Over the last few years we have seen increased adoption of the DMARC protocol by anyone who wants to prevent email impersonation. DMARC uses SPF and DKIM, but none of these protocols are visible to the end user. This year we will see the BIMI protocol help showcase your logo next to your legitimate emails. This not only brings confirmation that an email is a legitimate one but also drives brand awareness in the ever-growing crowd of emails which is an end user's inbox.

What are SPF and DKIM

SPF (Sender Policy Framework) and DKIM (Domain Key Identified Mail) are authentication protocols.


SPF is a record that sits on the top level of your DNS and lists the IP's that are approved to send on behalf of the given domain. It contains a policy statement that can recommend that a receiving server block any emails from IP's not in the list.

DKIM utilises asymmetric encryption and hashes to ensure that an email hasn't been modified. The user controls a public key that sits on the _domainkey subdomain.

Why SPF and DKIM Aren't Enough

While DKIM can verify that an email isn't the exact email that was sent, and SPF can even recommend that a receiving server reject an email based on the IP. Neither of these are effective at spoofing prevention.

The main reason for this is the header that is checked for each protocol.

SPF checks the record found at the domain in the return-path header, DKIM checks the key found at the d= domain (Found within the DKIM header).

Both of the above protocols can be set to check any domain.

In an email, the major domain of the sender if the domain found in the From: header, this header determines the big name at the top of emails, the address that the end-user will actually see if they check who sent the email.

Given the above, your email domain could be impersonated, they could make the From: yourdomain.com and the return-path and d= theirdomain.com.
Provided the SPF and DKIM records at theirdomain.com were correctly configured; The email would pass both SPF and DKIM, meaning your domain was successfully impersonated and both protocols passed. None of the records are yourdomain.com are even checked.

SPF and DKIM have their purposes, but neither alone are enough to prevent imitation.

The solution

DMARC (Domain-based Messaging, Authentication, Reporting and Conformance) is the solution.

DMARC, similar to SPF, has a policy that can be set to tell a receiving server to reject emails that do not pass it's check. DMARC's check is more robust though.

The DMARC check is built upon SPF and DKIM. If either DKIM or SPF passes, DMARC checks for alignment between the From: and the relevant domain checked for that protocol.

By simply cross-referencing these domains with the From: domain DMARC requires proof from the public DNS that the organisation approves the service to send on behalf of the domain.

By setting the DMARC policy to p=reject an organisation can recommend to receiving servers to drop any emails set on behalf of their domain that don't pass the alignment check. This will stop all imitation attempts where the receiving server is correctly implementing DMARC.

A DMARC policy being implemented is a requirement for BIMI.

Did this answer your question?