SPF and DKIM Are NOT Enough: DMARC Is a Must!

February 23, 2017

By Shehzad Mirza


One question that has come up often during discussions of DMARC is “We have SPF and DKIM implemented, so do we really need DMARC?”

The answer is YES! You still need DMARC!

Why?  The main reason is that SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) on their own (or even together) contain various weaknesses.  However, when both are combined with DMARC, both protocols are enhanced and more secure.  DMARC is not a silver bullet, but utilizing it will make an organization’s email domain much more secure.

SPF is a policy which defines which mail servers are authorized to send email on behalf of an organization.  These typically are an organization’s mail server.  In most cases, IT staff are not aware of what other departments might be doing when it comes to email. For example, the marketing team could be using a cloud PR tool or a cloud survey to send mail using the organization’s email domain.  SPF should prevent any of those systems from sending messages, as well as spammers and phishers.  However does it actually work?  An SPF policy does not generate reports, the only way to determine if SPF is working is to send mail from authorized and unauthorized mail servers.  The result will show that mail is being sent by unauthorized mail servers as well as authorized systems.  The mail recipient organization could define what to do with the messages from unauthorized systems, however, this is tricky. How does the recipient know which servers are authorized or unauthorized?

DKIM is designed to add a digital signature to every message that is sent by an organization’s mail server.  The purpose of this signature to allow for the recipient to confirm that the message is coming from an authenticated domain.  This digital signature is not visible to the sender or recipient.  The only way to confirm the DKIM signature is present is by looking at the message headers (something which more end users are not familiar with).  If the DKIM signature is not visible, then how does an organization check for it?  It’s not reasonable for a user or IT staff to check each message header to the digital signature.  Some mail gateways do have a feature to check incoming messages for DKIM signatures.  However, the DKIM checker option is typically to either accept or reject the messages.  If enabled, there is a possibility that any messages without DKIM signatures are rejected, and it is up to the recipient to make that determination, not the sender.

Ok, now the question should be “I can use both, right?”  Yes, you could use both, but the flaws mentioned above still exist.  Additionally, there is nothing indicating that SPF should work with DKIM, or that DKIM should work with SPF.

This is where DMARC comes into play.  DMARC is the policy that will define SPF and DKIM (the A or Authentication in DMARC) and must work together using the policy level defined by your organization (which is the C or Conformance in DMARC), as well as add a reporting feature (the R or Reporting in DMARC).

If you are interested in learning more about DMARC, please feel free to check dmarc.globalcyberalliance.org, sign up for one our free monthly webinars, or contact us at gca-dmarc@globalcyberalliance.org for a one on one discussion.

The author, Shehzad Mirza, is the Director of Operations (NYC Office) at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.