Email Security - jibingl/CCNA-CCNP GitHub Wiki
| Stands for | Purpose | |
|---|---|---|
| DKIM | DomainKeys Identified Mail | Adds a cryptographic signature (digital signature) to your emails, guaranteeing that the message was not forged or altered. |
| SPF | Sender Policy Framework | Specifies which mail servers (IPs/domains) are allowed to send email on behalf of your domain. |
| DMARC | Domain-based Message Authentication, Reporting & Conformance | Uses SPF and DKIM to determine the authenticity of a message. It provides instructions to receiving servers on how to handle failed emails |
How DKIM works
-
DNS TXT Record (Sender Side)
- The sender's domain publishes a DNS TXT record for DKIM containing a public key.
-
Email Signing (Sender Side)
- The sender domain mail servers digitally sign (digital signature) outgoing emails using the private key.
- This signature is included in the email headers as a "DKIM-Signature" field.
-
Verification (Recipient Side)
- The recipient’s mail server extracts the "DKIM-Signature" from the email message.
- It retrieves the public key from the sender’s DNS record and then validates the signature.
- If valid, the message is considered authentic and untampered.
- If invalid, the message is rejected or flagged as spam.
Example DKIM Record
default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
Notes v=DKIM1DKIM version. k=rsaEncryption algorithm used. p=MIIBIjANBgkqh...Public key for verifying signatures.
How SPF works
-
DNS TXT Record (Sender Side)
- The domain owner creates a DNS TXT record for SPF.
- The SPF record lists authorized mail servers (IPs/domains) that can send emails from the domain.
-
SPF Validation (Recipient Side)
- When an email is received, the recipient’s email server checks the “MAIL FROM” field.
- The recipient’s serve compares the sending mail server’s IP/domain with the list in the SPF record.
- If match an authorized sender, the email passes SPF.
- If not listed, the email fails SPF and may be rejected or marked as spam.
Example SPF Record
v=spf1 ip4:192.168.1.1 include:_spf.google.com -all
Notes v=spf1Specifies SPF version. ip4:192.168.1.1Authorizes this specific IP to send emails for the domain. include:_spf.google.comAllows Google's mail servers (e.g., Gmail) to send emails for the domain. -allHard fail; reject emails from unauthorized sources.
How DMARC works
-
Publish a DMARC Policy (Sender Side)
- A DMARC policy is added as a TXT record in the domain’s DNS.
- The policy defines what action the recipient should take if an email fails SPF or DKIM.
- It also provides an email address for reporting authentication failures.
-
Email Validation
- When an email is received, the recipient's mail server checks SPF and DKIM.
- Based on the DMARC policy, the recipient server rejects or quarantines the failed emails, or takes no action but monitor only.
-
Reporting
- The domain owner receives reports about authentication failures, which help analyze unauthorized email activity.
Example DMARC Record
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
Notes v=DMARC1Specifies DMARC version. p=rejectReject emails that fail SPF/DKIM. Other actions are p=quarantineandp=none.rua=mailto:[email protected]Sends aggregate reports (summary of DMARC failures). ruf=mailto:[email protected]Sends forensic reports (detailed reports for failures). fo=1Requests reports if either SPF or DKIM fails.