Avoid relying only on SPF! DKIM eMail authentication will often "save the day" / A must for DMARC

Thanks to https://securityboulevard.com for this picture.

  • Did you know that an SPF DNS record alone does not protect you against spoofing? Only DMARC does (if the policy is p=quarantine or p=reject).

  • Did you know that if your SPF record generates more than 10 DNS lookups, it will fail (permerror)? Example: one well-known hosting provider recommends that its customers use include:websitewelcome.com. On its own, that include generates 9 DNS lookups!

  • SPF typos: Did you know that if your single include mechanism refers to an external provider's includes, and one of them contains a typo further down the chain, your SPF will fail?

  • Did you know that if your provider gives you include:something.theprovider.com and later modifies it so that it exceeds 10 DNS lookups, your SPF will fail?

  • Did you know that if your emails are sent to an address that happens to be a distribution list/group, to an address that auto-forwards to another address, or to an anti-spam gateway, SPF will most of the time be broken before reaching the final destination and won't survive the journey?

  • Did you know that if an include generates more than 2 void DNS lookups, SPF verification will fail?

There are so many scenarios where SPF will fail: it is a very useful but very fragile mechanism.

At the end of the day, an SPF pass doesn't even mean the emails were sent by you; it means they were sent by someone using the same providers you use.
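Added example, not from the original post, to make the lookup-budget rules in the bullets above concrete: a small Python walker that counts the DNS-querying terms of an SPF tree the way RFC 7208 limits them, and reports permerror for more than 10 lookups, more than 2 void lookups, or an include whose target has no SPF record. All domain names and records below are constructed; nothing is resolved over real DNS.

```python
"""Count the DNS-querying terms of an SPF tree against the RFC 7208 limits:
more than 10 lookup terms, more than 2 void lookups, or an include whose
target has no SPF record all end in permerror. Offline: only ZONE is read."""

# Constructed SPF TXT records for hypothetical domains (no real DNS is queried).
ZONE = {
    "ok.test": "v=spf1 include:_spf.host.test ip4:192.0.2.10 ~all",
    "busy.test": "v=spf1 include:_spf.host.test include:_spf.crm.test a mx ~all",
    "typo.test": "v=spf1 include:_spf.hots.test ~all",   # 'hots' instead of 'host'
    "voidy.test": "v=spf1 exists:a.nx.test exists:b.nx.test exists:c.nx.test ~all",
    "_spf.host.test": "v=spf1 include:r1.host.test include:r2.host.test include:r3.host.test -all",
    "r1.host.test": "v=spf1 a mx -all",
    "r2.host.test": "v=spf1 a mx -all",
    "r3.host.test": "v=spf1 a -all",
    "_spf.crm.test": "v=spf1 mx -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def evaluate_spf(domain, zone=ZONE):
    """Walk the SPF tree under `domain`; return (lookups, voids, verdict).
    The root TXT fetch is free; every include/a/mx/ptr/exists/redirect costs one."""
    lookups = voids = 0
    todo, seen = [domain], set()            # seen: loop guard, each name walked once
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for term in zone[name].split()[1:]:             # drop the v=spf1 tag
            term = term.lstrip("+-~?")                  # qualifiers don't cost lookups
            mech, _, target = term.replace("=", ":").partition(":")
            if mech not in LOOKUP_TERMS:
                continue                                # ip4/ip6/all: no DNS query
            lookups += 1
            if lookups > 10:
                return lookups, voids, "permerror: more than 10 DNS lookups"
            if mech in ("include", "redirect"):
                if target not in zone:                  # misspelt or vanished include
                    return lookups, voids + 1, f"permerror: {target} has no SPF record"
                todo.append(target)
            elif target and target not in zone:         # a:/mx:/exists: on a name that resolves to nothing
                voids += 1
                if voids > 2:
                    return lookups, voids, "permerror: more than 2 void lookups"
    return lookups, voids, "ok"

if __name__ == "__main__":
    for d in ("ok.test", "busy.test", "typo.test", "voidy.test"):
        print(d, evaluate_spf(d))
```

Run it against your own published records (with a real TXT resolver in place of ZONE) before adding another include: "busy.test" shows how one extra provider pushes a record that was at 9 lookups past the limit.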

DKIM:

  • is more resilient and robust

  • survives more unusual email scenarios

  • confirms to the receiving party that emails received from your domain were really sent from your domain and were not altered or tampered with along the way

  • acts as a fail-safe when SPF fails, so that DMARC can still work properly

Get in touch with your IT providers to implement DKIM (and DMARC) signing as soon as possible.

Note: we recommend that people using DMARC use both SPF and DKIM if possible, but DKIM is an absolute MUST. A ~all (soft fail) SPF record is also recommended, as some very strict receiving mail servers will sometimes stop at SPF validation and not allow DKIM to be considered. Industry specialists all recommend ~all SPF when using SPF/DKIM/DMARC.

lastspam.com
