Email Security Blog

DMARC 101 (Part I) – S/MIME, SPF, and DKIM

Mike Jones February 11, 2014 DMARC

In advance of MAAWG next week, we thought we’d go down memory lane and outline the history of email authentication that led to the creation of DMARC.

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late '90s, but despite a solid technical base and strong vendor support, S/MIME did not achieve meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistical issues that make it difficult to deploy and manage. Starting in the mid-2000s, a new set of security and authentication standards for email came into use. Two major standards originated in that timeframe, each solving a related aspect of the email security quandary. The first was the Sender Policy Framework, or SPF, standard. SPF allows email senders to specify which IP addresses are allowed to send email from a given domain (for example, only IP 1.2.3.4 is allowed to send email from @fakedomain.com addresses) and to publish these policies in DNS records for the domains in question.

The second standard from this timeframe is DKIM, or DomainKeys Identified Mail. DKIM was created by merging two new technologies, DomainKeys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by giving email senders a way to digitally sign all the outgoing email from a given domain, and to publish in DNS the public key(s) necessary to validate those digital signatures. This lets receiving email systems confirm, before delivering a message to the end user's inbox, that no changes have been made to it since it was sent. SPF and DKIM share an important common attribute: neither of them requires any change in behavior on the part of the end user. This made them much easier to deploy than S/MIME, and within a few years both SPF and DKIM were widely adopted. However, SPF and DKIM alone are not a complete solution to email authentication. There are a few elements of the equation missing even after an email sender has fully deployed both standards, and that is what led to the development of DMARC.

Stay tuned for Part II, coming up later this week!
