As a customer success engineer at OnDMARC I help organisations with DMARC every day and often get asked the same questions by lots of different people. So I’ve collated all the answers into one article to give you all the information you need to know to get started as well as how to troubleshoot.
Which part of the email does each protocol focus on?
SPF focuses on the “domain” found in an email header that has many names, Return-Path, MAIL-FROM, Bounce address, Envelope from. In this article we will refer to it as the Return-Path. If this header is missing, SPF falls back and looks at the “HELO/EHLO” hostname and checks for an SPF record there.
Don’t forget — the Return-Path header is a technical header that is not visible to the end user. Unless they know how to display the headers of an email in their mail client they won't see it.
DKIM focuses on the “DKIM-Signature” header.
Don’t forget — this header again is not visible to the end user unless they know how to display the headers of the email they have received.
DMARC focuses on the domain found in the “From or Header from” header which is visible to the end user. In this article we will refer to it as “From”.
Now that we know what headers each protocol looks at, what is actually contained in those headers and what is checked?
SPF — This verifies if an email was sent by an authorised sender by checking a list of authorised IP addresses you publish in your DNS. The receiving server will take the domain found in the Return-Path header and check for an existing SPF record. It checks the SPF record to see if the sending IP address of the email is actually contained in the SPF record. If the IP address is contained in the SPF record that means that it is authorized to send emails. This means that SPF PASSED. If the IP address is not in the SPF record then SPF FAILS.
The overall logic is:
If the sending IP address is contained in the SPF record = SPF PASS
If the sending IP address is not contained in the SPF record = SPF FAIL
DKIM — the receiving server will check the DKIM-Signature header which contains the selector (s=) and signing domain (d=) which are tags used to look up the public key. Once retrieved, the public key is used to validate the email message. If validation is successful then DKIM PASSES and if the validation process is unsuccessful then DKIM FAILS.
The overall logic is:
If validation is successful = DKIM PASS
If validation is unsuccessful = DKIM FAIL
DMARC — the receiving server will check if either SPF or DKIM PASSED, then it will check if the Return-Path domain used by SPF and/or the “d=” domain used by DKIM align with “From” domain, and finally it will extract the DMARC policy published by the domain found in the “From” address and comply with the policy.
The overall logic is:
If SPF PASSED and ALIGNED with the “From” domain = DMARC PASS, or
If DKIM PASSED and ALIGNED with the “From” domain = DMARC PASS
If both SPF and DKIM FAILED = DMARC FAIL
DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address. Only then will DMARC PASS.
What’s the difference between Strict vs Relaxed alignment?
Strict alignment means that the Return-Path domain or the signing domain “d=” must be an exact match with the domain in the “From” address.
Relaxed alignment means that the Return-Path domain or the signing domain “d=” can be a subdomain of the “From” address and vice versa.
If you’re interested in learning more please click on the button below.
What happens if DMARC fails?
If DMARC fails then the receiving server would typically comply with the policy that you have specified in your DMARC record.
If you are in report-only mode (p=none) the email will be accepted by the receiving server and scanned by other filtering criteria.
If you are in quarantine mode (p=quarantine) the email will be quarantined and typically sent to the spam folder of the recipient.
If you are in reject mode (p=reject) the receiving server will abort the connection with the sending mail server and the email will never reach the end user.
Irrespective of the policy, the metadata for the email will be logged along with the status of the authentication results and forwarded to your DMARC report processor.
SPF troubleshooting and top tips
- Make sure that you have an SPF record in your Return-Path domain.
- Make sure that you have an SPF record in your HELO/EHLO domain in case of bounces where the Return-Path domain is empty.
- Make sure there is a single SPF record per domain.
- Make sure that the SPF record syntax is correct.
- Make sure that your Return-Path domain aligns with the From domain.
- Make sure that your authorised senders are part of the SPF record.
- Make sure that unauthorised senders are not in your SPF record.
- Make sure that you do not go over the 10 DNS lookup limit imposed by SPF. If you have gone over the 10 DNS lookup limit you will have to consider using a feature such as OnDMARC’s Dynamic SPF
9. Make sure that deprecated SPF record mechanisms such as the “ptr” mechanism are not used in your SPF record.
DKIM troubleshooting and top tips
- Make sure that the sending systems you use support DKIM.
- Make sure that the emails are DKIM signed.
- Make sure that the signing domain aligns with the “From” domain.
- Make sure that you use a DKIM key size over 1024 bits (a 2048 bit key is advisable)
- Make sure, where possible, that the DKIM selectors you choose closely identify the sending service so you can distinguish between them.
- Make sure to revoke any keys that have been compromised.
- Make sure that the DKIM keys you manage are rotated on regular basis.
- Make sure that the DKIM key syntax is correct.
- Make sure that there exists a public key for each corresponding private key that signs your emails.
DMARC troubleshooting and top tips
- As DMARC is based on both SPF and DKIM and the domains used by those two protocols, you will have to make sure that the Return-Path domain for SPF is either an exact match or a subdomain of the “From” domain. The same applies to the signing domain used by DKIM.
- Make sure that the DMARC record syntax is correct.
- Make sure that you have configured all of your systems correctly with SPF and DKIM before moving to a reject policy as your emails will be lost.
- Make sure that you use a system or third-party provider such as OnDMARC to receive DMARC reports so that you can make sense of those reports and discover any systems that are misconfigured.
- Monitor the status of each of your sending sources and make sure that any changes to SPF and DKIM are identified. OnDMARC has this feature as a core part of its product.
So that’s all from me for now, I hope it’s helped you to understand more about DMARC and why it’s such a vital part of your cybersecurity infrastructure.
Instantly test your SPF configuration
OnDMARC’s free tool Investigate lets you verify your SPF set up to ensure they actually authenticate your emails correctly.