SPF or DMARC?

Which type of email authentication should I prioritize in setting up my email server?

QUI-GON Asked on 9th May 2019 in general.
1 Answer(s)

I make a practice of enabling SPF, DMARC and DKIM on any domain that I come across. In the future, everybody should be, and eventually will be, enabling this, but we are still not there because of the poor adoption. Enabling this will help any email domain not be marked as SPAM. Of course, if you are using a domain to send SPAM, the domain will eventually end up on a blacklist and be marked as SPAM, even if you have all three authentications enabled.

Here are some tools that you can use to check if you already have them enabled:

SPF Validated: https://mxtoolbox.com/SuperTool.aspx 

DKIM is validated: https://app.dmarcanalyzer.com/dns/dkim?simple=1

DMARC Inspector: https://dmarcian.com/dmarc-inspector/

Message Header Analyzer: https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx

https://blogs.technet.microsoft.com/exchange/2013/05/01/introducing-message-analyzer-an-smtp-header-analysis-tool-in-microsoft-remote-connectivity-analyzer/

Message Header Analyzer (Outlook Mobile): https://appsource.microsoft.com/en-us/product/office/WA104005406

 

| | SPF | DKIM | DMARC |
|---|---|---|---|
| What does it stand for? | Sender Policy Framework | DomainKeys Identified Mail | Domain-based Message Authentication, Reporting and Conformance |
| What is it? | A system to declare and verify who can send e-mails from a given domain. | An e-mail authentication system based on asymmetric cryptographic keys. | An e-mail authentication system that helps determine what to do when messages fail SPF or DKIM checks. |
| How does it work? | The receiving host checks if the sending host is allowed to send e-mails from the sender domain. | The sending host signs email body and/or headers with its private key. The receiving host verifies the signature, identifying if the fields are intact. | The receiving host applies the DKIM and SPF checks. Then it validates the results against the published DMARC policy and decides what to do: block, quarantine, deliver, report to sender. |
| | The information stating who can send e-mails is stored on a TXT record in the DNS zone. | No digital certificate is required. Public key is published using DNS TXT records. | The DMARC policy is published via DNS TXT record. |
| Why is it important? | It helps prevent spoofing and can prevent damage to your brand. | Greatly reduces the chances that your messages are treated as spam by digital signature. | Helps the receiving organization decide what to do with e-mails that fail checks and creates a feedback loop to allow course correction. |
| Where can I learn more? | Sender Policy Framework | DomainKeys Identified Mail | Domain-based Message Authentication, Reporting & Conformance |

Here are some interesting articles:

https://docs.microsoft.com/en-us/office365/SecurityCompliance/anti-spam-message-headers

https://www.endpoint.com/blog/2014/04/15/spf-dkim-and-dmarc-brief-explanation

https://blog.higherlogic.com/spf-dkim-dmarc-email-authentication

https://blogs.technet.microsoft.com/fasttracktips/2016/07/16/spf-dkim-dmarc-and-exchange-online/

Hope you find here the answers that you are looking for.

Regards,

João Dias

LUKE SKYWALKER Answered on 9th May 2019.
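
Added example, not part of the original answer: a sketch of the DMARC step from the table's "How does it work?" row, where the receiver takes the SPF and DKIM results and checks them against the published policy. The function names and sample records are constructed for illustration, and the organizational-domain check is a labelled simplification (last two labels instead of the Public Suffix List).

```python
# Added example: constructed records and results; alignment is simplified.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Assumption: the last two labels stand in for the organizational domain.
    Real receivers use the Public Suffix List (this is wrong for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, dmarc_txt, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks.
    Returns (dmarc_pass, action); dmarc_pass is None when no valid policy exists."""
    tags = parse_tags(dmarc_txt or "")
    if tags.get("v") != "DMARC1":
        return (None, "deliver")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    policy = tags.get("p", "none").lower()
    # p=none still delivers; the failure only shows up in aggregate reports (rua).
    return (False, policy if policy in ("quarantine", "reject") else "deliver")

# Constructed policies for the reserved domain example.com.
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
REJECT_STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    cases = [
        ("aligned SPF", QUARANTINE, ("pass", "bounce.example.com"), ("none", "")),
        ("SPF passes for another domain", QUARANTINE, ("pass", "example.net"), ("fail", "example.com")),
        ("forwarded, DKIM survives", REJECT_STRICT, ("fail", "example.org"), ("pass", "example.com")),
        ("strict mode, subdomain only", REJECT_STRICT, ("pass", "bounce.example.com"), ("fail", "example.com")),
    ]
    for name, policy, spf, dkim in cases:
        print(name, "->", dmarc_disposition("example.com", policy, spf, dkim))
```

The second case shows why SPF alone is not enough: the check passes, but for a domain unrelated to the visible From address, so DMARC fails and the policy applies.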