Email best practices course

by IloGus - 23/04/2023

Summary

  • Introduction
  • SPF
  • DKIM
  • DMARC
  • BIMI
  • Email testing

Introduction

In this course, we will look at what the SPF, DKIM, DMARC and BIMI protocols are and learn how to implement them. Then we will see how to test the DNS records and email deliverability.

Why is email insecure?

  • Email is not encrypted, so any information sent via email is not protected from being intercepted by third-party attackers.
  • Email is a "broadcast" communication medium.
  • It's very easy for someone to create a fake email account and pose as another person.
  • Email messages can be easily intercepted and read by third-party attackers.

Source: https://www.filemail.com/content/blog/why-email-is-not-secure/

What are the solutions?

Destination servers use "reputation" mechanisms, based in particular on the sending IP address, the content of the message, and the domain name.

They can sometimes use "retry pattern" mechanisms to ask the sender to try again in a few minutes.

Consequences

These mechanisms degrade email deliverability: emails can take several minutes to arrive, land in spam, or worse, not arrive at all.

SPF: Sender Policy Framework

“Sender Policy Framework (SPF) is a standard for checking the domain name of the sender of an e-mail.”

How does SPF work?

SPF tells the destination server which IP addresses are allowed to send email on behalf of a given domain name. To do this, you publish a DNS record for the domain.

SPF in details

Today an SPF record is published as a DNS TXT record; the dedicated SPF record type is no longer used.

google.com. IN TXT "v=spf1 include:_spf.google.com ~all"

v: version (spf1)
include: includes the SPF record of another domain (here Google's list of sending IPs)
~: qualifier meaning SOFTFAIL
all: matches every IP address not matched by a previous mechanism
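As an added example (not the course's own code), here is a minimal SPF evaluator that walks a record the way a receiving server does, using a constructed in-memory DNS table in place of live TXT lookups. It handles ip4, ip6, include and all with the four qualifiers; a, mx, ptr and exists are left out because they need live DNS.

```python
import ipaddress

# Constructed in-memory "DNS" standing in for live TXT lookups (assumption; not real records).
FAKE_DNS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is implied when absent)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate a sending IP against a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a/mx/ptr/exists need live DNS.
    """
    if depth > 10:
        # Simplified version of the RFC 7208 limit of 10 DNS-querying terms
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Mismatched IP versions never match (e.g. an IPv6 sender vs. an ip4 term)
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_spf(ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208: a missing or broken included record is an error
            matched = sub == "pass"  # include matches only when the referenced record passes
        else:
            return "permerror"  # unsupported mechanism in this demo
        if matched:
            return QUALIFIERS[qualifier]
    # No term matched and no "all": RFC 7208 makes the default result neutral
    return "neutral"
```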

How to configure SPF?

Read the DOC!

The configuration of SPF depends on many parameters. Build your SPF record from the documentation available online and adapt it to your needs.

Plenty of companies have built a business around SPF, DKIM and DMARC and publish articles about them. You can read those articles or the text of RFC 7208.

Recommendations

To help you, you can follow these steps:

  1. Find the IP addresses of the sending servers; contact your email provider if needed (in the example later on, we will use the IONOS servers)
  2. Create the SPF record and add it to your DNS
  3. Test the SPF record: mxtoolbox.com/spf or app.dmarcanalyzer.com/dns/spf

DKIM: DomainKeys Identified Mail

DKIM is a standard used to authenticate the domain name of an email sender.

How does DKIM work?

An organisation generates an asymmetric key pair. The private key is stored on the sending servers, or in email campaign scripts, and is used to sign outgoing messages. The public key is published in a DNS record so that receivers can verify the signatures.

Practice!

Generation of the DKIM keys

To sign emails, we need an asymmetric key pair. Be careful with the file permissions on the private key!

Generate the private key:

openssl genrsa -out dkim_private.pem 2048

Adding the DNS record

Now we need to publish the public key in a TXT record. But first we need to choose a "selector" (the label placed before _domainkey). For example, one for the accounting department:

accounting._domainkey.ilogus.dev. TTL_AUTO \
IN TXT "v=DKIM1;k=rsa;t=s;p=[PUBLIC-KEY]"

v: version
k: key algorithm
t: flags (here s, strict: the signing identity must be exactly this domain, not a subdomain)
p: public key in base64

Practice!

Generate the public key and convert it to base64:

openssl rsa -in dkim_private.pem -pubout \
-outform der 2>/dev/null | openssl base64 -A

Then, publish the DNS record.

Don't forget to test your DNS record with an online tool: mxtoolbox.com/dkim.aspx or app.dmarcanalyzer.com/dns/dkim

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC: Definition

“A DMARC policy allows the sender to indicate that its emails are protected by SPF and/or DKIM and tells the recipient what to do if these authentication methods fail.”

Do you get it?

In other words, the sender tells the destination server how to handle the email depending on whether SPF and/or DKIM pass. In addition, you can receive reports to check that everything is working.

How to set it up?

Cloudflare has an article that explains it very well: Cloudflare: dns-dmarc-record

Let's take the following example:

IN TXT "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:[email protected];"

p: policy to apply when authentication fails (quarantine, reject, none)
adkim: DKIM alignment mode (s = strict, r = relaxed)
aspf: SPF alignment mode (s = strict, r = relaxed)
rua: URI where aggregate reports are sent (the mailto: scheme IS important)

DMARC Verification

Once SPF and DKIM are configured, DMARC is very easy to set up, but don't forget to check it!

mxtoolbox.com/dmarc.aspx or marcadvisor.com/fr/dmarc-check/

BIMI: Brand Indicators for Message Identification

BIMI Definition:

BIMI coordinates e-mail publishers and domain name owners to enable the owners to display their logos directly in their customers' e-mail boxes, i.e. next to the sender's name.

Definition by https://www.dmarc.fr/blog/qu-est-ce-que-bimi

But what is this?

In plain terms, BIMI lets you display a "logo" next to the sender name. But it is not quite that simple: much as with certificates, a company logo can be signed by a "Certification Authority". You can also publish a self-declared logo, but it carries less weight.

How to proceed?

For a self-declared logo, it is very simple: you add the URL of the logo in a TXT record. On the other hand, for the logo to be accepted everywhere, you first have to file a trademark application that includes the logo, then buy a certificate from a company that issues them to sign your logo. This is called a Verified Mark Certificate (VMC).

BUT... The price?

One YEAR of a Verified Mark Certificate (VMC) costs around $1500.


Let's try without VMC

Upload your logo in SVG format to a CDN.

Then, you can create the DNS record:

IN TXT "v=BIMI1; l=https://ilogus.dev/logo.svg"

Email testing

Test email parameters

Now that you have configured SPF, DKIM, DMARC and maybe BIMI, you can test each parameter with a dedicated tool. But you can also test them all at once! For example: mxtoolbox.com/deliverability

Test email content

As we saw in the introduction, email servers also analyze the content of the email to decide whether it looks legitimate or like spam. If you plan to send emails formatted in HTML, use the mail-tester.com tool. It checks the security settings and many other things!

Thank you for your attention / reading

Feedback / questions

[email protected] Ilo Gus#9999