Understanding SPF, DKIM, and DMARC: Why Companies Often Overlook DKIM Setup

August 2024

In the realm of email security, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) play crucial roles in protecting organizations from email spoofing and phishing attacks.

Despite their importance, many companies struggle to implement these protocols correctly, particularly DKIM. In this discussion, we’ll explore the roles of SPF, DKIM, and DMARC, and why the absence of DKIM is a common oversight.

The Roles of SPF, DKIM, and DMARC

Let’s start with a quick refresher on what these are all about.

SPF (Sender Policy Framework)

Purpose: SPF helps prevent spammers from sending messages on behalf of your domain. It allows domain owners to specify which mail servers are permitted to send emails for that domain.

Implementation: By publishing an SPF record in the DNS, organizations can define a list of authorized IP addresses. However, a common pitfall is creating overly broad SPF records, which can inadvertently leave an organization vulnerable to spoofing.

DKIM (DomainKeys Identified Mail)

Purpose: DKIM adds a digital signature to emails. When an email is sent, the originating mail server generates a unique hash of the message content and attaches it to the email header. The recipient's mail server can verify the signature using the public key published in the sender's DNS.

Importance: DKIM not only authenticates the sender but also ensures that the email content hasn't been altered in transit.
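To make the "hash of the message content" concrete, here is an added example (not code from the original post) of the body-hash half of DKIM: the signer canonicalizes the body, hashes it into the `bh=` tag, and a verifier recomputes that hash before it even fetches the public key from `<selector>._domainkey.<domain>`. The message, selector `sel2024` and domain `example.com` are constructed; the RSA signature over the headers (`b=`) needs a key pair and is not shown.

```python
import base64
import hashlib
import re

# Constructed sample message for this example (not from the original post).
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: Quarterly report\r\n"
    "\r\n"
    "Hello Bob,   \r\n"
    "Please find the   report attached.\r\n"
    "\r\n\r\n"
)


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: drop trailing whitespace on
    each line, collapse runs of spaces/tabs to one space, drop trailing empty
    lines, and terminate a non-empty body with a single CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(message: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body)), computed by the signer."""
    _, _, body = message.partition("\r\n\r\n")
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_key_name(tags: dict) -> str:
    """TXT record a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(message: str, header_value: str) -> bool:
    """Verifier's first check: recompute bh= and compare with the signed value.
    Any mismatch means the body changed in transit, so the signature is
    rejected before the public key is even fetched."""
    return body_hash(message) == parse_dkim_signature(header_value)["bh"]
```

Because canonicalization is "relaxed", a relay that strips trailing spaces does not break the hash, while any change to the words does.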

DMARC (Domain-based Message Authentication, Reporting & Conformance)

Purpose: DMARC builds on SPF and DKIM by allowing domain owners to publish policies on how to handle emails that fail authentication checks. It provides reporting mechanisms to monitor and improve email authentication.

Here is a very mechanical flow chart of how these all work in the context of mail flow.

Why DKIM Is Often Overlooked

In the flow chart above, you can remove the DKIM check entirely and processing continues as normal. That is the reality today for even the largest organizations that have not implemented DKIM.
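The following added example (not code from the original post) models the DMARC decision described above: a message passes DMARC if either SPF or DKIM passed with an identifier aligned to the visible From domain, so with no DKIM signature the DKIM branch simply drops out and SPF alone decides. The record, domains and scenarios are constructed, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
# Constructed DMARC record and scenarios for this example (not from the original post).
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; adkim=...; aspf=...' into tags, applying the
    RFC 7489 defaults of relaxed alignment for both SPF and DKIM."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. A real
    implementation uses the Public Suffix List (think example.co.uk); the
    shortcut is an assumption made for this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_pass, mailfrom_domain, dkim_pass, dkim_d):
    """Return (result, disposition). DMARC passes when EITHER SPF or DKIM passed
    with an identifier aligned to the RFC5322.From domain. With no DKIM
    signature the DKIM path simply drops out and SPF alone decides."""
    tags = parse_dmarc(record)
    spf_aligned = bool(spf_pass and mailfrom_domain and aligned(from_domain, mailfrom_domain, tags["aspf"]))
    dkim_aligned = bool(dkim_pass and dkim_d and aligned(from_domain, dkim_d, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Own server, aligned SPF, no DKIM at all: passes on SPF alone.
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", True, "mail.example.com", False, None))
    # Forwarded via a third party: SPF breaks, only an aligned DKIM signature rescues it.
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", False, "fwd.example.org", True, "example.com"))
    # Forged From: header with an unrelated envelope domain: SPF passes but is not aligned.
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", True, "bulk.example.net", False, None))
```

The second scenario is the one that catches organizations without DKIM: legitimate mail that passes through a forwarder loses SPF and has nothing left to pass DMARC with.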

Despite the clear benefits of DKIM, many organizations neglect to, or outright refuse to, set it up. Here are some common reasons why:

Lack of Awareness

Many organizations are simply unaware of DKIM and its importance. While SPF is often discussed in the context of email authentication, DKIM remains underappreciated.

Perceived Complexity

Implementing DKIM requires generating cryptographic keys and configuring DNS records, which can seem daunting, especially for smaller organizations with limited IT resources.

Misconceptions about SPF

Some organizations mistakenly believe that having a robust SPF record is sufficient for email authentication. However, SPF alone does not prevent email spoofing effectively, especially when records are not specific.

In all fairness, we have seen more than one organization where an incorrect DKIM implementation had a serious impact. After all, you are disrupting your organization’s email flow, and that is not a good look.

The Impact of Incorrectly Configured DKIM Records

While some consider setting up DKIM essential, it’s equally important to configure it correctly. An incorrectly configured DKIM record can have serious repercussions on email deliverability and overall mail flow:

Email Rejection

If a DKIM record is misconfigured—such as incorrect syntax, missing keys, or an incorrect public key—receiving mail servers may reject the email entirely. This can prevent important communications from reaching their intended recipients.

Failure of Authentication Checks

When DKIM signatures cannot be validated, the emails may fail DMARC checks. This can result in the emails being marked as spam or quarantined, disrupting the flow of legitimate communications.

Negative Impact on Sender Reputation

Consistent issues with DKIM validation can harm an organization’s sender reputation. Mail providers may start to view the domain as untrustworthy, leading to broader deliverability issues across all email communications.

The Impact of a Loose SPF Record

If DKIM seems daunting, at the very least review your SPF record. The basic questions are whether it is set up at all and, more importantly, how loose it is.

We have put together a nifty little widget here that will report the status of your SPF, DMARC, and DKIM records.

How many of these do you have enabled? Is the SPF record specific enough?

While SPF is a critical component of email security, it is essential that organizations implement it correctly. Here’s why overly broad SPF records can be problematic:

Wide IP Ranges Increase Vulnerability

Organizations sometimes include a wide range of IP addresses or entire third-party services in their SPF records to accommodate various email-sending services. This can leave the door open for spoofing attacks, as it allows unauthorized servers to send emails on behalf of the domain.

Compromised Trust

If a wide-ranging SPF record permits too many senders, it can undermine the trustworthiness of the organization’s email. This can lead to legitimate emails being flagged as spam or, worse, malicious actors successfully spoofing the domain.

Inadequate Protection Against Phishing

A broad SPF record does not provide the granular control necessary to prevent phishing attacks. Attackers can exploit these gaps, leading to a significant risk of brand damage and financial loss.
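As an added example (not code from the original post), the following static review answers the "how loose is it?" question for a single SPF record: it flags a permissive or missing `all` qualifier, `ip4`/`ip6` networks wider than a chosen prefix, the deprecated `ptr` mechanism, and a large number of `include:` delegations. The sample records, the /24 and /64 thresholds and the include count are constructed assumptions, not RFC 7208 rules.

```python
import ipaddress

# Constructed SPF records for this example (not from the original post).
LOOSE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/16 include:_spf.bulkmailer.example ptr ~all"
STRICT_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all"


def spf_findings(record: str, max_prefix4: int = 24, max_prefix6: int = 64) -> list:
    """Static review of one SPF record. Returns a list of findings; an empty
    list means nothing looked loose. Thresholds (/24 for IPv4, /64 for IPv6,
    more than three include: terms) are assumptions for this example.
    Records behind include:/redirect= are not fetched, so a delegated
    third-party record can still be loose without showing up here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1 version tag)"]
    findings, includes, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name == "include":
            includes += 1
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208 and should be removed")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"{term} is not a valid IP network")
                continue
            limit = max_prefix4 if net.version == 4 else max_prefix6
            if net.prefixlen < limit:
                findings.append(f"{term} authorizes {net.num_addresses} addresses (wider than /{limit})")
    if all_qualifier == "+":
        findings.append("+all: every host on the Internet passes SPF for this domain")
    elif all_qualifier in (None, "?"):
        findings.append(f"'all' is {all_qualifier or 'missing'}: unlisted hosts get a neutral result, not a fail")
    elif all_qualifier == "~":
        findings.append("~all softfail only: receivers may still accept unlisted senders")
    if includes > 3:
        findings.append(f"{includes} include: terms delegate trust to third-party records")
    return findings
```

Run it over the TXT record returned by `dig TXT yourdomain` and treat every finding as a question to answer, not necessarily a defect; a /16 may be legitimate, but it should be a conscious decision.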

SPF, DKIM, and DMARC are essential components of a comprehensive email security strategy. While SPF is a good starting point, relying solely on it can create vulnerabilities, especially if the records are too broad. Organizations must not overlook DKIM, as it adds a vital layer of authentication and integrity to email communications. However, they must also ensure that DKIM records are configured correctly to avoid disrupting mail flow.

Developed by email security professionals and data scientists with decades of experience to make life easier for customers and MSPs alike, Sabiki Email Security is a cloud-native, built-for-Microsoft 365 SaaS solution that protects your organization from phishing, spam and targeted scams using the power of a dynamic AI feedback-loop engine. Powered by a dynamic machine learning engine in combination with next-generation contextual and behavioral analysis capabilities, Sabiki Email Security provides an incredible level of granularity in engine customization with seamless onboarding and operation.