SPF + DKIM + DMARC = Enhanced email security

Fifty years after its invention and 30 years after its use became widespread, email remains an indispensable tool for communication. According to recent research, more than 350 billion email messages are sent every day—that’s nearly 40 per person, per day, for all 8 billion people on the planet.


However, the widespread use of email also makes this form of communication a prime target for cyber criminals seeking to exploit vulnerabilities for malicious purposes. Email inboxes contain so much sensitive information that they’ve become prime threat vectors for phishing attacks, ransomware infections, malware distribution, and data breaches.  


That’s why email security is so essential. Its effectiveness, however, can vary widely—especially depending on the type of email service you use. And when the conversation about email security progresses from practical application to technical strategy, it can become one of the most complex issues in the IT landscape.


How does email security work?


Email security encompasses a wide range of technologies and protocols designed to protect the integrity, confidentiality, and authenticity of communications. Three key components are SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).


SPF is a type of DNS TXT record that lists all the servers authorized to send email on behalf of a particular domain. A DNS TXT ("text") record lets a domain administrator publish arbitrary text in the Domain Name System (DNS). When a message arrives, the receiving server looks up the SPF record for the sender's domain and checks whether the IP address of the connecting server is on that list. Think of an SPF record as a guest list managed by a door attendant: if someone is not on the list, the door attendant will not let them in.


DKIM is a digital signature mechanism that lets an organization cryptographically sign outgoing email, so that recipients can verify its authenticity and confirm it has not been tampered with in transit. The signing domain publishes its public key in DNS; the recipient's mail server uses that key to verify the signature, confirm the sender's domain, and detect attempts at email spoofing or phishing.


DMARC adds another layer of security on top of SPF and DKIM by tying those checks to the domain in the message's From: header and adding policy and reporting capabilities. It lets domain owners tell recipient servers how to handle mail that fails authentication (monitor only, quarantine, or reject) and where to send aggregate reports, so they can monitor email activity and potential abuse.
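As an added illustration (not code from the original post), here is a small Python evaluator for the SPF lookup and DMARC policy decision described above, run against constructed DNS records for hypothetical domains. It implements only the ip4/include/all subset of SPF and the p/adkim/aspf tags of DMARC, and treats the last two labels as the organizational domain; real verifiers use the public-suffix list and the full RFC 7208/7489 syntax.

```python
import ipaddress

# Constructed DNS zone for this example (hypothetical domains, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate the ip4/include/all subset of SPF for the connecting IP and MAIL FROM domain."""
    record = dns.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):  # include loop guard / no record published
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qual]
        if term.startswith("include:") and check_spf(ip, term[8:], dns, depth + 1) == "pass":
            return QUALIFIERS[qual]                    # include matches only when it yields pass
        if term == "all":
            return QUALIFIERS[qual]
    return "neutral"                                   # record exhausted without a match

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain
    (simplified here to the last two labels; a real check uses the public-suffix list)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else a.split(".")[-2:] == f.split(".")[-2:]

def parse_dmarc(from_domain, dns=DNS_TXT):
    """Return the DMARC tags for the From: domain, or None if no policy is published."""
    record = dns.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Receiver action ('none', 'quarantine' or 'reject') after checking aligned SPF or DKIM."""
    tags = parse_dmarc(from_domain, dns)
    if tags is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "none" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

Note that a mail-merge provider signing with its own domain (as in the second DMARC case below) passes DKIM but fails alignment, which is why the post insists on configuring these records for your own domain.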


What does that mean for everyday email users? 

With the requirements that Yahoo and Gmail introduced in 2024, even small businesses are now required to implement, at a minimum, SPF and DKIM if they want to avoid having their email flagged as spam or blocked outright by those providers. Adding a DMARC record completes the trifecta and ensures your organization is following best practices and limiting potential issues. If you use third-party software for mass mailing (think Mail Chimp, Constant Contact, HubSpot, SendGrid, etc.) and send those emails from your own domain, you will need to make sure these records are in place. If you just use Office 365 or Google Workspace for everyday work email, you will still need to make sure you have SPF and DKIM in place.
