Skip to content

Email Security

Jump to bottom
FeIix edited this page May 2, 2026 · 1 revision
Stands for Purpose
DKIM DomainKeys Identified Mail Adds a cryptographic signature (digital signature) to your emails, guaranteeing that the message was not forged or altered.
SPF Sender Policy Framework Specifies which mail servers (IPs/domains) are allowed to send email on behalf of your domain.
DMARC Domain-based Message Authentication, Reporting & Conformance Uses SPF and DKIM to determine the authenticity of a message. It provides instructions to receiving servers on how to handle failed emails

How DKIM works

  1. DNS TXT Record (Sender Side)

    • The sender's domain publishes a DNS TXT record for DKIM containing a public key.

  2. Email Signing (Sender Side)

    • The sender domain mail servers digitally sign (digital signature) outgoing emails using the private key.
    • This signature is included in the email headers as a "DKIM-Signature" field.

  3. Verification (Recipient Side)

    • The recipient’s mail server extracts the "DKIM-Signature" from the email message.
    • It retrieves the public key from the sender’s DNS record and then validates the signature.
    • If valid, the message is considered authentic and untampered.
    • If invalid, the message is rejected or flagged as spam.

Example DKIM Record

default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
Notes
v=DKIM1 DKIM version.
k=rsa Encryption algorithm used.
p=MIIBIjANBgkqh... Public key for verifying signatures.

How SPF works

  1. DNS TXT Record (Sender Side)

    • The domain owner creates a DNS TXT record for SPF.
    • The SPF record lists authorized mail servers (IPs/domains) that can send emails from the domain.

  2. SPF Validation (Recipient Side)

    • When an email is received, the recipient’s email server checks the “MAIL FROM” field.
    • The recipient’s serve compares the sending mail server’s IP/domain with the list in the SPF record.
    • If match an authorized sender, the email passes SPF.
    • If not listed, the email fails SPF and may be rejected or marked as spam.

Example SPF Record

v=spf1 ip4:192.168.1.1 include:_spf.google.com -all
Notes
v=spf1 Specifies SPF version.
ip4:192.168.1.1 Authorizes this specific IP to send emails for the domain.
include:_spf.google.com Allows Google's mail servers (e.g., Gmail) to send emails for the domain.
-all Hard fail; reject emails from unauthorized sources.

How DMARC works

  1. Publish a DMARC Policy (Sender Side)

    • A DMARC policy is added as a TXT record in the domain’s DNS.
    • The policy defines what action the recipient should take if an email fails SPF or DKIM.
    • It also provides an email address for reporting authentication failures.

  2. Email Validation

    • When an email is received, the recipient's mail server checks SPF and DKIM.
    • Based on the DMARC policy, the recipient server rejects or quarantines the failed emails, or takes no action but monitor only.

  3. Reporting

    • The domain owner receives reports about authentication failures, which help analyze unauthorized email activity.

Example DMARC Record

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
Notes
v=DMARC1 Specifies DMARC version.
p=reject Reject emails that fail SPF/DKIM. Other actions are p=quarantine and p=none.
rua=mailto:dmarc-reports@example.com Sends aggregate reports (summary of DMARC failures).
ruf=mailto:dmarc-forensic@example.com Sends forensic reports (detailed reports for failures).
fo=1 Requests reports if either SPF or DKIM fails.

Clone this wiki locally