SPF, DKIM, and DMARC Explained
I found myself reading RFC 733 today as I had no idea how long BCC emails had been around. Turns out, it's a long time (November 21, 1977). In fact, that is when the "Standard for the Format of ARPA Network Text Messages" was ratified so a whole lot of other things were included in that RFC that are still used in email today, not just BCC emails.
Some things that weren't proposed in 1977, for obvious reasons, are SPF, DKIM, and DMARC. We'll be talking about those today! (If you're curious like I was which RFCs those are: SPF is RFC 7208, DKIM is RFC 6376, and DMARC is RFC 7489, so you can check those out too.)
SPF - Sender Policy Framework
- Apple sends an email to your Gmail inbox. The message leaves Apple's mail server bound for one of Google's mail servers.
- When Google's server receives it, it takes the domain from the SMTP envelope sender, the MAIL FROM address given during the SMTP session (the receiver records it in the message as the Return-Path header). This is not the From address you see in your mail client; that distinction matters for DMARC later.
- Google's server fetches the SPF TXT record for email.apple.com and checks whether the connecting IP address (the sending mail server) is authorized to send for that domain. That is why the Authentication-Results header of the received email shows spf=pass along with the IP address of the sending server and the statement that the IP address is a permitted sender.
- An SPF pass is one positive signal that helps the message reach your inbox rather than the spam folder; SPF by itself does not decide that. It isn't the only check Google performs, and we'll get to the rest later.
v=spf1 include:_spf-txn.apple.com include:_spf-mkt.apple.com include:_spf.apple.com ~all
| Prefix | Mechanism | Value | Result | Description |
|---|---|---|---|---|
| | v | spf1 | | The SPF record version. It must be the first term in the record. |
| + | include | _spf-txn.apple.com | Pass | The SPF record of the named domain is fetched and evaluated; a pass there counts as a match here. |
| + | include | _spf-mkt.apple.com | Pass | Same as above. |
| + | include | _spf.apple.com | Pass | Same as above. |
| ~ | all | | SoftFail | Always matches, so it goes at the end of the record and catches every sender not matched above. |
- "include" takes a domain name, not an IP address: the receiving server fetches that domain's own SPF record and evaluates it. The included record is where the actual ip4/ip6 ranges or "a"/"mx" mechanisms usually live, and it may include further domains in turn. Every include (like every "a", "mx", and "redirect") counts against the limit of 10 DNS-querying terms per check; exceeding it yields permerror, which many receivers treat as a failure.
- The "~all" in Apple's case could just as easily have been "-all" if they wanted (or left out altogether). "~" (softfail) tells the receiving server that a sender not listed above is probably not authorized: accept the message but treat it as suspicious. "-" (fail) says such a sender is definitely not authorized and the message should be rejected. Omitting "all" is equivalent to "?all" (neutral): unlisted senders are neither authorized nor unauthorized, which gives the receiver nothing to act on. In practice many receivers don't reject on an SPF fail alone; they feed the result into the DMARC evaluation described below.
- Instead of (or in addition to) "include", an SPF record can designate permitted senders directly with "ip4:" and "ip6:" (an address or CIDR range), "a" (the domain's A/AAAA records) and "mx" (the hosts named in the domain's MX records).
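To make the record evaluation concrete, here is a small SPF evaluator, added as an example for this post; it is not code from Apple, Google or any SPF library. It implements check_host() from RFC 7208 over a constructed in-memory DNS table: the apple.com record is the one quoted above, while the included records, host names, MX entries and IP ranges are made up (documentation address ranges). It handles the four qualifiers, include, ip4/ip6, a, mx and redirect, picks the domain from MAIL FROM (falling back to HELO for bounces), and enforces the 10-lookup limit so an include loop ends in permerror instead of running forever.

```python
import ipaddress

# Constructed stand-in for DNS. apple.com's TXT record is the one quoted on the page; every
# other record, host name and IP range below is made up (RFC 5737 documentation addresses).
DNS = {
    "TXT": {
        "apple.com": "v=spf1 include:_spf-txn.apple.com include:_spf-mkt.apple.com include:_spf.apple.com ~all",
        "_spf-txn.apple.com": "v=spf1 ip4:192.0.2.0/24 -all",
        "_spf-mkt.apple.com": "v=spf1 ip4:198.51.100.0/24 -all",
        "_spf.apple.com": "v=spf1 mx -all",
        "strict.example": "v=spf1 ip4:203.0.113.5 -all",
        "loop.example": "v=spf1 include:loop.example -all",
    },
    "A": {"mx1.apple.com": ["203.0.113.25"]},
    "MX": {"_spf.apple.com": ["mx1.apple.com"]},
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: include, a, mx and redirect each cost one DNS lookup
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_domain(mail_from, helo):
    """SPF is evaluated on the SMTP envelope sender (MAIL FROM), never on the visible From header.
    A null reverse-path (bounces, MAIL FROM:<>) falls back to the HELO/EHLO host name."""
    return mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo


def _matches_a(addr, host, dns):
    """'a' mechanism: does an A/AAAA record of host cover addr? host may carry a /cidr suffix."""
    host, _, cidr = host.partition("/")
    for rr in dns["A"].get(host, []):
        if addr in ipaddress.ip_network(f"{rr}/{cidr}" if cidr else rr, strict=False):
            return True
    return False


def check_host(ip, domain, dns=DNS, lookups=None):
    """check_host() from RFC 7208 section 4: evaluate domain's SPF record for sending address ip.
    Returns pass, fail, softfail, neutral, none (no record) or permerror (bad record, too many lookups)."""
    lookups = [0] if lookups is None else lookups      # counter shared across include/redirect recursion
    record = dns["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                                 # modifiers: redirect= is honoured, others ignored
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("include", "a", "mx"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)   # False across IPv4/IPv6
        elif name == "a":
            matched = _matches_a(addr, arg or domain, dns)
        elif name == "mx":
            matched = any(_matches_a(addr, mx, dns) for mx in dns["MX"].get(arg or domain, []))
        elif name == "include":
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):            # RFC 7208 7.1: include of a missing record is fatal
                return "permerror"
            matched = sub == "pass"                     # fail/softfail/neutral inside an include = no match
        else:
            return "permerror"                          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        lookups[0] += 1
        return "permerror" if lookups[0] > MAX_LOOKUPS else check_host(ip, redirect, dns, lookups)
    return "neutral"                                    # nothing matched and no 'all': same as '?all'
```

The interesting cases are the ones the table glosses over: a "-all" inside an included record does not fail the outer check, it only means "no match here", and a record that includes itself is stopped by the lookup counter.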
DKIM - DomainKeys Identified Mail
- Apple sends an email to your Gmail inbox.
- Before the message leaves Apple's mail server, the server hashes the body, then signs that body hash together with a selected set of headers (From, Subject, Date, and so on) using Apple's private DKIM key. Signing means running the hash through the private key: anyone holding the matching public key can check the result, but nobody without the private key can produce it. The signature goes into a DKIM-Signature header, which also names the signing domain (d=), a selector (s=), the hash algorithm, and the list of headers that were signed.
- When Google's server receives the message, it reads the d= domain and s= selector from that DKIM-Signature header. It does not use the envelope sender/MAIL FROM here; DKIM and SPF identify the sender independently.
- Google's server queries DNS for the TXT record at <selector>._domainkey.<d= domain> and finds the public key Apple published there.
- With that public key Google verifies the signature over the listed headers, and it recomputes the hash of the received body and compares it with the bh= value carried in the signature. If both check out, the message is exactly what Apple signed and DKIM passes. Any change in transit to a signed header or to the body, whether by an attacker or by a well-meaning mailing list, breaks the signature.
v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy4V3QZgjpUK3HSijzU+uGQlfBx8N40Ese/TaM0P8BES/kTKJS7OvtEfmA+ihMYcwh+vpvjK7aBIpV2CT49QnC/lXm8KwXad64VF18pgaCiuOW4rxC2L687Gn2BHEekcbl5FozRa716DLXpo07j5IX5sdvKPi6KylnmyOmjD/NqfvbLZf/lRlTb9pXf1N3fLu+W25vaotR4ZQpbrMQkKIANDafdL4KvPmfFOfYuZYiLpQfHfuJYok0aROsS5as1cEthN9MnkdSBAJHLG/f63+jNLgSC9x77YBWH2gPIDIqEanPVPFPJjs0yNh1zCWJUma9ihNXNwBP9GDclt042thAwIDAQAB
| Tag | Value | Name | Description |
|---|---|---|---|
| v | DKIM1 | Version | Identifies the record as a DKIM key record. If present, it must be the first tag in the record. |
| k | rsa (2048-bit key) | Key Type | The type of key held in the p tag. |
| h | sha256 | Hash Algorithms | A colon-separated list of hash algorithms this key may be used with. |
| p | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy4V3QZgjpUK3HSijzU+uGQlfBx8N40Ese/TaM0P8BES/kTKJS7OvtEfmA+ihMYcwh+vpvjK7aBIpV2CT49QnC/lXm8KwXad64VF18pgaCiuOW4rxC2L687Gn2BHEekcbl5FozRa716DLXpo07j5IX5sdvKPi6KylnmyOmjD/NqfvbLZf/lRlTb9pXf1N3fLu+W25vaotR4ZQpbrMQkKIANDafdL4KvPmfFOfYuZYiLpQfHfuJYok0aROsS5as1cEthN9MnkdSBAJHLG/f63+jNLgSC9x77YBWH2gPIDIqEanPVPFPJjs0yNh1zCWJUma9ihNXNwBP9GDclt042thAwIDAQAB | Public Key | The base64-encoded public key. Its format before base64 encoding is defined by the k tag (for rsa, a DER-encoded SubjectPublicKeyInfo). An empty p value means the key has been revoked. |
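The verifier-side pieces of the walk-through that need no secret key can be shown with the standard library alone. The block below is an added example for this post, not Apple's, Google's or any DKIM library's code: it parses the tag=value syntax shared by the DKIM-Signature header and the key record, builds the selector._domainkey DNS name, implements simple and relaxed body canonicalization and the bh= body hash, checks a received body against a signature's bh= claim, and walks the DER structure of the p= key quoted above to read off its modulus size. The sample body and the d=/s= values in the constructed signature are made up, and the b= tag is left empty because producing it needs the private key. Verifying b= is the one step not shown: it is an RSA signature check over the canonicalized headers, which a library such as dkimpy does with this same public key.

```python
import base64
import hashlib
import re

# The DKIM key record quoted above (tags and p= value as printed on this page).
APPLE_KEY_RECORD = (
    "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy4V3QZgjpUK3HSijzU+uGQlfBx8N40Ese/"
    "TaM0P8BES/kTKJS7OvtEfmA+ihMYcwh+vpvjK7aBIpV2CT49QnC/lXm8KwXad64VF18pgaCiuOW4rxC2L687Gn2BHEekcbl5FozRa716DLX"
    "po07j5IX5sdvKPi6KylnmyOmjD/NqfvbLZf/lRlTb9pXf1N3fLu+W25vaotR4ZQpbrMQkKIANDafdL4KvPmfFOfYuZYiLpQfHfuJYok0aROs"
    "S5as1cEthN9MnkdSBAJHLG/f63+jNLgSC9x77YBWH2gPIDIqEanPVPFPJjs0yNh1zCWJUma9ihNXNwBP9GDclt042thAwIDAQAB"
)

# Constructed sample body (trailing spaces and blank lines on purpose, to show canonicalization).
SAMPLE_BODY = "Your receipt from Apple.\r\n\r\nThanks for your order.   \r\n\r\n\r\n"


def parse_tags(text):
    """Parse a DKIM tag=value list. The DKIM-Signature header and the _domainkey TXT record share
    this syntax; whitespace (including header folding) inside a value is insignificant."""
    tags = {}
    for item in text.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def key_record_name(sig):
    """Where the verifier looks for the public key: <s= selector>._domainkey.<d= domain>.
    Both values come from the signature itself, not from the envelope sender or From header."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def canonicalize_body(body, method="relaxed"):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # collapse runs of spaces/tabs into one space and strip trailing whitespace on every line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    while lines and lines[-1] == "":          # both modes drop empty lines at the end of the body
        lines.pop()
    if not lines:                             # simple yields a lone CRLF for an empty body, relaxed nothing
        return "\r\n" if method == "simple" else ""
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, method="relaxed", algorithm="sha256"):
    """The bh= tag: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def make_signature_value(domain, selector, body, signed_headers="from:to:subject:date"):
    """Signer side, minus the RSA step: a DKIM-Signature value with everything except b=.
    domain and selector are whatever the caller chooses (made-up values in the test)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={signed_headers}; bh={body_hash(body)}; b=")


def check_body_hash(signature_value, body):
    """Receiver side of the body check: recompute bh= from the body as received and compare it
    with the signer's claim. False means the body changed in transit (or a canonicalization
    mismatch). The b= signature over the headers still has to be verified with RSA."""
    sig = parse_tags(signature_value)
    canon = sig.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"   # c=relaxed alone means simple body
    algorithm = sig["a"].split("-", 1)[1]                            # rsa-sha256 -> sha256
    return body_hash(body, body_canon, algorithm) == sig["bh"]


def _der(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits give the number of length bytes
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(key_record):
    """Modulus size of the p= key. For k=rsa, p= is a DER SubjectPublicKeyInfo:
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }."""
    tags = parse_tags(key_record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM key record")
    if not tags.get("p"):
        raise ValueError("empty p= means the key has been revoked")
    _, spki, _ = _der(base64.b64decode(tags["p"]))
    _, _algorithm, pos = _der(spki)                    # AlgorithmIdentifier (rsaEncryption)
    _, bit_string, _ = _der(spki, pos)
    _, rsa_public_key, _ = _der(bit_string[1:])        # first byte of a BIT STRING = unused-bit count
    tag, modulus, _ = _der(rsa_public_key)             # INTEGER n, possibly with a leading 0x00
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()
```

Two things worth noticing when running it: relaxed canonicalization makes trailing whitespace and extra blank lines irrelevant to bh=, which is why well-behaved relays don't break DKIM, while any change to the words does; and the key-size walk is how you would audit published selectors for keys shorter than 1024 bits, which verifiers are told to reject.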
DMARC - Domain-based Message Authentication, Reporting & Conformance
- Apple sends their email to Google's mail server. Apple has all the necessary SPF, DKIM, and DMARC DNS records published.
- Google's mail server receives the email from Apple and runs through the SPF and DKIM checks described above.
- Google's mail server now checks DMARC. It does this by:
  - Looking up the DMARC policy of the domain in the From header (remember, this is the address users actually see in the email). The policy is a TXT record at _dmarc.<domain>, for example _dmarc.apple.com.
  - Checking whether DKIM passed.
  - Checking whether SPF passed.
  - Checking whether the From header domain "aligns" with the domains that SPF and DKIM actually authenticated: the DKIM d= domain and the SPF envelope sender/MAIL FROM domain. Alignment is compared on domains, not full addresses, and it is what ties the two checks to the identity the user sees. Without it an attacker could pass SPF and DKIM for a domain they control while the From header still shows apple.com. DMARC passes if at least one of SPF or DKIM both passed and is aligned.
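To show what "aligns" means in practice, here is a DMARC evaluator, added as an example for this post and not Google's or any library's code. It takes the From-header domain, the SPF result with its MAIL FROM domain, and the DKIM results with their d= domains, looks up a record in a constructed DNS table (example.com and strict.example are made-up domains with made-up policies), applies strict or relaxed alignment according to the adkim= and aspf= tags, and returns the DMARC result together with the disposition from the p= (or, for subdomains, sp=) tag, which goes one step beyond the checks listed above. The organizational-domain helper is a deliberate simplification, taking the last two labels where RFC 7489 uses the Public Suffix List.

```python
# Constructed DMARC records for made-up domains. The tag syntax is RFC 7489's; the values are not
# any real organisation's policy.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r"}   # relaxed alignment unless the record says otherwise


def parse_dmarc(record):
    """Parse a v=DMARC1 tag list into a dict with the RFC 7489 defaults filled in."""
    tags = dict(DEFAULTS)
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain):
    """Simplification: the registrable domain is taken to be the last two labels. RFC 7489 uses
    the Public Suffix List instead, so that e.g. mail.example.co.uk maps to example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) accepts any domain
    under the same organizational domain. Compared on domains only, never on local parts."""
    a, b = from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(header_from_domain, spf, dkim, dns_txt=DMARC_TXT):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain), one per signature.
    Returns (dmarc result, disposition) where disposition is none, quarantine or reject."""
    record = dns_txt.get(f"_dmarc.{header_from_domain}")
    policy_domain = header_from_domain
    if record is None:                                   # nothing at the From domain: try its org domain
        policy_domain = organizational_domain(header_from_domain)
        record = dns_txt.get(f"_dmarc.{policy_domain}")
    if record is None:
        return ("none", "none")                          # no policy published, nothing to enforce
    policy = parse_dmarc(record)
    spf_result, mail_from_domain = spf
    spf_ok = spf_result == "pass" and aligned(header_from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(header_from_domain, d, policy["adkim"]) for r, d in dkim)
    if spf_ok or dkim_ok:                                # one aligned, passing identifier is enough
        return ("pass", "none")
    disposition = policy["p"]
    if policy_domain != header_from_domain:              # record inherited from the org domain: sp= applies
        disposition = policy.get("sp", disposition)
    return ("fail", disposition)
```

The spoofing case is the one to try first: a sender whose own domain passes SPF and DKIM cleanly still fails DMARC for example.com, because neither authenticated domain aligns with the From header, and the disposition comes straight from the victim domain's p= tag. The second thing to try is adkim=s with a parent-domain signature on a subdomain's mail, which fails alignment even though the signature is valid.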