Validating email senders
Email is one of the most heavily used platforms for communication online, and has been for a while.
Most people using email expect that they can see the who sent the email by looking at the sender field in their email client, but in reality the Simple Mail Transfer Protocol (SMTP) that defines how emails are exchanged (as specified in rfc 5321) does not provide any mechanism for validating that the sender is actually who he claims to be.
Not being able to validate the origin of an email has proven to be a really big problem, and provides venues for spammers, scammers, phishers and other bad entities, to pretend to be someone that they are not. A couple of mechanisms has later been designed on top of SMTP to try and add this validation layer, and I'll try to cover some of the more widely used ones here.
Since we're talking about online technologies, get ready for abbr galore!
Table of contents:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain Message Authentication Reporting & Conformance (DMARC)
Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is a simple system for allowing mail exchangers to validate that a certain host is authorised to send out emails from a specific host domain. SPF builds on the existing Domain Name System (DNS).SPF requires the domain owner to add a simply TXT record to the domain's DNS records, which specifies which hosts and/or IPs are allowed to send out mails on behalf of the domain in question.
An SPF record is a simple line in a TXT record on the form:
v=spf1 <[ip4:[ip4:...]] [host: [host:...]]>
For example:
v=spf1 ip4:192.0.0.0/24 host:example.com ~all
When an email receiver receives email the process is:
- Lookup the sending domain's DNS records
- Check for an spf record
- Compare the spf record with the actual sender
- Accept / reject the email based on the output of step 3
For more details check out the SPF introduction or check your domain's setup with the SPF checker.
DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is another mechanism for validating whether the sender of an email is actually allowed to send mails on behalf to the sender. Similarly to SPF, DKIM builds on DNS, but DKIM uses public-key cryptography, similar to TLS and SSL which provides the basis for HTTPS.In practice DKIM works by having the sender add a header to all emails being send which a hashed and encrypted version of a part of the body, as well as some selected headers. The receiver then reads the header, queries the sending domain's DNS for the public key to decrypt the header, and checks the validity.
For more details, WikiPedia provides a nice DKIM overview.
Domain Message Authentication Reporting & Conformance (DMARC)
Domain Message Authentication Reporting & Conformance (DMARC) works in collaboration with SPF and DKIM. In it's simplest form, DMARC provides a rules for how to handle messages that fail their SPF and/or DKIM checks. Like the other two, DMARC is specified using a TXT DNS record, on the formv=DMARC1;p=[none|quarantine|reject];rua=[REPORTING EMAIL];ruf=[REPORTING EMAIL]
For instance
v=DMARC1;p=none;ruf=email@example.com;rua=email@example.com;
This specifies that the record contains DMARC rules (v=DMARC1), that nothing special should be done to emails failing validation (p=none), that any forensic reports should be sent to email@example.com (ruf=email@example.com) and that any aggregate reports should be sent to email@example.com (rua=email@example.com).
Putting DMARC in "none"-mode is a way of putting DMARC in investigation mode. In this mode the receiver will not change anything regarding the handling of failing mails, but error reports will be sent to the email adresses specified in the DMARC DNS rules. This allows domain owners to gather data about where emails sent from their domains are coming from, and allows them to make sure all necessary SPF and DKIM settings are aligned properly, before moving DMARC into quarantine mode, where receivers are asked to flag mails failing their checks as spam, or reject mode, where failing emails are rejected straight away.
For a bit more detail, check out the DMARC overview or check the validity of your current setup using the DMARC validator.