by IloGus - 23/04/2023
In this course, I will look at what the SPF, DKIM, DMARC and BIMI protocols are and learn how to implement them. Then I will see how to test the records and email deliverability.
Source: https://www.filemail.com/content/blog/why-email-is-not-secure/
Destination servers implement "reputation" mechanisms, based in particular on the sending IP address, the content of the message, and the domain name.
They can sometimes use "retry pattern" mechanisms to ask the sender to try again in a few minutes.
These mechanisms degrade the deliverability of emails. Emails can take several minutes to arrive, go into SPAM, or worse, not arrive at all.
“Sender Policy Framework (SPF) is a standard for checking the domain name of the sender of an e-mail.”
Let's look at how the SPF works.
The SPF tells the destination server which IP addresses are allowed to send emails with the given domain name. To do this, you need to set up a domain name record.
Note that an SPF record is now published as a TXT record; the dedicated SPF DNS record type is no longer used.
google.com. IN TXT "v=spf1 include:_spf.google.com ~all"
v: version
include: include the SPF record of another domain (here Google's list of sending IP addresses)
~: SOFTFAIL qualifier
all: matches every IP address not matched by a previous mechanism
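To show how a receiving server actually applies the mechanisms listed above, here is an added example (not code from the original post) of a minimal SPF evaluator in Python. It uses only the standard library; DNS lookups are replaced by a constructed dictionary of invented TXT records (the domains example.test and _spf.mailer.test are placeholders) so it runs offline. It implements ip4, ip6, include and all with their qualifiers, and enforces the 10-lookup limit from RFC 7208; a, mx, exists and redirect are left out as a simplification.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These records and domains are invented for illustration; a real checker
# would fetch them with a DNS resolver.
FAKE_DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefixes and the result they yield when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# RFC 7208 section 4.6.4: at most 10 mechanisms that cause DNS lookups.
MAX_DNS_LOOKUPS = 10


def evaluate_spf(domain, sender_ip, lookups=None):
    """Return (result, lookups_used) for sender_ip against the domain's SPF record.

    Only ip4, ip6, include and all are implemented; a, mx, exists and redirect
    need live DNS and are treated as non-matching here (a simplification).
    """
    if lookups is None:
        lookups = [0]            # shared counter across nested includes
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"          # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], lookups[0]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]
            sub_result, _ = evaluate_spf(arg, sender_ip, lookups)
            # An include matches only when the included record gives "pass";
            # any other result falls through to the next term.
            if sub_result == "pass":
                return QUALIFIERS[qualifier], lookups[0]
    # No mechanism matched and no "all" present: the default result is neutral.
    return "neutral", lookups[0]


if __name__ == "__main__":
    for sender in ("192.0.2.55", "198.51.100.10", "2001:db8:1::5", "203.0.113.7"):
        print(sender, evaluate_spf("example.test", sender))
```

Running it shows why the qualifier on `all` matters: an IP that matches nothing ends at `-all` and gets a hard fail, while the same IP evaluated against the included record alone would only get a softfail from `~all`.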
The configuration of SPF depends on many parameters. Build your SPF record by searching the documentation on the internet and adapting it to your needs.
There are plenty of articles from companies that have made SPF, DKIM and DMARC a business. You can read their articles or the text of RFC 7208.
To help you, you can follow these steps:
DKIM is a standard used to authenticate the domain name of an email sender.
An organisation generates an asymmetric key pair. The private key can be stored on the sending servers, or in email campaign scripts. The public key is stored in a DNS record.
In order to sign the emails, we need an asymmetric key pair. Be careful with permissions!
Generate the private key:
openssl genrsa -out dkim_private.pem 2048
Now we need to add the public key to a TXT record. But first we need to choose a "domain key" or "selector". For example, the accounting department:
accounting._domainkey.ilogus.dev. TTL_AUTO \
IN TXT "v=DKIM1;k=rsa;t=s;p=[PUBLIC-KEY]"
v: version
k: key algorithm
t: flag
p: public key in base64
Generate the public key and convert it to base64:
openssl rsa -in dkim_private.pem -pubout \
-outform der 2>/dev/null | openssl base64 -A
Then, publish the DNS record.
Don't forget to test your DNS record with an online tool: mxtoolbox.com/dkim.aspx or app.dmarcanalyzer.com/dns/dkim
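Before publishing, it helps to sanity-check the record you built and to understand what the signer actually hashes. The following is an added example in Python (not code from the original post), using only the standard library. It parses the tag=value list of a DKIM TXT record, checks the p= tag decodes to something shaped like a DER public key, and computes the bh= body hash with DKIM "relaxed" body canonicalization from RFC 6376. The public key in the sample record is a constructed placeholder, not a real key, and the full header signature (b=) is out of scope here.

```python
import base64
import hashlib
import re


def parse_dkim_record(txt):
    """Parse the tag=value list of a DKIM TXT record into a dict."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(txt):
    """Return a list of problems found in a DKIM TXT record (empty list = looks sane)."""
    problems = []
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1 if present
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") != "rsa":          # k= defaults to rsa
        problems.append(f"unexpected key type {tags.get('k')!r}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("p= is empty: key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
        else:
            # A DER SubjectPublicKeyInfo always starts with a SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append("p= does not look like a DER SubjectPublicKeyInfo")
    return problems


def relaxed_body(body):
    """Apply DKIM relaxed body canonicalization (RFC 6376 section 3.4.4):
    strip trailing whitespace per line, collapse runs of whitespace to one
    space, drop empty lines at the end, terminate every line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body):
    """Compute the bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


# Constructed placeholder, not a real key: just a DER SEQUENCE header and zeros.
PLACEHOLDER_P = base64.b64encode(b"\x30\x22" + b"\x00" * 34).decode()
SAMPLE_RECORD = "v=DKIM1;k=rsa;t=s;p=" + PLACEHOLDER_P


if __name__ == "__main__":
    print("record problems:", check_dkim_record(SAMPLE_RECORD))
    print("bh=", body_hash("Hello   world \t\r\n\r\nBye\r\n\r\n\r\n"))
```

The canonicalization is why a message whose body is rewritten by a mailing list or a gateway (extra trailing whitespace, different line endings) can still verify under relaxed mode, while any change to the actual words breaks bh= and therefore the signature.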
“A DMARC policy allows the sender to indicate that its emails are protected by SPF and/or DKIM and tells the recipient what to do if these authentication methods fail.”
In other words, the sender tells the destination server how to handle the email depending on whether SPF and/or DKIM pass. In addition, you can receive reports to check that all is well.
Cloudflare has an article that explains it very well: Cloudflare: dns-dmarc-record
Let's take the following example:
IN TXT "v=DMARC1; p=quarantine;
adkim=r; aspf=r; rua=mailto:[email protected];"
p: policy (quarantine, reject, none)
adkim: DKIM identifier alignment mode (s means strict, r means relaxed)
aspf: SPF identifier alignment mode (s means strict, r means relaxed)
rua: URI to send aggregate reports to (the mailto: prefix is important)
Once SPF and DKIM are already configured it is very easy to configure DMARC, but don't forget to check!
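The part of DMARC that trips people up is alignment: SPF or DKIM can pass and DMARC can still fail if the authenticated domain does not line up with the From: header domain. The following is an added example in Python (not code from the original post) that parses a DMARC record and applies the adkim/aspf modes to decide the result and the disposition the receiver should apply. The records and domains are constructed placeholders, and the organizational-domain logic takes the last two labels as a simplification; real implementations use the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record's tag=value list into a dict."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if field:
            key, _, value = field.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def organizational_domain(domain):
    """Simplification: take the last two labels. Real DMARC uses the Public
    Suffix List, so e.g. 'example.co.uk' would otherwise be mis-handled."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().strip(".") == auth_domain.lower().strip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope-from (MAIL FROM) domain SPF checked, dkim_domain
    the d= tag of a verified signature. The disposition is 'none' (deliver)
    when DMARC passes, otherwise the record's p= policy.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed records: one relaxed (like the page's example) and one strict.
RELAXED = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.test;"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"


if __name__ == "__main__":
    # Mail From: user@example.test, sent via a bounce address at mail.example.test.
    print("relaxed:", dmarc_evaluate(RELAXED, "example.test", "pass", "mail.example.test", "fail", None))
    print("strict: ", dmarc_evaluate(STRICT, "example.test", "pass", "mail.example.test", "fail", None))
```

The two printed lines show the same message passing under relaxed alignment and being rejected under strict alignment, which is the check to run before switching a record from adkim=r/aspf=r to strict.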
BIMI coordinates e-mail publishers and domain name owners to enable the owners to display their logos directly in their customers' e-mail boxes, i.e. next to the sender's name.
Definition by https://www.dmarc.fr/blog/qu-est-ce-que-bimi
In plain terms, BIMI is the ability to put a simple "logo" next to the sender. But not really... A bit like with certificates, company logos can be signed, as with a "Certification Authority". Of course, we can publish self-declared logos, but they carry less weight.
For a self-declared logo, it is very simple: you have to add the URL of a logo in a TXT record. On the other hand... for it to be accepted everywhere, you will first have to file a trademark application including the logo, then pay a company that issues certificates to sign your logo. This is called a Verified Mark Certificate (VMC).
One year of a Verified Mark Certificate (VMC) costs around $1500.
Upload your logo in SVG format to a CDN.
Then, you can create the DNS record:
IN TXT "v=BIMI1; l=https://ilogus.dev/logo.svg"
Now that you have configured SPF, DKIM, DMARC and maybe BIMI, you have to test each parameter with a dedicated tool. But you can test all of them at once! Use for example: mxtoolbox.com/deliverability
As we saw in the introduction, email servers also analyze the content of the email to determine if it is good or bad. If you plan to send emails formatted in HTML, use the mail-tester.com tool. It checks the security settings and many other things!
[email protected] Ilo Gus#9999