Email Authentication Methodology

dmarc1

DMARC (Also SPF and DKIM)

Posted June 22, 2024

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that works in tandem with the SPF and DKIM protocols.

  • All 3 protocols are a type of a DNS record, and below we will be exploring the differences that help seperate and validate each protocol.

emailauth

DMARC

The following examples show syntax that may show up in MX records or email headers.

Example v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:example@third-party-example.com;
Example v=DMARC1; p=none; rua=mailto:dmarc-aggregate@mydomain.com; ruf=mailto:dmarc-afrf@mydomain.com; pct=100
  • v=DMARC1; Specifies the version of DMARC being used.

  • p=reject; Designates the rejection policy. In this case if an Email fails DMARC authentication, it will be outright rejected. ( also see other Policy Tag Values )

  • adkim=s; aspf=s; Both adkim and aspf, specify the alignment mode for SPF and DKIM, which can be set to “s” or “r” for strict and relaxed modes respectively. ( also see powerDMARC Aligment modes) (a=alignment )

  • rua=mailto:example@third-party-example.com; The Mail To address is where the aggregated reports for DMARC activity will be sent. I.E validation results, failure or pass.

What are some roadblocks that DMARC and email authentication in general, have to overcome?

  • Not being a high priority for companies.
  • Complex mail enviroments with 3rd party vendors, contractors, and service providers. (Some necessary communication between companies forces companies to allow email communication without this authentication)
  • The latter results in a hearty mix of incoming messages, which can fail to meet business needs and standards.
  • Factors such as the reciever’s configuration vs the senders configuration. (Not enough validations between senders and recievers.)

SPF

SPF (Sender Policy Framework) is another email protocol that allows the owner of a domain to publish a record. This record allows sub domains to send email on the behalf of the publisher.

When an email is recieved, the record is then cross checked (by the recipient) to check the SPF alignment.

Ex 1 myemailserv.com. “v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.0/24 -all”
Ex 2 myemailserv.com. “v=spf1 ip4:172.10.200.4 ip6:2001:df7:0:2345:0:345:8:1 include:_spf.google.com include:mailgun.org include:amazonses.com -all”
Ex 3 myemailserv.com. “v=spf1 mx a include:_spf.mail.yahoo.com ~all”
  • myemailserv.com. Specifies the Domain.

  • “v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.0/24 -all”

  • v=spf1 specifies the SPF version used.
  • include:_spf.~.com indicates that an organization’s servers and subdomains are authorized to send emails on behalf of rule since it authorizes and includes that specific domain. (google -> gmail or amazon -> amazonses)
  • -all specifies that any emails from mail servers not explicitly listed should be rejected and not recieved. (Fail)
  • An ~all tag would specify that any emails from a server or IP address, that is not listed in the SPF record will be accepted, although marked.

(also see EasyDMARC for more detail and other types of fail policies.)

DKIM

DKIM (DomainKeys Identified Mail):is implemented by using public key on sent mail to validate with a senders private key in an association with the DNS record. Essentially it is a signature generated for each email sent outbound that validates the domain an email is claiming to be sent from.

Example DKIM Header:

v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject; bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=; b=LiIvJeRyqMo0gngiCygwpiKphJjYezb5kXBKCNj8DqRVcCk7obK6OUg4o+EufEbBtRYQfQhgIkx5m70IqA6dP+DBZUcsJyS9C+vm2xRK7qyHi2hUFpYS5pkeiNVoQk/Wk4wZG4tu/g+OA49mS7VX+64FXr79MPwOMRRmJ3lNwJU=

v=1; shows which version of DKIM is in use.

a=rsa-sha256; is the option for analgorithm used to compute the digital signature, or b, as well as generate the hash of the email body, or bh. In this example, RSA-SHA-256 is in use (RSA using SHA-256 as the hash function for the digital signature, and SHA-256 for the body hash).

d=example.com; is the domain name of the sender.

s=big-email;is the selector that the receiving server should use to look up the DNS record.

h=from:to:subject; lists the header fields that are used to create the digital signature, or b. In this case, the from, to, and subject headers are used. If Bob sent an email to Alice using the example.com domain and the subject line was “Recipe for cheesecake,” the content used here would be “bob@example.com” + “alice@example.com” + “Recipe for cheesecake”. (This content would also be canonicalized — put into a standardized format.)

bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=; is the hash of the email body. A hash is the result of a specialized mathematical function called a hash function. This is included so that the receiving email server can compute the signature before the entire email body loads, since email bodies can be any length and loading it may take a long time in some cases.

b=xxxxxxxx is the digital signature, generated from h and bh and signed with the private key.

(for more information see: DKIM Headers)