SPF and DKIM don't stop spoofing: why you need DMARC
- Matteo
- 6 min. read
- DMARC is a mechanism that lets organizations enforce that their emails are delivered to recipients only if they’re properly authenticated and actually coming from their domain.
- A common misconception is that SPF and DKIM are enough to prevent spoofing attacks, but they’re not.
- DMARC ensures that SPF and DKIM identifiers are aligned with your domain, thus preventing these attacks. DMARC also lets you define a policy to apply on failure and supports the generation of reports.
There’s a fact that most people don’t fully realize, and it’s that electronic mail is unauthenticated by design: anyone can spin up an SMTP server (the software that is responsible for sending emails behind the scenes) and send emails from any domain.
In fact, in SMTP there’s no built-in mechanism to verify the identity of who’s sending an email, so anyone can send a message pretending to be someone else. This can be prevented by setting up email authentication (SPF and DKIM) and, most importantly, DMARC.
In short, DMARC is a mechanism that lets organizations express that they want their emails delivered to recipients only if the messages are properly authenticated and actually coming from your domain name, fixing some SPF and DKIM shortcomings.
Let’s dive into this topic in more detail.
It all starts with SPF and DKIM
When you configure email sending on a custom domain, one of the first things you’ll do is to set up SPF and DKIM, which are the two authentication mechanisms on which DMARC relies.
Both of these are relatively recent (SPF as we currently know it was formalized in 2014, DKIM in 2011) but are essential to achieve DMARC compliance.
In summary, this is what SPF and DKIM do:
- SPF checks whether the sending domain explicitly authorizes the sending SMTP server to send email for that domain. If it doesn’t, it means that someone is using an unauthorized SMTP server to spoof the domain.
- DKIM provides a mechanism to digitally sign and verify the contents of an email message. It ensures that the integrity of a message is preserved (i.e. it wasn’t modified while being transmitted through the network) but also serves as an authentication mechanism: if a DKIM signature, which is tied to a domain, is valid, we know that only the domain owner could have created that signature (unless something very bad happened).
A common misconception is that SPF and DKIM are enough to prevent spoofing: after all, if you ensure that the sending server is authorized to send from your domain, and in addition to that you also have a valid cryptographic signature that only the domain owner can generate, you have just proven that an email message is legitimate.
Unfortunately there’s a catch: SPF and DKIM alone do not prevent spoofing, unless DMARC is also configured.
SPF and DKIM aren’t enough
The reason why SPF and DKIM alone do nothing to prevent spoofing is that when we reason about spoofing we think about the From address, while SPF and DKIM use different identifiers.
The From address is the one that you see in your email inbox, the address that we commonly refer to as the email sender.
SPF and DKIM do not look at the From address, at all! Here’s what they do instead:
- SPF is a mechanism that works at the SMTP level, since its purpose is to validate whether a mail server is authorized. Therefore, it runs its checks not on the From address but on another address that is often called the Envelope From. This address is to be found outside the actual email message: it’s what SMTP servers use to communicate.
  - It’s trivial for an attacker to use a valid Envelope From they control while spoofing the From address, and SPF wouldn’t catch that!
- DKIM signatures have a similar issue: they are tied to a domain, but the signature domain has nothing to do with the From domain. It can really be anything.
  - It’s trivial for an attacker to generate a valid DKIM signature for a domain they control, but this would do nothing to prove that the From address is valid.
You might have grasped where we’re going: if we ensure that all these identifiers are aligned to the From address, we can solve this issue and easily detect if an email is spoofed. That is indeed DMARC’s core.
What DMARC does
DMARC is the acronym for Domain-based Message Authentication, Reporting, and Conformance and was formalized in 2015.
It mainly does three things:
- DMARC provides an algorithm to verify alignment of authentication mechanisms. In practice:
  - If SPF checks pass, it verifies that the Envelope From domain is aligned with the From domain (with a level of strictness that you can decide).
  - For valid DKIM signatures, it checks that the DKIM signature domain is aligned with the From domain (you can apply different levels of strictness here too).
  - If at least one of these two alignment checks passes, DMARC says OK. Otherwise it fails and we say that the message is not DMARC compliant (or not DMARC aligned).
  - Be careful you get this right (there’s lots of incorrect information on the web): you can get a successful DMARC result by achieving either SPF alignment or DKIM alignment. You can have both, but you don’t need both. This is an essential property that prevents “incorrect” failures when an email is forwarded by a server.
- DMARC defines a DNS record format that can be used to specify the level of alignment strictness and the action that should be taken when DMARC alignment fails, i.e. the DMARC policy.
  - The DMARC policy can be none (do nothing, accept the email message), quarantine (move the email to spam) or reject (refuse to deliver the email message). In practice, each email provider interprets the policy in its own way so you shouldn’t take this literally.
- DMARC also provides a way to get visibility into DMARC checks and the actions taken by mail servers. This is where DMARC reporting comes into play: in the DMARC DNS record you can specify an inbox address that will receive XML reports from mail servers periodically.
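To make the alignment rules concrete, here is an added example (not code from the original article or from DMARCwise) that parses a DMARC TXT record and evaluates a message the way a receiver would, covering both the spoofing scenario from the previous section (SPF and DKIM pass for a domain the attacker controls, but nothing aligns with the From domain) and the "either SPF or DKIM alignment is enough" rule above. The SPF and DKIM verdicts are assumed to be computed already; the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List, and all domains are constructed sample values.

```python
def org_domain(domain: str) -> str:
    """Approximate the RFC 7489 organizational domain as the last two labels.
    Assumption: a real evaluator consults the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Alignment modes default to relaxed ('r') when the tags are absent."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def evaluate_dmarc(record: str, from_domain: str, spf_result: str,
                   envelope_from: str, dkim_results: list) -> tuple:
    """Return (dmarc_pass, disposition). spf_result is the receiver's SPF verdict
    for envelope_from; dkim_results holds (d= domain, verdict) pairs per signature."""
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(envelope_from, from_domain, tags["aspf"])
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, tags["adkim"])
                       for d, res in dkim_results)
    # Either aligned identifier is enough: both are NOT required.
    if spf_aligned or dkim_aligned:
        return True, "none"          # passed; no policy action is taken
    return False, tags["p"]          # failed; apply the published policy

if __name__ == "__main__":
    # Constructed scenario: SPF and DKIM both pass, but only for the attacker's
    # own domain, so neither identifier aligns with the From domain example.com.
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(evaluate_dmarc(rec, "example.com", "pass", "attacker.example",
                         [("attacker.example", "pass")]))   # (False, 'reject')
    # Forwarded mail: SPF breaks, but the original aligned DKIM signature survives.
    print(evaluate_dmarc(rec, "example.com", "fail", "forwarder.example",
                         [("mail.example.com", "pass")]))   # (True, 'none')
```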
Why you need DMARC
Overall, there are a few reasons why you would want to set up DMARC:
- Prevent email spoofing, i.e. unauthorized people sending emails from your domain. This is especially important to ensure that your users aren’t tricked into phishing campaigns. It also helps preserve the email sending reputation of your domain and avoid ending up in the spam folder.
- Comply with email providers’ requirements: in 2024, Google and Yahoo started requiring DMARC on incoming mail from high-volume senders. If you send emails to Gmail addresses, you may be affected by this. Even if you aren’t, this is likely just Google’s and Yahoo’s first step in a path to enforce DMARC checks on all incoming email, and organizations must prepare in advance.
How to achieve DMARC compliance
Setting up DMARC is something that needs to be done carefully, to avoid causing rejections on destination email servers.
The typical way to do it is to set up DMARC without enforcing it, while monitoring if your emails are getting through with DMARC reports.
One way to simplify DMARC compliance is by using DMARCwise, a DMARC monitoring and analysis tool. You can start for free here, or you can read our Guide to DMARC compliance to learn more.