SPF, DMARC and DKIM - 3 pillars for email security

The SMTP protocol was invented without any security measures in place. Since then, multiple layers of security measures have been added to ensure that emails are not tampered with and that the sender is who they claim to be. The three most important of these are SPF, DKIM and DMARC.

How are emails sent?

First, let's understand how emails are sent and how the sender is verified.

1. The sending server establishes a TCP connection with the receiving server. Because the TCP handshake must complete, the sending server cannot spoof its IP address.
2. The sending server sends a HELO command to the receiving server with a domain. This domain is checked via SPF.
3. The sending server sends the envelope containing the Internet Message Format email to the receiving server. The envelope contains (among other things):
   - Envelope From header: not necessarily the same as the From header in the email.
   - Envelope To header: not necessarily the same as the To header in the email.
4. The receiving server verifies the Envelope From domain via SPF.
5. The receiving server verifies the DKIM signature, the SPF alignment and the DKIM alignment.
6. The receiving server evaluates the sender's DMARC policy.
7. The receiving server puts the email message (Internet Message Format) in the recipient's inbox, or quarantines or rejects it based on the DMARC policy.

The email message has a different From header and To header than the envelope. This is what the user will see in the inbox.

```mermaid
graph LR
  A[Sending Server] -->|1. Establishes connection| E[Receiving Server]
  C -->|Receives Envelope| D[Message with Headers]
  E -->|The Internet Message Format email is put in the inbox| F[Recipient's Inbox]
  subgraph H[Internet Message Format]
    I[Message From]
    J[Message To]
    K[Message Subject]
    L[Message Body]
  end
  subgraph C[SMTP Envelope]
    D
    B[SMTP From Header]
    G[SMTP To Header]
    H
  end
  A -->|2. Sends Envelope| C[SMTP Envelope]
  C -->|3. Receives Envelope| E[Receiving Server]
```

SPF

The point of SPF is to authorize IPs to send email under your domain.
SPF only applies to the envelope from domain. It does not apply to the From header in the email, which is what the user sees.
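As an added worked example (not code from the original post), here is a simplified SPF evaluator for the envelope-from domain plus the DMARC alignment check that ties the SPF result back to the header From the user actually sees. The domains, addresses and SPF records are constructed, and DNS lookups are replaced by an inline table so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network): domain -> SPF record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from_domain, records=SPF_RECORDS, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of the envelope-from
    domain's SPF record against the connecting IP (the one TCP vouches for).
    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    record = records.get(envelope_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms such as include at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # a bare address like ip4:198.51.100.10 is treated as a /32 network;
            # an IPv4 client never matches an ip6 network and vice versa
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the included domain's record yields pass
            if check_spf(client_ip, value, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def spf_aligned(envelope_from_domain, header_from_domain, mode="relaxed"):
    """DMARC SPF alignment: strict mode needs an exact match between the
    envelope-from domain and the header From domain; relaxed mode accepts the
    same organizational domain (approximated here as the last two labels)."""
    if mode == "strict":
        return envelope_from_domain.lower() == header_from_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(envelope_from_domain) == org(header_from_domain)
```

A message whose envelope from is bounce.example.com and header From is example.com passes relaxed alignment but fails strict alignment, which is exactly the gap between what SPF checks and what the recipient sees.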