Learn about DMARC, DKIM and SPF
DMARC, DKIM and SPF are not expensive products. They are standards set by the Internet Engineering Task Force, and so you can use them to your advantage for free. The starting point for how they work together to improve email is the Domain Name System, the same public place where you keep all the information on how people can find your website (www.example.com) or your mailserver (e.g. imap.example.org). It provides a consolidated source of truth about your domain. You could see the DNS as a very simple database: you ask it a question about something.example.org, and it comes back with an IP address, or a short string of text. It is a cascading system that unravels its secret from right to left: from the root of the internet it delegates to .org, .com, .eu, etc. Each of those top-level domains (or TLDs) is managed independently. The organisation running .org in turn delegates responsibility for secondary domains (e.g. example.org), for most TLDs via so-called registrars, to registrants, the domain name holders. In other words: you.
As the owner of example.org you can publish whatever you want underneath your part of the tree. These are so-called DNS records. So you can create a record something.like.this.under.example.org if you wanted, and put a short bit of text or an IP address there which any computer connected to the internet knows how to request. There are different kinds of records, so that software can ask simple questions without getting confusing answers.
So if your browser wants to know at which IP address https://example.com lives, it asks for a different record (‘A’ and ‘AAAA’ for IPv4 and IPv6 addresses respectively) than an email server would if it wanted to deliver an email for you@example.com (email needs the so-called MX record, short for ‘Mail Exchange’). DNS records can be digitally signed (DNSSEC), so you can check whether they have been tampered with or not.
SPF, DKIM and DMARC are just three specialised DNS records, intended to be used by email software from others to vet incoming email from you.
The three standards work in tandem. In layman’s terms:
- SPF is the simplest: it is just an inventory of every legitimate server you use yourself to send email. This is a one-time setup and if you don’t add any new servers, you never need to touch it again.
Technically SPF whitelists the IP addresses of servers that are allowed to deliver email bearing your domain name (receivers check the connecting server’s IP against this list for the domain in the envelope sender address).
- DKIM involves a bit more work, because announcing the public key with which you sign emails obviously needs to be followed up by actually signing the emails. You have to use either an email server that does this, or install a plug-in or extension.
Technically a DKIM record announces the public key used to add a header with a digital signature to all your emails.
- DMARC is where both come together: it lets you describe what recipients should do in case an email from you fails either check, in a way that can be automated, so that the world doesn’t have to second-guess. They return the favour by letting you know what they did, so that you know if you have delivery problems.
Technically, DMARC sets a policy on how you want all email claiming to come from you to be treated, and tells people where to send reports to.
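As an added example that is not part of the original article, the script below shows what a receiving mail server actually does with the three records: it evaluates an SPF record against the IP address of the connecting server, checks that a DKIM record advertises a public key, and applies the DMARC policy (and finds the reporting address) when both checks fail. The TXT records are constructed for a hypothetical example.org and the DKIM key is a placeholder; the SPF evaluator handles only the ip4, ip6 and all mechanisms, since include, a, mx and redirect would need live DNS lookups.

```python
"""Toy evaluator for SPF, DKIM and DMARC DNS records (added example)."""
import ipaddress

# Constructed sample TXT records for a hypothetical domain. The DKIM
# public key is a placeholder string, not a real key.
SAMPLE_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "mail._domainkey.example.org": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org; pct=100",
}

# SPF qualifier characters and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record, sender_ip):
    """Evaluate an SPF record against the IP of the connecting server.

    Only ip4, ip6 and all are supported; other mechanisms need further
    DNS lookups and raise ValueError here. With no match and no 'all'
    the result is 'neutral', as the SPF specification prescribes.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"unsupported SPF mechanism: {name}")
    return "neutral"


def dkim_key_ok(record):
    """True if a DKIM record advertises a (non-revoked) public key."""
    tags = parse_tags(record)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


def dmarc_disposition(record, spf_result, dkim_pass):
    """Apply the DMARC policy: deliver normally if either check passed,
    otherwise return the p= policy (none, quarantine or reject).
    Identifier alignment is assumed for simplicity."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable policy published
    if spf_result == "pass" or dkim_pass:
        return "deliver"
    return tags.get("p", "none")


def report_address(record):
    """Where aggregate reports go according to the DMARC rua= tag."""
    return parse_tags(record).get("rua")


if __name__ == "__main__":
    spf = SAMPLE_TXT["example.org"]
    dkim = SAMPLE_TXT["mail._domainkey.example.org"]
    dmarc = SAMPLE_TXT["_dmarc.example.org"]
    for sender in ("192.0.2.10", "2001:db8::1", "198.51.100.5"):
        result = check_spf(spf, sender)
        print(sender, "SPF:", result, "DMARC:", dmarc_disposition(dmarc, result, False))
    print("DKIM key present:", dkim_key_ok(dkim))
    print("reports go to:", report_address(dmarc))
```

Running it shows the listed addresses passing SPF and being delivered, while the unlisted 198.51.100.5 gets softfail and, lacking a valid DKIM signature, ends up quarantined under the p=quarantine policy; the reports about that go to the rua= address.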