Email Authentication Protocols: SPF, DKIM, DMARC and BIMI Explained cover

·

Email Authentication Protocols: SPF, DKIM, DMARC and BIMI Explained

Email remains a primary target for attackers and spoofing and phishing attacks can cause significant financial and reputational damage to organizations. To combat these threats, email authentication protocols like SPF, DKIM, DMARC, and BIMI have been developed.

These authentication protocols all use DNS records associated with the domain name that is being used to send email.

Email Authentication Protocols

SPF (Sender Policy Framework)

SPF is a protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. This is achieved by adding a DNS record that lists the authorized IP addresses. When an email is received, the recipient's mail server checks the SPF record to verify that the email is coming from an authorized source.

Advantages:

  • SimplicitySPF is relatively simple to implement by adding a DNS TXT record specifying authorized IP addresses for sending emails.
  • Prevention of Spoofing – It effectively prevents unauthorized IP addresses from sending emails on behalf of the domain, reducing the risk of email spoofing.
  • Broad Adoption – Many email service providers support and check SPF records, enhancing its effectiveness.

Disadvantages:

  • Forwarding IssuesSPF can fail in scenarios where emails are forwarded because the forwarding server's IP may not be listed in the original domain’s SPF record.
  • IP Management – Managing IP addresses in SPF records can become cumbersome, especially for organizations with complex email infrastructures or multiple third-party email services.
  • Limited ProtectionSPF only verifies the sender's IP address and does not ensure the integrity of the email content.

It is important to note that SPF is designed to protect the identity of the envelope sender, also known as the "MAIL FROM" address. This is the address used in the SMTP (Simple Mail Transfer Protocol) transaction, which is typically not visible to the email recipient.

The verification process happens early in the email delivery process, at the time of the SMTP transaction and before the actual content of the message is received.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to each email, which is embedded in the email’s headers. This signature is generated using a private key that is kept secure by the sender's mail server. The corresponding public key is published in the domain's DNS records. When an email is received, the recipient's mail server uses the public key to verify the authenticity of the signature, ensuring that the email has not been altered in transit.

Advantages:

  • Content IntegrityDKIM ensures that the email content has not been altered in transit by adding a digital signature to the headers.
  • Non-IP-Based – Unlike SPF, DKIM does not rely on IP addresses, making it more resilient to issues related to email forwarding.
  • Enhanced Security – It provides an additional layer of security by authenticating the sender and ensuring the integrity of the message.

Disadvantages:

  • Complex Setup – Implementing DKIM can be more complex than SPF, requiring the generation and management of cryptographic keys and updating DNS records.
  • Key Management – Regularly rotating DKIM keys is essential for maintaining security, adding to the administrative overhead.
  • Compatibility Issues – Some older email systems may not fully support DKIM, potentially limiting its effectiveness.

It is important to note that DKIM protects the identity of the domain specified in the DKIM-Signature header, which is added by the sender's mail server. This domain is not necessarily the same as the visible From address but is often aligned with it for stronger security.

The verification process happens after the email is delivered, by the recipient's mail server, which uses the public key to validate the signature.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by providing a framework for sending domain owners to publish policies on how to handle emails that fail SPF or DKIM checks. It also allows for reporting, enabling domain owners to receive feedback on their email authentication performance. DMARC policies can be set to monitor, quarantine, or reject emails that fail authentication checks.

To pass DMARC, at least one of the following conditions must be met with proper alignment:

  • SPF Alignment: The domain in the "From" header aligns with the domain in the SPF record, and the SPF check passes.
  • DKIM Alignment: The domain in the "From" header aligns with the domain in the "d=" tag of the DKIM-Signature header, and the DKIM check passes.

DMARC alignment is crucial for ensuring that the domains authenticated by SPF and DKIM are consistent with the domain in the email's "From" header, thereby enhancing email security and preventing spoofing.

Advantages:

  • Policy EnforcementDMARC allows domain owners to specify policies on how to handle emails that fail SPF or DKIM checks, improving overall email security.
  • Visibility and Reporting DMARC provides detailed reports on email authentication performance, helping organizations monitor and improve their email security.
  • Enhanced Trust – By publishing a DMARC policy, organizations signal their commitment to email security, enhancing trust with recipients.

Disadvantages:

  • Complexity – Implementing DMARC requires configuring both SPF and DKIM correctly, as well as creating and maintaining DMARC policies and records.
  • Initial Setup and Maintenance – Setting up DMARC requires careful planning and ongoing maintenance, including analyzing reports and adjusting policies as needed.
  • Potential Email Delivery Issues – Strict DMARC policies can lead to legitimate emails being rejected or quarantined if SPF or DKIM checks fail, requiring thorough testing and monitoring.

SPF, DKIM, and DMARC together provide a robust defense against email spoofing and phishing;

  • SPF ensures that emails are sent from authorized servers, making it harder for attackers to spoof email addresses.
  • DKIM ensures the integrity of the email content and confirms that the email has not been tampered with during transit.
  • DMARC enforces the application of SPF and DKIM and provides a feedback mechanism to improve and monitor email security.

When implemented correctly, these protocols significantly reduce the risk of email fraud. According to industry reports, domains protected by DMARC with a reject policy can block over 99% of fraudulent emails from being delivered.

BIMI (Brand Indicators for Message Identification)

BIMI is designed to enhance brand recognition and trust in email communications and allows brands to display their logos directly in recipients’ inboxes alongside authenticated emails. When an email passes all necessary authentication checks, the recipient’s email client or provider displays the sender’s brand logo in the inbox view, enhancing the visibility and credibility of the email and to enable the user to differentiate genuine emails from potential phishing attempts.

Advantages:

  • Enhanced Brand Recognition – BIMI allows brands to display their logos directly in recipients' inboxes, making emails instantly recognizable and maintain consistent brand imagery across different email clients and platforms.
  • Improved Trust – Recipients are more likely to trust emails that display a verified brand logo, reducing the chances of them marking legitimate emails as spam.
  • Phishing and Fraud Prevention – Displaying a verified logo helps distinguish legitimate emails from phishing attempts, enhancing security and educates users to look for brand logos as a mark of authenticity, thereby fostering safer email practices.

Disadvantages:

  • Implementation Complexity – Implementing BIMI requires correctly configuring SPF, DKIM, and DMARC first and requires regular updates and maintenance of DNS records and cryptographic keys.
  • Cost – Obtaining a Verified Mark Certificate (VMC), which is necessary for BIMI implementation, involves additional costs and requires that the logo must be a registered trademark in the jurisdictions where you plan to use BIMI.
  • Adoption – Not all email clients and providers currently support BIMI, which can limit its effectiveness and variations in how email clients display logos can affect the consistency of the user experience.

Adoption

Globally it is estimated that 80-85% of domains have SPF implemented, around 50-60% of domains have DKIM configured and approximately 20-25% of domains have DMARC records published. BIMI is still emerging, with adoption rates around 1-2% of domains.

Adoption is likely to increase quicker now as both Yahoo and Google have become a lot stricter in accepting messages that are not authenticated with SPF, DKIM and DMARC together.

Protect Your Domain

Whilst email authentication will not provide protection for “lookalike” domains (e.g. domains with typos or that use UTF-8 characters that look like ASCII characters), there is excellent evidence to suggest that it makes protected domains much less attractive to spoofers and much more resistant to phishing attacks, so our recommendation for maximum protection is to make sure you have set-up email authentication on ALL domains, regardless as to whether you use them for email or not as attackers will always look for the weakest link.

Read More

·

The biggest problem network abuse teams face on a daily basis is working through their reports. Network abuse is escalating...

·

Introduction In today’s online world, cybersecurity threats are everywhere. Having quick and up-to-date cyber threat information is like having a...

·

Editor’s note: This post was originally published in December 2018 and has been revamped and updated for accuracy and comprehensiveness.Today...