with the following values:

Name: @ or leave blank

TTL: 3600 or leave the default value

Value/answer/destination: enter v=spf1 include:_spf.google.com ~all (with no space after include:). Beware, this value only works if Google is your email provider; if not, check with your email provider which value to enter.

Then save and wait for it to take effect (this can take a few days).
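What a receiving server does with this record, as an added Python example (not Mantra’s code and not a real SPF library): it walks the mechanisms left to right, follows include: references, and applies the qualifier in front of all to anything that did not match. The DNS answers are an in-memory table so the code runs offline; the IP addresses and the Google records in it are constructed, not Google’s real netblocks. It also shows why a stray space after include: breaks the record.

```python
"""Minimal SPF evaluator, added as an illustration; not Mantra's code nor a
real SPF library. The DNS data is a constructed in-memory table."""
import ipaddress

# Constructed TXT records standing in for DNS answers (not real netblocks).
FAKE_DNS = {
    "company.io": "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    # the record from the text with a stray space after "include:"
    "broken.example": "v=spf1 include: _spf.google.com ~all",
    # a record that includes itself, to exercise the lookup limit
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(ip: str, domain: str, dns=FAKE_DNS, _budget=None) -> str:
    """Return the SPF result for a connection from `ip` claiming `domain`:
    pass, fail, softfail, neutral, none or permerror."""
    if _budget is None:
        _budget = [MAX_LOOKUPS]        # shared across nested includes
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                  # domain publishes no SPF record
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # "~all": softfail everything else
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network, and vice versa
            if sender in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"     # too many lookups (loops end up here)
            if not arg:
                return "permerror"     # "include: x": empty domain, syntax error
            sub = check_spf(ip, arg, dns, _budget)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":          # include matches only on "pass"
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, redirect... are not modelled here; an unknown
            # mechanism is a syntax error, which real checkers also report
            # as permerror
            return "permerror"
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "company.io"), ("198.51.100.7", "company.io"),
                    ("192.0.2.1", "company.io"), ("198.51.100.7", "broken.example")]:
        print(f"{ip:<14} {dom:<16} -> {check_spf(ip, dom)}")
```

Note that ~all yields softfail rather than fail for an unknown sender: on its own SPF only advises the receiver, and it is the DMARC policy that decides what actually happens to the message.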

Setting up DKIM

  1. Access your email provider’s admin interface (for example, in Gmail: Apps > G Suite > Gmail, then Authenticate email)
  2. Generate a DKIM key
  3. Access your domain account
  4. Create a TXT record with the DKIM key you just generated in the DNS Records of your domain host. As the name, use the name your email provider gave you, and as the value, the TXT value you generated
  5. Save and click “Start authenticating” (Google’s wording; it varies for other email providers)

Setting up DMARC

DMARC is a rule that tells receiving mail servers what to do with an email from your domain when the SPF and DKIM checks have not authenticated it. There are 3 options: none, quarantine or reject.

  1. Access your domain account
  2. Add the following TXT Record to your DNS Records

Name: _dmarc

Value: v=DMARC1; p=quarantine; rua=mailto:example@ex.com; ruf=mailto:example@ex.com; fo=s (an example you can reuse by replacing example@ex.com with an address that exists and belongs to you), where

  • v: mandatory value, do not change
  • p: failure policy (none, quarantine or reject)
  • rua: the email address that receives aggregate reports (statistics)
  • ruf: the email address that receives failure reports (each failure generates a report)
  • fo: determines when a failure report is sent (0 if both the SPF and DKIM checks fail; 1 if either SPF or DKIM fails; d for a report for each DKIM signature that fails verification and s for a report for each failed SPF check; several values can be combined with colons, e.g. fo=1:d:s)
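The DMARC record is a flat list of tag=value pairs separated by semicolons. The following Python, added here as an example (not Mantra’s code and not a complete RFC 7489 validator), parses such a record and flags the mistakes most often seen in practice: a policy word other than none, quarantine or reject, a bare address where a mailto: URI is expected, and fo options outside 0, 1, d and s. The sample records and addresses are constructed.

```python
"""Parse and sanity-check a DMARC TXT record. Added as an example; not
Mantra's code nor a full RFC 7489 validator. Sample records are constructed."""

VALID_POLICY = {"none", "quarantine", "reject"}
VALID_FO = {"0", "1", "d", "s"}
VALID_ALIGN = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are lower-cased."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    tags = parse_dmarc(record)
    # v=DMARC1 must be the first tag, not merely present somewhere
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")
    p = tags.get("p")
    if p is None:
        problems.append("p (policy) is mandatory")
    elif p not in VALID_POLICY:
        problems.append(f"p must be none, quarantine or reject, not {p!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICY:
        problems.append(f"sp (subdomain policy) invalid: {tags['sp']!r}")
    for tag in ("rua", "ruf"):
        if tag in tags:
            for uri in tags[tag].split(","):
                uri = uri.strip()
                if not uri.startswith("mailto:"):
                    problems.append(f"{tag} must list mailto: URIs, not {uri!r}")
    if "fo" in tags:
        bad = [v for v in tags["fo"].split(":") if v not in VALID_FO]
        if bad:
            problems.append(f"fo accepts 0, 1, d or s joined by ':', not {bad}")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in VALID_ALIGN:
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    return problems


# The template from the text, with a constructed reporting address.
TEMPLATE = "v=DMARC1; p=quarantine; rua=mailto:example@ex.com; ruf=mailto:example@ex.com; fo=s"
# Three common mistakes in one constructed record: an unknown policy word, a
# bare address instead of a mailto: URI, and "w", which is not an fo option.
BROKEN = "v=DMARC1; p=block; rua=example@ex.com; fo=sw"


if __name__ == "__main__":
    for rec in (TEMPLATE, BROKEN):
        print(rec)
        for problem in validate_dmarc(rec) or ["  looks sane"]:
            print("  -", problem)
```

Run it against the value you are about to paste into DNS; a typo in p or fo silently weakens the policy, since receivers ignore tags they cannot parse.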

Dealing with third parties

Once DMARC is set up, it will provide instructions to mail servers on how to deal with emails that pass (or fail) SPF/DKIM tests.

In order to be delivered, your emails therefore need to pass SPF and DKIM tests.

This works well, and is enough, for simple mailboxes like your Outlook or Gmail company mailboxes.

However, you may be using services (like Mailchimp, ticketing tools, customer service tools…) that send emails using your domain. You don’t want these emails to be blocked if they don’t have an SPF and DKIM signature!

  • The first step is to analyze the DMARC reports to see which emails pass or fail the tests. For this you can use tools like easyDMARC or DMARCian.
  • Then, you have to set up SPF and DKIM for each third-party tool. They will most likely have instructions on how to set these up in the admin interface of each tool.
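Aggregate (rua) reports arrive as XML, one record per sending source. The following Python, added as an example (not Mantra’s code and not easyDMARC or DMARCian), reads such a report and lists the sources that failed DMARC together with the raw SPF and DKIM domains the receiver saw, which is usually the fastest way to tell a legitimate third-party tool from a spoofer. The report, IP addresses, domains and counts are constructed in the RFC 7489 aggregate-report shape.

```python
"""Read a DMARC aggregate (rua) report and list the sending sources that fail.
Added as an example; not Mantra's code and not easyDMARC or DMARCian. The
report below is constructed: IP addresses, domains and counts are made up."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>company.io</domain><p>quarantine</p></policy_published>
  <record>
    <!-- our own mail provider: both checks pass and align -->
    <row>
      <source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.io</header_from></identifiers>
    <auth_results>
      <dkim><domain>company.io</domain><result>pass</result></dkim>
      <spf><domain>company.io</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- a mailing tool sending on our behalf: raw SPF passes for the tool's
         own bounce domain, but nothing aligns with company.io -->
    <row>
      <source_ip>203.0.113.55</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.io</header_from></identifiers>
    <auth_results><spf><domain>bounce.mailtool.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <!-- an unknown source using the domain outright -->
    <row>
      <source_ip>192.0.2.99</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.io</header_from></identifiers>
    <auth_results><spf><domain>company.io</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """One dict per <record>: who sent, how much, and how DMARC judged it."""
    root = ET.fromstring(xml_text.strip())
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": evaluated.findtext("dkim"),            # aligned DKIM result
            "spf": evaluated.findtext("spf"),              # aligned SPF result
            "disposition": evaluated.findtext("disposition"),
            # raw authentication domains: the quickest hint of which
            # third-party service a failing source actually is
            "spf_auth_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_auth_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return rows


def failing_sources(xml_text: str) -> list:
    """Sources whose mail failed DMARC (neither aligned check passed)."""
    return [r for r in summarize_report(xml_text)
            if r["dkim"] != "pass" and r["spf"] != "pass"]


if __name__ == "__main__":
    for r in failing_sources(SAMPLE_REPORT):
        print(f"{r['source_ip']:<15} {r['count']:>4} msgs  disposition={r['disposition']}"
              f"  spf_auth={r['spf_auth_domain']}")
```

In the constructed report, 203.0.113.55 passes raw SPF for bounce.mailtool.example: that is the signature of a tool sending on your behalf that still needs its own SPF include and DKIM key, whereas 192.0.2.99 authenticates nothing and is exactly the traffic the quarantine policy is there to stop.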

Conclusion

Will SPF, DKIM and DMARC prevent phishing? No, of course not.

It will still be possible to trick users with look-alike addresses. But they do prevent hackers from usurping the identity and reputation of a legitimate business.

SPF, DKIM and DMARC are therefore an important building block of a more cybersafe world.

However, users can still be fooled by look-alike domains (customer-amazon.com, Linkedln.com - the second i is in fact a lower-case L - or service-dashlane.com, for example), which are a serious threat because they are difficult to detect.

Indeed, it is easy to set up credible look-alike domains, while unprepared users receive so many emails that they do not pay enough attention to such details.