Email Security Blog

DMARC 101 (Part I) – S/MIME, SPF, and DKIM

Mike Jones February 11, 2014 DMARC
Fallback Featured Image

In advance of MAAWG next week, we thought we’d go down memory lane and outline the history of email authentication that led to the creation of DMARC.

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late 90’s, but despite a solid technical base and strong vendor support S/MIME did not achieve meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistics issues that make it difficult to deploy and manage. Starting in the mid-2000’s, a new set of security and authentication standards for email began to be used. There are two major standards that originated in that timeframe, solving two related aspects of the email security quandary. The first was the Sender Policy Framework, or SPF, standard. SPF allows email senders to specify which IP addresses are allowed to send email from a given domain, i.e. only IP is allowed to send email from addresses, and to publish these policies in DNS records for the domains in question.

The second standard from this timeframe is DKIM, or Domain Keys Identified Mail. DKIM was created by merging two new technologies, Domain Keys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by giving email senders a way to digitally sign all the outgoing email from a given domain, and publish in the DNS system the public key(s) necessary to validate those digital signatures. This lets the email recipient systems confirm that no changes have been made to the email since it was sent before delivering it to the end user’s inbox. Both SPF and DKIM share an important common attribute in that neither of them requires any change in behavior on the part of the end user. This made them much easier to deploy than S/MIME, and within a few years both SPF and DKIM were widely adopted. However, SPF and DKIM alone are not a complete solution to email authentication. There are a few elements of the equation missing even after an email sender has fully deployed both standards, and that is what led to the development of DMARC.

Stay tuned for Part II, coming up later this week!

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

Person Looking at DMARC Protected Email

February 19, 2019 Fareed Bukhari

DMARC Adoption Up, But 85% of Fortune 500 Remains Vulnerable to Brand Hijacking

Adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has seen modest growth in recent…

Agari Blog Image

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC One…

Agari Blog Image

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

Today is the deadline set by the Department of Homeland Security for all executive branch…

mobile image