To prevent attackers from spoofing email from your custom domain, there are three things you need to know: SPF, DKIM and DMARC. In this article, we explain each concept and how to use them together to prevent email spoofing.
Most tutorials start with DMARC. However, I feel that DMARC is easier to understand if we cover SPF and DKIM first.
What is SPF
SPF (Sender Policy Framework) is an email authentication technique. The idea is to publish a DNS TXT record declaring which mail servers (by IP address or netblock) are authorized to send email for your domain.
When a receiving mail server gets a message, it looks up the SPF record of the domain in the envelope sender address (the SMTP MAIL FROM, shown as Return-Path in the delivered message) and checks whether the IP address of the connecting server is one of the authorized ones.
For example, if I use Google’s G-Suite service to send and receive email for my domain, my SPF DNS record looks like the one below. You can read more about SPF syntax in RFC 7208, but essentially the record tells the world that only the servers listed in Google’s _spf.google.com record may send email on my domain’s behalf.
v=spf1 include:_spf.google.com -all
So if a mail server receives a message whose envelope sender is my domain but which did not come from one of Google’s servers, the SPF check fails. The -all qualifier tells receivers to treat that as a hard fail, so the message is typically rejected or moved to spam (~all, “softfail”, is the gentler option and usually only adds to the spam score).
But notice what SPF actually checks: the connecting server’s IP address against the envelope sender domain. It says nothing about the From address the recipient sees, and it breaks when mail is forwarded, because the forwarder’s IP is not in your record. So we need a second method that ties the message itself to your domain. That’s DKIM.
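To make the SPF check concrete, here is a small SPF evaluator, added for this article and not code from the article or from any mail software. It walks the record the way a receiver does, following include: terms into other domains, and shows why the example record above rejects a message from an unlisted IP. The DNS answers are a constructed in-memory table, the netblocks are documentation ranges rather than Google’s real ones, and only the ip4/ip6/include/all mechanisms, the four qualifiers and the 10-lookup limit are implemented; a/mx/ptr/exists, redirect= and macros are reported as permerror.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS table.

Added example for this article, not code from the article or from any mail
software. It implements the ip4/ip6/include/all mechanisms, the four
qualifiers and the 10-lookup limit; a/mx/ptr/exists, redirect= and macros
are reported as permerror. The netblocks below are documentation ranges,
not Google's real ones.
"""
import ipaddress

# Constructed TXT records standing in for real DNS answers.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF TXT record, or None when it publishes none."""
    record = dns.get(domain.lower().rstrip("."))
    if record and record.split() and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_host(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate the SPF policy of `domain` for a message from IP `ip`.

    `domain` is the envelope-sender (MAIL FROM) domain, not the header From.
    Returns one of RFC 7208's result names:
    pass / fail / softfail / neutral / none / permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifier such as exp=; redirect= is not implemented here
            if term.lower().startswith("redirect="):
                return "permerror"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # also catches include loops
            inner = check_host(ip, arg, dns, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # fail/softfail/neutral inside an include is just "no match"
        else:
            return "permerror"  # a, mx, ptr, exists: not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" term present


if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8::1", "198.51.100.7"):
        print(ip, "->", check_host(ip, "example.com"))
```

Note that a message from 198.51.100.7 ends in "fail" even though the Google records themselves end in ~all: the include only reports whether it matched, and it is your own record’s -all that decides the final result.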
What is DKIM
DomainKeys Identified Mail, or DKIM, is an authentication technique that verifies each individual message rather than the sending server. DKIM relies on public-key cryptography. To implement DKIM, you first publish a DNS TXT record containing the public key, at the name selector._domainkey.yourdomain. Then, for each outgoing message, the sending server computes a hash of the body and of selected headers, signs it with the private key, and adds the result in a DKIM-Signature header. When a receiving server gets the message, it fetches the public key named by the d= (domain) and s= (selector) tags of that header and verifies the signature; any change to the signed content after signing breaks it. Note that this is a signature, not encryption: the message stays readable, it just becomes tamper-evident.
Most email service providers offer a wizard that generates the DKIM key pair and keeps the private key on their servers. You only need to add the public key to the DKIM DNS record. Here is an example (a 1024-bit RSA key; RFC 8301 recommends 2048-bit keys).
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhLfcag5y3kc8gyv7l8SZp9m7s6L67ua7IheEQs9NzRMzFRSE4Gmdky4PuH3KUlk2seD4JKFVoHw1fxeDKFVJIoeHa5qJmucr0K37q9DJisXNrdMYqYJ1E4fNXxH4Ml1SxMKo2L42tVFmxDAHz0Jf1zLiJ+LgZVuRk00JVzJ8B0wIDAQAB
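The parts of DKIM verification that need no RSA library are shown below as an added example for this article (not code from the article or from any DKIM library): parsing the tag=value syntax shared by the DKIM-Signature header and the DNS record, building the selector lookup name, the relaxed body canonicalization from RFC 6376, and the bh= body-hash check that catches a modified body. The final step of a real verifier, checking the b= signature over the canonicalized headers with the p= public key, needs a crypto library and is left out. The DNS record value is the one from the article; build_dkim_signature is a hypothetical signer-side helper used only to produce input for the verifier side.

```python
"""DKIM (RFC 6376) pieces that need no RSA library: tag=value parsing of
the DKIM-Signature header and the DNS key record, the selector lookup
name, relaxed body canonicalization and the bh= body-hash check.

Added example for this article, not code from the article or from any
DKIM library. Checking the b= RSA signature is left out (needs a crypto
library). build_dkim_signature is a hypothetical signer-side helper.
"""
import base64
import hashlib
import re

# The DNS record value shown in the article (a 1024-bit RSA public key).
ARTICLE_DKIM_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhLfcag5y3kc8gyv7l8SZp9m7s6L67ua7Ih"
    "eEQs9NzRMzFRSE4Gmdky4PuH3KUlk2seD4JKFVoHw1fxeDKFVJIoeHa5qJmucr0K37q9DJisXNr"
    "dMYqYJ1E4fNXxH4Ml1SxMKo2L42tVFmxDAHz0Jf1zLiJ+LgZVuRk00JVzJ8B0wIDAQAB"
)


def parse_tags(text):
    """Parse a 'k=v; k2=v2' tag list; folding whitespace inside values is dropped."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def dkim_record_name(selector, domain):
    """DNS name the verifier queries: <s>._domainkey.<d> from the header's s= and d= tags."""
    return f"{selector}._domainkey.{domain}"


def load_public_key(txt_record):
    """Return the DER-encoded public key from a DKIM TXT record, or None if unusable."""
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa").lower() != "rsa":
        return None
    if not tags.get("p"):
        return None  # an empty p= means the key has been revoked
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError: corrupt base64 in the record
        return None
    if der[:1] != b"\x30":
        return None  # a SubjectPublicKeyInfo is a DER SEQUENCE; "M1Gf..." instead of "MIGf..." fails here
    return der


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4: squeeze runs of spaces/tabs to one space, strip
    trailing whitespace per line, drop empty lines at the end, terminate lines with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_dkim_signature(domain, selector, body):
    """Signer side (hypothetical helper): the header as it looks before b= is filled in."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


def check_body_hash(dkim_signature_header, body):
    """Verifier side: recompute bh= from the body as received and compare."""
    tags = parse_tags(dkim_signature_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # "c=relaxed" alone means simple body
    if tags.get("v") != "1" or body_canon != "relaxed":
        return False  # only relaxed body canonicalization is implemented here
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = build_dkim_signature("example.com", "google", "Hello  world \r\n\r\n")
    print(dkim_record_name(parse_tags(sig)["s"], parse_tags(sig)["d"]))
    print("intact:", check_body_hash(sig, "Hello world\r\n"))
    print("tampered:", check_body_hash(sig, "Hello world!\r\n"))
```

Relaxed canonicalization is why a forwarder that re-wraps whitespace or adds trailing blank lines does not break the signature, while any change to the actual words does.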
Now that you understand SPF and DKIM, let’s talk about DMARC.
What is DMARC
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. It is a policy layer on top of SPF and DKIM: it tells receivers that an SPF or DKIM result only counts for your domain if it aligns with the visible From address, what to do with messages that fail, and where to send reports about what they saw. DMARC therefore plays a large part in whether your email lands in the recipient’s inbox, goes to the spam folder, or is rejected outright.
Next we’ll walk through the process a receiving mail server follows when it applies DMARC to a message.
DMARC Alignment Process
A message has two “from” addresses. The first is the “header From” (the RFC 5322 From), the address you and the recipient see. The second is the “envelope from” (the SMTP MAIL FROM, shown as Return-Path in the received message), which the sending server gives during the SMTP transaction and which can differ from the visible From. DMARC additionally looks at the d= domain in the DKIM-Signature header. (To see these in Gmail, open the message and select “Show original”.)
First, the receiving server runs the SPF check against the envelope-from domain as described above. For DMARC, an SPF pass only counts if the envelope-from domain is aligned with the header From domain: identical under strict alignment (aspf=s), or sharing the same organizational domain (for example bounce.example.com and example.com) under the default relaxed alignment. If SPF fails, or passes for an unrelated domain, the aligned SPF check fails.
Then the server looks up the public key named in the DKIM-Signature header and verifies the signature. If the signature is valid and the signing domain (d=) is aligned with the header From domain, the aligned DKIM check passes. If the signature does not verify, no DKIM record is published, or the signing domain is somebody else’s, the aligned DKIM check fails.
DMARC requires either the aligned SPF or the aligned DKIM check to pass; only if both fail does DMARC fail. Now this is where your DMARC record comes into play. If a message passes DMARC, it will usually reach the recipient’s inbox (unless the spam filter catches it for other reasons). If it fails, the server looks at your DMARC policy DNS record, published at _dmarc.yourdomain, to decide what to do.
DMARC Policy Record
You set up a DMARC policy to instruct mail servers how to deal with failing messages: p=none (deliver normally but report), p=quarantine (send to spam) or p=reject. Here is an example of a DMARC record that rejects all messages failing the DMARC check and sends aggregate reports (rua=) to a specific email address. It is good practice to start with p=none, read the reports for a few weeks to find legitimate senders you forgot to authorize, and only then move to quarantine and finally reject.
v=DMARC1; p=reject; rua=mailto:[email protected]
Below is an example of the rejection notice returned when the DMARC check has failed.
This is why the “Send As” feature in Gmail we mentioned in the previous article no longer works for non-Gmail addresses. Gmail always uses your main Gmail address as the “envelope from”, which is not aligned with the “header From” of your custom domain, so the aligned SPF check fails. Since you can’t set up DKIM for your domain with a free Gmail account, the message always fails DMARC and, under a p=reject policy, is undeliverable (forcing you to switch to a G-Suite paid plan).
And that’s all the basics you need to know to set up SPF, DKIM and DMARC to prevent email spoofing for your domain.
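The alignment process and the Gmail “Send As” failure can both be reproduced with the following DMARC evaluator, added for this article and not code from the article or from any mail server. Its inputs are the results a receiver already holds after its SPF and DKIM checks (the envelope-from domain and SPF result, and the d= domain and result of each DKIM signature), and it returns the DMARC result together with the disposition taken from the p= tag. Organizational domains are approximated as the last two labels, where real implementations use the Public Suffix List, so a domain such as example.co.uk would be handled wrongly; the sp= and pct= tags are not implemented, and the report address in the sample record is a constructed placeholder.

```python
"""DMARC (RFC 7489) evaluation: identifier alignment plus policy disposition.

Added example for this article, not code from the article or from any
mail server. Organizational domains are approximated as the last two
labels (real implementations use the Public Suffix List). The sp= and
pct= tags are not implemented.
"""

# Constructed policy record for example.com; the rua= address is a placeholder.
EXAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt):
    """Parse the _dmarc.<domain> TXT record; None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags


def organizational_domain(domain):
    """Approximation: the last two labels (see module docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 'r' (relaxed) = same organizational domain, 's' (strict) = identical."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record_txt, header_from_domain, mail_from_domain, spf_result, dkim_results):
    """Return (dmarc_result, disposition).

    header_from_domain: domain of the visible RFC 5322 From address.
    mail_from_domain:   domain of the SMTP MAIL FROM (envelope from / Return-Path).
    spf_result:         the SPF result obtained for mail_from_domain ("pass", "fail", ...).
    dkim_results:       list of (d= domain, result) pairs, one per DKIM-Signature header.
    """
    record = parse_dmarc_record(record_txt) if record_txt else None
    if record is None:
        return ("none", "none")  # no policy published: the receiver applies no DMARC action
    aspf = record.get("aspf", "r").lower()
    adkim = record.get("adkim", "r").lower()
    # An SPF pass for an unrelated domain (e.g. gmail.com) does not help example.com.
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from_domain, aspf)
    # Likewise a valid DKIM signature counts only when its d= aligns with the From domain.
    dkim_ok = any(result == "pass" and aligned(d, header_from_domain, adkim)
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", record["p"].lower())


if __name__ == "__main__":
    # Gmail "Send As": From is example.com, envelope from is gmail.com, SPF passes for gmail.com,
    # and the free account adds no DKIM signature for example.com.
    print("send-as:", evaluate_dmarc(EXAMPLE_DMARC_RECORD, "example.com", "gmail.com", "pass", []))
    # Forwarded mail: SPF breaks, but the original DKIM signature survives.
    print("forwarded:", evaluate_dmarc(EXAMPLE_DMARC_RECORD, "example.com", "forwarder.example",
                                       "fail", [("example.com", "pass")]))
```

The two calls in the main block are the cases discussed in the text: the Send As message is rejected because its only passing check belongs to gmail.com, while a forwarded message survives on its aligned DKIM signature alone.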