What are SPF, DKIM and DMARC records?
This guide provides an explanation of what SPF, DKIM and DMARC records are used for. In order to add these records to your hosting, please use this guide.
What is SPF?
To put it simply, SPF (Sender Policy Framework) is a way to stop hackers and spammers from sending out spoofing emails using your email address.
Don't they need my email password to do that? No. A password is only needed to see what emails an email address has received. Think about your mailbox (hopefully secured with a lock and key). Only a person with the right key (or password) can access your mailbox and read the letters inside. However, anyone could send a letter pretending to be from you, and write your address in the return field. Email is exactly the same in this regard.
How does SPF stop that? Think of SPF as your secretary. Whenever someone gets an email with your name on it, they call your secretary and ask them if that email came from you. If not, whoever receives the email will throw it in the junk.
In more technical terms, an SPF record lists IP addresses and domain names of the servers that are allowed to send email from your email address. When an email is sent, the receiving server records what IP address the email came from. It checks if that IP matches one in the SPF record, and if not the email is rejected. Potential hackers would need a password both to edit your SPF and to send email from servers you've authorised, so this prevents email spoofing.
SPF records often include records like spf.mailcluster.com.au. In this case, the IPs in this domain's SPF record are also included as permitted senders. These are often used by companies with changing mail clusters - rather than keeping thousands of SPF records updated when a change is made, the records for the mailcluster are altered instead.
What is DKIM?
DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was sent and authorised by the correct email account, and wasn't modified in transit.
This is done by generating a digital signature for the email. This DKIM signature is encrypted and added to the message. If the email is altered between the time that it is sent and received, the signature will no longer match. The email server receiving your email can check the signature in the email, and reject the email if it doesn't contain exactly the right signature.
As an example, if you send a letter containing your will to your lawyer, you may be worried that the letter could be could be intercepted and changed before it is delivered. To prevent this, you could fold and scrunch up the letter in a way that will produce a very specific pattern of creases that's impossible to recreate exactly. You could then send a secret communication to your lawyer describing the pattern in its finest details. If anyone was to open up the letter and make modifications, this would alter the pattern. When your lawyer receives the email, they would check to see if the pattern perfectly matches your description, and would reject the letter if it doesn't.
To generate a DKIM signature, some elements of the email (generally the message body, attachments and some default headers) are hashed. This creates a unique string (called a DKIM signature) that can only be reproduced by performing the same hashing function on the same text. If the message is changed even a small amount, a completely different text string will be generated. The DKIM signature is then encrypted using a Private key which is only known by the sender, and sent through in the email headers. A TXT record also needs to be attached to your domain with the Public key that allows the DKIM signature to be decrypted. This DNS record is known as a DKIM record.
When the recipient gets the email, they will detect the DKIM signature and query your server for the appropriate DKIM record. Using Asynchronous Encryption, they are able to reconstruct the DKIM signature. The email server will then perform exactly the same hashing function on the email and headers, and compare the result to the DKIM signature. If the two match, the email could not have been modified in transit.
Logging into cPanel is required to edit your DKIM record. It is also impossible to replicate the encryption without access to the Private key, so the fact that the message could be decrypted by your Public key proves that it originated from your server.
Note: DKIM does not encrypt the message contents, but does provide authentication to your recipients that your emails are being sent from you and have not been altered.
Do I really need it? Unlike SPF, DKIM is only directly useful for the most important and private emails you send. However, it's important in the global fight against spam and junk mail. By having DKIM enabled, the receiving server has one more method to verify that your email isn't spam, and will be more likely to let it into the users inbox rather than their junk folder. Plus, it's easy to set up and once set you can forget about it.
What is DMARC?
While it's a complex tool, the basic function of DMARC (Domain-based Message Authentication, Reporting & Conformance) is to answer the question: "What happens if emails I send out fail an SPF or DKIM check?" DMARC tells a server whether to accept or reject emails that fail SPF/DKIM checks, and allows you to specify how you are notified of those failures.
Do I need it? DMARC does not provide a security increase, as unlike SPF and DKIM it does not provide a way to authenticate your mail. However, DMARC is still a very useful tool for two reasons. Firstly, when a hacker spoofs your email they typically do this for a number of days/weeks, and the recipient's server will send you bouncebacks of every spoofed email sent. These come through as legitimate emails which can fill up your mailbox. DMARC provides options for how these bouncebacks are handled. Secondly, if you're sending important emails out, a DMARC record can let you know if the email didn't reach one of its intended recipients.