Welcome to End Point’s blog

Ongoing observations by End Point people

SPF, DKIM and DMARC brief explanation and best practices

Spam mail messages have been a plague since the Internet became popular and they kept growing more and more as the number of devices and people connected grew. Despite the numerous attempts of creation of anti-spam tools, there's still a fairly high number of unwanted messages sent every day.

Luckily it seems that lately something is changing with the adoption of three (relatively) new tools which are starting to be widely used: SPF, DKIM and DMARC. Let's have a quick look at each of these tools and what they achieve.

What are SPF, DKIM and DMARC

SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be considered allowed to send mail for a specific domain. Incidentally the fact that SPF is a DNS entry can also considered a way to enforce the fact that the list is authoritative for the domain, since the owners/administrators are the only people allowed to add/change that main domain zone.

DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages' content are trustworthy, meaning that they weren't changed from the moment the message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.

DMARC (Domain-based Message Authentication, Reporting and Conformance) empowers SPF and DKIM by stating a clear policy which should be used about both the aforementioned tools and allows to set an address which can be used to send reports about the mail messages statistics gathered by receivers against the specific domain [1].

How do they work?

All these tools relies heavily on DNS and luckily their functioning process, after all the setup phase is finished, is simple enough to be (roughly) explained below:


  • upon receipt the HELO message and the sender address are fetched by the receiving mail server
  • the receiving mail server runs an TXT DNS query against the claimed domain SPF entry
  • the SPF entry data is then used to verify the sender server
  • in case the check fails a rejection message is given to the sender server

Source [*]


  • when sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the "From:" header is included in its "signing table". If not the process stops here
  • a new header, called "DKIM-Signature", is added to the mail message by using the private part of the key on the message content
  • from here on the message *main* content cannot be modified otherwise the DKIM header won't match anymore
  • upon reception the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field
  • the DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy

Source [*]


  • upon reception the receiving mail server checks if there is any existing DMARC policy published in the domain used by the SPF and/or DKIM checks
  • if *one or both* the SPF and DKIM checks succeed while still being *aligned* with the policy set by DMARC, then the check is considered successful, otherwise it's set as failed
  • if the check fails, based on the action published by the DMARC policy, different actions are taken

Source [*]

The bad news: limits and best practices

Unfortunately even by having a perfectly functional mail system with all the above tools enforced you won't be 100% safe from the bad guys out there. Not all servers are using all three tools shown above. It's enough to take a look at the table shown in Wikipedia [2] to see how that's possible.

Furthermore there are some limits that you should always consider when dealing with SPF, DKIM and DMARC:

  • as already said above DKIM alone doesn't grant in any way that the sender server is allowed to send outgoing mail for the specific domain
  • SPF is powerless with messages forged in shared hosting scenario as all the mail will appear as the same coming IP
  • DMARC is still in its early age and unfortunately not used as much as hoped to make a huge difference
  • DMARC can (and will) break your mail flow if you don't set up both SPF and DKIM before changing DMARC policy to anything above "none".

Please work through the proper process carefully, otherwise your precious messages won't be delivered to your users as potentially seen as fraudulent by a wrong SPF, DKIM or DMARC setup.

What's the message behind all this? Should I use these tools or not?

The short answer is: "Yes". The longer answer is that everybody should and eventually will in future, but we're just not there yet. So even if all these tools already have a lot of power, they're not still shining as bright as they should because of poor adoption.

Hopefully things will change soon and that starts by every one of us adopting these tools as soon as possible.

[1] The lack of such a monitoring tool is considered one of the reasons why other tools (such as ADSP) in past have failed during the adoption phase.
[2] Comparison of mail servers on Wikipedia


Jon Jensen said...

Good explanations of complicated email details, Lele! These things would ideally just work behind the scenes but it's good for even less-technical people to have some idea of how things fit together.

On the pedantic side, I want to note that there is a specific SPF DNS record type, and the generic TXT record type is only a transitional fallback that some far future day shouldn't need be used for SPF anymore.

As you noted, DKIM uses TXT records now. I haven't seen any proposals to add a specific DKIM record type to DNS.

Emanuele 'Lele' Calo' said...

I used the TXT record as a referral cause the SPF record has been deprecated sine last August. [1]

But thanks for pointing out its existence otherwise people finding it would have been clueless of how to use/manage it.

For the moment I still always create the very same record *both* in TXT and SPF, but overtime it'll make sense to switch permanently (again) only to the TXT record.


Jon Jensen said...

Thanks for the pointer, Lele. I had not heard that the SPF record type is being phased out!

It's kind of sad that everyone went to the trouble to support a specific record type so you don't waste time fetching TXT records that may not have anything to do with SPF, and yet now it won't be used, but SPF record types will continue to be supported in DNS! So it goes, I guess.

I read the details here:

Lavanyam:) said...

I have a scenario with 3rd party vendors... Our company has a lot of 3rd party mail services. I have set up the dmarc with p - none and SPF records were updated with known sending servers. Could you please clarify a statement which I read in site about making 3rd party vendors Dmarc compliant.
1. Either add their sending servers to our spf records
2. Or share your DKIM private key to them

My question is, SPF checks for envelope from address so when the vendor sends mails on behalf of us, the from address will be our company address and envelope from will be his company. So then how will SPF pass? SPF will check the dns server of envelope from? Is my understanding right?

Secondly, DKIM checks from address or envelope from address? How does it work when we share the private key

lucas said...

I know this post is old. But I'm helpless.
I have administrated 2 Google Apps for 9 years already and the last year I started to configure SPF, DKIM and DMARC and SPAM just got worse. I get many impersonations (sending emails with my domain that doesn't exist), many DMARC fake reports and so on.
I've re-checked and it's correctly configured.
My feeling is that using those 3 have worsened. Why I think that? Because my 2ยบ Google Apps account didn't have any of this and I hadn't this kind of spam. Since I've transferred my domain from google to another registar and setup the SPF, DKIM and DMARC it start right away with those nasty spams.
Am I crazy?