Email Handling

Objective

This page presents what needs to be set up in order to send email that does not get rejected or put in the recipient's spam folder.

Combating Spam & Phishing 

  • Spam and phishing messages have been a problem since the Internet became popular, and the volume has kept growing exponentially.
  • Despite the numerous attempts at creating anti-spam tools, there’s still a fairly high number of unwanted messages sent every day.
  • To combat spam email, three tools were developed: SPF, DKIM and DMARC.
     
Steps to Build

DomainKeys Identified Mail (DKIM)

What is DKIM

  • It’s an authentication technique that allows the receiver to check that an email was sent and authorized by the owner of that domain.
  • The receiver checks that the email is signed with a valid DKIM signature.
  • This verifies that the email hasn’t been modified.

DKIM Header

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork;
 c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
 h=from:to:subject:date:keywords:keywords;
 bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
 b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
   VoG4ZHRNiYzR

How to add a DKIM signature

  • Adding DKIM requires changing some details of your DNS records.
  • Larger email providers document how this is done, for example:
    • MailChimp
    • AWeber
    • SendGrid
    • Gmail
    • Sendinblue
    • Mailjet
    • Outlook & Office 365

Manually Creating DKIM records

  • Create a TXT record on the DNS server

     Type:     TXT
     Name:     [selector/key]._domainkey.[Domain].
     Value:    v=DKIM1; p=[YourPublicKey]
     Selector: [key]

  • Example

     Type:     TXT
     Name:     key001._domainkey.tel99.com.
     Value:    v=DKIM1; p=[YourPublicKey]
     Selector: key001

How to test DKIM

  • DKIM records have to be validated online.
  • Many sites do this testing, such as MXToolbox or Mail-tester.com.

Sender Policy Framework (SPF)

What is SPF

It is a protocol that helps mail servers decide whether to receive or reject an incoming email based on its source address/domain.
This is done using information in TXT records that list authorized IP addresses.
If the email has been sent from one of these addresses, it can be accepted as legitimate.

What’s in an SPF Record

Simple SPF record

v=spf1 mx a include:<domain> ip4:x.x.x.x -all

Example:

v=spf1 mx a include:smtp.emailacct.com include:smtp.sendgrid.net ip4:24.34.6.87/32 ~all

Create SPF Record

  • Create a TXT record in DNS

Example SPF Record:
Type:   TXT
Name:  @
Value:  v=spf1 mx a include:mail.example.com -all
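
An offline sanity check for an SPF value before it is published, run over this page's own example records; this is an added example, not part of the original page. It counts only the terms written in the record itself (an include can add further lookups at evaluation time), and the function name lint_spf is an assumption of this example.

```python
import ipaddress
import re

# Terms that cost a DNS query during evaluation; RFC 7208 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint_spf(record):
    """Return (lookup_count, all_result, problems) for one SPF TXT value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, None, ["record must start with v=spf1"]
    lookups, all_result, problems = 0, None, []
    for pos, term in enumerate(terms[1:], start=1):
        # A missing qualifier defaults to "+" (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(body.partition(":")[2], strict=False)
                if net.version != int(name[2]):
                    raise ValueError
            except ValueError:
                problems.append(f"{term}: not a valid {name} network")
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
            if qualifier in "+?":
                problems.append(f"{term}: does not restrict who may send")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms; more than 10 yields permerror")
    if all_result is None and "redirect=" not in record.lower():
        problems.append("no 'all' term; unlisted senders get a neutral result")
    return lookups, all_result, problems


if __name__ == "__main__":
    # The two example records from this page, plus the unfilled template.
    for rec in (
        "v=spf1 mx a include:smtp.emailacct.com include:smtp.sendgrid.net ip4:24.34.6.87/32 ~all",
        "v=spf1 mx a include:mail.example.com -all",
        "v=spf1 mx a include:<domain> ip4:x.x.x.x -all",
    ):
        print(lint_spf(rec))
```

The unfilled template is reported because ip4:x.x.x.x is not a network, which catches a placeholder published by mistake.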
 

Domain-based Message Authentication Reporting and Conformance (DMARC)

What is DMARC

  • DMARC was the result of collaboration between engineers from Microsoft, PayPal, Yahoo! and Google.  
  • Uses DKIM and SPF to perform more advanced checks on emails that are received.
  • SPF validates that the source of the email is authorized.
  • DKIM uses a digital signature to authenticate the email. 
  • The receiving server is able to recreate the values with a public key and compare them against the signature received.
  • If the values don’t match, the DKIM check fails.
  • The DMARC record instructs the incoming server as to what action to take with an email that has failed. 

DMARC and Failed Emails

  • DMARC has 3 choices with failed emails
  1. ‘None’ – directs that the email should be treated as if no DMARC was set up (a message can still be delivered, put in spam or discarded based on the other factors). 
  2. ‘Quarantine’ – allow the email but it’s not to be delivered to an inbox (usually, such messages go into the spam folder).
  3. ‘Reject’ – discard the message that fails the check.
  • A receiving server will send reports for failed DMARC verification with data about the failures. 
  • This is so you can analyze the performance of your messages and stay aware of any phishing and spam attempts.
  • This helps you to be proactive when issues occur.

DMARC Record

A sample DMARC record:

v=DMARC1; 
p=reject; 
rua=mailto:dmarc-rua@square.com,mailto:dmarc_agg@vali.email,mailto:postmast…; ruf=mailto:dmarc-ruf@squareup.com

Recap

  • SPF checks that the IP address the email comes from is authorized
  • DKIM checks the message using keys for signature-verification
  • DMARC provides
    • instructions on what to do when an email fails
    • reporting back to the source about issues

Conclusion

If this was TL;DR for your taste, you might like reading https://dri.es/securing-my-email-with-spf-dkim-and-dmarc.
