Sender Authentication with DKIM and SPF

Sender authentication technologies like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) not only help control spam but also improve deliverability of legitimate messages. Consequently, these systems are of interest to both email administrators and email marketers.

What is sender authentication? In the most general sense, sender authentication measures the validity of a message source, and this information is used by recipient servers to improve filtering and handling. Passing results should indicate the message is of reputable origin; negative results may mean further scrutiny through spam filtering or message blocking. 

Both SPF and DKIM attempt to validate the authenticity of a message sender by looking at the sending domain and qualifying that the server sending the message is legitimate.  However, SPF and DKIM each approach this task differently and have their own unique methodologies and implementations.

The primary objective of SPF is to control forged email. SPF is a relatively simple system that utilizes text entries in the domain’s DNS allowing domain owners to specify what servers are permitted to send mail on behalf of a particular domain.  SPF depends on the recipient server utilizing SPF lookups to validate that messages are authentic. Most server side spam filters like SpamAssassin perform SPF lookups when filtering incoming mail.

DKIM, on the other hand, “lets an organization take responsibility for a message while it is in transit,” as stated on the website. Compared to SPF, DKIM is a more advanced system utilizing cryptographic authentication to verify a signature assigned to a message on the sender’s server.  DKIM requires configuration support on the SMTP server in addition to DNS entries that must be made on the sender’s domain. 

Unlike Sender Policy Framework (SPF) which authenticates a message at the envelope level using the Return-Path header, DKIM validates a message using the From header.  Because spammers commonly forge both of these headers, utilizing SPF and DKIM is good practice ensuring that a message originates from a valid server and is signed by an authorized handler for the domain.

Setting up SPF simply requires adding a text entry to your domain’s DNS.  Most hosts or DNS providers can provide the necessary information to make this entry. In addition, there are several SPF wizards on the Internet and tutorials explaining SPF syntax. If you send from multiple servers, it is important to be sure to include all of these servers in your SPF entry.

DKIM configuration is a bit more complicated than SPF and requires server side components to handle the DKIM signature.  Most email hosting providers support DKIM and can assist you with setting up DomainKeys for your domain and making the necessary text entries in your DNS to enable DKIM signing.

, ,