Many people view SPF, DKIM, and DMARC as the equivalent of organizational antispam protection. You will see these terms all the time on audits and insurance questionnaires related to antispam. However, no one asking these questions seems to understand that these technologies alone do nothing to protect you from spam.
Let’s unpack each term and then look at antispam as a whole.
Sender Policy Framework (SPF)
SPF is a way to check that an email claiming to come from a domain (such as vc3.com) was actually sent by a mail server that domain authorizes. An organization using the Sender Policy Framework publishes a public DNS record listing the mail servers allowed to send email for its domain. The receiving email software compares the source of the incoming email with this list. If the source is on the list, the email passes the check and is deemed safe. If not, the email is deemed suspicious.
To use an analogy, think of SPF like receiving a package from a friend's address after that friend has texted you to confirm they sent it from that address. With this check in place, it is highly unlikely that the package was sent by someone other than your friend from a different address. To continue the analogy, some friends may not text you to confirm, so you may receive packages from friends without any confirmation that they came from their address. Similarly, an email from an organization not using SPF is not necessarily spam; you just cannot confirm with certainty that it came from their email servers.
SPF alone is not antispam. For example, a spammer can still spoof the From line and not get flagged by SPF, because SPF only compares the sending server against the sending domain's list and has no way to connect a spoofed name to that domain. In other words, if a spammer sets up SPF correctly for their own domain, the check confirms only that the email came from a server that domain authorizes. SPF does nothing to flag the false information in the From line, which is what tricks you.
DomainKeys Identified Mail (DKIM)
The intent behind DKIM is the same as SPF, but it uses a slightly different approach. Instead of focusing on authorized email servers like SPF does, DKIM uses a digital signature that works like a digital "handshake." The sender digitally signs the email and the receiver verifies the signature. When this "handshake" succeeds, it indicates that the email was sent from the correct domain and that the signed contents of the message (such as the From field, subject line, body of the message, etc.) were not altered in transit.
A good analogy is a spy novel. Imagine two spies exchanging a message but needing to confirm it is authentic. One spy says one part of a code phrase and the other spy completes it. Only those two know this code, so they know the message they exchange is legitimate. While a crude example, it captures the essence of the DKIM digital handshake. It gives you confidence, through a digital signature that is practically impossible to forge, that a message has not been corrupted.
So why is DKIM alone not antispam? First, parts of the email not covered by the DKIM signature could be altered in transit. Second, a spammer could sign their email with a legitimate DKIM signature for their own domain and then spoof the From line. For example, I might send out emails from my spam servers with correct DKIM signatures that your email program verifies, and then attempt to trick you by using your CEO's name in the From line.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC is the simplest of the three terms to explain. Through DMARC, you tell the servers that receive your emails what to do if they fail the SPF and/or DKIM test. You can tell the servers to do nothing, to quarantine the email, or to reject the email. DMARC not only protects you from malicious and junk emails, it also protects the reputation of your organization. For example, if a spammer is spoofing your organization and sending emails in your name, your domain reputation would decrease if you did nothing. With DMARC, you proactively tell servers that receive your emails to reject or quarantine suspicious emails.
For an analogy, let’s say you’re working at a government office and require two proofs of ID for someone to receive a document. If someone brings only one proof, or if someone’s ID fails in some way (such as the addresses on the IDs not matching), then you would halt the process and either ask for additional information or refuse to hand over the document.
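To make the three checks concrete, here is an added Python model of a receiving mail server that runs the scenarios from the SPF, DKIM and DMARC sections above; it is example code written for this article, not code from the original post or from any real mail product. The domains, IP addresses, keys and policies are constructed stand-ins, and the DKIM signature is simplified to an HMAC.

```python
import hashlib, hmac

# Constructed stand-ins for DNS data (not real records): SPF-authorized IPs, DKIM keys
# (an HMAC secret here; real DKIM uses public-key signatures with the key in DNS), DMARC policy.
SPF_IPS = {"corp.example": {"203.0.113.10"}, "spammer.example": {"198.51.100.7"}}
DKIM_KEYS = {("corp.example", "s1"): b"corp-key", ("spammer.example", "s1"): b"spam-key"}
DMARC_POLICY = {"corp.example": "reject", "spammer.example": "none"}
SIGNED = ("from", "subject")  # header fields covered by the signature (DKIM's h= tag)

def domain_of(addr):
    """Domain of 'CEO <ceo@corp.example>'; the display name is ignored entirely."""
    return addr.rsplit("<", 1)[-1].rstrip(">").split("@")[1].lower()

def spf_check(mail_from_domain, client_ip):
    """SPF sees only the envelope sender domain and the connecting server's IP."""
    return "pass" if client_ip in SPF_IPS.get(mail_from_domain, set()) else "fail"

def dkim_sign(headers, body, d, s):
    data = "\n".join(f"{h}:{headers[h]}" for h in SIGNED) + "\n" + body
    b = hmac.new(DKIM_KEYS[(d, s)], data.encode(), hashlib.sha256).hexdigest()
    return {"d": d, "s": s, "b": b}

def dkim_verify(headers, body, sig):
    """Pass means: signed with the d= domain's key and covered fields/body are unaltered."""
    expected = dkim_sign(headers, body, sig["d"], sig["s"])["b"]
    return "pass" if hmac.compare_digest(expected, sig["b"]) else "fail"

def dmarc_evaluate(headers, body, mail_from_domain, client_ip, sig):
    """SPF or DKIM must pass AND that domain must align with the From header domain."""
    from_domain = domain_of(headers["from"])
    spf, dkim = spf_check(mail_from_domain, client_ip), dkim_verify(headers, body, sig)
    aligned = (spf == "pass" and mail_from_domain == from_domain) or (
        dkim == "pass" and sig["d"] == from_domain)
    policy = DMARC_POLICY.get(from_domain, "none")
    disposition = "deliver" if aligned or policy == "none" else policy
    return {"spf": spf, "dkim": dkim, "dmarc": "pass" if aligned else "fail",
            "disposition": disposition}

BODY = "Please wire the funds today."
# Case 1: the From address is forged as corp.example. SPF and DKIM both pass for
# spammer.example, but neither aligns with corp.example, so corp's policy applies.
forged = {"from": "CEO <ceo@corp.example>", "subject": "Urgent"}
forged_result = dmarc_evaluate(forged, BODY, "spammer.example", "198.51.100.7",
                               dkim_sign(forged, BODY, "spammer.example", "s1"))
# Case 2: only the display name is spoofed; the address stays at spammer.example.
# Every check passes and the message is delivered: authentication is not antispam.
lookalike = {"from": "CEO <ceo@spammer.example>", "subject": "Urgent"}
lookalike_sig = dkim_sign(lookalike, BODY, "spammer.example", "s1")
lookalike_result = dmarc_evaluate(lookalike, BODY, "spammer.example",
                                  "198.51.100.7", lookalike_sig)
```

The first case is what DMARC alignment is for; the second is the display-name trick from the DKIM section, which passes every check and is left to the rest of your antispam stack.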
But even DMARC is still not antispam. Why?
A Holistic Antispam Strategy
SPF, DKIM, and DMARC are just one element of an overall set of antispam techniques. A combination of antispam software embedded in existing email platforms, customized settings, non-technical email policies set by your organization, and additional techniques overseen by IT professionals all contribute to an antispam strategy.
For example, in addition to SPF, DKIM, and DMARC, your antispam software, settings, and strategy may include:
- Scanning email attachments for viruses and malware
- Filtering out suspected spam based on known malicious IP addresses, invalid email addresses, and likely spam content
- Filtering out legitimate emails that are simply junk or unwanted
- Ensuring that outbound emails from your organization are not flagged as spam
- Managing false positives and negatives
- Using advanced techniques to stay ahead of the latest spammer tricks
Implementing these technologies involves more than just checking incoming messages for spam. It’s about being a good steward of your information. If you’re ticking SPF, DKIM, and DMARC off on a list and thinking they’re your antispam strategy, then you’re missing the big picture.
If you’re unsure about your antispam situation, then reach out to us today through the form below.