Understanding and Managing SPF, DKIM, and DMARC for Enhanced Security
What Are SPF, DKIM, and DMARC?
- SPF (Sender Policy Framework): This is a DNS record that specifies which mail servers are authorised to send emails on behalf of your domain. It helps prevent unauthorised entities from sending emails as your domain (email spoofing).
- DKIM (DomainKeys Identified Mail): This mechanism uses cryptographic signatures to verify that the content of an email has not been altered in transit and that the sender is legitimate.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): This policy builds on SPF and DKIM, providing instructions to email providers on handling messages that fail authentication checks. It also generates reports to help monitor and improve email security.
Why These Are Crucial for Security
- These mechanisms protect the organisation from phishing attacks, email spoofing, and brand abuse.
- Without these protections, attackers can impersonate the organisation, potentially harming customers, partners, and employees while compromising trust in the organisation’s brand.
- A strong DMARC policy (e.g., “reject”) ensures that emails failing authentication are blocked, safeguarding against malicious emails being delivered.
DNS Records Delegation to Sendmarc
These configurations have been delegated to Sendmarc to streamline and centralise the management of SPF, DKIM, and DMARC records for all organisation domains. This delegation ensures proper setup and ongoing monitoring of email authentication.
Vital: DNS records related to SPF, DKIM, and DMARC must not be directly modified through your DNS provider (e.g., Azure, Gandi, Cloudflare, AWS, etc.). Direct changes can disrupt email delivery, compromise security and eventually be ignored.
DNS Records for Sendmarc Delegation
Below are examples of DNS records that should be present in your DNS zone to delegate configuration to Sendmarc:
- SPF Record:
    v=spf1 redirect=_<random string>.sdmarc.net
- DKIM Record: All records are delegated to the Sendmarc platform by configuring name servers for the _domainkey sub-domain.
    _domainkey IN NS ns1.sendmarc.net.
    _domainkey IN NS ns2.sendmarc.net.
- DMARC Record:
    _dmarc.example.com IN CNAME _d<random string>.sdmarc.net
- TLS (Transport Layer Security):
    _smtp._tls IN CNAME example.com._smtp._tls.sdmarc.net
    _mta-sts IN CNAME example.com._mta-sts.sdmarc.net.
    mta.sts IN CNAME mta-certs.sendmarc.com.
These records must remain untouched to ensure proper functioning and alignment with Sendmarc’s monitoring and enforcement capabilities.
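An added example, not from the original page or from Sendmarc, of a check the IT/Security Team could run to confirm that a domain's SPF, _domainkey and _dmarc records still match the delegation layout above and have not been edited directly at the DNS provider. The record sets below are constructed sample data (a real run would fill them from DNS lookups), and the random-string labels are placeholders.

```python
import re

# Delegation targets as listed on this page; anything else is a local edit.
SDMARC_SUFFIX = ".sdmarc.net"
DKIM_NS = {"ns1.sendmarc.net.", "ns2.sendmarc.net."}
# A delegated SPF record is a bare redirect: no include:, ip4:, a: or -all.
SPF_REDIRECT = re.compile(r"^v=spf1 redirect=(\S+)$")


def audit_delegation(domain, records):
    """Return findings for records that deviate from the Sendmarc delegation.

    `records` maps (owner name, RR type) to a list of rdata strings, in the
    shape a DNS lookup would give; an empty list means the zone is compliant.
    """
    findings = []
    spf = [r for r in records.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        m = SPF_REDIRECT.match(spf[0])
        if not m or not m.group(1).rstrip(".").endswith(SDMARC_SUFFIX):
            findings.append(f"SPF is not a pure redirect to Sendmarc: {spf[0]!r}")
    ns = set(records.get((f"_domainkey.{domain}", "NS"), []))
    if ns != DKIM_NS:
        findings.append(f"_domainkey NS set {sorted(ns)} != {sorted(DKIM_NS)}")
    dmarc = records.get((f"_dmarc.{domain}", "CNAME"), [])
    if len(dmarc) != 1 or not dmarc[0].rstrip(".").endswith(SDMARC_SUFFIX):
        findings.append(f"_dmarc is not a CNAME to Sendmarc: {dmarc}")
    return findings


# Constructed sample: a zone exactly as delegated.
COMPLIANT = {
    ("example.com", "TXT"): ["v=spf1 redirect=_abc123.sdmarc.net"],
    ("_domainkey.example.com", "NS"): ["ns1.sendmarc.net.", "ns2.sendmarc.net."],
    ("_dmarc.example.com", "CNAME"): ["_dabc123.sdmarc.net."],
}
# Constructed sample: someone added a vendor include to SPF and replaced the
# DMARC CNAME with a local TXT policy, bypassing the Sendmarc platform.
EDITED = {
    ("example.com", "TXT"): ["v=spf1 include:sendgrid.net redirect=_abc123.sdmarc.net"],
    ("_domainkey.example.com", "NS"): ["ns1.sendmarc.net.", "ns2.sendmarc.net."],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, zone in (("compliant", COMPLIANT), ("edited", EDITED)):
        print(label, audit_delegation("example.com", zone) or "OK")
```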
Requesting Modifications in the Sendmarc Platform
When subscribing to email services such as SendGrid, Salesforce Marketing Cloud, HubSpot, or others, modifications to the SPF, DKIM, or DMARC records may be required. To make such changes:
Submit a Request:
- Contact the IT/Security Team.
- Provide details of the service requiring integration, including:
    - Service name.
    - Required DNS records (if provided by the vendor).
    - Expected usage (e.g., bulk email campaigns, transactional emails).
Verification and Implementation:
- The IT/Security Team will verify the request.
- Approved changes will be implemented directly within the Sendmarc platform to ensure compliance and maintain security integrity.
Key Takeaway
Maintaining proper SPF, DKIM, and DMARC configurations is critical to the organisation’s email security. By centralising management through Sendmarc and following the outlined procedures, we can prevent email-based threats and ensure reliable communication channels.