SPF vs DKIM

DKIM and SPF are more than a technical email setup step. If they are ignored or configured incorrectly, they hurt inbox placement and cost organizations revenue.

In short, SPF, DKIM and DMARC (covered further down) are all ways Internet Service Providers (ISPs) authenticate email: is the sender really who they say they are?

Many types of transactions require authentication: a patient needing treatment, a driver needing a license, a customer paying with a credit card, a passenger boarding an airplane. In order to proceed, you must prove your identity with a passport, a Social Security card, proof of health insurance, or some other form of identification. Not sure whether you have either set up? Tools are available online for SPF and DKIM checks.

The world of deliverability works the same. In order to get through the gates of ISP filters, you need to prove that you are a legitimate sender. How do you prove you are not sending on behalf of someone else and that your identity has not been compromised? By utilizing SPF and DKIM.

What Is DKIM?


DKIM stands for DomainKeys Identified Mail. It is an email authentication method designed to detect email spoofing and phishing by allowing the sender to digitally sign their emails. DKIM works by adding a digital signature to the header of an email message. This signature is generated using a private key, and the recipient can verify its authenticity using the sender’s public key, which is published in the DNS (Domain Name System) records.

Here’s a brief overview of how DKIM works:

  1. Signing: When an email is sent, the sending mail server adds a digital signature to the email header using a private key associated with the sender’s domain. This signature includes information about the message and is generated using a cryptographic hash function.
  2. DNS Record: The public key used for verification is stored in the sender’s DNS records as a DKIM record. This record contains the public key and information about the cryptographic algorithms used.
  3. Verification: When the recipient’s mail server receives the email, it retrieves the public key from the sender’s DNS records using the information in the DKIM signature. It then uses this public key to verify the signature in the email header.
  4. Authentication Result: If the signature is valid, the email is considered authentic, and the recipient can be more confident that it was sent by the claimed sender without being altered in transit. If the signature is invalid or missing, it may indicate that the email could be fraudulent, and the recipient’s mail server can take appropriate action, such as marking the email as suspicious or rejecting it.

Why is DKIM important?

DKIM proves three things:

  1. The content of an email has not been tampered with.
  2. The headers in the email have not changed since the original sender sent it, and no new “from” domain has been introduced.
  3. The sender of the email owns the DKIM domain, or is authorized by the owner of that domain.

What does DKIM do, exactly? DKIM uses a public-key (asymmetric) algorithm to create a pair of keys — a public key and a private key. Your ESP should create these keys for you.

The private key remains on the server on which it was created and is never published. A signature made with the private key can only be verified with the matching public key. The sender publishes the public key in a DNS TXT record and points to it from the DKIM signature with the “d=” domain and the “s=” selector tags. The domain owner keeps the private key secret and stores it on the sending email server. If the hash recovered from the signature matches the hash the receiver computes over the signed header fields and body, the receiver knows the message has not been tampered with in transit.
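To make the signing and verification steps above concrete, here is an added example (not code from the original article) that parses a DKIM-Signature header, derives the DNS name the verifier queries from the d= and s= tags, and checks the bh= body hash after “simple” canonicalization. The message, domain and selector are constructed; verifying the b= tag itself would additionally need the RSA public key from DNS and is left out.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs; whitespace inside values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canon_body_simple(body):
    """'simple' body canonicalization: CRLF line ends, trailing empty lines dropped,
    exactly one CRLF at the end (an empty body becomes a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def verify_body_hash(dkim_header, body):
    """First half of verification: does the body still match bh=? A mismatch means the
    body was altered after signing (or the header is forged). Checking b= is left out."""
    tags = parse_dkim_tags(dkim_header)
    return tags.get("a") == "rsa-sha256" and tags.get("bh") == body_hash(body)

# Constructed sample message; bh= is filled in by body_hash() so the example is
# self-consistent, and b= is a placeholder, not a real signature from any domain.
BODY = b"Hello,\r\nYour invoice is attached.\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; "
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print("public key record:", dkim_dns_name(parse_dkim_tags(SIGNATURE)))
    print("body intact:", verify_body_hash(SIGNATURE, BODY))
    print("body altered:", verify_body_hash(SIGNATURE, BODY.replace(b"invoice", b"refund")))
```

Note that appending blank lines to the body does not break the hash (canonicalization removes them), while changing any visible byte does.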

What is SPF?


SPF stands for Sender Policy Framework. It is another email authentication method used to prevent email spoofing and phishing. SPF allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. This is achieved by publishing SPF records in the DNS (Domain Name System) for the domain.

Here’s how SPF works:

  1. Publishing SPF Records: The domain owner publishes SPF records in their DNS configuration. These records contain information about the authorized mail servers that are allowed to send emails on behalf of the domain. The records specify IP addresses or hostnames of these authorized servers.
  2. Receiving Email: When an email is received, the recipient’s mail server checks the SPF record of the sender’s domain by querying the DNS. It looks for information about which servers are allowed to send emails for that domain.
  3. SPF Check: The recipient’s mail server compares the IP address of the sending server with the information in the SPF record. If the sending server’s IP address is listed as an authorized sender, the email passes the SPF check.
  4. Authentication Result: Depending on the SPF check result, the recipient’s mail server can take appropriate action. If the SPF check passes, the email is considered authentic. If the check fails, the server may treat the email as suspicious or reject it, depending on the SPF policy configured by the domain owner.

SPF is a “proposed standard” that helps protect email users from potential spammers. Email spam and phishing often use forged “from” addresses and domains. That is why most consider publishing and checking SPF records one of the most reliable and simplest anti-spam techniques. If you have a good sending reputation, a spammer might attempt to send email from your domain in order to piggyback off your good sender reputation with ISPs. But properly set up SPF authentication shows the receiving ISP that, even though the domain may be yours, the sending server has not been authorized to send mail for your domain.
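The SPF check described above, as an added example that is not part of the original article: a minimal evaluator for an SPF record that handles ip4, ip6, a, include and the *all mechanism, and enforces the 10-lookup limit that real verifiers apply. The DNS zone, domains and addresses are constructed stand-ins so the code runs offline.

```python
import ipaddress

# Constructed DNS zone standing in for real lookups, so the example runs offline.
FAKE_DNS = {
    "example.com": {"A": ["198.51.100.7"],
                    "TXT": "v=spf1 a ip4:192.0.2.0/24 include:_spf.mailer.example -all"},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"},
    "loop.example": {"TXT": "v=spf1 include:loop.example -all"},  # pathological self-include
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=FAKE_DNS, lookups=None):
    """Minimal check_host() in the spirit of RFC 7208: returns pass, fail, softfail,
    neutral, none or permerror. Handles ip4, ip6, a, include and all, and enforces the
    10-lookup limit that a/include count against. Unsupported terms yield permerror."""
    lookups = lookups if lookups is not None else [0]   # shared counter across includes
    addr = ipaddress.ip_address(ip)
    record = dns.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                      # no SPF record: the receiver learns nothing
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("a", "include"):
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"         # too many DNS-querying mechanisms
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns.get(arg or domain, {}).get("A", [])
        elif mech == "include":
            sub = check_spf(ip, arg, dns, lookups)
            if sub == "permerror":
                return sub
            matched = sub == "pass"        # include matches only when the included record passes
        elif mech == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no *all term

if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.5", "2001:db8::1", "10.0.0.1"):
        print(sender, "->", check_spf(sender, "example.com"))
```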

An SPF record in a top domain (e.g., cpanelresellerwebhosting.in) will automatically authenticate any subdomains (e.g., mail.cpanelresellerwebhosting.in), even when it may not contain its own SPF record.

SPF vs DKIM


Now that you know what SPF and DKIM are, let’s talk about the differences. SPF identifies sending IP addresses in order to determine which servers are permitted to send mail for a domain. DKIM instead identifies the sender by a digital signature made with a cryptographic key, ensuring that the mail has not been altered. Both have their own pros and cons.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. When implementing a DMARC record, you have 3 policy options. These policies tell the recipient server how to treat mail sent from your domain that is not DMARC compliant (mail that passes neither SPF nor DKIM for a domain aligned with the “from” domain). Please note that the recipient server is not required to treat mail as requested.

  1. None: Treat all mail sent from your domain as it would be without any DMARC validation.
  2. Quarantine: The recipient server may accept the mail but should place it somewhere other than the recipient’s inbox (usually, the spam folder).
  3. Reject: Completely reject the message.

A successful DMARC implementation slowly ramps up through increasing percentages of quarantine to, ultimately, full reject. A successful practice also requires the sender to monitor DMARC reports regularly. These reports reveal any attempts to spoof your domain, as well as whether your own legitimate mail is being rejected for failing DKIM or SPF.
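The policy options and the percentage ramp-up described above, worked through as an added example (not code from the original article): a parser for a DMARC TXT record and the disposition a receiving server derives from the SPF and DKIM results, their identifier alignment with the “from” domain, and the pct= sample. The record, domains and the `sample` value standing in for the receiver’s random draw are constructed.

```python
def parse_dmarc(record):
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=quarantine; pct=50; rua=mailto:...'."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags["pct"] = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    return tags

def org_domain(domain):
    """Crude organizational domain: the last two labels (real verifiers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed alignment ('r', the default) accepts the same organizational domain;
    strict ('s') requires an exact match with the From: domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(policy, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=0.0):
    """Mail is DMARC compliant when EITHER SPF or DKIM passes AND that identifier aligns
    with the From: domain. Non-compliant mail gets p=, except the share outside pct=,
    which drops to the next weaker policy (this is what makes a gradual ramp-up possible).
    `sample` stands in for the receiver's random draw in [0, 1) and is constructed here."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"                          # compliant: deliver normally
    disposition = policy["p"]
    if sample * 100 >= policy["pct"]:          # outside the sampled share
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, "none")
    return disposition

# Constructed example record and results, not taken from any real domain.
POLICY = parse_dmarc("v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    # SPF passes only for an unrelated bulk-mailer domain, but DKIM d= is the From: domain
    print(dmarc_disposition(POLICY, "example.com", "pass", "mailer.example", "pass", "example.com"))
    # Neither identifier aligns: half of such mail is rejected, the other half quarantined
    print(dmarc_disposition(POLICY, "example.com", "pass", "mailer.example", "fail", None, sample=0.2))
    print(dmarc_disposition(POLICY, "example.com", "pass", "mailer.example", "fail", None, sample=0.8))
```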

Conclusion

In conclusion, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are both email authentication methods designed to make email communication more secure by preventing email spoofing, phishing, and unauthorized use of domain names. While they serve similar purposes, they operate in different ways, and they are best used together for a more comprehensive email authentication solution.
