From Jargon to Genius: Cracking the Code of SPF & DKIM DNS Records

After writing my DMARC Reports: Your Secret Weapon Against Domain Fraud (And How to Read Them) post, I realized that I hadn’t really looked at SPF and DKIM records too much. I had read how you could be protecting your brand from email spoofing with SPF and DKIM records but hadn’t explored them very much. I figured that it made more sense to dig a little deeper into what SPF and DKIM records are as well as how they work.

Demystifying SPF Records: Your Firewall Against Email Spoofing

Imagine a world where anyone could send emails pretending to be you, potentially damaging your reputation and scamming unsuspecting recipients. That’s the nightmare scenario email spoofing poses, but fear not! SPF records stand guard as your valiant digital shield.

What are SPF records?

SPF, short for Sender Policy Framework, is a type of DNS record that specifies which email servers are authorized to send emails on behalf of your domain. It’s like a whitelist for email senders, ensuring only trusted sources can use your domain name.

How do SPF records work?

When an email arrives claiming to be from your domain, the recipient’s server checks your SPF record. This record lists the IP addresses of authorized servers, as shown in the example below:

v=spf1 a mx ~all
  • v=spf1 specifies the SPF version.
  • a includes all IP addresses associated with your domain’s A records.
  • mx includes all IP addresses associated with your domain’s MX records (mail servers).
  • ~all tells the recipient to consider the email unauthenticated if it doesn’t come from any of the listed sources.
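To make the check concrete, here is an added example (not code from the original post) of how a receiving server walks an SPF record for a given sending IP. It uses a constructed DNS table instead of live lookups, so every name and address in it is made up; it handles the `a`, `mx`, `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers, which is enough to show why `~all` yields "softfail" where `-all` yields "fail". Macros, `redirect=` and CIDR suffixes on `a`/`mx` are left out.

```python
import ipaddress

# Constructed DNS data standing in for live lookups; none of these are real records.
FAKE_DNS = {
    ("example.com", "TXT"): ["unrelated txt record", "v=spf1 a mx include:_spf.mailhost.test ~all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
}

# A matching mechanism's qualifier decides the result (RFC 7208 section 4.6.2).
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed table above."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def host_ips(name):
    """All addresses a hostname resolves to, as ipaddress objects."""
    return {ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip.

    Returns pass / fail / softfail / neutral / none / permerror, the result
    names RFC 7208 uses. Simplified: no macros, no redirect=, and a
    constructed resolver instead of real DNS.
    """
    if depth > 10:                      # bound include: recursion
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                   # domain publishes no SPF at all
    if len(records) > 1:
        return "permerror"              # more than one v=spf1 record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is False when the address family differs, so no error
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in host_ips(arg or domain)
        elif mech == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", check_spf("example.com", ip))
```

Running it shows the three authorised sources returning "pass" (via `a`, `mx` and the `include`) and an unlisted address returning "softfail" because the record ends in `~all`; the same address checked directly against the included record, which ends in `-all`, returns "fail".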

Benefits of using SPF records

  • Prevents email spoofing: By restricting who can send emails from your domain, you significantly reduce the risk of spoofing attacks.
  • Improves email deliverability: Email providers are more likely to deliver emails from domains with SPF records, as they’re considered more trustworthy.
  • Protects your brand reputation: Spoofing attacks can damage your brand image. SPF helps prevent this by ensuring only authorized emails are sent from your domain.

Setting up SPF records is simple:

  1. Access your domain registrar’s control panel.
  2. Navigate to the DNS management section.
  3. Add a new TXT record with the name _dmarc.yourdomain.com.
  4. Copy and paste your SPF record string into the value field.
  5. Save your changes.

Example SPF record in practice

As noted in my DMARC Reports: Your Secret Weapon Against Domain Fraud (And How to Read Them) post, I focused on my inkedwith.com domain as an example. I’ll continue this example by showing my SPF records for this domain here. You can pretty quickly figure out that this domain is handled by Google so I needed to add SPF records for their mail servers. Google has a really nice step-by-step guide called Help prevent spoofing and spam with SPF that will walk you through generating the record.

Since I’m only using Google for my email, I was able to create a TXT record with the following:

"v=spf1 include:_spf.google.com ~all"

DKIM: The Digital Signature Guarding Your Email Identity

Think of DKIM as your invisible, yet powerful, bodyguard in the ever-treacherous world of email. While SPF tells an email recipient who’s allowed to send emails from your domain, DKIM ensures the message hasn’t been tampered with along the way.

DKIM stands for DomainKeys Identified Mail. It acts like a digital signature, attached to your emails, proving their authenticity and protecting you from email impersonation attempts.

How does DKIM work?

  1. You set up your DKIM record: This record, added to your DNS, holds your public key, like a digital lock.
  2. Emails get signed: Your email server uses your private key (the counterpart to the public key) to sign each outgoing email with a unique digital signature.
  3. Verification on arrival: When an email reaches the recipient’s server, the server retrieves your public key from the DKIM record and verifies the signature.
  4. Spoofing attempts foiled: If the signature matches, the email is deemed authentic. If not, it gets flagged as potentially fraudulent.
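The verification in step 3 actually has two parts: the receiving server first recomputes the hash of the message body and compares it with the `bh=` tag in the `DKIM-Signature` header, and only then checks the `b=` signature against the public key fetched from DNS. The added example below (not code from the original post) implements that first part with the Python standard library, including the "relaxed" body canonicalization from RFC 6376 that lets a message survive harmless whitespace changes in transit while still catching content edits. The message and header are constructed for the example; the `b=` value is a placeholder because checking it needs an RSA library and the key from DNS, which this example does not fetch.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list ('v=1; a=rsa-sha256; bh=...') into a dict.
    Folding whitespace inside values is dropped, as RFC 6376 permits."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canonicalize_body(body, mode):
    """Body canonicalization from RFC 6376: 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # strip trailing whitespace, then collapse runs of spaces/tabs to one space
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":    # both modes ignore empty lines at the end
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines)
    if mode == "simple" and canon == "":
        canon = "\r\n"                  # simple mode hashes a lone CRLF for an empty body
    return canon


def body_hash(body, mode="relaxed"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature_value, body):
    """First half of DKIM verification: does the body still match the signed bh=?"""
    tags = parse_tags(dkim_signature_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False                    # this example only handles the common rsa-sha256 case
    canon = tags.get("c", "simple/simple")          # header/body; body defaults to simple
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == tags.get("bh")


# Constructed message (not a real email). A signing server fills bh= exactly
# this way before signing the selected headers with its private key.
SAMPLE_BODY = "Hi there,\r\n\r\nYour order has shipped.   \r\n\r\n\r\n"
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER"
)


def demo():
    """Returns (intact_ok, tampered_ok): the signed body verifies, an edited one does not."""
    intact = verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY)
    tampered = verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY.replace("shipped", "cancelled"))
    return intact, tampered


if __name__ == "__main__":
    print("bh =", body_hash(SAMPLE_BODY))
    print("intact verifies:", demo()[0], "| tampered verifies:", demo()[1])
```

A body whose trailing spaces or blank lines were altered by a relay still verifies under relaxed canonicalization, while changing a single word of the text does not; that is the property that makes the "tampered with along the way" check meaningful.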

Benefits of using DKIM records

  • Reduced email spoofing: DKIM makes it extremely difficult for attackers to impersonate your domain, protecting your brand reputation.
  • Improved email deliverability: Emails with valid DKIM signatures are more likely to be delivered to inboxes as they’re considered more trustworthy.
  • Enhanced sender identification: Recipients can trust that emails claiming to be from you are indeed yours, increasing confidence and engagement.

Setting up DKIM records isn’t complex:

  1. Choose a DKIM provider or utilize your email service’s built-in DKIM functionality.
  2. Generate your private and public keys.
  3. Add your public key to a DKIM record in your DNS, similar to SPF.
  4. Configure your email server to sign outgoing emails with your private key.

Example DKIM record in practice

Once again Google has a really nice step-by-step guide called Increase security for outgoing email with DKIM that will walk you through generating the record. In addition to generating DKIM records for Google, I needed to generate records for Shopify. Shopify has a step-by-step guide called Setting up your email that walks you through Email setup which includes how to generate the proper DKIM records.

Since I’m using both Google and Shopify, I have a couple of DKIM records in my domain. These are all subdomains of _domainkey.inkedwith.com.

google._domainkey.inkedwith.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs30XlnCz8CYO52sfghF5iubcuIZ3a+Z3yYPeRGgHn9GUKvO7B084fFbfOGvZy4vi9rS1h7LIx32A+wfrq8RtrhRzhkFNqt9HIpyi27X3Zxv39tYNGQRgIIoWCtdqa9OlcqXWYxnOJwIkgZj6yrZBKAJ1OU1cCo0BpH0sZIrdb7TbL20s7ex33bTwv7FSGTh07" "4Jme/19mAQijQatYuFeLgAKfmAORhgsDMw1nhtabQJxR0GM4bJ710zl5c1FQ8J/ZUsqctfhnmaUgM+ynm5ouzRa3wcA7h4DeOTIL9Mp8mXVD4LwOg5GrVJh4ImeuGqt6OsBj47Dey3woVlvSZ3XGwIDAQAB"
g66._domainkey.inkedwith.com CNAME dkim1.14dd3ea22e83.p945.email.myshopify.com.
g662._domainkey.inkedwith.com CNAME dkim2.14dd3ea22e83.p945.email.myshopify.com.
g663._domainkey.inkedwith.com CNAME dkim3.14dd3ea22e83.p945.email.myshopify.com.

TXT vs. CNAME for DKIM: Understanding the Options

While both TXT and CNAME records can be used for DKIM, they differ in how they point to the public key:

TXT Records
  • Direct publication: The public key is published directly within the DNS record itself.
  • Advantages:
    • Simpler setup, especially for smaller domains.
    • Full control over the key within your DNS management.
  • Example: selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4..."
CNAME Records
  • Pointing to a key server: The record points to a separate domain (key server) that hosts the public key.
  • Advantages:
    • Easier key management for large domains with multiple email providers.
    • Simplifies key updates, as they’re handled by the key server.
  • Example: selector1._domainkey.yourdomain.com CNAME key1._domainkey.mailprovider.com
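Whichever record type you publish, the verifying server ends up at the same place: a TXT record holding `v=DKIM1; k=...; p=...`. The added example below (not code from the original post) shows that resolution path against a constructed zone: it follows a CNAME chain to wherever the provider hosts the key, joins the multiple quoted strings that long keys are split into (as in the Google record above), parses the tags, base64-decodes the key, and reports an empty `p=` as a revoked key. All names and the key bytes are made up for the example; a real resolver would query DNS instead of the `FAKE_DNS` table.

```python
import base64

# Constructed zone data (not real records). It mirrors both shapes shown above:
# a key published directly in TXT, split into two character-strings the way
# long keys are, and a selector delegated to a provider by CNAME.
DEMO_KEY_B64 = base64.b64encode(b"constructed-public-key-bytes-not-a-real-key").decode()
FAKE_DNS = {
    ("google._domainkey.example.com", "TXT"): [
        ["v=DKIM1; k=rsa; p=" + DEMO_KEY_B64[:20], DEMO_KEY_B64[20:]],   # one record, two strings
    ],
    ("g66._domainkey.example.com", "CNAME"): ["dkim1.provider.test."],
    ("dkim1.provider.test", "TXT"): [["v=DKIM1; k=rsa; p=" + DEMO_KEY_B64]],
    ("old._domainkey.example.com", "TXT"): [["v=DKIM1; p="]],             # empty p= means revoked
    ("loop._domainkey.example.com", "CNAME"): ["loop._domainkey.example.com."],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; TXT answers are lists of character-strings."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list, dropping folding whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def resolve_dkim_key(selector, domain, max_hops=5):
    """Locate and validate the key record for selector._domainkey.domain.

    Returns a dict with the final DNS name, key type, decoded key bytes and a
    'revoked' flag, or None if no usable record exists. Raises on CNAME loops."""
    name = f"{selector}._domainkey.{domain}"
    hops = 0
    targets = lookup(name, "CNAME")
    while targets:                                   # follow the delegation chain
        hops += 1
        if hops > max_hops:
            raise RuntimeError(f"CNAME chain from {selector}._domainkey.{domain} too long")
        name = targets[0].rstrip(".").lower()
        targets = lookup(name, "CNAME")
    for strings in lookup(name, "TXT"):
        tags = parse_tags("".join(strings))          # join the strings before parsing
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            continue                                 # v= is optional but must be DKIM1 if present
        key_type = tags.get("k", "rsa")
        if key_type not in ("rsa", "ed25519"):
            continue
        try:
            key_bytes = base64.b64decode(tags["p"], validate=True)
        except ValueError:
            continue                                 # p= is not valid base64
        return {"name": name, "key_type": key_type,
                "public_key": key_bytes, "revoked": key_bytes == b""}
    return None


if __name__ == "__main__":
    for sel in ("google", "g66", "old", "missing"):
        print(sel, "->", resolve_dkim_key(sel, "example.com"))
```

The hop limit matters in practice: a mis-typed CNAME that points back at itself would otherwise loop forever, and a chain longer than a few hops usually means a stale delegation to a provider you no longer use.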

Key Considerations for Choosing Which Record Type to Use

  • Ease of management: TXT records are generally simpler for smaller domains, while CNAME records can be easier for larger or more complex setups.
  • Key management preferences: If you prefer direct control over your keys, TXT records are suitable. CNAME records offer centralized management through a key server.
  • Email provider requirements: Some providers may mandate a specific format.
  • DNS provider limitations: Some DNS providers may have restrictions on record types or lengths.

Recommendations

SPF records are just one piece of the email security puzzle. Consider using DKIM (DomainKeys Identified Mail) for additional protection. Be sure to regularly monitor your SPF record for accuracy and update it as needed. By implementing SPF records, you take a crucial step towards securing your email and safeguarding your online reputation.

DKIM works best in conjunction with SPF. They form a powerful duo against email spoofing. Be sure to monitor your DKIM reports for any anomalies that might indicate suspicious activity. By utilizing DKIM, you empower yourself to take control of your email identity and keep your online communications secure.

You should always make sure your DKIM records are properly configured, no matter what format you use. This ensures effective email authentication and protection against spoofing attacks.

  • Start with TXT: Experts often recommend starting with TXT records for simplicity and flexibility.
  • Switch to CNAME if needed: If key management becomes challenging or your provider requires it, consider switching to CNAME records.
  • Consult with your provider: Always refer to your email service provider’s guidelines for their preferred DKIM record format.

So, go forth and conquer the email spoofing menace with these powerful tools at your disposal.