Brief Introduction to SPF and DKIM
The first step in this guide is to explain these e-mail security measures so that you understand how they work.
What is SPF?
SPF (Sender Policy Framework) is a technique that helps prevent spam or fraudulent e-mail by verifying whether the mail server sending a message is authorised to do so on behalf of a specific domain.
Step-by-step explanation:
- An e-mail server receives a message from a sender, e.g. "user@mydomain.com".
- The recipient's server queries the SPF records for the domain "mydomain.com".
- SPF records contain a list of mail servers that are authorised to send mail on behalf of "mydomain.com".
- The destination server checks if the server sending the mail is on that list.
- If it matches, the mail is considered legitimate and is delivered. If it does not match, it may be treated as spam or rejected.
![Flowchart of a domain verified by SPF](https://cdn-0.plantuml.com/plantuml/png/XP31IiGm48RlUOgVNBoe3x07MN0LF0YB1U-ncTZ19f79TA4-lIJLkXJ5sv3__xuaio_gHASuchkah3DiHycJN1GyEXxHaPn8B5n1QS7QUwAUtvcI_bALxymSdBeNLmZsaAFZTDxoxSGiNbpT_60xr5U0OlK6oV6h2nldPRhkSxHc1Igz13lS3jI_eJlULryMNn2oRCbbtbnwb7nYJ_-nAx71dqaupE007QYjYzChIlimkC1DEcJX3_9_AXx2MUiIdaQkSFMrPPWz9J_5yHC0)
(Flowchart of a domain verified by SPF)
What is DKIM?
DKIM (DomainKeys Identified Mail) is another technique that helps to guarantee the authenticity of e-mails by adding a digital signature to the message.
Step-by-step explanation:
- When a mail server sends a message, it creates a unique digital signature for that message using a private key.
- The mail server adds this signature to the message header.
- The destination server, which has the corresponding public key, can verify the signature.
- If the signature is valid, the message is considered authentic and has not been altered in transit.
![Flowchart of a domain verified by DKIM](https://cdn-0.plantuml.com/plantuml/png/ZP2_JWCn3CRtUmeh2mlm01rGXouLga1KOdSlFcgHFvNZ2zpRGowb1n58R57yVJ__v7LI51szwoWewmHcJy6IN2NO8JlOasGI0vWWpODBxebwFZ45_IKgNxFEek814u7PH8ySlgVi_DDLBjpSBRKL50iWNxXlh4VOt6ztaFWbe8v2C4ZqOFnK4RTzzAQxj1lKfoXn9j0ZdObOsEygs6lvRU0_GNN32XuEMlHFuy5n3wyqmH2bLQZlPl-ZnCpsl6Nf_-dxJCB3r4ZLAnJPVn2smvnSofmWesDx3POSPvBb6DsQWXsz-m00)
(Flowchart of a domain verified by DKIM)
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is like an email supervisor for a domain (such as "mydomain.com"). Think of it as a set of rules that the domain owner sets up to tell other mail servers how to handle emails that appear to come from their domain.
- Rules configuration: The domain owner (such as a company) configures specific rules in the DNS records of their domain. These rules indicate how e-mails impersonating their domain should be treated.
- Receiving an e-mail: When a mail server receives an e-mail claiming to be from that domain (such as "user@mydomain.com"), it checks the DMARC rules that the domain owner has configured.
- DMARC-based actions: DMARC tells the receiving mail server what to do with the e-mail. It can take one of three actions:
  - Accept the e-mail: If the e-mail complies with the DMARC rules (such as having the correct SPF and DKIM signatures), the server delivers it to the inbox.
  - Mark as spam: If the mail does not comply with the DMARC rules, the server may mark it as spam or put it in the junk mail folder.
  - Reject the e-mail: In extreme cases, if the mail does not comply with the DMARC rules, the server can reject it entirely, preventing it from reaching the recipient.