In our work we manage some email servers. We keep ourselves up to date so that we can always offer our clients the best technologies. E-mail is still very important in everyday life, especially in the work environment, so care must be taken to keep this system operational and secure at all times.
As the image accompanying this post shows, there are many useful e-mail standards today; we are going to talk about the most important ones for a small company.
Sender Policy Framework (SPF) is a method aimed at reducing email spam and fraud.
DomainKeys Identified Mail (DKIM) is a method to cryptographically sign email.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication and security policy protocol.
Mail Transfer Agent Strict Transport Security (MTA-STS) is an email security standard for secure delivery of email to your domain.
These are some of today's key email standards. If you would like to learn more about these and other standards, we suggest you visit the MailHardener site, a tool we use to keep our clients' domains under control.
This service allows you to track the implementation of all email standards over time and to receive aggregated reports on email deliverability, both inbound and outbound. Bear in mind that not all servers will respond with such reports.
SPF allows domain owners to publish a policy about which senders are allowed to send email for that domain. Recipients use SPF as one of their spam detection methods.
This is very useful because if someone sends emails in our name from servers that do not belong to our organisation, those emails would be treated as spam. DKIM and DMARC then complete the job with further controls that verify whether this is really the case.
SPF therefore identifies the servers from which emails are sent on behalf of our organisation.
With DKIM the sending email service adds a cryptographic signature to the email headers using the sender's private key. This signature is used by the receiving service to determine if the sender, and the email content, are to be trusted.
In a nutshell, a header field is added to the email containing a cryptographic signature produced with the private key of our outgoing server. The server that receives our email asks our DNS for the matching public key and performs a cryptographic check of the signature.
DKIM guarantees that the email is authentic (from the originating server) and that the server is authorised to send and sign emails.
DMARC extends SPF and DKIM validation by adding a third validation known as alignment. It is intended to mitigate the weaknesses that exist in both DKIM and SPF. DMARC allows domain owners to specify a policy on how the receiver should treat email from the domain.
DMARC takes care of alignment: it performs the SPF and DKIM checks and verifies, via the DMARC policy, that the domain or subdomain is authorised.
DMARC is a versatile email hardening technique that solves common weaknesses with SPF and DKIM. DMARC also allows a domain administrator to monitor email traffic sent on behalf of the domain and to identify deliverability issues.
We suggest reading about it in detail in MailHardener.com
| SPF result | DKIM result | DMARC result |
|---|---|---|
| unaligned | unaligned | unaligned (DMARC policy) |
| unaligned | aligned | aligned |
| aligned | unaligned | aligned |
| aligned | aligned | aligned |
The DMARC policy instructs the receiver on how to treat received emails that fail alignment. There are 3 possible values: None, Quarantine, Reject.
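To make the table and the policy values concrete, here is an added example (our own illustration, not code from the post or from MailHardener) that evaluates a DMARC result from the SPF and DKIM outcomes and their identifier domains, then applies the published policy. The organizational-domain helper is a simplification assumed for the example; real implementations use the Public Suffix List.

```python
from typing import Optional, Tuple

def org_domain(domain: str) -> str:
    """Organizational domain, assumed here to be the last two labels.
    (A real receiver consults the Public Suffix List instead.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment against the From: header domain.
    strict: exact match; relaxed (default): same organizational domain."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   policy: str = "none") -> Tuple[str, str]:
    """Return (dmarc_result, disposition) following the table above.

    spf_result / dkim_result: 'pass' or 'fail' as reported by the receiver.
    spf_domain: the MAIL FROM (envelope) domain SPF was evaluated against.
    dkim_domain: the d= tag of a DKIM signature that verified.
    DMARC passes when at least one of SPF or DKIM passes AND aligns with From:.
    policy: the DMARC 'p=' value: none, quarantine or reject.
    """
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    # Neither identifier is aligned: the DMARC policy decides the outcome.
    dispositions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", dispositions[policy.lower()]

if __name__ == "__main__":
    # Constructed scenario: a message claiming to be From: example.com, relayed
    # by a third party whose SPF passes for its own domain, with no DKIM signature.
    print(dmarc_evaluate("example.com", "pass", "bulk-sender.example.net",
                         "fail", None, policy="reject"))
```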
With MTA-STS you let senders know that your email server accepts secure email delivery using SMTP over TLS (STARTTLS), and that email should not be delivered over an insecure SMTP connection.
MTA-STS mitigates Man-In-The-Middle DNS and SMTP downgrade attacks that would allow an attacker to read or manipulate email in transit.
We were able to quickly see how each of the standards worked, but we still needed to check that the configurations we had made were correct.
A reliable tool is certainly MailHardener, as described above, but there are other tools available for even greater certainty.
A very interesting, innovative and useful tool is Learn and Test DMARC, which allows us to send an email and see the reasoning of the receiving server and the corresponding checks.
Another useful tool is HARDENIZE - Automated Discovery and Monitoring, a more comprehensive tool that allows you to check the settings of mail servers, DNS and web servers.
Although the article is not very specific and leaves out many technical aspects, we hope you have enjoyed it and have at least learnt about some useful tools for email standards checking.