October 23, 2019

E-mails and DMARC, DKIM, SPF (basics)

By pavel

E-mails, the “outdated” communication channel that still sticks around. If you wish to set up almost any account today (2019), in 99% of the cases you have to have an e-mail address or mobile number already. You most likely have one already, and there is a high chance it is from Google, Outlook.com or Yahoo. If you are from a non-English-speaking country, you will probably use a local provider in your own language; in Czech, for example, it would be Seznam, Centrum or Volny. Now these e-mails work ok, but they are not the most suitable for running a business. Why?

  1. it’s considered unprofessional to use “free” services for business and not have your own domain (e.g. “frantaSysel@gmail.com” vs “franta@sysel.com”)
  2. you have very limited control of your data, if any at all
  3. you are exposed to 3rd-party advertisement
  4. you have no guarantee of the service and usually no backups in place
  5. you are dependent on sending e-mails only from the systems they support
  6. you cannot use advanced marketing tools (which require your own domain name)
  7. you have no central management and ownership of multiple accounts

There are probably more reasons to add to the list, but you get the idea.

Now, seeing that you would have a domain name already (e.g. myname.com), you might also have e-mail services enabled from your hosting provider.

E-mail services from hosting providers can be cheap, but also quite limited. They usually provide between 1 and 5 GB per mailbox, which is very little if you compare it to a free GMail account with 15 GB that also offers additional services like GDrive, Photos, Apps etc. Another limitation is the interface and features you will get (understand “fewer”). Most of the providers (from my experience) use the free open-source software Roundcube, which is probably the “best” on the market but still miles behind GMail in my opinion. On top of that, once you have a professional domain name and e-mail services enabled, you might start attracting spammers and fraudulent actors who use your name or e-mail address for malicious activity. To minimise this, you will have to implement additional technologies such as SPF, DKIM and DMARC. You do not have to worry about these with free e-mail providers, as they handle it themselves, and what hacker wants to use an e-mail address like “mightyJack45@gmail.com”, right?

So what are these technologies in a nutshell? (A very simplistic overview; use the links for full details.)

SPF – is a framework that uses a TXT-type DNS record, which helps identify which hosts / servers are authorised to send e-mails from your domain. Anything coming from outside the listed servers should be considered spam (but not always is, and there are other scenarios to consider).

DKIM – is a cryptography-based technology used to prevent tampering with e-mails and e-mail spoofing. Basically, what you sent should be the same as what the recipient sees upon delivery. Again, there can be exceptions to this.

DMARC – is a solution for the situations where SPF and DKIM fail, such as your legitimate e-mail getting altered by an antivirus program before it is sent, or e-mails being forwarded, etc.

All of these tools help prevent spam, but their problem is adoption. Some e-mail service providers do not use or implement them in their solutions. That means even if you have them implemented at your end and someone maliciously sends an e-mail on your behalf to, let's say, Alice, her client might not be built to support these checks and she might end up thinking the fraudulent e-mail is legit. Regardless, it is good practice to implement these tools and help fight the spam problem. I would say, essential.
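To make the three records and the receiver-side check concrete, here is an added Python model (not from the original post) of how a receiving server evaluates a sender against the SPF and DMARC TXT records of the From: domain. The zone data is constructed and the domain names are placeholders; DKIM signature verification itself is left out and only its outcome (the domain whose signature validated) is passed in.

```python
import ipaddress

# Constructed sample zone (placeholder domains): the TXT records a domain owner publishes.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip (RFC 7208 subset: ip4/ip6, include, all)."""
    terms = TXT.get(domain, "").split()
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms at 10
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+" (pass)
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        else:
            matched = term == "all"  # a, mx, exists, ... are not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present

def dmarc_policy(domain):
    """Parse _dmarc.<domain> into its tags, e.g. {'v': 'DMARC1', 'p': 'quarantine', ...}."""
    record = TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else {}

def dmarc_verdict(from_domain, sender_ip, dkim_signing_domain=None):
    """Receiver's action for a message whose From: header is at from_domain. Assumes the
    envelope (MAIL FROM) domain equals from_domain, so an SPF pass is already aligned."""
    policy = dmarc_policy(from_domain)
    if not policy:
        return "no-policy"  # DMARC not deployed: receiver falls back to its own heuristics
    if spf_check(from_domain, sender_ip) == "pass" or dkim_signing_domain == from_domain:
        return "deliver"
    actions = {"none": "deliver-and-report", "quarantine": "quarantine", "reject": "reject"}
    return actions.get(policy.get("p"), "deliver")
```

Swapping `-all` for `~all` or `p=quarantine` for `p=none` in the sample zone shows how a weaker setting lets a spoofed message from an unlisted IP through.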

Now if you need to choose a professional e-mail service: I have worked with O365/Outlook.com, G-Suite and ProtonMail, to name a few, but would be very happy to hear what you use and whether it can be improved. Leave me a message on my LinkedIn or use the contact form.