E-mail: What is the purpose of SPF, DKIM and DMARC records?

In keeping with Artera’s tradition of always being focused on innovation and security, we will devote this article to e-mail security.

When an e-mail is sent, the recipient's mail system may classify it as spam, and as a result the message often goes unread.

There are many reasons why this can happen. Recently, however, most cases can be traced back to missing or misconfigured SPF and DKIM records in the DNS zone of the domain used to send the e-mails. Another useful record to take into account, although it is not fundamental, is the DMARC record.

All these records are specific to the e-mail service and are intended to make the exchange of e-mails more secure. They counteract spoofing (a technique whereby the sender is falsified in order to mislead the recipient of the message) and phishing (a scam that attempts to retrieve sensitive information through misleading messages), and they reduce the chance that legitimately sent messages are recognized as spam and treated as such by the recipient.

What is the purpose of SPF, DKIM and DMARC records? Let’s see it together!

The SPF (Sender Policy Framework) record makes it possible to indicate which servers are authorised to send e-mails. This means that the recipient of a message can identify the server that sent the e-mail, by retrieving the information written in the message header and comparing it with the servers indicated in the SPF record: if the verification returns a positive result, the message will be more easily considered trustworthy, otherwise it will have a greater chance of being identified as potentially dangerous mail or spam.

The DKIM (DomainKeys Identified Mail) record is nothing more than a digital signature, which allows the recipient to certify whether the message received was sent from an authorised domain and server.

This configuration also makes it possible to check that the content of an e-mail has not been changed after it has been sent.

The recipient’s server extracts the key from the header of the e-mail and through its verification determines whether the message is trustworthy or not, exactly as indicated for the SPF record.

The DMARC (Domain-based Message Authentication, Reporting and Conformance) record, unlike the other two seen above, does not define services authorised to send and does not allow specific verifications to be carried out. It is nevertheless very important, because it defines how the recipient of an e-mail must treat the messages received, according to the parameters specified with the SPF and DKIM records. It also allows reports to be sent to an e-mail address specified in the record, so that the owner is periodically updated on the messages sent from the active e-mail boxes on their domain, which makes it easier to identify a possible problem or ‘suspicious’ cases.

All Artera products that include mail service and nameserver management are activated with great consideration for the importance of security in this area, which is why the SPF, DKIM and DMARC records are automatically configured on our DNS zones. Of the three, the DMARC record is the only exception: unlike the SPF and DKIM records, which are effective right away, the DMARC record is entered in generic form, because its mode of operation, as well as the e-mail address enabled to receive reports, must be decided by you. Don’t worry: Artera will not leave you on your own! We put all our expertise at your disposal to help you make full use of this DNS record: here you can find our guide, which explains in detail how the DMARC record works.

Artera support remains available for further clarification: open a ticket from your customer area or email support@artera.net for assistance!