Tutorial to understand SPF, DKIM and DMARC

Written by smtpcart

March 4, 2020

If you work in email marketing, you have heard of DMARC, DKIM, and SPF. This soup of acronyms is essential but often confusing. In the following summary, we explain what DMARC is, why it is important, how to set up your record, and then share a few tips.

What does DMARC mean?

DMARC is a standard that makes it easier to tell whether a message that claims to come from your domain is legitimate or not. In simple terms, DMARC is like checking the credentials of your email.

A DMARC record ensures that legitimate email authenticates correctly against established standards, and that fraudulent messages purporting to come from domains under the organization’s control (your current sending domains, non-sending domains, and any fully registered domains) are blocked. Two notable benefits of DMARC are domain alignment and reporting.

The alignment feature blocks spoofing of the “header from” address by:

  1. matching the “header from” domain against the “mail from” domain used during the SPF check, and
  2. matching the “header from” domain against the “d=” domain in the DKIM signature.

Why is DMARC so necessary?

Implementing DMARC is the best way to protect your customers, business, and employees from phishing and spoofing attacks. The Federal Bureau of Investigation recorded just over 22,000 of these incidents, including US-based companies, from October 2013 to December 2016, with losses approximating $1.6 billion. That is about $500 million scammed each year, and the dollar amounts involved climbed sharply, up 2370% between 2015 and 2016. Moreover, that is just the published cases.

This solution can also improve how your emails look to subscribers. DMARC can help mailbox providers enable pictures and other elements, such as the “from” profile image for Gmail users.

Incidentally, the Federal Trade Commission found that less than 10 percent of top online US businesses use DMARC’s “reject” policy, the most powerful tool available for blocking unauthenticated email automatically. The study concluded that companies that want to stop phishing and protect their brands should implement DMARC.

How can I set up the DMARC record?

While the implementation process can get complicated, establishing your record does not have to be. Follow the steps below to create your DMARC record correctly. It should take about 15 minutes or less.

A. Implement DKIM

Contact any third parties that send email on your behalf (and therefore need to sign it too) to make sure they support DKIM signing. Some organizations will have separate keys (selectors) for different organizational systems, so you will have to work with your IT and security departments to complete the following checklist:

  • Identify all domains that you send from, plus subdomains
  • Generate DKIM keys and set up a signing profile for each domain
  • Give the relevant private keys to any third parties
  • Publish all public keys in the right DNS zones
  • Verify that the third parties are ready to start signing
  • Tell the third parties to start
  • Enable DKIM signing in the RELAYED Mail Flow Policy

B. Implement SPF

Correctly implementing SPF will be the most time-consuming and cumbersome part of any email authentication implementation. Because email has historically been straightforward to use, and loosely managed and open from a security and access point of view, companies did not enforce strict policies about who could use it and how. As a result, most organizations do not have a complete picture of all their different email sources, both internal and external. The single biggest issue when implementing SPF is discovering who is currently legitimately sending email on your behalf.

Things to look for:

  • Obvious sources: Exchange or other groupware servers, and outgoing mail gateways
  • DLP solutions or other email processing systems that may generate outbound messages
  • CRM systems that send communications to customers
  • Third-party applications that may send email
  • Lab, test, or other servers that may send email
  • Computers and other machines configured to send external email directly

The above list is incomplete, as every company’s situation is different, so use it as a general guideline. Once you have identified your email sources, you will probably need to take a step back and clean up the list.

Your outgoing mail gateways should deliver all of your outgoing email, with a few justified exceptions.

If you use a proprietary or third-party solution, its infrastructure should be independent of your production email gateways. If your mail delivery network is very complicated, you should still document SPF’s current state, but do take the time to clean it up promptly. If you serve more than one domain over the same infrastructure, you will probably want to create a single SPF record and reference it from each individual domain using the “include” mechanism.
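The shared-record layout described above, as an added example that is not part of smtpcart’s post: two domains reference one common record with “include”, and a small walker follows the include chain the way a receiver would, flattening the authorized networks and counting the DNS-querying terms against the limit of 10 from RFC 7208. The DNS_TXT table is constructed stand-in data, not live DNS.

```python
# Constructed DNS TXT data standing in for live lookups (example values, not real zones).
DNS_TXT = {
    "example.com":       "v=spf1 include:_spf.example.com -all",
    "shop.example.com":  "v=spf1 include:_spf.example.com -all",
    "_spf.example.com":  "v=spf1 ip4:203.0.113.0/24 mx include:_spf.esp.example -all",
    "_spf.esp.example":  "v=spf1 ip4:198.51.100.0/24 a:mta.esp.example ~all",
}

# Terms that cost a DNS query; RFC 7208 section 4.6.4 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def parse_term(term):
    """Split one SPF term into (name, target): 'include:x' -> ('include', 'x'),
    'redirect=x' -> ('redirect', 'x'), '-all' -> ('all', ''). Qualifiers are dropped."""
    term = term.lstrip("+-~?")
    sep = "=" if "=" in term.split(":", 1)[0] else ":"
    name, _, target = term.partition(sep)
    return name.lower(), target

def spf_record(domain, dns):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    txt = dns.get(domain.lower())
    return txt if txt and txt.lower().startswith("v=spf1") else None

def walk(domain, dns, _seen=None):
    """Yield every (name, target) term reachable from the domain's record,
    following include: and redirect= and visiting each domain once (loop guard)."""
    seen = set() if _seen is None else _seen
    if domain in seen:
        return
    seen.add(domain)
    record = spf_record(domain, dns)
    if record is None:
        return
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        name, target = parse_term(term)
        yield name, target
        if name in ("include", "redirect"):
            yield from walk(target, dns, seen)

def lookup_count(domain, dns=DNS_TXT):
    """Number of DNS-querying terms a receiver would evaluate for this domain."""
    return sum(1 for name, _ in walk(domain, dns) if name in LOOKUP_TERMS)

def authorized_networks(domain, dns=DNS_TXT):
    """Every ip4:/ip6: network the domain ends up authorizing, includes flattened."""
    return [target for name, target in walk(domain, dns) if name in ("ip4", "ip6")]

def within_lookup_limit(domain, dns=DNS_TXT):
    return lookup_count(domain, dns) <= MAX_LOOKUPS
```

Running authorized_networks over your own domains gives the inventory of “who may send on our behalf” that the checklist above asks for, and lookup_count shows how much of the 10-lookup budget the include chain already consumes.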

C. Verify domain alignment

Start by examining the headers of the emails you are sending. Then identify the domain or subdomain listed in the following places:

  • Envelope From (i.e., Return-Path or Mail From)
  • “Friendly” From (i.e., “Header” From)
  • d= domain in the DKIM-Signature

When your domain names are aligned, you protect your business from being impersonated by unknown parties for various purposes.

If your domain names are not aligned, you can still proceed to create your DMARC record.
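The alignment check from the “Meaning of DMARC” section and the header inspection described in step C, worked through as an added example (not code from smtpcart’s post): the three identifiers are pulled from a constructed header block, then compared under relaxed and strict alignment. The organizational-domain helper is a simplification that keeps the last two labels; real receivers consult the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed headers of an outgoing newsletter (example values, not a real capture).
SAMPLE_HEADERS = """\
Return-Path: <bounces@mail.example.com>
From: "Example Shop" <news@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news2020; h=from:to:subject; bh=BODYHASH; b=SIGNATURE
Subject: March newsletter
"""

def identifiers_from_headers(raw):
    """Pull the three DMARC identifiers out of a header block:
    envelope From (Return-Path), header From, and the DKIM d= domain."""
    msg = email.message_from_string(raw)
    mail_from = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    header_from = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    d_tag = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return {"mail_from": mail_from or None,
            "header_from": header_from or None,
            "dkim_d": d_tag.group(1) if d_tag else None}

def org_domain(domain):
    """Organizational domain. Simplified here to the last two labels; real
    receivers use the Public Suffix List, so 'example.co.uk' needs that list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    """Identifier alignment: strict ('s') requires an exact match,
    relaxed ('r', the DMARC default) the same organizational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

def dmarc_evaluate(header_from, mail_from=None, spf_result="none",
                   dkim_d=None, dkim_result="none", aspf="r", adkim="r"):
    """DMARC passes when at least one authenticated identifier (SPF Mail From or
    DKIM d=) both passed its own check and aligns with the header From domain."""
    spf_ok = spf_result == "pass" and bool(mail_from) and aligned(header_from, mail_from, aspf)
    dkim_ok = dkim_result == "pass" and bool(dkim_d) and aligned(header_from, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

A message whose SPF and DKIM both pass for some unrelated domain still fails DMARC here, because neither identifier aligns with the header From; that is the property that stops a look-alike sender from borrowing your display domain.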

D. Identify email accounts to receive DMARC reports

With DMARC, you will receive reports daily. Select the email account(s) where you want to receive them. You will probably want to use two separate accounts, as you can get overwhelmed with the details!

You should also arrange DNS access to help you with this change. Reaching out to your IT department, security team, or even your ESP should work; updates like this usually sit behind a simple login. If you need to check what your current setup is, use a DMARC lookup tool. We prefer this one from Proofpoint, which does not require a login and gives you a key to what your tags mean – but more on that later.

Reports can be difficult to parse because you receive them in a raw format.

E. The meaning of DMARC tags

DMARC tags are the language of the DMARC standard. They tell the recipient (1) to check for DMARC and (2) what to do with messages that fail DMARC authentication.

Many DMARC tags are available, but you do not have to use all of them; you may want to keep it simple! Using Proofpoint’s lookup tool, you can see which tags your record currently has and what the others mean.
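What a lookup tool does with those tags, as an added example rather than code from smtpcart or Proofpoint: parse_dmarc splits a TXT record into its tags and fills in the RFC 7489 defaults (sp inherits p, relaxed alignment, pct=100), and review lists the weaknesses a domain owner would want fixed, such as the monitor-only p=none policy the FTC study warned about. The WEAK and STRONG records are constructed samples.

```python
# Tag defaults from RFC 7489 that apply when a record omits the tag.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rua": None, "ruf": None, "sp": None}
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, filling in defaults.
    Raises ValueError when a receiver would ignore the record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= tag missing or not none/quarantine/reject")
    policy = {**DEFAULTS, **tags}
    policy["p"] = policy["p"].lower()
    policy["sp"] = (policy["sp"] or policy["p"]).lower()   # subdomain policy inherits p=
    policy["pct"] = int(policy["pct"])
    return policy

def review(policy):
    """Findings a domain owner should act on before calling the record finished."""
    findings = []
    if policy["p"] == "none":
        findings.append("p=none: monitor-only, failing mail is still delivered")
    if policy["sp"] == "none" and policy["p"] != "none":
        findings.append("sp=none: subdomains are left unprotected")
    if policy["pct"] < 100:
        findings.append(f"pct={policy['pct']}: policy applies to only part of failing mail")
    if not policy["rua"]:
        findings.append("rua missing: no aggregate reports, so no visibility into senders")
    return findings

# Constructed records: a first-day monitoring record and an enforcing one.
WEAK = "v=DMARC1; p=none"
STRONG = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")
```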

F. Generate your DMARC record

Do you need to change something in your records? You will probably rely on your DNS administrator to make a quick update, or generate a new TXT record to copy and paste into each of your domains. Due to the complexity of the process (and the possible issues that can occur), we prefer to use this tool from Proofpoint. There are several DMARC record generators out there, so please choose the one that you trust.

G. Implement your DMARC record (if needed)

Work with your DNS administrator to add your DMARC records to DNS and start monitoring your chosen domain. After you copy and paste the required records into each sending domain, you will start receiving daily updates on your entire email system, including who is sending email on your behalf, which emails are getting delivered, and which are failing.
