
Putting Together the Email Security Puzzle: SPF, DKIM, and DMARC

Email security is more important than ever before. If you’ve seen a few spam messages get through your email inbox, just remember: that’s after your server has already successfully stopped 99.9% of the spam hitting your inbox.

Thankfully, there are robust email security protocols that have made email an incredibly secure medium of communication. Here are the three frameworks you need to know about:

What is SPF?

Sender Policy Framework’s main job is to prevent domain spoofing, which is when someone sends a message that claims to come from a domain that is not really theirs. It works like a big public list that tells everyone where you send your email from. If an email claims to come from your domain but the server that sent it is not on this list, that tells receiving email servers to treat the email with suspicion: it’s very likely spam.

SPF is published as a TXT record in the DNS of your email domain. Having SPF in place for your email domain stops other people from being able to spoof emails as coming from your domain. When someone receives an email from an email domain that uses SPF, the receiving server retrieves the SPF record from the sender’s domain. If the server that sent the email is listed there, then the email is approved as legitimately coming from that domain. Having SPF enabled also makes your email (and, by extension, your business) appear more reputable to the world.

What is DKIM?

DomainKeys Identified Mail has the same goal as SPF: it tries to verify that a message legitimately comes from a particular domain. It also verifies that the message has not been altered by a third party that intercepted it. DKIM uses a cryptographic digital signature that lives in the header of the email. The receiving server verifies the signature using a public key published in the sender’s DNS. If the signature verifies, the receiving server knows that the message has not been altered since it left the sender’s email server.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance builds on the widely deployed SPF and DKIM protocols. It works by adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Because these protocols are so useful, they have become near-universal, and any email server not using them is behind the times. At CanSpace, we configure all these records for new hosting accounts by default, to ensure clients’ emails do not end up in spam folders. If you have any questions about your CanSpace email domain, or if you’re thinking about moving your email and/or website to CanSpace, contact us to find out more!

CanSpace Team
