Since the early days of the internet, spam has been a persistent and chronic problem. Gary Thuerk of Digital Equipment Corp (DEC) sent the first unsolicited mass e-mailing (later dubbed SPAM) on May 1, 1978, advertising the VAX T-series to 400 of the then 2600 ARPAnet users.
The SMTP email protocol, which we still use today, evolved from these early ARPANET mail protocols (Postel RFC788 and RFC821) in the early 1980s, and has changed very little since then. The SMTP protocol has had little to no security built in since its introduction, and when used to send email, it offers little defense against spoofing of email addresses or servers. However, several new tools have recently been added to the email security arsenal to protect against these threats.
SPF, DKIM, and DMARC are all similar features for detecting spoofed or spam emails, but they vary slightly.
SPF (RFC 7208)
SPF (Sender Policy Framework) specifies a list of servers that are permitted to send email for a particular domain using a DNS entry. Its security is based on the fact that only authorized domain administrators have access to the DNS zone records for the domain.
DKIM (RFC 6376)
DKIM (DomainKeys Identified Mail) differs from SPF in that it verifies that the receiving server is allowed to send mail for the domain and that the quality of the mail has not changed since it was sent. Using DKIM keys stored in DNS and DKIM uses a public/private key signing mechanism.
The following steps are applied to the email process with DKIM:
- Sending servers create a signature with their DKIM private key and insert it into the email header (DKIM-Signature).
- Email recipients look up the DKIM public key in the sending domain’s DNS TXT record, which is then used to verify the DKIM-Signature attached to the email.
If the email body content is modified, the email signature will no longer match and validation will fail.
This process verifies that the email content has not been tampered with, as well as that the email was sent from a domain-approved server.
DMARC (RFC 7489)
DMARC (Domain-based Message Authentication, Reporting, and Conformance) incorporates elements of both SPF and DKIM by stating a simple DMARC policy that can be used in both tools, as well as allowing the domain administrator to set an address that can be used to submit information about forged mail message statistics gathered by receivers against the same domain, for example:
- Relative levels of spoofing of your domain(s).
- Who is spoofing email purporting to be from your domain?
Does that mean your spam problem is resolved?
In an ideal world, all email servers would use these techniques, and SPAM would be significantly reduced. However, since making a mistake in configuring the necessary DNS TXT records can result in the loss of important emails, some domain owners have been hesitant to implement the methods.
Despite this, major email domain owners such as Google, Microsoft, and Yahoo have implemented these approaches.
SPAM can still be transmitted via compromised accounts and servers, shared hosting email servers, and misconfigured servers, so multilevel email protection is the only way to ensure a clean and safe email feed.
How effective are DMARC, SPF, and DKIM?
These tools will undoubtedly have a significant effect on the fight against SPAM, and the more domains that use them, the better. However, caution should be exercised during DMARC implementation to ensure that all settings are right before going live. SPF, for example, allows you to set the changes in a test mode, which means that recipient domains will not block any mail that fails the test.
ProgIST believes in protecting both your and your clients’ email rights and privacy. ProDMARC helps you implement DMARC authentication to stop fraudsters from misusing your domain. Get Started with top-class cybersecurity solutions for your business at ProgIST.