Understanding SPF, DKIM and DMARC

Sender Policy Framework (SPF): Provides sender authentication for the 5321.MailFrom address (the envelope sender or Return-Path, also known as the P1 address) and specifies which mail servers are allowed to send email as your domain.

The recipient MTA queries the SPF record of the domain in the 5321.MailFrom address and checks whether the connecting IP (client-ip) is covered by one of the mechanisms in that record. If the envelope sender is empty, as it is for bounces, the HELO/EHLO domain is checked instead.

To check the SPF record of any domain with PowerShell, run the command below.

>Resolve-DnsName lab365.in -Type txt | ? {$_.strings -match "SPF"} 
Name                                     Type   TTL   Section    Strings
----                                     ----   ---   -------    -------
lab365.in                                TXT    1800  Answer     {v=spf1
                                                                 include:spf.protection.outlook.com -all}

SPF authentication details from the message header:

Received-SPF: pass (google.com: domain of labadmin@lab365.in designates 2a01:111:f400:fea4::60a as permitted sender) client-ip=2a01:111:f400:fea4::60a;

As you can see, the SPF authentication result above is pass, because the client IP was found in the SPF record as a permitted sender.

For troubleshooting, you can also check whether an IP is covered by a domain's SPF record with MX Toolbox, using the format domain:ipaddress.

SPF limits: a domain can publish only one SPF record, and evaluating it may trigger at most 10 DNS-querying terms (include, a, mx, ptr, exists and redirect; ip4, ip6 and all do not count). Whenever you add an a or include term to your SPF, recount the total lookups across all nested includes: exceeding the limit produces a permerror, which is not a pass.

You can check the number of DNS lookups in an SPF record with various tools; I use fraudmarc.
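As an added example (not code from the original post), here is a minimal SPF evaluator in Python that does what the recipient MTA does: it walks the record of the 5321.MailFrom domain, follows include and redirect, tests the client IP against each mechanism, and counts DNS-querying terms against the limit of 10, returning permerror when the limit or the one-record rule is broken. The DNS it consults is a constructed in-memory table (hypothetical names, documentation addresses), so it runs offline; ptr and exists are omitted.

```python
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms

# Constructed in-memory zone standing in for DNS; names and addresses are
# documentation values (RFC 5737 / RFC 3849), not real records.
ZONE = {
    ("lab365.example", "TXT"): ["site-verification=constructed",
                                "v=spf1 include:_spf.mailhost.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:f400::/48 "
                                       "include:_spf2.mailhost.example ~all"],
    ("_spf2.mailhost.example", "TXT"): ["v=spf1 mx a:relay.mailhost.example -all"],
    ("_spf2.mailhost.example", "MX"): ["mx1.mailhost.example"],
    ("mx1.mailhost.example", "A"): ["198.51.100.25"],
    ("relay.mailhost.example", "A"): ["203.0.113.10"],
    ("twospf.example", "TXT"): ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
    # Eleven includes: one more than the limit allows.
    ("toomany.example", "TXT"): ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
for _i in range(11):
    ZONE[(f"hop{_i}.example", "TXT")] = ["v=spf1 ip4:203.0.113.0/24 -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Permanent error: duplicate records, unsupported syntax, too many lookups."""


def _spf_record(domain):
    records = [r for r in ZONE.get((domain, "TXT"), []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise SpfPermError(f"{domain}: more than one SPF record")
    return records[0] if records else None


def _addresses(name):
    return [ipaddress.ip_address(a) for a in ZONE.get((name, "A"), []) + ZONE.get((name, "AAAA"), [])]


def _count_lookup(state):
    state["lookups"] += 1
    if state["lookups"] > MAX_LOOKUPS:
        raise SpfPermError(f"more than {MAX_LOOKUPS} DNS lookups")


def _check_host(ip, domain, state):
    record = _spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                      # modifier (redirect=, exp=, ...)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):         # version mismatch simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                    # a[:domain]; CIDR suffixes not handled here
            _count_lookup(state)
            matched = ip in _addresses(arg or domain)
        elif name == "mx":
            _count_lookup(state)
            matched = any(ip in _addresses(mx) for mx in ZONE.get((arg or domain, "MX"), []))
        elif name == "include":
            _count_lookup(state)
            matched = _check_host(ip, arg, state) == "pass"   # only an inner pass matches
        else:                                # ptr/exists left out of this example
            raise SpfPermError(f"unsupported mechanism {name}")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        _count_lookup(state)
        return _check_host(ip, redirect, state)
    return "neutral"


def check_spf(client_ip, mailfrom_domain):
    """Evaluate SPF for a connecting IP and the 5321.MailFrom domain.
    Returns (result, dns_lookups_used)."""
    state = {"lookups": 0}
    try:
        result = _check_host(ipaddress.ip_address(client_ip), mailfrom_domain, state)
    except SpfPermError:
        result = "permerror"
    return result, state["lookups"]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "lab365.example"), ("203.0.113.10", "lab365.example"),
                    ("203.0.113.99", "lab365.example"), ("192.0.2.1", "toomany.example")]:
        print(ip, dom, check_spf(ip, dom))
```

The lookup counter is shared across the whole recursion, which is how the limit works in practice: every include, a, mx and redirect in every nested record counts toward the same 10, and the eleventh one turns the whole evaluation into permerror even if an earlier hop would have matched.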

DomainKeys Identified Mail (DKIM): DKIM adds a digital signature (not encryption) to the headers of outgoing messages. The signature covers selected header fields and a hash of the body, and is verified with a public key that the sending domain publishes in DNS.

Email servers that receive a DKIM-signed message validate it as follows:
  • Perform a TXT lookup for the key: the name is built from the signature's selector and domain as "s=" + "._domainkey." + "d=".
  • If the record exists, take the public key from its p= tag (an empty p= means the key has been revoked).
  • Recompute the body hash over the canonicalized body (simple or relaxed, per the c= tag) and compare it with the value in the bh= tag.
  • Rebuild the signed data from the header fields listed in the h= tag plus the DKIM-Signature header itself (with the b= value emptied) and verify the signature in the b= tag against it using the public key.
  • If both checks succeed, DKIM passes and the d= domain is the authenticated signing domain.
Sample DKIM signature (b= truncated):

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZisySaiReOmLL3p/IWVjnoBmcj8BuGC1YbdMAOLLHFs=; b=nvY2glLpQBOKnoGx8ewSu09EeufB0EI9tqjjZvg1P4SrtYRY12Aqwo6koqyyb

To check the DKIM record, take the s= value (the selector) from the DKIM-Signature and run the command below. DKIM keys are published under the "_domainkey" subdomain, so the DNS query goes to "selector" + "._domainkey." + "domain", as in the example.

>Resolve-DnsName selector2._domainkey.lab365.in -Type txt
Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
selector2._domainkey.lab365.in CNAME  3600  Answer     selector2-lab365-in._domainkey.brocode.onmicrosoft.com

Name      : selector2-lab365-in._domainkey.brocode.onmicrosoft.com
QueryType : TXT
TTL       : 3600
Section   : Answer
Strings   : {v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6zwJ/L9U6D+AkKu/A4WvM3pHi1EtroHwEHwOzJ+WftL0VSrDGR0vLY3F0FzD37wA6kfs9X6+ufGHH/sMg/9p
            hVWiUtZ4kJM6dNYj75VT6BFu1XXYTGrltHg4niiHXN3YGibgsyLfzBahPQL/J9XNXFaKyPsyxoX5F/VKlHeizdl1rMeeeWS6yU4clqusbRDYz, ttf5VuhLegUognoOd1fyOIXvdUfWhygZ0FNK
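The verifier steps above, as an added Python example (not the post's code): it parses the DKIM-Signature tags, builds the selector._domainkey.domain name, joins a multi-string TXT answer (as Resolve-DnsName shows it) into a key record, recomputes the body hash with simple or relaxed canonicalization and compares it with bh=, and assembles the exact bytes that the b= signature covers. The final RSA verification of b= against the p= key is not performed, since it needs a crypto library and the real key; the sample message, its b= value and the key bytes in the test are constructed placeholders.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record); folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags

def dkim_dns_name(sig_tags):
    """Name the verifier queries: <s=>._domainkey.<d=>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def parse_dkim_record(txt_strings):
    """A long key comes back as several TXT strings; join them before parsing."""
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    return {"key_type": tags.get("k", "rsa"), "public_key": base64.b64decode(tags["p"]),
            "revoked": tags["p"] == "", "testing": "y" in tags.get("t", "")}

def canonicalize_body(body, canon):
    """RFC 6376 3.4.3/3.4.4: drop trailing empty lines; relaxed also strips trailing WSP and collapses WSP runs."""
    lines = body.replace("\r\n", "\n").split("\n")
    if canon == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if canon == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, canon="simple", algo="rsa-sha256"):
    digest = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, canon).encode()).digest()).decode()

def canonicalize_header(name, value, canon):
    if canon == "relaxed":  # lowercase name, unfold, collapse WSP, no WSP around the colon
        value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
        value = re.sub(r"[ \t]+", " ", value).strip()
        return f"{name.lower()}:{value}\r\n"
    return f"{name}:{value}\r\n"

def split_message(raw):
    """Split a CRLF message into [[name, value], ...] (folded lines rejoined) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body

def signed_data(headers):
    """Bytes the b= signature covers: the h= headers (last instance first, RFC 6376 5.4.2),
    then the DKIM-Signature header itself with b= emptied and no trailing CRLF."""
    sig_name, sig_value = next((n, v) for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    canon = tags.get("c", "simple").partition("/")[0]
    remaining, out = list(headers), []
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out.append(canonicalize_header(*remaining.pop(i), canon))
                break
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    out.append(canonicalize_header(sig_name, stripped, canon).rstrip("\r\n"))
    return "".join(out).encode()

def check_dkim_body_hash(raw):
    """Verifier-side bh= check: (DNS name to query, computed bh, whether it matches the signature)."""
    headers, body = split_message(raw)
    tags = parse_tags(next(v for n, v in headers if n.lower() == "dkim-signature"))
    body_canon = tags.get("c", "simple").partition("/")[2] or "simple"
    computed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    return dkim_dns_name(tags), computed, computed == tags.get("bh")

# Constructed sample message; the signer computes bh= the same way. The b= value is a placeholder:
# producing it needs the RSA private key and checking it needs p= from DNS.
BODY = "Hello team,\r\n\r\nThe Q3 report is attached.  \r\n\r\n\r\n"
SAMPLE = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lab365.in; s=selector2;\r\n"
          " h=From:Date:Subject:Message-ID; bh=" + body_hash(BODY, "relaxed") + ";\r\n"
          " b=PLACEHOLDERnotARealSignature\r\n"
          "From: Lab Admin <labadmin@lab365.in>\r\n"
          "Date: Mon, 1 Jan 2024 10:00:00 +0000\r\n"
          "Subject: Q3   report\r\n"
          "Message-ID: <constructed-1@lab365.in>\r\n"
          "\r\n" + BODY)
```

Running check_dkim_body_hash(SAMPLE) gives the DNS name selector2._domainkey.lab365.in and a matching body hash; change a word in the body and bh= no longer matches, while under relaxed canonicalization trailing whitespace changes (common in transit) still verify. signed_data() shows why the h= list matters: only the fields named there are protected by b=.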

Why you should enable DKIM for a third-party service rather than adding it to your SPF

I recommend DKIM over SPF for third-party senders because a domain can have only one SPF record (with its 10-lookup limit), whereas DKIM keys are published under separate selector hostnames, so you can publish as many as you need, one per service, and revoke one without touching the others.

Also, once a third party's IP range is in your SPF record, every host in that range is authorized to send as your domain: other customers of the same service, or an attacker who has compromised one of those sender systems, can then pass SPF while spoofing your domain. A DKIM key only authorizes whoever holds the matching private key.

Domain-based Message Authentication, Reporting, and Conformance (DMARC): Checks whether SPF or DKIM aligns with the domain in the 5322.From header, also known as the P2 address. The message needs an aligned pass from either SPF (the 5321.MailFrom domain) or DKIM (the d= domain) to be marked dmarc=pass. The P2 address is what recipients see as the sender in their mail client, which is why alignment to it is what matters.

Authentication-Results: mx.google.com;
       dkim=pass header.i=@lab365.in header.s=selector2 header.b=nvY2glLp;
       spf=pass (google.com: domain of labadmin@lab365.in designates 2a01:111:f400:fea4::60a as permitted sender) smtp.mailfrom=labadmin@lab365.in;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=lab365.in

The authentication results above are from Google. DMARC passes because the header.from domain lab365.in matches both the SPF domain (smtp.mailfrom) and the DKIM domain (header.i). If neither had aligned, the recipient MTA would apply the policy in the p= tag of the header.from domain's DMARC record (quarantine here, as shown in the dmarc=pass line) to decide what to do with the message.

To check the policy with PowerShell, use the command below.

The DMARC record is looked up at "_dmarc." + "header.from domain". If the From domain is a subdomain with no record of its own, receivers fall back to the record at the organizational domain, where the sp= tag (if present) governs subdomains. In the record below, aspf=s requests strict SPF alignment: the 5321.MailFrom domain must equal the From domain exactly, so mail sent with a subdomain as envelope sender would not align on SPF.

>Resolve-DnsName _dmarc.lab365.in -Type txt
Name                                     Type   TTL   Section    Strings
----                                     ----   ---   -------    -------
_dmarc.lab365.in                         TXT    3600  Answer     {v=DMARC1; p=quarantine; pct=100;
                                                                 rua=mailto:labadmin@lab365.in; aspf=s;
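An added Python example (not from the post) of the receiver's DMARC evaluation: it parses an Authentication-Results header like the one shown earlier, looks up _dmarc.<From domain> with fallback to the organizational domain, tests SPF and DKIM alignment in strict or relaxed mode, and applies p=, sp= and pct= to decide the disposition. The DMARC records, the public-suffix list and the Authentication-Results values are constructed stand-ins, and the random draw used for pct= sampling is passed in as a parameter so the result is reproducible.

```python
import re

# Constructed DMARC records and a stand-in for the Public Suffix List; none of this is real DNS data.
DMARC_ZONE = {
    "_dmarc.lab365.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:labadmin@lab365.example; aspf=s",
    "_dmarc.partner.example": "v=DMARC1; p=reject; sp=none; adkim=r; pct=50",
}
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}  # pct= step-down

def org_domain(domain):
    """Organizational domain: the label just above the public suffix (mail.lab365.example -> lab365.example)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])

def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    p = tags.get("p", "none").lower()
    return {"p": p, "sp": tags.get("sp", p).lower(), "adkim": tags.get("adkim", "r").lower()[:1],
            "aspf": tags.get("aspf", "r").lower()[:1], "pct": int(tags.get("pct", "100")),
            "rua": tags.get("rua"), "ruf": tags.get("ruf")}

def fetch_policy(from_domain):
    """Look up _dmarc.<From domain>; if absent, fall back to the organizational domain (RFC 7489 6.6.3)."""
    for name in dict.fromkeys([from_domain, org_domain(from_domain)]):
        txt = DMARC_ZONE.get("_dmarc." + name)
        if txt and txt.lower().startswith("v=dmarc1"):
            policy = parse_dmarc(txt)
            policy["found_at"] = name
            return policy
    return None

def parse_auth_results(value):
    """Result and authenticated domain for SPF (smtp.mailfrom) and the first DKIM signature (header.d/header.i)."""
    out = {}
    m = re.search(r"\bspf=(\w+).*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", value, re.S)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"\bdkim=(\w+).*?header\.[id]=(?:[^@\s;]*@)?([\w.-]+)", value, re.S)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return out

def aligned(auth_domain, from_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(auth_results, from_domain, sample_point=0.0):
    """DMARC verdict for one message; sample_point in [0, 1) replaces the receiver's random draw for pct=."""
    from_domain = from_domain.lower()
    policy = fetch_policy(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none"}
    res = parse_auth_results(auth_results)
    spf_result, spf_domain = res.get("spf", ("none", ""))
    dkim_result, dkim_domain = res.get("dkim", ("none", ""))
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    # p= applies to the domain that published the record; sp= (default p=) to its subdomains.
    requested = policy["p"] if from_domain == policy["found_at"] else policy["sp"]
    if spf_aligned or dkim_aligned:
        disposition = "none"
    elif sample_point * 100 < policy["pct"]:
        disposition = requested
    else:
        disposition = DOWNGRADE[requested]
    return {"result": "pass" if spf_aligned or dkim_aligned else "fail",
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "requested_policy": requested, "disposition": disposition}

# Constructed Authentication-Results values modelled on the one shown in the post.
AR_ALIGNED = ("mx.receiver.example;\r\n"
              " dkim=pass header.i=@lab365.example header.s=selector2 header.b=nvY2glLp;\r\n"
              " spf=pass (receiver.example: domain of labadmin@lab365.example designates 2001:db8::60a"
              " as permitted sender) smtp.mailfrom=labadmin@lab365.example")
AR_SUBDOMAIN_SPF = ("mx.receiver.example;\r\n"
                    " dkim=fail (signature did not verify) header.d=lab365.example header.s=selector2;\r\n"
                    " spf=pass smtp.mailfrom=bounce@mail.lab365.example")
AR_SPOOF = "mx.receiver.example; dkim=none; spf=fail smtp.mailfrom=x@attacker.example"

if __name__ == "__main__":
    print(evaluate_dmarc(AR_ALIGNED, "lab365.example"))
    print(evaluate_dmarc(AR_SUBDOMAIN_SPF, "lab365.example"))
```

AR_SUBDOMAIN_SPF is the case aspf=s creates: SPF passes for mail.lab365.example, but with From: lab365.example that is not an exact match, DKIM failed, and the message is quarantined; the same header with From: mail.lab365.example aligns and passes. A real evaluator would consult the full Public Suffix List and evaluate every DKIM signature present, not only the first.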

Why set up a DMARC record? DMARC provides the following.

  • Spoof protection for your domain, built on top of the SPF and DKIM records.
  • Forensic (failure) reports for messages that fail DMARC, sent to the address in the ruf= tag; these can be used to investigate and fix whatever is causing the failures. Note that many large receivers do not send them.
  • Aggregate reports, sent as an XML attachment to the addresses in the rua= tag.
There are many third-party DMARC report providers that turn these reports into information admins can act on. The following statistics can be prepared from the reports:
  • Total messages DMARC compliant
  • Total messages DMARC non-compliant
  • Total messages forwarded
  • Total unknown (hosts without a PTR record)
This completes my post on SPF, DKIM, and DMARC. Please feel free to leave your comments and feedback.