What is that eMail compliance SPF/DKIM/DMARC Stuff! For non-technical people

SPF/DKIM/DMARC are mechanisms (Version 6)

  • working hand in hand to make eMail more secure

  • helping prevent spoofing (yes, someone pretending to be @fromyourdomain.com and sending eMails to the world) so your domain doesn’t end up on a blacklist with a bad reputation.

  • one side effect is that they improve your eMail deliverability rate. Most eMail providers like it when you’re using SPF/DKIM/DMARC properly and will give you more chances to reach people’s inboxes instead of sending your eMail to their spam folder (Junk Mail) or, worse, rejecting your eMails. New trend: some providers will send your eMails directly to Junk/Spam if you’re not using SPF/DKIM/DMARC!

    BOLD NOTE (technical): if your DMARC policy is “left” at p=none (monitoring mode), it still allows your domain to be spoofed! Most IT staff will set the DMARC policy to p=none and leave it there. DMARC is the only mechanism protecting you from spoofing, and only if it is well configured (not left at none).

BUT WHAT IS IT?! How does it work?

Note: below is the 6th attempt to make all that simple. It’s far from perfect but, for now, it will be this (tech people, close your eyes please).

Imagine you got an invitation to a VIP event at some fancy bar, and they will only be letting in people with clean, legit ID cards.

Knock knock knock, you arrive at the event:

SPF (origin): you show a driver’s license, Tom Smith from Miami. The ID is a real, legit driver’s license; they were able to verify that this ID belongs to a Miami driver. Note: your domain’s SPF record (you are the one configuring it) lists all the eMail services you are using, i.e. where your eMails will be coming from (eMail campaign tool, CRM, eMail provider such as Google, Microsoft, etc.). Note: sometimes you’ll be using an eMail provider that does not need you to list them in your SPF (I can’t explain why here…)

DKIM (domain signing): you then show another legit ID showing you are Mark Smith from Macrosoft.com, and they were able to validate this ID online (forget about the picture, LOL, it would ruin my analogy) and confirm that this ID is really from Macrosoft.com.

Then you present yourself (the FROM / sender people will see in the eMail you sent):

“Hi, I’m Bob from New York, from @a-well-known-domain.com”

The doorman (DMARC): here is where the magic happens.

“Listen, you’re telling me you’re Bob from New York, but

  • you have an ID showing you’re Tom from Miami (SPF / where you are coming from)

  • and another ID showing you’re Mark Smith from Macrosoft.com (DKIM domain signing)

Sorry “BOB”, I can’t let you in!” (reject, or whatever your DMARC policy says)

Note: in that crazy eMail world, an eMail may have a valid SPF (eMail coming from the right provider) and a valid DKIM signature (which proves the eMail is DKIM signed, but by someotherdomain.com) while pretending to be @yourdomain.com, and only DMARC will be able to “recommend” the right decision to the receiving eMail server.

SPF validation simply makes sure that the domain used for SPF authentication has authorized (in its SPF policy) the provider the message originated from to send eMail on behalf of that domain. That can be any domain; it doesn’t have to match the domain people will see in the eMail.

DKIM validation checks whether the d=whateverdomain.com DKIM signature is valid. Again, the domain specified in the hidden DKIM signature doesn’t need to “match/align” with the domain people will see in the eMail.

DMARC is the only one, with the help of DKIM and/or SPF, that can do some intelligent validation: does “who you pretend to be” (the domain people will see when receiving an eMail) match/align with the DKIM and/or SPF domains used for authentication?

This is called alignment. For DMARC to pass, you need either full alignment (all domains match) or at least one of the two authentication methods’ domains matching the real domain people will see….
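To make the doorman’s decision concrete, here is a small added example (my own illustration, not code from the original post or from any DMARC library): a minimal DMARC evaluator in Python. It takes the domain SPF authenticated, the d= domain of a verified DKIM signature and the visible From: domain, checks relaxed or strict alignment, and then reads the published p= tag, so you can see why a domain left at p=none still lets the spoofed message through. The DMARC records and all domains except a-well-known-domain.com and macrosoft.com (taken from the analogy) are constructed for the demo; real receivers fetch the record from DNS at _dmarc.<domain>.

```python
"""Added example (not code from the original post): a minimal DMARC evaluator.

SPF and DKIM each authenticate a domain; DMARC passes only when one of those
domains aligns with the visible From: domain. DNS lookups are replaced by a
constructed table so the script runs offline.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT records published at _dmarc.<domain>.
# A real receiver fetches these with a DNS query.
DMARC_RECORDS = {
    "a-well-known-domain.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "monitoring-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example",
    "strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=r' into a tag dict.

    Relaxed alignment ('r') is the DMARC default for both adkim and aspf.
    """
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels.

    Real DMARC uses the Public Suffix List; this simplification is wrong
    for names such as example.co.uk, but is enough for the demo.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed mode accepts the same org domain."""
    if not auth_domain:
        return False  # that authentication method did not pass at all
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    """What the receiving server knows once SPF and DKIM have been checked."""
    from_domain: str   # domain in the visible From: header (who you pretend to be)
    spf_domain: str    # domain SPF authenticated (the "Miami driver's license"); "" if SPF failed
    dkim_domain: str   # d= of a DKIM signature that verified (the "Macrosoft ID"); "" if none


def evaluate_dmarc(msg: AuthResult, records: dict = DMARC_RECORDS) -> dict:
    """Return the DMARC verdict and the disposition the domain owner asked for."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}
    tags = parse_dmarc(record)
    spf_aligned = aligned(msg.spf_domain, msg.from_domain, tags["aspf"])
    dkim_aligned = aligned(msg.dkim_domain, msg.from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        which = " and ".join(m for m, ok in (("SPF", spf_aligned), ("DKIM", dkim_aligned)) if ok)
        return {"dmarc": "pass", "disposition": "none", "reason": f"{which} aligned"}
    # Neither identifier aligns: apply whatever policy the domain owner published.
    return {"dmarc": "fail", "disposition": tags.get("p", "none"),
            "reason": "neither SPF nor DKIM domain aligns with From:"}


if __name__ == "__main__":
    samples = [
        # The post's analogy: From: says a-well-known-domain.com, SPF authenticated
        # another sender domain, DKIM was signed by macrosoft.com. The doorman says no.
        AuthResult("a-well-known-domain.com", "tom-from-miami.example", "macrosoft.com"),
        # Same mismatch, but the owner left p=none: DMARC fails, yet nothing is rejected.
        AuthResult("monitoring-only.example", "tom-from-miami.example", "macrosoft.com"),
        # A legitimate campaign tool signing from a subdomain: relaxed alignment passes.
        AuthResult("a-well-known-domain.com", "bounce.campaign-tool.example",
                   "mail.a-well-known-domain.com"),
        # The same subdomain signature under adkim=s: strict alignment fails.
        AuthResult("strict.example", "", "mail.strict.example"),
    ]
    for s in samples:
        print(f"From: {s.from_domain:26} -> {evaluate_dmarc(s)}")
```

The second sample is the BOLD NOTE above in code form: the verdict is “fail”, but because the published policy is p=none the disposition is also “none”, so the receiver is told to deliver the message anyway. Only a p=quarantine or p=reject record turns a failed alignment into an action.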

For sure, I will update this post in the future.

DMARC in the news

https://www.securityweek.com/us-says-north-korean-hackers-exploiting-weak-dmarc-settings/

https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/

Technical details about spoofing:

Most domains can be spoofed

DMARC / SPF / DKIM for Techies & Nerds

https://www.uriports.com/blog/demystifying-dmarc-alignment/

lastspam.com
