SPF, DKIM and DMARC (e-mail)

    Introduction

    SPF, DKIM and DMARC are three tools that help prevent spoofing (which is used for phishing and spam) by validating the authenticity of emails. Since emails are always associated with a domain, validation of emails is centered on the domain setup, which takes place on the DNS server that the domain belongs to.

    Note: This guide is based on your shop and the e-mails sent from the shop system (order confirmations, order status emails, invoices, etc.). These examples are therefore based on our shop system and the settings we use in our systems in general.

    Understand SPF, DKIM and DMARC

    A short explanation of the mechanisms and their function (we'll take a closer look at the details later in the article series):

    • SPF: SPF is a mechanism that lets the recipient's email server know which email servers are authorized to send emails on behalf of your domain (in this case your shop).
      (SPF is an abbreviation of "Sender Policy Framework".)
    • DKIM: DKIM is a mechanism that signs all outgoing emails from your domain with a private key, which can then be validated with a public key placed on the shop's domain.
      (DKIM is an abbreviation of "DomainKeys Identified Mail".)
    • DMARC: DMARC is a mechanism that ties SPF and DKIM together, and lets the owner of a domain tell the receiving server how to deal with email claiming to come from a sender that does not match SPF or DKIM.
      (DMARC is an abbreviation of "Domain-based Message Authentication, Reporting and Conformance".)

    All three mechanisms consist of a string of text that is added to the DNS zone of your domain as TXT and CNAME records respectively. In addition to adding a CNAME record to the DNS, DKIM also requires adding a key in your email server's settings so that the server can sign the emails sent from the shop system.

    How it works

    In this diagram, we go through the email flow when your shop system sends an order confirmation to the customer:

    [Diagram: SPF, DKIM and DMARC email flow between Domain, Shop, E-mail and Recipient]

    1. Domain: SPF, DKIM and DMARC are set up as DNS records in the DNS zone of the domain so that they can be read on the internet. The mail server's internet address is included in the SPF record, and the mail server's public DKIM key and the DMARC information are each inserted in their own DNS record.
       
    2. Shop: The order confirmation email is actually sent from an email server connected to the shop. The mail server has been set up so that the outgoing emails are DKIM-signed with a private key. The key has a corresponding public key that can be found in the domain of the shop (see point 1).
       
    3. E-mail: The DKIM-signed email is sent to the recipient. Besides carrying the DKIM signature, the email also reveals the sender's email address and the internet address of the sending server.
       
    4. Recipient: The recipient server reviews the data that the email consists of and compares the information with the information on the shop's domain (SPF, DKIM and DMARC) to get an overall assessment:
       
      • SPF check: The recipient server evaluates whether the sender (the email server that has sent the email) is included in the SPF-record of the domain. This can be in the format of a domain or an IP-address.
         
      • DKIM check: The recipient verifies the DKIM signature with which the email has been signed (the signature is located in the email header) by using the public key found in the domain's DKIM record. The validation is successful if the signature can be verified with the public key, and if the signed information matches what is found in the DKIM record (domain name and selector).
         
      • DMARC check: The recipient server makes sure that SPF and DKIM are valid. This includes a cross-check of the sender information in order to relate SPF and DKIM to each other. The server may also be asked to send a status report back to the sender, which the sender can use to adjust e.g. the SPF or DKIM record (this information is part of the DMARC record on the domain).
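    As an added example that is not part of this guide or the shop system, the following Python code performs the recipient-side checks from step 4 against a constructed DNS zone: the SPF lookup (ip4/ip6/include/all mechanisms), DMARC alignment of the SPF and DKIM domains with the From domain, and the resulting policy. DKIM signature verification itself is represented by a boolean, since it needs the signed message and the public key; the domain names and records below are invented for the example.

```python
import ipaddress

# Constructed DNS zone for the example (invented domains, not real records).
DNS_TXT = {
    "shop.example": "v=spf1 ip4:192.0.2.0/24 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.shop.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@shop.example",
}

def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 limits lookups
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        matched = False
        if mech.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = check_spf(mech[8:], ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:  # first matching mechanism decides the result
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def org_domain(domain):
    # Simplified organizational domain (last two labels); real validators
    # use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (same org)."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def check_dmarc(from_domain, sender_ip, mail_from_domain, dkim_domain, dkim_valid):
    """Combine SPF and DKIM with DMARC alignment; returns (result, policy)."""
    rec = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ("none", "none")
    spf_ok = (check_spf(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_valid and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail", tags.get("p", "none"))
```

    A message passes DMARC when at least one of the two aligned checks passes; a spoofed message from an unlisted server without a valid aligned signature gets the domain's `p=` policy applied.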

    Setting up SPF, DKIM and DMARC

    Read about the individual mechanisms and how you set up the different DNS records:

    Useful links

    (Under construction)