
DMARC 101 (Part I) – S/MIME, SPF, and DKIM

Mike Jones February 11th, 2014 DMARC

In advance of MAAWG next week, we thought we’d go down memory lane and outline the history of email authentication that led to the creation of DMARC.

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late 1990s, but despite a solid technical base and strong vendor support, S/MIME did not achieve meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistics issues that make it difficult to deploy and manage.

Starting in the mid-2000s, a new set of security and authentication standards for email began to be used. Two major standards originated in that timeframe, each solving a related aspect of the email security quandary. The first was the Sender Policy Framework, or SPF, standard. SPF allows email senders to specify which IP addresses are allowed to send email from a given domain (for example, only IP 1.2.3.4 is allowed to send email from @fakedomain.com addresses) and to publish these policies in DNS records for the domains in question.
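The SPF check described above, as an added example (not code from the original post): a receiving server evaluating a published policy against the connecting IP address. The record strings are constructed samples built on the post's fakedomain.com / 1.2.3.4 illustration; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and terms that need further DNS lookups raise `NotImplementedError`.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of one SPF TXT record, left to right."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        if "=" in term.partition(":")[0]:  # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect= needs a DNS lookup")
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name.partition("/")[0] in NEEDS_DNS:
            raise NotImplementedError(f"{name} needs a DNS lookup")
        if name not in ("ip4", "ip6"):
            return "permerror"  # unknown mechanism
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # malformed address or prefix length
        if net.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 range written inside ip4:
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # Constructed TXT record for fakedomain.com: only 1.2.3.4 may send.
    policy = "v=spf1 ip4:1.2.3.4 -all"
    for candidate in ("1.2.3.4", "5.6.7.8"):
        print(candidate, "->", check_spf(policy, candidate))
```

The first matching mechanism decides the result, so a trailing `-all` is what turns "not listed" into an explicit `fail` rather than `neutral`.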

The second standard from this timeframe is DKIM, or DomainKeys Identified Mail. DKIM was created by merging two new technologies, DomainKeys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by giving email senders a way to digitally sign all the outgoing email from a given domain, and to publish in DNS the public key(s) necessary to validate those digital signatures. This lets the email recipient systems confirm, before delivering a message to the end user's inbox, that no changes have been made to it since it was sent.

Both SPF and DKIM share an important common attribute: neither of them requires any change in behavior on the part of the end user. This made them much easier to deploy than S/MIME, and within a few years both SPF and DKIM were widely adopted. However, SPF and DKIM alone are not a complete solution to email authentication. A few elements of the equation are still missing even after an email sender has fully deployed both standards, and that is what led to the development of DMARC.

Stay tuned for Part II, coming up later this week!
