SecuMail-Blog

Ward off phishing and spam with DMARC and Co.

SPF, DKIM and DMARC are increasingly used to secure mail domains. Secumail has mastered these techniques and gets the most out of them to improve its own filter performance for you as a customer. We would like to give you an overview of the technology here – without the details that your administrator ultimately has to deal with.

Where is the benefit?

SPF, DKIM and DMARC are all intended to authenticate mails correctly. They are necessary because the sender of an e-mail can in principle be freely set or forged. So anyone can compose an e-mail and pretend to be you, for example, by setting your e-mail address as the sender. In your case, this is certainly annoying, but it becomes dangerous if the sender is an address known to you, for example @sparkasse.de or bestellung@amazon.de. Such a forgery is an attempt to gain trust in order to persuade the recipient to take an action that is in the interest of the sender – usually to the detriment of the recipient.
Various standards have been created to retrofit the e-mail standard with mechanisms that automatically validate the sender. These are called DKIM, SPF, and DMARC. If a mail domain is equipped with all three mechanisms, then it can no longer be forged by strangers, provided that the spam filter in use knows exactly how to handle them.

SPF

The Sender Policy Framework (SPF) is used to verify the sender of a message. In the appropriate DNS entry, the owner of the mail domain xyz.de can state which mail servers a mail with the sender @xyz.de may come from. This is a first level of security that increases the authenticity of the mail. The receiving mail server can now request the SPF record in the DNS and thus determine whether the mail comes from an approved mail server.

But there is a catch: like real letters, e-mails also have an envelope (the technical term is likewise "envelope"). In your mail program, you typically see the address from the message header instead of the address on the envelope. The two can differ, just as with a real letter. SPF, however, only checks the address on the envelope.

SPF is therefore not complete protection against counterfeiting. A spammer can simply use an address on the envelope that does not have an SPF record in the DNS. In the e-mail, he then uses the address he wants to forge. A substantial gap, then.

DKIM

DomainKeys Identified Mail is used to secure the message header and the body of an email. In addition to the sender in the message header, other components such as subject and recipient can also be verified. Technically, this works with signatures that can be verified with the help of an entry in the DNS. If the signature is incorrect, the mail can be recognized as forged without hesitation. So, you can use a DKIM signature check to ensure that the data displayed is correct.

But DKIM also has a loophole: there is no way to specify whether all messages from the sender addresses @xyz.de must be signed. A spammer can therefore simply send his messages without a signature and thus bypass DKIM in the easiest way.

DMARC

Since SPF and DKIM each have gaps on their own, a correction had to be made. Domain-based Message Authentication, Reporting & Conformance, or DMARC for short, offers an approach to this. The wheel was not reinvented at this point, however; DMARC builds on DKIM and SPF. With the DMARC record in the DNS, the administrator of a mail domain can tell the receiving mail servers which criteria a mail must meet in order to count as actually coming from the domain. This includes a policy for SPF and/or DKIM. Depending on the configured policy, the recipient's mail server can also dispose of emails as spam if they are considered forged because they lack a DKIM signature or because their SPF cannot be verified. DMARC checks against the sender @xyz.de in the message header, so your mail client also displays a verified address.

It is only with DMARC that DKIM and SPF get real teeth. An administrator of a mail domain can announce via DMARC that he sends all his emails with DKIM and SPF. Everything else is officially not from him and may therefore be disposed of as spam. This is exactly what Secumail does for you. In addition to your business partner, every professional administrator can secure the mail traffic for his organization. According to the statistics on dmarc.org, more and more companies and organizations are using DMARC and SPF. As of July 2017, 69 of the Alexa Top 100 had a DMARC policy that can be looked up via DNS. Secumail can thus protect mails from these providers against forgeries.
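The envelope/header gap described under SPF and the way DMARC closes it can be made concrete with a short sketch. This is an added example, not part of the original article and not Secumail's filter code; the DMARC record, the domain `bulk.example`, the message dictionaries and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation on the receiving side.
# Domains, results and records are constructed sample values.

def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, record):
    """Return 'pass', or the domain owner's policy (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["envelope_from"], msg["header_from"], tags.get("aspf", "r"))
    dkim_ok = any(
        result == "pass" and aligned(dom, msg["header_from"], tags.get("adkim", "r"))
        for dom, result in msg["dkim"])
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r"  # constructed record for xyz.de

# SPF passes for the envelope domain, but the header sender claims xyz.de.
FORGED = {"envelope_from": "bulk.example", "header_from": "xyz.de",
          "spf": "pass", "dkim": []}
# Envelope on a subdomain of xyz.de plus a valid xyz.de DKIM signature.
GENUINE = {"envelope_from": "bounce.xyz.de", "header_from": "xyz.de",
           "spf": "pass", "dkim": [("xyz.de", "pass")]}

if __name__ == "__main__":
    for name, msg in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "->", dmarc_disposition(msg, POLICY))
```

The forged message passes SPF on its own, yet DMARC rejects it because neither the SPF-checked envelope domain nor any DKIM signature lines up with the sender shown in the header.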

How do I benefit as a Secumail customer?

Secumail customers automatically benefit as recipients without having to change anything on their own domain. Especially for large companies, the e-mail traffic is authenticated in a secure way. You will no longer receive phishing or spam with fake senders as long as the sender domain supports SPF, DKIM, or DMARC.

We hope to have provided you with a good and understandable insight into SPF, DKIM, and DMARC. If you have any questions or would like to implement SPF, DKIM or DMARC yourself, please contact us by email at support@secumail.de or by phone at 08171-246920!

 

Michael Wodniok

 
