SPF, DKIM, and DMARC
This is a basic description of the three email authentication mechanisms whose records are published in a domain's DNS so that receiving servers can tell mail that really comes from the domain apart from mail that merely claims to.
SPF
Short for Sender Policy Framework, SPF is a TXT record published in your domain's DNS that lists the IP addresses (directly, or by referencing another domain's record with include:) that are authorized to send mail using your domain. A receiving server checks the connecting server's IP against the record of the domain in the SMTP envelope sender (MAIL FROM, later visible as Return-Path), which is not necessarily the From header a user sees.
If mail arrives from an IP that is not covered by the record, the outcome is whatever the record's final qualifier says: -all means fail (the receiver may reject the message or treat it as spoofed), ~all means softfail (usually accepted but marked as suspicious), and ?all means neutral. Two caveats matter in practice: SPF breaks when mail is forwarded, because the forwarding server's IP is not in the record, and on its own SPF says nothing about the From header, which is what DMARC's alignment check adds.
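As an added example (not part of the original page), the following Go program evaluates an SPF record the way a receiving server does: it walks the record's mechanisms left to right, stops at the first one that matches the connecting IP and returns the result named by that mechanism's qualifier. The records in spfRecords are constructed for the example and stand in for real DNS TXT lookups; only the ip4, ip6, include and all mechanisms are implemented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed in-memory "DNS" (domain -> SPF TXT record) so the example runs
// offline; a real checker queries the TXT records of these names.
var spfRecords = map[string]string{
	"example.com":         "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
	"_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

// qualifierResult maps a mechanism's qualifier to the result returned when
// that mechanism matches (RFC 7208, section 4.6.2).
func qualifierResult(q byte) string {
	switch q {
	case '-':
		return "fail"
	case '~':
		return "softfail"
	case '?':
		return "neutral"
	default:
		return "pass"
	}
}

// CheckSPF evaluates the SPF record of domain (the envelope MAIL FROM domain)
// for the connecting client IP. Only the ip4, ip6, include and all mechanisms
// are implemented; a, mx, exists and modifiers such as redirect= need live DNS
// and are reported as permerror here. depth bounds include recursion.
func CheckSPF(domain, ip string, depth int) string {
	if depth > 10 {
		return "permerror"
	}
	record, ok := spfRecords[strings.ToLower(domain)]
	if !ok || !strings.HasPrefix(record, "v=spf1") {
		return "none"
	}
	addr := net.ParseIP(ip)
	if addr == nil {
		return "permerror"
	}
	for _, term := range strings.Fields(record)[1:] {
		qual := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qual, term = term[0], term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		name = strings.ToLower(name)
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address: full-length prefix
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[name]
			}
			_, cidr, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			matched = cidr.Contains(addr)
		case "include":
			// include matches only if the referenced record evaluates to pass;
			// its softfail/fail/neutral results do not propagate.
			matched = CheckSPF(arg, ip, depth+1) == "pass"
		default:
			return "permerror"
		}
		if matched {
			return qualifierResult(qual)
		}
	}
	return "neutral" // no mechanism matched and no "all" term
}

func main() {
	for _, ip := range []string{"192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.5"} {
		fmt.Printf("%-16s -> %s\n", ip, CheckSPF("example.com", ip, 0))
	}
}
```

The last address, 203.0.113.5, is covered by neither record, so it reaches the -all term and fails; changing that term to ~all would turn the same message into a softfail that most receivers still deliver, which is why a domain should move to -all once its senders are known.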
DKIM
DomainKeys Identified Mail uses public-key cryptography to let the sending domain sign outgoing mail. The public key is published as a TXT record at selector._domainkey.yourdomain (the selector allows several keys to exist at once, which is what makes key rotation possible), while the private key is kept on the sending mail server and never published.
When an email is sent, the server hashes the message body, builds a DKIM-Signature header that records the body hash (bh=), the signing domain (d=), the selector (s=) and the list of signed headers (h=, which must include From), and signs the canonicalized form of those headers plus the DKIM-Signature header itself with the private key, storing the signature in the b= tag.
When an email is received, the incoming mail server reads d= and s= from the DKIM-Signature header, fetches the public key from s._domainkey.d, recomputes the body hash and the header hash, and verifies the signature against them. A valid signature shows that the holder of that domain's private key signed the message and that the signed headers and body were not altered in transit. Headers that were not listed in h= are not protected, and d= does not have to match the From header; whether it does is again decided by DMARC alignment.
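The signing and verifying steps above, as an added Go example that is not from the original page. It implements the relaxed header and simple body canonicalization modes, the body hash bh=, the header hash that b= signs (which covers the DKIM-Signature header itself with an empty b=), and verification using the public key found at s._domainkey.d. The dnsTXT map, the generated key, the selector sel1 and the message are all constructed for the example; a real verifier fetches the TXT record from DNS and also checks tags this example ignores, such as the x= expiry and the l= body length limit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one message header field. dnsTXT is a constructed in-memory "DNS"
// of selector._domainkey.<domain> TXT records, so the example runs offline.
type Header struct{ Name, Value string }

var dnsTXT = map[string]string{}
var b64, wsRun = base64.StdEncoding, regexp.MustCompile(`[ \t]+`)

// relaxedHeader: DKIM "relaxed" header canonicalization (lowercase name, unfold,
// collapse whitespace, trim). simpleBody: trailing empty lines dropped, one CRLF.
func relaxedHeader(h Header) string {
	v := wsRun.ReplaceAllString(strings.ReplaceAll(h.Value, "\r\n", ""), " ")
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + strings.TrimSpace(v)
}
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// tags splits a "k=v; k=v" list (DKIM-Signature value or DNS record) into a map.
func tags(s string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(t), "=")
		m[k] = v
	}
	return m
}

// signedData builds the bytes covered by b=: each header listed in h= (relaxed,
// plus CRLF), then the DKIM-Signature header itself with the b= value emptied.
func signedData(headers []Header, dkimValue string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(tags(dkimValue)["h"], ":") {
		for _, h := range headers {
			if strings.EqualFold(h.Name, name) {
				sb.WriteString(relaxedHeader(h) + "\r\n")
				break
			}
		}
	}
	parts := strings.Split(dkimValue, ";")
	for i, p := range parts {
		if strings.HasPrefix(strings.TrimSpace(p), "b=") {
			parts[i] = " b=" // RFC 6376 3.7: b= is hashed with its value empty
		}
	}
	sb.WriteString(relaxedHeader(Header{"DKIM-Signature", strings.Join(parts, ";")}))
	return []byte(sb.String())
}

// Sign returns the DKIM-Signature value: bh= over the body, b= over signedData.
func Sign(headers []Header, body, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=",
		domain, selector, b64.EncodeToString(bh[:]))
	hash := sha256.Sum256(signedData(headers, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hash[:])
	return value + b64.EncodeToString(sig), err
}

// Verify fetches the key at s._domainkey.d, recomputes both hashes and checks b=.
func Verify(headers []Header, body, dkimValue string) bool {
	t := tags(dkimValue)
	der, derErr := b64.DecodeString(tags(dnsTXT[t["s"]+"._domainkey."+t["d"]])["p"])
	key, keyErr := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if derErr != nil || keyErr != nil || !isRSA {
		return false // no usable RSA key published for this selector and domain
	}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	sig, sigErr := b64.DecodeString(t["b"])
	if sigErr != nil || b64.EncodeToString(bh[:]) != t["bh"] {
		return false // undecodable signature, or the body was altered in transit
	}
	hash := sha256.Sum256(signedData(headers, dkimValue))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash[:], sig) == nil
}

// Demo signs a constructed message and verifies it untouched, with the body
// changed, and with the From header changed (the last two must fail).
func Demo() (clean, bodyTampered, fromTampered bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	dnsTXT["sel1._domainkey.example.com"] = "v=DKIM1; k=rsa; p=" + b64.EncodeToString(der)
	headers := []Header{{"From", "alice@example.com"}, {"To", "bob@example.net"}, {"Subject", "Invoice 42"}}
	body := "Please pay 100 EUR to account A.\r\n"
	dkim, err := Sign(headers, body, "example.com", "sel1", priv)
	if err != nil {
		return
	}
	clean = Verify(headers, body, dkim)
	bodyTampered = Verify(headers, "Please pay 100 EUR to account B.\r\n", dkim)
	forged := append([]Header{{"From", "ceo@example.com"}}, headers[1:]...)
	fromTampered = Verify(forged, body, dkim)
	return
}

func main() {
	clean, bodyT, fromT, err := Demo()
	fmt.Println("untouched:", clean, "body changed:", bodyT, "From changed:", fromT, "err:", err)
}
```

The body change is caught by the bh= comparison before any signature work, and the From change is caught by the signature check because From is in h=. A header outside h= (Reply-To, say) could be changed without either check noticing, which is why the signed header list matters as much as the key.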
DMARC
Domain-based Message Authentication, Reporting, and Conformance builds on SPF and DKIM: it ties their results to the From header domain that the user sees, and it lets the domain owner publish a policy for messages that fail. When an email is received, the server looks up a TXT record at _dmarc.<From domain> (falling back to the organizational domain for subdomains) which states the policy (p=none, quarantine or reject), how strictly the SPF and DKIM domains must align with the From domain (aspf= and adkim=, relaxed or strict) and where aggregate reports should be sent (rua=).
A message passes DMARC when at least one of the two checks passes and is aligned: SPF passes and the envelope sender domain aligns with the From domain, or DKIM verifies and the d= domain aligns with the From domain. When both are set up and aligned, the message carries the strongest evidence of authenticity (it came from the claimed domain) and integrity (the signed content is unaltered), and it still passes if one of the two breaks, as SPF does after forwarding.
If neither check passes with alignment, the published policy tells the receiving server what to do with the message: deliver it and only report (p=none), put it in spam (p=quarantine) or refuse it (p=reject). Aggregate reports are sent to the rua= address either way, which is how a domain owner discovers legitimate senders that were never authorized before moving from p=none to enforcement.
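The DMARC evaluation described in this section, as an added Go example that is not from the original page. Given the From header domain and the results the receiver already has from SPF and DKIM, it fetches the policy, applies the alignment modes and returns the DMARC result together with the disposition. The dmarcTXT records and the AuthResults inputs are constructed; orgDomain uses the last two labels as an assumption in place of the Public Suffix List, and the sp= and pct= tags are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed in-memory "DNS": _dmarc.<domain> -> TXT record, so the example runs offline.
var dmarcTXT = map[string]string{
	"_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
	"_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

// Policy holds the DMARC tags this example acts on: p=, aspf=, adkim=, rua=.
type Policy struct{ P, ASPF, ADKIM, RUA string }

// ParseDMARC reads a _dmarc TXT record. Missing or unknown alignment modes are
// left as-is and treated as relaxed by aligned, matching the RFC 7489 default.
func ParseDMARC(txt string) (Policy, bool) {
	tags := map[string]string{}
	for _, t := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[strings.ToLower(k)] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return Policy{}, false // not a usable record: behave as if no policy exists
	}
	return Policy{P: tags["p"], ASPF: tags["aspf"], ADKIM: tags["adkim"], RUA: tags["rua"]}, true
}

// orgDomain approximates the organizational domain as the last two labels. This is
// an assumption for the example; real evaluators consult the Public Suffix List so
// that names like example.co.uk are handled correctly.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned: strict ("s") needs an exact match with the From domain; relaxed only
// needs the same organizational domain (bounce.example.com aligns with example.com).
func aligned(fromDomain, authDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// AuthResults is what the receiver already established from its SPF and DKIM checks.
type AuthResults struct {
	SPFResult, SPFDomain   string // SPF result and the MAIL FROM domain it was checked against
	DKIMResult, DKIMDomain string // DKIM result and the d= domain of the verified signature
}

// Evaluate returns the DMARC result (none/pass/fail) and the disposition the receiver
// applies (accept/quarantine/reject). A subdomain without its own record uses the
// organizational domain's record; the sp= and pct= tags are not modelled here.
func Evaluate(fromDomain string, ar AuthResults) (result, disposition string) {
	fromDomain = strings.ToLower(fromDomain)
	txt, ok := dmarcTXT["_dmarc."+fromDomain]
	if !ok {
		txt = dmarcTXT["_dmarc."+orgDomain(fromDomain)]
	}
	pol, valid := ParseDMARC(txt)
	if !valid {
		return "none", "accept"
	}
	spfOK := ar.SPFResult == "pass" && aligned(fromDomain, ar.SPFDomain, pol.ASPF)
	dkimOK := ar.DKIMResult == "pass" && aligned(fromDomain, ar.DKIMDomain, pol.ADKIM)
	if spfOK || dkimOK {
		return "pass", "accept" // one aligned pass is enough
	}
	switch pol.P {
	case "reject":
		return "fail", "reject"
	case "quarantine":
		return "fail", "quarantine"
	}
	return "fail", "accept" // p=none: delivered anyway, but the failure still shows up in rua= reports
}

func main() {
	cases := []struct {
		name, from string
		ar         AuthResults
	}{
		{"SPF passes on bounce subdomain (relaxed), DKIM fails", "example.com", AuthResults{"pass", "bounce.example.com", "fail", "example.com"}},
		{"DKIM d= is a subdomain but adkim=s, SPF domain unrelated", "example.com", AuthResults{"pass", "spoof.example.net", "pass", "mail.example.com"}},
		{"forwarded: SPF broke, DKIM still aligned", "example.com", AuthResults{"fail", "bounce.example.com", "pass", "example.com"}},
		{"subdomain falls back to p=none record", "news.example.org", AuthResults{"fail", "attacker.example", "none", ""}},
		{"no DMARC record published", "example.net", AuthResults{"fail", "attacker.example", "none", ""}},
	}
	for _, c := range cases {
		r, d := Evaluate(c.from, c.ar)
		fmt.Printf("%-60s -> %s/%s\n", c.name, r, d)
	}
}
```

The second case is the one worth studying: both SPF and DKIM passed, yet the message is rejected, because neither passing domain aligns with the From domain under the published modes. That is exactly the spoof that SPF and DKIM alone cannot stop, since an attacker can always pass both checks for a domain they control.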