DMARC, DKIM, and SPF—What’s That?!

One of our most common security findings during a network penetration test is missing or misconfigured DMARC (Domain-based Message Authentication, Reporting, and Conformance). Out of the box, M365 and Google Workspace don’t have this important security protection configured, and “enabling it” is not as easy as flipping a switch. But what is DMARC? What does it do? To understand DMARC, you need to understand SPF and DKIM.

DMARC, DKIM, and SPF are email security tools that work together to protect you from phishing by verifying that emails are legitimate and not from imposters. Here’s how they work in simple terms:

SPF (Sender Policy Framework): This checks if the email is sent from an authorized server. It’s like a guest list for your email domain. When an email arrives, the receiving server checks the sender’s domain against a list of approved servers (set in the domain’s SPF record). If the server isn’t on the list, it might be flagged as suspicious or rejected. This stops phishers from faking your domain using unauthorized servers.

DKIM (DomainKeys Identified Mail): This adds a digital signature to your emails, like a tamper-proof seal. The signature is created using a private key (kept secret by the sender) and verified by the recipient using a public key (stored in the domain’s DNS). If the signature matches, it proves the email came from the real sender and wasn’t altered. Phishers can’t fake this signature without the private key, making it harder to impersonate you.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): This is like a boss that oversees SPF and DKIM and decides what to do with suspicious emails. It checks if an email passes SPF and DKIM and if the sender’s domain aligns with the “From” address (to catch spoofing). You set a DMARC policy (in your DNS) to tell servers what to do with emails that fail these checks: monitor, quarantine, or reject. This stops phishing emails pretending to be from your domain from reaching inboxes.

How They Protect You:

Phishing Prevention: Phishers often fake the “From” address to trick you (e.g., pretending to be your bank). SPF and DKIM verify the sender’s identity, and DMARC ensures only emails passing these checks get through.

Trustworthy Emails: Legit emails from your bank or services pass these checks, so you’re less likely to fall for fakes.

Domain Protection: If you own a domain, these tools stop scammers from using it to send phishing emails, protecting your reputation.

Example: Imagine you get an email claiming to be from “support@yourbank.com.” SPF checks if the sending server is allowed by yourbank.com. DKIM verifies the email’s signature matches yourbank.com’s key. DMARC ensures the “From” address aligns with these checks. If any fail (e.g., a phisher used a fake server), DMARC might block the email, keeping you safe.
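To make the alignment and policy logic concrete, here is a small DMARC evaluator written for this post (it is not code from the article or from any mail product). It assumes the receiving server has already computed the SPF and DKIM results, and it replaces the DNS lookup of `_dmarc.yourbank.com` with a constructed record; the organizational-domain shortcut is an approximation of what real implementations do with the Public Suffix List.

```python
"""Toy DMARC evaluator: applies identifier alignment and the p= policy.

Constructed for illustration; real receivers fetch the record from DNS
(_dmarc.<domain> TXT) and use the Public Suffix List for organizational
domains.
"""

# Constructed DMARC record for the example domain (not a real DNS record).
CONSTRUCTED_DMARC = {
    "yourbank.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@yourbank.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment mode
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (toy PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact match with the From domain. Relaxed: same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_pass, disposition) where disposition is none/quarantine/reject.

    DMARC passes if SPF passed AND its MAIL FROM domain aligns, OR DKIM passed
    AND its d= domain aligns. Otherwise the record's p= policy is applied.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")
```

In the article's scenario, a message from support@yourbank.com whose SPF pass belongs to an unrelated sending domain and which carries no DKIM signature fails alignment, so the record's p=reject disposition applies.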

Is your DMARC record set up and configured correctly? Contact Mile High Cyber today to find out.
