SPF, DMARC & DKIM: A Guide
Email is one of the biggest points of attack for threat actors. Email impersonation tactics like spoofing and business email compromise account for some of the most frequently reported cyber-fraud losses. SPF, DMARC and DKIM can reduce this risk.
What is SPF?
SPF stands for Sender Policy Framework. It is an email authentication technique used against email spoofing. An SPF record lets a domain owner publish, in a DNS TXT record, the list of domains or IP addresses that should be trusted to send email for that domain. If a domain or IP that is not in the published record attempts to send an email, it will not pass the SPF check, indicating that the message may be fraudulent or spoofed. The receiver then treats it in accordance with the domain's defined DMARC policy.
What does an SPF record look like?
An SPF record is added to your domain's DNS zone file as a TXT record, and it identifies the SMTP servers authorized to send mail for your domain. You choose how strict the policy is by ending the record with a hard fail (-all) or a soft fail (~all). When your SPF record is complete it should look like this:
v=spf1 include:_spf.example.com ~all
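To show how a receiver actually uses a record like the one above, here is a small SPF evaluator. This is an added example written for this guide, not code from KYND or from any mail provider; the DNS data is a constructed stand-in (FAKE_DNS) rather than a live lookup, and only the ip4, ip6, include and all mechanisms are implemented. It returns the standard SPF results and shows the difference between -all (fail) and ~all (softfail) for a server that is not listed.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record (real code would query DNS).
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.example.com ~all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms (include, a, mx, ...) at 10 per evaluation
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of the SPF results: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented here; a, mx, exists and
    redirect= need real DNS and are out of scope for this example.
    """
    if _lookups is None:
        _lookups = [0]                        # shared counter across include: recursion
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                         # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:
            continue                          # modifiers (exp=, redirect=) are ignored here
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                    # "all" always matches; its qualifier decides the result
        elif name in ("ip4", "ip6"):
            try:
                # an IPv4 address is never "in" an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"            # malformed address or CIDR in the record
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"            # too many lookups, e.g. an include: loop
            sub = check_spf(value, sender_ip, dns, _lookups)
            if sub in ("permerror", "none"):
                return "permerror"            # the included domain has no usable record
            matched = sub == "pass"           # include: matches only if the other record says pass
        else:
            return "permerror"                # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # fell off the end without an "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", check_spf("example.com", ip))
```

With the constructed records, 192.0.2.10 passes through the include, 2001:db8::1 passes via the ip6 range, and 198.51.100.7 ends up at ~all and is soft-failed; checking the same address directly against _spf.example.com, which ends in -all, gives a hard fail instead.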
What is DMARC?
DMARC is an email validation system designed to protect your company's email domain from being used for cyber-crime. It provides domain-level protection of the email channel. DMARC authentication detects and prevents the email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. DMARC builds on SPF by stating a clear policy that receivers should apply, and it lets you set an email address to which statistical reports about a specific domain are sent.
What does a DMARC record look like?
It is recommended that a DMARC policy is implemented gradually, with a phased approach, starting with a monitor-only policy and tightening it over time. At the start of implementing DMARC it should look something like this:
v=DMARC1; p=none; rua=mailto:user@example.com
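The following is an added example (not KYND's code) of how a receiver turns a DMARC record plus the SPF and DKIM results into a decision. It parses the tags, checks identifier alignment (relaxed by default, strict when aspf=s or adkim=s) and then applies p=none, p=quarantine or p=reject only when neither SPF nor DKIM passed in an aligned way. The org_domain helper is a simplification of this example (real implementations use the Public Suffix List), and pct= and sp= are deliberately not applied.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('tag=value; ...') into a dict; whitespace around '=' and ';' is tolerated."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("a DMARC record needs v=DMARC1 and a p= policy")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption of this example: real DMARC uses the Public Suffix List, so e.g. .co.uk domains need more care."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed, the default) the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action) for one message.

    DMARC passes when at least one of SPF or DKIM passed *and* the domain it
    authenticated aligns with the visible From: domain. Otherwise the p= policy
    decides what the receiver should do. pct= and sp= are not applied here.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    policy = tags["p"].lower()
    actions = {"none": "deliver (monitor only, send report)", "quarantine": "quarantine", "reject": "reject"}
    if policy not in actions:
        raise ValueError(f"unknown policy p={policy!r}")
    return False, actions[policy]


if __name__ == "__main__":
    # Constructed scenario 1: a spoofed message with From: example.com that fails SPF and carries no DKIM signature.
    for rec in ("v=DMARC1; p=none; rua=mailto:user@example.com",
                "v=DMARC1; p=quarantine; rua=mailto:user@example.com",
                "v=DMARC1; p=reject; rua=mailto:user@example.com"):
        print(rec, "->", dmarc_disposition(rec, "example.com", "fail", "example.com", "none", ""))
    # Constructed scenario 2: legitimate mail relayed by mail.example.com; relaxed alignment passes, strict does not.
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; aspf=s"):
        print(rec, "->", dmarc_disposition(rec, "example.com", "pass", "mail.example.com", "none", ""))
```

Running it shows the phased rollout in miniature: the same spoofed message is delivered under p=none (but reported), quarantined under p=quarantine and rejected under p=reject, which is why starting at p=none and reading the rua= reports before tightening avoids blocking your own legitimate senders that are not yet aligned.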
What is DKIM?
DKIM stands for "DomainKeys Identified Mail". It is a protocol that authenticates emails to prevent spoofing or phishing. It acts like a digital signature, verifying the authenticity of the mail being sent and confirming that the content was not interfered with in transit. It works with a public key published in your DNS: your mail server signs each outgoing message with the matching private key, and when someone receives an email purporting to be from you, they use the public key to check the signature in the email header and confirm that the email is legitimate and unchanged.
What does a DKIM record look like?
How you create and implement DKIM will vary depending on your email provider, so we recommend that you consult their documentation before attempting to generate a DKIM key. You publish the DKIM public key as a TXT record in your DNS, and it should look like this:
v=DKIM1; k=rsa; p=[public_key]
What to remember:
Any organization that has not put these standard email protections in place is at high risk of having its email addresses spoofed or impersonated to defraud its employees, customers, partners and suppliers. KYND continuous monitoring is always checking your publicly available email records to confirm that you have these in place. You can find the results in your KYND ON account or your Signals report.
Checklist
- Check whether you have implemented SPF, DMARC, and DKIM in your DNS TXT records
- Review your syntax for errors to ensure they are working properly
- Consider increasing the stringency of the records if you are ready to advance your email protection.
- Remember to cover the domains you do not email from as threat actors will be trying to spoof these as well
- Conduct regular phishing exercises with users to ensure they understand the risks of spoofing
- Check your KYND Risk Report or Signals Report for email security related alerts.
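For the "review your syntax for errors" item, here is an added example of a small record linter for the three record types; it is written for this guide and is not KYND's monitoring code. It catches the kind of mistakes that silently weaken a record: a missing space before ~all in SPF (which turns the include domain into garbage and leaves the record with no all mechanism), too many DNS lookups, an invalid or missing DMARC p= policy, a missing rua= address, and a DKIM p= that is empty (a revoked key), not base64, or short. The RSA size threshold is an approximation of this example based on DER length.

```python
import base64
import re

DOMAIN_RE = re.compile(r"^[A-Za-z0-9._/-]+$")
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "ptr")


def split_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict; whitespace around '=' and ';' is tolerated."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    """Return a list of problems found in an SPF TXT record (empty list means none found)."""
    errors = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    saw_all = False
    lookups = 0
    for term in terms[1:]:
        body = term[1:] if term[0] in "+-~?" else term
        if "=" in body:                           # modifier such as redirect= or exp=
            if body.lower().startswith("redirect="):
                lookups += 1
                saw_all = True                    # redirect= stands in for a final 'all'
            continue
        name, _, value = body.partition(":")
        name = name.lower()
        if name == "all":
            saw_all = True
            if value:
                errors.append(f"'all' takes no value: {term!r}")
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                errors.append("'ptr' is deprecated (RFC 7208) and should be removed")
            if name == "include" and not value:
                errors.append(f"'include' needs a domain: {term!r}")
            if value and not DOMAIN_RE.match(value):
                errors.append(f"invalid domain in {term!r} (missing space before a qualifier such as '~all'?)")
        elif name in ("ip4", "ip6"):
            if not value:
                errors.append(f"{name} needs an address or CIDR: {term!r}")
        else:
            errors.append(f"unknown mechanism {term!r}")
    if not saw_all:
        errors.append("no 'all' mechanism: unlisted senders get 'neutral' instead of fail/softfail")
    if lookups > 10:
        errors.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return errors


def lint_dmarc(record):
    """Return a list of problems found in a DMARC TXT record."""
    errors = []
    tags = split_tags(record)
    first = record.split(";")[0].lower().replace(" ", "")
    if first != "v=dmarc1":
        errors.append("record must start with 'v=DMARC1'")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        errors.append("p= must be one of none, quarantine, reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag}= address must be a mailto: URI: {uri!r}")
    if "rua" not in tags:
        errors.append("no rua= address: you will not receive aggregate reports")
    for key in tags:
        if key not in ("v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"):
            errors.append(f"unknown tag {key!r}")
    return errors


def lint_dkim(record):
    """Return a list of problems found in a DKIM key TXT record."""
    errors = []
    tags = split_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        errors.append("v= must be 'DKIM1' when present")
    key_type = tags.get("k", "rsa").lower()       # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        errors.append(f"unsupported key type k={key_type!r}")
    if "p" not in tags:
        return errors + ["missing p= tag (public key)"]
    if tags["p"] == "":
        return errors + ["p= is empty: this selector's key is revoked, signatures will not verify"]
    try:
        key = base64.b64decode("".join(tags["p"].split()), validate=True)
    except ValueError:
        return errors + ["p= is not valid base64"]
    # A DER-encoded 2048-bit RSA public key is 294 bytes and a 1024-bit key 162 bytes (approximate threshold).
    if key_type == "rsa" and len(key) < 250:
        errors.append(f"RSA key decodes to {len(key)} bytes, likely shorter than 2048 bits")
    return errors


if __name__ == "__main__":
    # Constructed records: the first SPF record has the missing-space mistake, the second is correct.
    for rec in ("v=spf1 include:_spf.example.com~all", "v=spf1 include:_spf.example.com ~all"):
        print(rec, "->", lint_spf(rec) or "OK")
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:user@example.com") or "OK")
    print(lint_dkim("v=DKIM1; k=rsa; p=") or "OK")
```

Run it against your own TXT records (for example, the output of `dig TXT example.com` and `dig TXT selector._domainkey.example.com`) before and after each change; a clean run is no substitute for watching the DMARC aggregate reports, but it stops the most common copy-and-paste mistakes reaching DNS.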