Securing Email

Securing your email is a critical part of protecting yourself and your business from scams and losses. The FBI IC3 2024 Annual Report identified Business Email Compromise and Phishing/Spoofing as one of the biggest problems causing a combined $2.8 billion in losses in 2024 alone.

One of the best ways to protect yourself and those you interact with is to secure and authenticate emails you send. Without tools like SPF, DKIM, and DMARC to authenticate your your messages, scammers can send messages that appear to come from you without having access to your account or server.

I have you covered; below are Protocol Summaries, Implementation Guides, and additional resources that will help you configure and protect your email and brand identity.

Don't send email from your domain?

If you don't send email from your domain, you only need two DNS records that reject all email sent from your domain:
SPF: TXT @ "v=spf1 -all"
DMARC: TXT _dmarc.yourdomain.com "v=DMARC1; p=reject"
(note that yourdomain.com should be the domain you're modifying, as in _dmarc.maxwellcti.com)

Email 101: Email Authentication

Let's cover the basics if this is your first time looking into this or you need a refresher.

Email is one of the oldest protocols of the internet, and has been around since at least 1980.^[1] Back in those days, there wasn't a lot of concern about verifying who was sending the email, just that it got to where you sent it. Because of this, there were no authentication protocols built into it; just send and receive. Without verification, you (and attackers) can send an email as anyone else without having access to their accounts.

What is spoofing?

Emails that impersonate another email address are called spoofing emails. Changing the display name for an email is easy, and doesn't impact email authentication. You've probably received many emails over the years claiming to be from businesses

Securing Email-1.png

Common spoofing attacks take a variety of forms:

Impersonating people within or partnered with your organization to intercept and redirect funds, gain access, or get people to install malware.
1. "Dear HR, I changed my bank recently; please send all paychecks to..."
2. "Accounts payable, please use the updated routing number below..."
3. "This is your IT department; please download the urgent security patch below..."
Send you an email as you to make you more likely to click the link.
1. This often looks odd, and our natural curiosity as humans leads to more clicks.
Using your domains reputation to make unrelated scam emails more likely to be delivered.
1. Domains build up reputation over time, and an older domain with a long history of email traffic is more likely to be delivered than a new domain setup yesterday.
2. This hurts your domain's reputation and makes it more likely that real emails will be sent to spam.

How does authentication work?

Since 1980, we've come up with three protocols to help authenticate email; SPF, DKIM, and DMARC. Combined, they are used to identify servers that are permitted to send email on your behalf, signing certification to authenticate legitimate email, a define a policy for emails that fail authentication.

It is critical for all three protocols to be configured correctly to ensure real emails get delivered.

SPF was the first protocol released, and it includes both a basic authorization and policy process. It lists sources which are allowed to send email, and says what to do with everything else. The policy component was replaced with DMARC, but some email hosts still rely on SPF for authentication.

DKIM signs emails sent from your approved servers and provides recipients with a public key to verify the signature. This ensures that the emails are not changed in transit and makes sure that any routing problems don't lead to authentication failures.

DMARC checks if the SPF and DKIM authentication checks passed, then confirms that they match (or align with) the sending domain, and if at least one of them both passes and is in alignment, marks the email as legitimate. If an email fails both SPF and DKIM checks, then DMARC tells the recipient server what to do with the email; nothing (none), send it to junk (quarantine), or do not deliver it to the mailbox (reject). It also provides addresses for receiving servers to send DMARC Reports, which include details on what emails they've received and whether they passed or failed authentication. The reports are not very easy to read by themselves, but can be interpreted by services or scripts.

The broader email ecosystem

Email authentication doesn't happen in a vacuum. In lieu of consistent SPF/DKIM/DMARC configurations, many companies rely on heuristic analysis of emails to determine if they are phishy or not. Additionally, the policies set forth in SPF and DMARC are more like guidelines, and while many email hosts comply with them, some have made decisions not to reject emails based on DMARC policies alone. This means that even if you have a well-defined policy set to reject inauthentic mail, some mail hosts could still deliver them to mailboxes.^[2]

Additionally, Google, Yahoo, Apple Mail, and Microsoft require all domains which send more than 5,000 emails in a day to have a valid DMARC policy.^[3] While a policy of none technically meets the requirements, it still leaves you and your domain vulnerable to spoofing.

Protocol Summaries

SPF

SPF (Sender Policy Framework) is a mechanism that identifies email servers that are authorized to send email from your domain.
- Uses a TXT record^[4] on your DNS host/nameserver
- Recipients perform a DNS lookup to confirm the sender.
- If there is no DMARC record present (or the receiving server is not configured to check DMARC), then mail will be authorized or denied based on the SPF record policy.
Receivers perform an SPF Lookup by comparing the incoming mail's sending server to the list of authenticated senders in the SPF record.^[5]
- If the email comes from an authorized sender, the email will pass the SPF lookup.
  - DMARC would check for SPF Alignment by comparing the SMTP MAILFROM and the email's "From:" fields to make sure they match.
- If the sender is not authenticated, then the email either fail or softfail the SPF lookup.
  - This means the email will rely on DKIM to pass DMARC and could result in undelivered mail.
    - SPF alignment often fails in cases where email is automatically forwarded (e.g., from a professional account to a personal account, or if the email is sent to a distribution list), so it is best to have both SPF and DKIM enabled where possible.
- If the SPF record is missing, most receivers will treat is as a none or neutral result.
  - This means that the receiver's policies will play a bigger role in whether the email is delivered or not.
Each sending mail server/domain must be identified
- This can be directly via IP or through a domain/DNS lookup
  - SPF is limited to 10 DNS lookups, and is evaluated all at once.
    - Going over 10 causes a PermError.
  - TempError is often caused by a transient (e.g. temporary) DNS lookup error.
    - It can be caused by recipient policies or a DNS lookup timeout; there may not be much you can do, but you should still check your record to make sure it's well below 10 look ups.^[6]
  - Once the SPF record is validated, the receiving email server matches the sending email server's address against the SPF record, stopping at the first match and corresponding action (pass, softfail, etc.)
Use subdomains for third-party services where possible.
- Configuring a unique subdomain (like newsletter.example.com) for email marketing services can help you stay below the 10 lookup limit with a separate SPF record isolates reputation harm from from misconfigured vendors.
- It is not recommended to add marketing services, like Mailchimp or Sendgrid, to your main SPF record
  - Marketers use tons of servers to send mail to get around spam filters, and because of this, SPF DNS lookups often reach their limit before getting to the root IP and fail authentication.
SPF Authorizes a list of approved senders and provides weak^[7] Authentication by comparing the sending IP against the list of approved senders.

DKIM

DKIM (Domain Keys Identified Mail) is a mechanism that authenticates all messages sent from a domain using asymmetric key cryptography.
- DKIM uses two keys; a private key used for signing, and a public key for verification
- The administrator publishes the public key to the DNS record
- The sending server signs all out-bound messages by using the private key to generate a hash from the message headers and body.
- Recipients verify the signed email against the public key
The DKIM key is shared via a TXT record
- DKIM records are differentiated with key selectors, and each email server requires its own public/private key pair.
  - You may have multiple DKIM records with different key selectors.
  - Because authentication occurs by key pair, tools like MxToolBox often require the selector to test and validate the correct key.
- Can also be configured as a CNAME record^[8] which points to the actual DKIM TXT record.
  - CNAMEs are often used by service providers to allow them to manage and regularly cycle keys without bothering clients.
- When rotating keys, you’d publish selector1._domainkey and selector2._domainkey simultaneously, switch signing to the new key, then remove the old record after clients have refreshed.
Only servers with access to the private key are able to generate a valid signature, and proves the message was sent from an authorized sender.^[9]

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a mechanism that tells a receiving email server what to do based on the SPF and DKIM authentication checks.
- DMARC checks whether the domain passes the SPF and DKIM authentication checks and that the email's "From" field is aligned with the SPF and DKIM authenticated domains.
  - DMARC only checks for alignment if the authentication passes first.
- If an email's "From" domain is aligned with either the SPF or DKIM authenticated domains, then it can be delivered.
DMARC Alignment requirements can be "Relaxed" or "Strict"
- Relaxed means email from a matching root-level (or organization level) domain will align
  - e.g., marketing.example.com will align with example.com
- Strict means that the domain in the email must exactly match the authenticated domain
  - e.g., marketing.example.com would fail to align with example.com
Delivery aggregate and failure reports can be sent to designated email addresses for review
- These reports are critical for troubleshooting and setup.
  - failure/forensic reports are not generated by many mailbox providers for GDPR/privacy regulation compliance, so you may be stuck with aggregate reports
- DMARC can also be configured in purely an audit mode without SPF and DKIM; no action is taken, but you get reports on who is sending emails on your domain's behalf and whether they succeed for fail authentication.
- Reports can be analyzed using DMARC Report Analyzer, which can ingest and process manually downloaded reports or connect automatically to an email account to download reports.
  - If you do not have an easy way to process these reports or create an account to receive them, services like DMARC Report^[10] offer free report monitoring for a single domain and up to 10,000 email reports per month.
  - Additionally, Cloudflare offers free DMARC report management for domains configured with their service.
There will most likely only be one DMARC TXT record on your DNS host.
- Like SPF, it applies to all emails sent from your domain, and not to specific hosts like DKIM
- The sp tag can be used to apply a different policy action on subdomains
  - However, if you want more granularity (like different aggregate/failure report addresses), you can add another record for that subdomain.
DMARC verifies authentication by requiring alignment with either SPF or DKIM, specifies a policy instructing receivers how to handle unauthorized senders, and generates XML reports sent to the domain owner for Accounting.

Note

If you are reviewing old records, you might see a DKIM record with v=DKIM1; o=~. This is an outdated and unused spec; it can be deleted without issue.^[11] ^[12]

Extras

I'm not covering these protocols in this guide, but you may see them referenced elsewhere and might be interesting for you to investigate.

BIMI

BIMI (Brand Indicators for Message Identification) allows you to visually brand email sent by authenticated servers by adding your logo to the profile icon in recipient email clients.
Most major email providers (e.g., Gmail) require a trademarked image, verified with a PEM certificate.

MTA-STS and TLS-RPT

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism by which all email sent to and from your email server is sent over TLS connections.
TLS-RPT (TLS Reporting) is a standard that allows reporting of any encryption issues, and is helpful in triaging MTA-STS issues.

Implementation

Below is an implementation plan and syntax guides for each protocol. To ensure a smooth roll-out, I encourage you to plan your steps carefully and make sure your syntax is correct.

Note

Many experts recommend configuring SPF and DKIM records at least 48 hours before DMARC,^[13] ^[14] but I don't think this is efficient.

Even though all email sent during this period will show as "failed authentication," setting up DMARC in audit mode (with p=none) as the first step will provide you with more information sooner about who is sending email on your organization's behalf. This can help you correct your SPF and DKIM records more quickly, and there is no risk of email delivery failure. You just need to be absolutely certain that DMARC is set to p=none so no action is taken on emails that fail authentication.

Implementation Plan

Configure DMARC to generate delivery reports
1. Create two email accounts dedicated to DMARC aggregate reports and failure/forensic reports
  1. For example, dmarc_aggregate@example.com and dmarc_failures@example.com
2. Add the following DMARC policy to each domain you are managing (adding the appropriate addresses you created earlier):
  1. v=DMARC1; p=none; rua=mailto:[aggregate report email address]; ruf=mailto:[failure report email address]; fo=1
    1. This policy takes no action on emails which fail authentication and requests that reports are sent to your designated email addresses.
  2. If DMARC reports are going to be sent across different domains,^[15] then make sure you create a TXT DMARC report record (described below) on the receiving domain saying which domains are allowed to send DMARC reports.
    1. For example, if you want example.com to send DMARC reports to aggregate@contoso.com, you would need to create a DMARC report record on contoso.com's DNS name server.
  3. fo=1 will generate DMARC forensic reports for either SPF or DKIM failures, which can be helpful when troubleshooting problems during setup.
    1. Obligatory reminder that most providers do not send forensic reports, so fo and ruf can be ignored if desired.
3. Note: Some providers require SPF and DKIM records before you can create a DMARC record, even in audit mode.
Configure one SPF record for each domain that identifies non-marketing mail senders
1. Most mail providers have a tool to generate SPF records, or will have one available for you to copy and paste; review it and make sure it has everything you need and is strict enough for your risk appetite.
  1. Some email servers don't handle DMARC records, so try to use -all on your primary domains to reduce the likelihood of spoofing.
2. Do not add email marketers like Mailchimp or Sendgrid to your SPF record; this will cause DNS lookups to exceed 10 hops and cause authentication failures.
3. If you use an email marketing service provider, create a subdomain and set the last tag as ~all and not -all to reduce the chance authentic messages are rejected as spam.
  1. Using a subdomain, like newsletter.example.com, to send email newsletters or marketing material allows you to create a unique set of SPF records for that subdomain.
  2. Unique subdomains also preserves the domain reputation for your primary domain and makes it easier to identify and isolate delivery problems.
Configure DKIM records for every sending host
1. Each sender (Microsoft Exchange, Gmail, Mailchimp, etc.) will have instructions on how to add DKIM records to your name server.
Review DMARC reports
1. It can take 48 to 72 hours for reports to start coming in.
  1. This is because DMARC records usually check for updates every 24 hours, and for global propagation it can take double that time.
  2. If you are not seeing aggregate reports after 48 hours, check the record to make sure there aren't any typos. The resources below can really help.
2. These reports are XML documents and are frequently zipped before being attached
  1. Over the next couple of weeks to couple of months,^[16] review these reports to see how mail is being delivered.
    1. MxToolBox has an online DMARC Report Analyzer which converts the reports into an (online only) spreadsheet.
    2. If you're comfortable running scripts, DMARC-Report-Analyzer is a Python-based analyzer which can download files directly from your report inboxes and format them into a spreadsheet.
3. Check to make sure that all authentic mail is passing SPF and DKIM authentication, and adjust your SPF and DKIM records as necessary.
  1. This is also a great way to uncover shadow IT and rogue service providers.
Update SPF and DKIM records as needed
1. Chances are you will have missed a service during your initial setup or there's a misconfiguration.
2. There is also a chance you will see inauthentic or malicious mail getting delivered.
  1. The forensic/failure reports give you a lot of information about the email, including the sender, subject, and recipient, so you can reach out to the recipient if necessary.
Enforce DMARC policy
1. Once you are confident that authentic email won't fail authentication, change the p= tag in DMARC to quarantine or reject to begin blocking unauthenticated mail.
  1. Quarantine tells receiving servers to send failed email to junk, which can be helpful if you want to ensure that all legitimate email be delivered, but spoofing email will also get delivered to junk, increasing the chances of a victim falling for an attack.
  2. As mentioned before, it will take up to 48 hours for the changes to fully propagate.
2. You can also add a pct= tag to only apply the policy to a percentage of unauthenticated mail
  1. For example, pct=30 would only apply the policy to 30% of messages who fail SPF and DKIM authentication checks.
3. You can now remove the fo=1 tag from the DMARC record because you should have a very good idea about how your mail is authenticated and you only care about if mail isn't being delivered.
4. Here's an updated version of the DMARC record we created earlier after ensuring that all authentic email is being delivered.
  1. v=DMARC1; p=reject; rua=mailto:[aggregate report email address]; ruf=mailto:[failure report email address]

SPF Implementation

The syntax guide on Open-SPF is phenomenal, but for simplicity, here's an example of a sub-optimal SPF record.

SPF Qualifiers

SPF uses qualifiers to indicate whether a source is permitted or unauthorized. They're also used to enforce policy if there's no accompanying DMARC record or if the receiving server is not equipped to handle DMARC policies.

+ = Pass, the email originating host is allowed to send.
This is the default, and does not need to be explicitly written out.
- = Fail, the originating host is not allowed to send and messages should be rejected.
~ = SoftFail, originating host is not officially allowed to send, but authentic mail may be sent from it.
? = Neutral, or no policy.

Name: @
Type: TXT
TTL: 3600
Value: v=spf1 +a mx ip4:123.45.67.89 a:contoso.com include:spf.example.com ~include:olddomain.com -all

The SPF record is first checked as a whole to ensure it is a valid record and falls below the 10 maximum DNS lookups. Then the record is processed in order, and once the email is matched to a qualifier, it stops getting processed. Let's break it down.

Name: @
1. @
  1. Designates the domain to which the SPF record applies; @ is the current top-level domain (e.g., example.com)
  2. Can also use a subdomain, like mail or mail.example.com, with the exact formatting dependent on your DNS name server.
Type: TXT
1. This is a text record (as opposed to A, CNAME, etc.)
TTL: 3600
1. The time to live is 1 hour (3600 seconds)
2. This is an expiration date for the SPF record, and helps DNS servers maintain up-to-date records.
Value: v=spf1 +a mx ip4:123.45.67.89 a:contoso.com include:spf.example.com -all
1. v=spf1
  1. SPF version 1
  2. There is currently only one version.
2. +a
  1. The + qualifier passes emails which match this sender
    1. Because the + is the default qualifier, is not normally explicitly stated, and will not be stated in further records.
  2. The a tells the recipient to check the current domain's DNS for A records (e.g., IPv4 addresses) and mark them as designated senders
  3. Note: dmarcian recommends avoiding a entries as they are often unnecessary and increase the number of lookups.^[17]
3. mx
  1. Check the current domain's DNS for MX records and mark them as designated senders
    1. Note: Since the default mechanism is +, it does not need to be explicitly written out
  2. The mx mechanism resolve to the A/AAAA records, which can trigger additional lookups.
    1. Note: dmarcian recommends avoiding mx entries as they are often unnecessary and increase the number of lookups.^[18]
4. ip4:123.45.67.89
  1. Designates the IP address 123.45.67.89 as an authorized sender
  2. Could also be used to designate an IP range (e.g., ip4:123.45.67.0/24)
  3. Note: Use ip6: to designate an IPv6 address or range.
5. a:contoso.com
  1. Checks contoso.com for A and AAAA records^[19] and designates them as authentic senders
6. include:spf.example.com
  1. Checks spf.example.com for its SPF record and includes that in the current SPF record lookup
  2. Be careful as this can bring you much closer to the 10 DNS lookup limit and cause a PermError
7. ~include:olddomain.com
  1. This marks emails from olddomain.com with a "softfail" qualifier, indicating that emails from that domain shouldn't be rejected outright, but possibly tagged as suspicious.
8. -all
  1. Fail all originating hosts that have not been matched to this point in the record
    1. Because this is the last entry, any email that is authenticated by one of the earlier entries will get through, and everything else will fail authentication
    2. This is similar to Firewall configurations where the last rule is often deny any any
  2. Because this is a Fail qualifier, it must to be manually written out as -
    1. ~all is also frequently seen in default configurations, and is used when transitioning between services or when using email marketing services (Mailchimp, Sendgrid, etc.) which do not get added to the SPF record.
  3. The last entry is always an all mechanism, which sets the qualifier for any email that doesn't match any earlier mechanism.

Honorable mention: `redirect`

If you manage multiple domains and subdomains that all point reference the same record and information, you can configure them to all point to the same SPF record with a redirect. This replaces the entire SPF record and does not count towards the DNS lookup limit, and can reduce the headache of managing multiple identical SPF records.

A subdomain that redirects to an "spf-primary" record would look like this: mailer.example.com txt "v=spf1 redirect=spf-primary.example.com"

Managing DNS Lookups and DNS Flattening

Going above 10 DNS lookups will cause a permanent error for your SPF record, preventing it from being used for authentication. Because most SPF records will point to external mail services whose structure could change without notice, it's important to stay as far below 10 as possible so you don't accidentally begin erroring out.

There are a few tools you can use to check the number of lookups you have:

SPF Surveyor - dmarcian
- Well organized and easy to read.
EasyDMARC SPF Checker
- Similar to dmarcian, though a little less clean.
SPF Record Lookup - DMARCLY
- Pretty spartan, but gets the job done.
- Recommends flattening, which is bad practice.

What can you do to reduce lookups?

Remove unnecessary and duplicate records
1. a and mx records are often unnecessary:
  1. a records identify domain-name lookup addresses, like store.example.com, and modernly the same IPs are not often reused for mail (especially with third-party email providers).
  2. mx records instruct sending domains where you receive email, and while intuitively it's the same place as where you send email from, this is often not the case (especially with third-party email providers).
2. Remove any old or unused vendors or mechanisms
Consolidate where possible
1. If there are overlapping SPF records for different services you use, you may be able to eliminate one of them. The tools listed above can help you find all sub-includes and IP ranges to determine eligibility.
Remove records from mass-marketing vendors
1. Mass-marketing vendors (like MailChimp or SendGrid) do not work well with SPF, and will dramatically inflate the number of lookups you will perform. It's better to just configure DKIM for them instead.
Use subdomains to split up certain senders
1. If certain groups or departments use automated systems to send email, you could create a subdomain for that group or purpose that isolates its records from the main domain.
  1. e.g., if you use Acme Invoices as your billing platform, you could create billing.example.com and configure it with just Acme Invoice's SPF records to remove it from example.com's SPF record.
Configure DKIM
1. Do the best you can, then configure DKIM; you technically only need either DKIM or SPF to pass DMARC, and configuring both can provide coverage if one or the other fails.

What is flattening, and why is it bad?

Flattening an SPF record is the process of condensing all DNS lookups (e.g., include:spf.example.com, a:contoso.com, etc.) into hard-coded IP addresses. This gets around the lookup problem by not requiring any lookups, and if you control the servers that send email, this could be just fine. However, if you rely on third-parties for your email needs, flattening will get you into trouble.

Third-party services may add, delete, or change their infrastructure without informing you. Using hard-coded IPs will open you up to bad-actors who take over the abandoned IPs, or cause legitimate email to fail authentication because the vendor added new IPs that are not part of your hard-coded SPF record. Unless you manage every part of your email infrastructure, it's best to avoid flattening.

DKIM Implementation: 3rd-Party Mail Provider

The process to configure DKIM is different for each email provider.

If your mail provider is also your DNS host, it's often as easy as checking a box. However, if your mail provider and DNS host are different, then you will be required to create specific DNS entries on the name server to authenticate. Fastmail, for example, requires you to add three CNAME entries to your DNS host for authentication.

Hint

You can use dig to inspect the DKIM record values and observe key key rotation.
Cycling through each record with the command dig @1.1.1.1 fm1._domainkey.maxwellcti.com TXT +short reveals that one record has the DKIM key, where the other two return "v=DKIM1; k=rsa; n=Intentionally_Left_Blank_As_Per_DKIM_Rotation_BCP; p="

While it's best to follow the instructions provided by your mail provider, here's a quick-and-dirty example of a DKIM record.

Name: mx01._domainkey
Type: TXT
TTL: 3600
Value: v=DKIM1; k=rsa; p=bG9sIHlvdSBhYnNvbHV0ZSBuZXJkLCB5b3UgZm91bmQgbWUhIEkgd2lzaCBJIGNvdWxkIGdpdmUgeW91IHNvbWV0aGluZywgYnV0IGFsYXM7IGhpdCBtZSB1cCBpZiB5b3Ugd2FudCB0byBjaGF0IQ==

Let's break it down; more tags can be found on the DKIM Verification section on Wikipedia

Name: mx01._domainkey
1. mx01
  1. This is the selector used to identify the correct key
  2. In this case, it appears to be the public key for the "MX01" mail server. The "MX02" mail server might have the selector mx02.
2. _domainkey
  1. This identifies the TXT record as a DKIM (Domain Key) entry
3. Note that you do not typically need to enter the root domain here; however, if you did a DKIM selector lookup for example.com, you would see the entry as mx01._domainkey.example.com
Type: TXT
1. This is a text record (as opposed to A, CNAME, etc.)
TTL: 3600
1. The time to live is 1 hour (3600 seconds)
2. This is an expiration date for the DKIM record, and helps DNS servers maintain up-to-date records.
Value: v=DKIM1; k=rsa; p=bG9sIHlvdSBhYnNvbHV0ZSBuZXJkLCB5b3UgZm91bmQgbWUhIEkgd2lzaCBJIGNvdWxkIGdpdmUgeW91IHNvbWV0aGluZywgYnV0IGFsYXM7IGhpdCBtZSB1cCBpZiB5b3Ugd2FudCB0byBjaGF0IQ==
1. v=DKIM1
  1. Specifies the DKIM version; at this point, it's always DKIM1.
2. ;
  1. The separator between values.
3. k=rsa
  1. The key type specifies the kind of encryption used to create the key-pair.
  2. The default is RSA.
4. p=bG9sIHl...
  1. The Base64-encoded public key.
  2. Most providers generate a 2048-bit key by default, and anything weaker (e.g., 1024 bits) is discouraged.

DMARC Implementation

Warning

Both SPF and DKIM must be configured before setting the DMARC policy to quarantine or reject. Failure to do so will result in undelivered mail.

Configuring DMARC is easy, but can cause you the most headaches because it's what authorizes email to be delivered, and a misconfiguration can stop your email in its tracks. Therefore, it's highly recommended that you first configure your DMARC policy to none to take no action on emails for the first couple of weeks, using the reports generated to make sure everything is getting delivered as expected, and then to add a quarantine or reject policy and maybe ramp up implementation through the pct tag.

Below is an example of a DMARC TXT record:

Name: _dmarc
Type: TXT
TTL: 3600
Value: v=DMARC1; p=quarantine; sp=reject; pct=100; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; fo=1; ri=43200

Let's break it down.

Name: _dmarc.example.com
1. _dmarc
  1. Signifies this a DMARC TXT entry
2. Note that you do not typically need to enter the root domain here; however, if you did a DMARC lookup for example.com, you would see the entry as _dmarc.example.com
  1. Only one DMARC record needs to exist for the apex domain, but you can add more records for different subdomains to take different actions; for example, _dmarc.mailer.example.com
Type: TXT
1. This is a text record (as opposed to A, CNAME, etc.)
TTL: 3600
1. The time to live is 1 hour (3600 seconds)
2. This is an expiration date for the DMARC record, and helps DNS servers maintain up-to-date records.
Value: v=DMARC1; p=quarantine; sp=reject; pct=100; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; fo=1;
1. v=DMARC1
  1. DMARC version 1; at present, there is only one version.
2. ;
  1. The separator between tags.
  2. Spaces and tabs can make entries more readable, but are completely optional.
3. p=quarantine
  1. The Policy applied to emails which fail their SPF and DKIM authentication checks
  2. There are three options:
    1. none: No action is taken
      1. Typically used while configuring email security and collecting reports.
    2. quarantine: Emails which fail authentication should be treated with suspicion and sent to the spam/junk folder
      1. This allows the recipient server to still receive and process unauthenticated mail, just treats them with suspicion
    3. reject: Instructs the receiving server to outright reject any mail that fails authentication.
      1. This is the most secure, but can also be the most problematic if a configuration changes or something goes wrong.
4. sp=reject
  1. The policy for subdomains; if sp is not stated in the record, then the policy described by p is inherited by its subdomains.
    1. Setting sp may be helpful to set a stricter policy if there are no subdomains, or a looser policy if configuring a subdomain for mail.
    2. Some receiving servers don't check the root domain for a DMARC policy to inherit; playing it safe and adding a DMARC record for your subdomains is not a bad idea.
  2. Creating a distinct DMARC policy for a subdomain (e.g., _dmarc.mailer.example.com) takes precedence over the sp policy designation.
    1. To reiterate, sp only applies to a subdomain if there isn't a more specific DMARC policy created for it.
5. pct=100
  1. The percent of unauthenticated emails to apply the policy to.
    1. e.g., pct=20 would only apply the p=reject policy to 20% of emails which fail authentication
  2. This is helpful during a slow rollout to make sure not all email flow stops.
  3. Default is 100, and does not need to be explicitly written.
6. aspf=r
  1. SPF alignment requirements
    1. r is relaxed, and only the root/organizational domain must match
      1. Relaxed is the default value for both aspf and adkim, and does not need to be explicitly stated
    2. s is strict, and domains must match exactly
7. adkim=r
  1. DKIM alignment requirements; see aspf for details.
8. rua=mailto:dmarc-reports@example.com
  1. Identifies the email address to which recipient servers should send delivery aggregate reports
  2. Each address must begin with mailto:, and multiple addresses can be specified if separated by a comma.
    1. e.g., rua=mailto:address1@example.com,mailto:address2@contoso.com
  3. Aggregate reports contain basic information and include successful and failed delivery information
9. ruf=mailto:dmarc-failures@example.com
  1. Identifies the email address to which recipient servers should send individual delivery forensic failure reports
  2. Forensic failure reports contain detailed information about failed deliveries to assist with triage and troubleshooting.
    1. However, most major providers highly redact or suppress ruf records for privacy and GDPR compliance.
10. fo=1
  1. The failure reporting option specifies what generates a forensic report .
    1. 0 is default, and only requests forensic reports on DMARC failure.
    2. 1 requests a report for any SPF or DKIM failure, which is helpful for triage and troubleshooting during initial setup.
    3. d generates a report only when DKIM authentication (not alignment)
    4. s generates a report when SPF fails.
  2. You can select multiple options with a colon (e.g., fo=0:d)
  3. Reminder: many mailbox providers don't send forensic/failure reports for GDPR compliance.
11. ri=43200
  1. The "report interval" is the time in seconds you request receivers to generate reports.
    1. The default is 24 hours (86400 seconds), and 12 hours as configured here.
  2. Most providers ignore this, and send reports every 24 hours or more based on their own infrastructure.
    1. "DMARC implementations MUST be able to provide daily reports and SHOULD be able to provide hourly reports when requested. However, anything other than a daily report is understood to be accommodated on a best-effort basis."^[20]

Sending Reports to a Different Domain

If you are sending DMARC reports to another domain for analysis, you will need to create a TXT record on that domain's name server to identify each sending domain.^[21]

For example:

Type: TXT
Name: sendingdomain.com._report._dmarc.receivingdomain.com
1. For example, if the MSP AcmeIT.com was configured to receive and manage DMARC reports for example.com, the record would be example.com._report._dmarc.acmeit.com
Value: "v=DMARC1"
1. Just indicates the version of DMARC

The TXT record name identifies the domain generating the report (sendingdomain.com), followed by ._report._dmarc and the domain receiving the reports (.receivingdomain.com).
The TXT record value just identifies the DMARC version ("v=DMARC1")

Warning

While you can use a * wildcard to simplify the record to *._report._dmarc.receivingdomain.com, allowing anyone to send email to your DMARC report inboxes, you probably shouldn't. Spam filters and firewalls don't typically inspect DMARC reports, and an attacker could exploit this to flood the inbox with bogus DMARC reports or inject malicious code into zipped attachments, which might get run automatically by report analyzing software.

Using dig to verify SPF, DKIM, and DMARC

When using dig to verify records and look up changes, only SPF can be searched generally; DKIM and DMARC searches must include the full name of the record.

In the examples, I rotated the DNS server I was querying to demonstrate that any DNS server could be used. Records for subdomains or named records above root (e.g., mail.example.com or _dmarc.example.com) will require their own dig queries.

SPF
1. dig @8.8.8.8 example.com TXT +noall +answer
  1. This will return all root TXT records, so you may get several irrelevant responses in addition to the SPF
DKIM
1. dig @1.1.1.1 mx01._domainkey.example.com TXT +noall +answer
  1. Returns the final DKIM record value, whether stored on your name server or redirected via a CNAME
2. dig @1.0.0.1 protonmail._domainkey.example.com CNAME +noall +answer
  1. Only returns the CNAME record on your server, if applicable.
DMARC
1. dig @8.8.4.4 _dmarc.example.com TXT +noall +answer
  1. This will return the DMARC record for example.com
2. dig @1.1.1.1 _dmarc.mail.example.com txt +noall +answer
  1. Returns the DMARC record for the subdomain mail.example.com

If the record exists and you entered the command correctly, you should get responses with all the information in the record being queried.

DMARC Report Analyzer

DMARC Report Analyzer is a tool written in Python that allows you to analyze all DMARC reports in a folder or inbox and generate a spreadsheet with the results.
I've forked a version and added^[22] various features, including more progress bars, an offline cache for the Spamhaus list of IPs, and an output CSV which includes more information that can be helpful when troubleshooting email authentication issues.

To install and use DMARC Report Analyzer, there is a helpful script in the Installation section to clone the repository to your local machine, create the local environment, install the requirements, and then run main.py. First, however, I recommend creating a scripts (or similar) folder somewhere to keep everything organized and then opening your Terminal from that folder.

The script expects you to have Python version 3 installed on your system and is currently written for Linux, but there is an option for Windows (which I haven't really tested).

If working on a Linux system, you will need to use a Python Virtual Environment to download and update the correct packages. This is easily managed with a shell script that performs the run/setup process.

#!/usr/bin/env bash
cd ~/scripts/DMARC-Report-Analyzer
# Optional
python3 -m venv env
source env/bin/activate
# Mandatory
pip install -r requirements.txt
python3 main.py

The final result is a spreadsheet with a summary of all of the reports it collected. You can use whois and grep to lookup the IP addresses to to find out where emails are coming from with the command whois [IP address] | grep "NetRange:\|CIDR:\|Organization:", and your output should look something like this:

DMARC Report Analyzer.png

Tools and Resources

Resources and tools

DKIM Test - DKIM Verify - DKIM Validator
- Straight-forward tool to test and analyze SPF, DKIM, and DMARC.
Learn and Test DMARC
- Great site for quickly testing mail.
- Note that the spoofing feature just walks you through what would happen if someone spoofed your domain, and does not generate an actual spoofed email.
MX Lookup Tool - Check your DNS MX Records online - MxToolbox
- MxToolBox is one of the best online toolkits you can use; I have cultivated links here for each kind of check you might want to perform.
- Network Tools: DNS,IP,Email - MxToolBox
- SPF Check & SPF Lookup - Sender Policy Framework (SPF) - MxToolBox
- DKIM Check- DomainKeys Identified Mail (DKIM) Record Lookup - MxToolBox
- DMARC Check Tool - Domain Message Authentication Reporting & Conformance Lookup - MxToolBox
- BIMI Record Check - BIMI Lookup Tool - Brand Indicators for Message Identification Tools - MxToolBox
- MTA-STS Lookup - Check domains for Inbound Transport Layer Security (TLS) Enforcement - MxToolbox
DMARC Domain Checker - dmarcian
- dmarcian offers another fabulous record checker with additional tools that break down SPF, DKIM, and DMARC records.
- Be warned, however, that it only returns one DKIM key and has trouble finding CNAME records.
Free Domain Analyzer Tool | PowerAnalyzer
- Can automatically detect/select the DKIM selector
- Checks BIMI and a few others with only a couple of clicks
DMARC Report Analyzer
- Local, Python-based DMARC report analyzer
- Can automatically log in to email accounts and download DMARC reports directly for analysis
Email authentication in Microsoft 365 - Microsoft Defender for Office 365 | Microsoft Learn
- Microsoft has a robust guide on configuring SPF, DKIM, and DMARC records for your organization.
Email Authentication Best Practices - Cisco
- I'm linking this document really just to rant; this "most optimal" "best practices" guide from Cisco is kind of crazy.
- It may be helpful for larger environments, but their implementation strategy feels backwards to me.
  - It takes 6 and a half months to get to the point where you're enacting policy, and you don't even setup a DMARC record until about the third month.
  - I think it's important, critical even, to be diligent when working with a production environment, and if you want to slow-roll deployment to make sure nothing goes wrong, all power to you, but to only start gathering live information half-way through deployment seems crazy to me.
GitHub - techsneeze/dmarcts-report-parser: A Perl based tool to parse DMARC reports from an IMAP mailbox or from the filesystem, and insert the information into a database. ( Formerly known as imap-dmarcts )

DNS Look-up tools

dig
nslookup
whois

Simple Mail Transfer Protocol - Wikipedia ↩︎
Although usually they at least get delivered to junk. ↩︎
Understanding Gmail and Yahoo DMARC Requirements - dmarcian ↩︎
There used to be an SPF record type, but that is no longer in use. ↩︎
More technically, the receiving server fetches the SPF TXT record from the sending domain in the SMTP MAILFROM field, and checks whether the sending IP address is listed in the record. ↩︎
dmarcian's SPF Surveyor is a great tool that identifies the number of lookups at each step. ↩︎
Since it does not cryptographically verify content like DKIM ↩︎
Canonical name, which functions as an alias and points to another address. ↩︎
So keep that private key safe, or an attacker could forge messages! ↩︎
This review offers a few others: Free DMARC Monitoring Tools: We Test Out 7 Options ↩︎
What is this extra _domainkey.? Should I kill it? : r/DMARC ↩︎
draft-allman-dkim-ssp-01 ↩︎
Recommended DMARC rollout - Google Workspace Admin Help ↩︎
cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf ↩︎
Like if you're an MSP supporting support for a client. ↩︎
Google recommends waiting at least a week, and that may be fine. ↩︎
SPF Best Practices: Avoiding SPF Record Flattening - dmarcian ↩︎
SPF Best Practices: Avoiding SPF Record Flattening - dmarcian ↩︎
Remember that A records are IPv4 addresses and AAAA records are for IPv6 addresses. ↩︎
RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC) ↩︎
DMARC - DMARC External Validation ↩︎
With the help of an LLM. ↩︎