Email Authentication - SPF, DKIM, and DMARC

Email authentication is a mechanism that combines three protocols, SPF, DKIM, and DMARC, to verify that the sending domain of an email is legitimate. The email protocol (SMTP) has made sender spoofing easy ever since its original design in 1982, making it a breeding ground for phishing and business email compromise. In February 2024, Google and Yahoo made SPF/DKIM/DMARC configuration mandatory for bulk senders, transforming email authentication from a "recommended" practice into "required" infrastructure.

The Roles of the Three Protocols

SPF (Sender Policy Framework)

SPF lists, in a DNS TXT record, the IP addresses allowed to send email for the domain. The receiving server checks whether the connecting IP appears in that record and, if not, treats the source as illegitimate. Note that SPF verifies the envelope sender (Return-Path), not the From: header shown to the recipient.

DKIM (DomainKeys Identified Mail)

The sending server signs selected headers and the message body and attaches the result as a DKIM-Signature header. The receiving server verifies the signature with a public key published in DNS, confirming that the email has not been tampered with in transit and was signed by the domain named in the signature. It plays a role similar to the wax seal on a letter.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Based on the SPF and DKIM results, and on whether the domain each of them authenticated aligns with the From: header, DMARC defines a policy for how to handle emails that fail authentication. There are three levels: none (monitoring only), quarantine, and reject. It also lets receivers send reports of authentication results to the domain administrator.

Overview of the Authentication Flow

  • The sending server attaches the DKIM signature
  • The receiving server verifies SPF (does the sending IP match the record?)
  • The receiving server verifies the DKIM signature (does it validate against the published public key?)
  • The receiving server decides how to handle the message according to the DMARC policy
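The flow above ends in a decision that a receiving server makes by combining the SPF and DKIM results with the DMARC record. The following is an added example, not code from the original article, modelling that decision in simplified form: it keeps identifier alignment (the aspf/adkim tags) and the p= policy, and leaves out pct= sampling and subdomain policies. All domain names, the `AuthResult` class, the `dmarc_disposition` function and the sample records are constructed for the example.

```python
"""Added example (not from the original article): a simplified model of the
DMARC decision a receiving server makes after evaluating SPF and DKIM.
Real receivers implement RFC 7489 in full; this keeps the core rules only:
identifier alignment (aspf/adkim) and the p= policy, without pct= sampling.
All domains and records below are constructed sample data.
"""
from dataclasses import dataclass


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (the DMARC TXT record format)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match),
    anything else = relaxed (same organizational domain)."""
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResult:
    header_from: str   # domain in the From: header, what the recipient sees
    spf_pass: bool     # SPF result for the envelope sender (Return-Path)
    spf_domain: str    # envelope sender domain SPF was evaluated against
    dkim_pass: bool    # signature verified with the selector's DNS public key
    dkim_domain: str   # d= tag of the DKIM-Signature header


def dmarc_disposition(result: AuthResult, dmarc_record: str) -> str:
    """Return 'pass' when DMARC passes, otherwise the policy the receiver
    should apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # no usable DMARC record: nothing to enforce
    # DMARC passes if EITHER SPF or DKIM passes AND that domain aligns with From:
    spf_ok = result.spf_pass and aligned(
        result.header_from, result.spf_domain, tags.get("aspf", "r"))
    dkim_ok = result.dkim_pass and aligned(
        result.header_from, result.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # 1. Legitimate mail: SPF passes for a bounce subdomain, DKIM signed by example.com
    legit = AuthResult("example.com", True, "bounce.example.com", True, "example.com")
    # 2. Spoof: From: claims example.com, but SPF only passes for the sender's own domain
    spoof = AuthResult("example.com", True, "unrelated.test", False, "")
    # 3. Forwarded mail: SPF breaks (forwarder IP not in record) but DKIM survives
    forwarded = AuthResult("example.com", False, "example.com", True, "example.com")
    for name, r in [("legit", legit), ("spoof", spoof), ("forwarded", forwarded)]:
        print(f"{name}: {dmarc_disposition(r, policy)}")
```

The third case is why DKIM matters even when SPF is configured: a forwarded message loses SPF but still passes DMARC through its surviving signature, whereas a message whose SPF passes for an unrelated domain fails alignment and is handled according to p=.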

The 2024 Mandate by Google / Yahoo

Starting in February 2024, Google and Yahoo made the following mandatory, with the strictest requirements applying to bulk senders, that is, domains that send more than 5,000 messages per day.

  • Passing either SPF or DKIM (all senders)
  • Passing both SPF and DKIM and setting a DMARC policy (bulk senders)
  • Including a one-click unsubscribe link (marketing emails)
  • Keeping the spam complaint rate below 0.3%

As a result of this mandate, emails from domains that have not configured email authentication are now either sorted into the spam folder in Gmail and Yahoo Mail or rejected outright. From the perspective of phishing countermeasures as well, configuring email authentication is a basic defensive measure that protects an organization's credibility.

BIMI - The Rise of Brand Logo Display

BIMI (Brand Indicators for Message Identification) is a mechanism that allows domains that have already set a DMARC enforcement policy (quarantine or reject) to display their brand logo in the inbox. Gmail, Apple Mail, and Yahoo Mail support it. Because the logo is displayed, recipients can visually judge that an email is legitimate, improving resistance to spear phishing. Adopting BIMI requires obtaining a VMC (Verified Mark Certificate), which costs several hundred thousand yen per year, so at present it is mainly large enterprises and organizations that prioritize brand protection that use it.

Common Misconfigurations and Pitfalls

  • The SPF record exceeds the limit of 10 DNS lookups. When many external services are used, the chain of include directives reaches the limit, SPF evaluation returns a permanent error, and SPF stops functioning
  • The DKIM key length remains at 1024 bits. 2048 bits or more is recommended, and some receiving servers treat a 1024-bit signature as weak
  • The DMARC policy is left at p=none. This is useful as a monitoring phase, but because nothing is quarantined or rejected it provides no protection on its own. Analyze the reports, then move to p=quarantine and finally to p=reject
  • SPF breaks when email is forwarded. Because the forwarding server's IP is not in the original SPF record, SPF fails on forwarded mail, and ARC (Authenticated Received Chain), which lets the forwarder pass along the original authentication results, may become necessary
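The first pitfall above is easy to hit silently, because each include: in an external service's record brings its own nested lookups. The following is an added example, not code from the original article, that walks an SPF include chain and counts the terms that cost a DNS query (include, a, mx, ptr, exists and the redirect= modifier; ip4, ip6 and all cost nothing). DNS is replaced by a constructed in-memory zone so it runs offline; the `lookup_txt`, `count_spf_lookups` and `spf_lint` names and every domain in the zone are constructed for the example.

```python
"""Added example (not from the original article): an offline check for the
SPF "10 DNS lookups" pitfall. DNS is replaced by a constructed in-memory zone
so it runs without network access; replace lookup_txt() with a real resolver
to check live records. All names and records here are constructed sample data.
"""
from typing import Optional

# Constructed sample zone: a domain that sends through two external services,
# each of which nests further include: records of its own.
ZONE = {
    "example.com":         "v=spf1 mx a include:_spf.crm.example include:_spf.mailer.example -all",
    "_spf.crm.example":    "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example":       "v=spf1 ip4:192.0.2.0/24 a:relay.crm.example -all",
    "b.crm.example":       "v=spf1 exists:%{i}.check.crm.example -all",
    "_spf.mailer.example": "v=spf1 include:us.mailer.example include:eu.mailer.example ~all",
    "us.mailer.example":   "v=spf1 ip4:198.51.100.0/24 mx -all",
    "eu.mailer.example":   "v=spf1 ip4:203.0.113.0/24 mx -all",
}
# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # exceeding this makes the receiver return permerror


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query (assumption: swapped for a resolver in real use)."""
    return ZONE.get(name.lower().rstrip("."))


def count_spf_lookups(domain: str, path: tuple = ()) -> int:
    """Count DNS-querying terms across the whole include/redirect chain.
    Each include: costs one lookup plus whatever the included record costs.
    `path` stops runaway recursion on circular include: chains."""
    if domain in path:
        return 0
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier, e.g. "-all" -> "all"
        if "=" in term.split(":")[0]:         # modifier such as redirect= or exp=
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                total += 1 + count_spf_lookups(target, path + (domain,))
            continue
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower().split("/")[0]   # "a/24" -> "a"
        if mechanism in LOOKUP_MECHANISMS:
            total += 1
            if mechanism == "include":
                total += count_spf_lookups(argument, path + (domain,))
    return total


def spf_lint(domain: str) -> dict:
    """Summarise the lookup budget for a sending domain."""
    lookups = count_spf_lookups(domain)
    return {"domain": domain, "lookups": lookups, "over_limit": lookups > MAX_LOOKUPS}


if __name__ == "__main__":
    report = spf_lint("example.com")
    print(f"{report['domain']}: {report['lookups']} DNS lookups (limit {MAX_LOOKUPS})")
    if report["over_limit"]:
        print("SPF will return permerror: flatten or trim the include: chain")
```

In the sample zone the top-level record looks harmless with only four terms, yet the nested includes bring the total to 12 lookups, so a receiver would return permerror and the domain would effectively have no SPF at all. Running the same count against live records before adding a new email service is the practical defence.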

Reading the articles on protecting email accounts and AI-generated phishing as well will give you a complete picture of email security. Email security books on Amazon are also recommended for learning the implementation details.
