There are various methods to protect against spam and phishing, among which SPF and DKIM are the most popular. What exactly are these mechanisms? You’ll find out in the following post.
Before we start describing each mechanism, it’s important to note that no method guarantees 100% security. Your common sense is key.
Sender Policy Framework (SPF)
SPF, short for Sender Policy Framework, is a security measure for SMTP servers designed to prevent them from accepting emails from unauthorized sources. A server utilizing SPF checks DNS records to verify if an email originates from a server authorized to send emails for a specific domain. SPF allows domain owners to specify which mail servers are permitted to send emails on their behalf through a special DNS record. If an email originates from a non-authorized server, it will be rejected. This protection helps safeguard against emails from spammers who spoof email addresses. SPF doesn’t require configuration on the client side, it’s automatically added for every domain linked to our hosting account.
How does SPF work?
- Defining an SPF Record: The domain owner defines the SPF policy by creating a special text record (TXT) in the domain’s DNS configuration. This record lists the mail servers authorized to send emails from that domain.
- Sending a Message: When a mail server attempts to send an email, the recipient checks which domain the email originates from (e.g., @example.com).
- Checking the SPF Record: The recipient then queries the DNS to check the SPF record for that domain. The receiving mail server retrieves the information about which servers are authorized to send messages from that domain.
- Verification: If the server from which the message was sent is listed in the SPF record, the email is considered legitimate and can be delivered. If the server is not listed, the message may be rejected, marked as spam, or undergo further analysis.
Example SPF Record in DNS:
v=spf1 +a +mx +ip4:91.211.220.105 include:example.com -all
- v=spf1: Specifies the SPF version.
- +a: Indicates that any mail server whose IP address matches the domain’s A record is authorized to send emails from this domain.
- +mx: Indicates that any mail server defined in the domain’s MX record is authorized to send emails from this domain.
- ip4:91.211.220.105: Specifies that the IP address 91.211.220.105 is authorized to send emails.
- include:example.com: Indicates that the domain example.com is also authorized to send emails. External email services (e.g., Outlook, Gmail) often require this element to identify the service as a legitimate source of emails from the original domain. For example, most Microsoft 365 organizations require adding include:spf.protection.outlook.com.
- -all: Indicates that all other servers not listed should be rejected. This parameter comes in two versions: ~all (less strict) or –all (more strict). The detailed difference between them is discussed in another article: SPF – what is the difference between ~all and -all? – we talk about hosting unofficial (smarthost.au)
DomainKeys Identified Mail (DKIM)
DKIM is a solution that allows an email to be linked to a specific domain. It involves adding a DKIM signature to the email header. When a server receives an email, it retrieves data from the DNS (specifically from a TXT record) to verify the signature. The domain key allows verification of whether the message indeed comes from the domain it claims to be from. However, DKIM is not foolproof, as it’s possible to decrypt the key, especially if it is too short.
How does DKIM work?
- Generating Key Pairs: The domain owner generates a pair of cryptographic keys: a private key and a public key. The private key is stored on the mail server, while the public key is published in the DNS as a TXT record.
- Signing Messages: When an email is sent from the mail server, it uses the private key to generate a digital signature for the message. This signature is added to the email header as a special DKIM header.
- Sending the Message: The email with the DKIM header is sent to the recipient.
- Verification by the Recipient: The recipient (or their mail server) retrieves the public key from the sender’s DNS and uses it to verify the DKIM signature. If the signature is valid, the message is considered authentic, meaning:
- The message comes from an authorized sender (who has access to the private key).
- The message was not altered during transmission.
What does the DKIM header contain?
- d=example.com: The domain that generated the signature
- s=selector: The selector identifier used to fetch the correct public key from DNS.
- b=signature: The actual digital signature.
- h=header_list: The list of email headers included in the signature.
Example DKIM Record in DNS:
default._domainkey.example.com. IN TXT “v=DKIM1; k=rsa; p=MIIBIjANBgkqh[…] “
- default: The selector that identifies the specific DKIM key within the domain. Multiple selectors can be used for different DKIM keys in the same domain, allowing key rotation or the use of different keys for different services.
- _domainkey: The standard subdomain used to store DKIM records in DNS. Each DKIM record is stored in a subdomain ending with _domainkey.
- example.com: The main domain for which the DKIM record is configured.
- v=DKIM1: DKIM version.
- k=rsa: Cryptographic algorithm (usually RSA).
- p=…: Public key.
Both of these security measures (entries) are automatically set up when adding a domain to cPanel and require no user configuration.
What other options are available for spam protection? Our servers use SpamAssassin, a set of scripts that analyze messages for spam characteristics. Additionally, we recommend setting up the DMARC mechanism, which further enhances protection against spam and phishing. Information on what DMARC is and how to implement it can be found in the post: What is DMARC and why you should have it.
- DNSSEC – technical aspects of additional security for your domain. - September 29, 2024
- DNSSEC – basic informations. - September 29, 2024
- How to properly configure contact forms? - September 29, 2024