
What are DKIM, DMARC and SPF? How they affect email delivery?


Whenever we talk about email delivery to the inbox, the first thing that comes to mind is the email security protocols, namely DKIM, DMARC and SPF. They play a key role in inbox delivery. To understand what that role is, let's look at how a receiving server decides whether a particular email is spam or not. There are hundreds of factors that affect inbox delivery, but in this article the discussion is limited to the email security protocols.

How do mail servers block spam?

When an email is sent, the receiving mail server needs to confirm the identity of the sender.

For example, suppose you use a Zimbra mail server to send email to Gmail. Google's mail server will check some information about your Zimbra mail server.

If that information checks out, Gmail will let the email arrive in the inbox. Otherwise, Gmail will block your mail or put it in the Spam folder.

So what is this information? That is DKIM, SPF and DMARC.

Let’s understand these protocols one by one starting with DKIM.

What is DKIM?

The very first question is what is DKIM?

According to information from Zimbra, DKIM has the following definition:

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

Put simply, DKIM helps the receiving mail server confirm whether an email is genuine or forged. Spoofing a mail domain name to send fake emails is very common, so DKIM gives the receiving server a tool to distinguish real mail from fake mail.

How to create DKIM key?

You can create or more specifically generate DKIM in many ways. This has already been discussed extensively.

How to use DKIM?

After you have generated the DKIM key, go to your domain registrar and create a TXT entry in the DNS records.

Host record | Type | Value
<selector>._domainkey | TXT | <the generated DKIM key, in double quotes>

Note: Notice the double quotes in the Value section.

How to verify DKIM data

After you have created the DNS record for DKIM for the mail domain, you need to verify that it is correct. There are several online tools that let you verify your DKIM record.

A very useful tool for email system administrators is MXToolbox.

Now go to the DKIM check link and type the following information.

  • Domain Name: type your mail domain into this box.
  • Selector: type the selector key into this box. The key looks like 5FB56121-7BDF-21E9-8459-20D59831E3AB in Zimbra and postal-xhee82 in Postal SMTP; it may differ in other DKIM implementations. Look at the Host record column above: remove the suffix ._domainkey and the rest is the key.

[Image: DKIM check form on MXToolbox]

The results should be green as in the image below, which shows that you have successfully set up DKIM for your mail domain.

[Image: DKIM test result in MXToolbox]

What is an SPF?

First, we need to know what SPF is and why we need to configure it.

According to Zimbra, SPF defines:

Sender Policy Framework (SPF) is an email validation system, designed to prevent unwanted emails using a spoofing system. To check this common security problem, SPF is going to verify the source IP of the email and compare it with a DNS TXT record with SPF content.

So, like DKIM, SPF helps the receiving mail system confirm whether the email it received is real or fake.

The validation works through the contents of a DNS record that lists the IP addresses of your mail server: if the connecting IP is in that list, the check passes.

You can look at the image below and find out more information about it at this page.

So can you see why we need to configure it?

It is because for every email your mail server sends, mail servers around the world will check the SPF information before deciding whether to put it in the inbox, put it in spam, or block the mail.

How to Create SPF record for mail server?

You can take help from an online SPF record generator. MXToolbox provides a tool called SPF Record Generator. You only need to declare your information in the data fields.

  1. Step 1: type your mail domain into the box named Domain Name or URL and press the Check SPF Record button.

[Image: MXToolbox SPF generator]

  2. Step 2: fill in all data fields in the SPF WIZARD to get the final DNS record.

[Image: creating the SPF record in the wizard]

At the question “How strict should the SPF Policy be?”

You have 4 choices (this explanation is based on information from Zimbra):

  1. --: do not choose anything
  2. Strict: will only mark the email as pass if the source email server matches the SPF entry exactly (IP, MX, etc.); anything else is a hard fail
  3. Neutral: no policy
  4. Soft Fail: allows the email to be sent, and if something is wrong it will be marked as softfail

Usually, we will choose number 4.

How to use SPF record?

Based on the content of Suggested Record, you need to create a record with the following content:

Host record | Type | Value
@ | TXT | "v=spf1 a mx a:mail.yourdomain.com ip4:192.168.10.10 ~all"

Note: Put the Value content of the SPF record in double quotes.
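To see what a receiving server actually does with that record, here is an added example (not code from the article or from Zimbra/MXToolbox) that evaluates the article's SPF record against a sending IP. The DNS answers are a constructed stand-in table, and only the mechanisms the article's record uses (a, mx, ip4, all) are modelled; it shows how ~all versus -all changes the outcome for an unknown sender.

```python
"""Evaluate an SPF record against a sending IP, using a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS: A and MX answers for the names the record references.
DNS = {
    "A": {
        "yourdomain.com": ["203.0.113.5"],
        "mail.yourdomain.com": ["203.0.113.10"],
        "mx1.yourdomain.com": ["203.0.113.20"],
    },
    "MX": {"yourdomain.com": ["mx1.yourdomain.com"]},
}

# The record from the article, as published at the apex (@) of yourdomain.com.
SPF_RECORD = "v=spf1 a mx a:mail.yourdomain.com ip4:192.168.10.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, source_ip, dns=DNS):
    """Return pass / fail / softfail / neutral / permerror for source_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a prefix mean "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(ip) in dns["A"].get(h, []) for h in hosts)
        else:
            return "permerror"  # include, exists, ptr, CIDR suffixes: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all": the default result
```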

How to check whether the SPF record is set correctly?

Open the SPF test tool on MXToolbox. Enter your domain and click the SPF Record Lookup button.

The returned result should look like the image below, with every test step green.

[Image: SPF record verification result]

What is DMARC?

According to information from Zimbra, we define DMARC as:

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.

That may sound a little confusing, but it can be understood simply: DKIM, SPF, and now DMARC are all technologies that make email sent from your mail server more trustworthy.

Other mail servers around the world will trust your system because they can distinguish whether your email is genuine or forged.

Take a look at the image below (source: Zimbra) to see what DMARC does during the process of receiving email.

If the DMARC check on the email passes, the mail is put into the inbox; otherwise, it may be put into spam or rejected.

How to create DMARC Record ?

A DMARC record is rather easy to create compared to DKIM or SPF. You can create it either manually or online.

To create it online, visit this website. Enter your domain, select the options as shown in the image below, then click the Get DMARC Record button.

[Image: generating a DMARC record online]

You will get a result like the image below. Pay attention to the following 3 items:

[Image: DMARC record DNS entry]
  • DMARC record for: yourdomain.com
  • Record should be published at _dmarc.yourdomain.com
  • v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=quarantine

To create it manually, just copy the above record and replace dmarc@yourdomain.com with your admin email address, such as postmaster@yourdomain.com, or, if you have already created dmarc@yourdomain.com, you can use that as well.

How to use DMARC record?

Now we will create the DNS record for DMARC for your mail domain.

Host record | Type | Value
_dmarc | TXT | "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=quarantine"

Note: Notice the double quotes in the Value section.
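As an added example (not code from the article), the following parses the article's DMARC record, checks its required tags, and applies the p=/sp= policy the way a receiving server does: DMARC passes only when SPF or DKIM passes for a domain aligned with the From: header domain. The alignment test here is a simplification of relaxed alignment (equal or parent/child domains, no public-suffix list); the authentication results passed in are constructed.

```python
"""Parse a DMARC TXT record and apply its policy to authentication results."""

# The record the article publishes at _dmarc.yourdomain.com (constructed sample input).
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; "
                "ruf=mailto:dmarc@yourdomain.com; sp=quarantine")
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and check the tags a valid record needs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        if tag in tags and not tags[tag].startswith("mailto:"):
            raise ValueError(f"{tag}= must be a mailto: URI")
    return tags


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment (assumption): equal, or one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(tags, from_domain, spf, dkim, is_subdomain=False):
    """spf and dkim are (result, authenticated domain) tuples.

    Returns 'pass', or the policy (p= for the domain itself, sp= for subdomains)
    that the receiving server should apply to the message.
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

The second disposition case below is the one the article warns about: a spoofed From: address can carry a passing SPF result for some other domain, and it is alignment that makes DMARC still apply the policy.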

How to check whether the DMARC record is correct?

Go to the DMARC test page, enter your domain in the Domain Name box and click the DMARC Lookup button.

If you have set up everything exactly as instructed, the result will be correct and the test fields will be green.

What is reverse DNS?

When you build a mail server, you have to configure a DNS record that resolves the mail hostname mail.yourdomain.com to the IP address of the server.

However, that may not be enough. Some providers around the world, such as AOL, will reject your email if you don't have a reverse DNS record.

Take a look at the image below to see what a reverse DNS record is.

[Image: reverse DNS lookup]

The rDNS (reverse DNS) record resolves the IP address back to a domain name, which helps the receiving side confirm that the IP really belongs to your mail server.

Where do we need to configure rDNS?

  1. You need to configure rDNS at your hosting provider. Most hosting providers let you create the rDNS record yourself, but for some, such as AWS, Oracle, Google and Azure, you will have to ask them to set it.

Conclusion

Email security protocols play an important role in inbox delivery. Unless you have all of these protocols in place, your email is bound to end up in spam/junk. Therefore, you must pay attention to them.
