Email Protection Best Practices: SPF, DKIM and DMARC


As Zimbra Collaboration is the central communication hub of your business, it needs to be protected and secured. Zimbra Collaboration ships with several anti-spam components, such as SpamAssassin and amavisd-new, that act on incoming mail.

But how do you protect your domain against spoofing? And how do you make sure the email you send does not land in the junk folder of recipients on other platforms such as Google Apps or Office 365?

An email server should always be complemented by external, DNS-based mechanisms that let other servers authenticate the mail it sends and the identity it claims: SPF, DKIM, DMARC and rDNS. Each is described below.

SPF & SenderID

Sender Policy Framework (SPF) is an email validation system designed to detect spoofing of the envelope sender. The owner of a domain publishes, in a DNS TXT record, the list of hosts that are allowed to send mail on its behalf. When a message arrives, the receiving server takes the domain from the envelope MAIL FROM address (the Return-Path), fetches that record and checks whether the connecting IP is authorized by it. The outcome (pass, fail, softfail, neutral, none or permerror) feeds the receiver's spam scoring and, later, DMARC. Two caveats to keep in mind: SPF says nothing about the From: header the recipient actually sees, and it breaks when mail is forwarded, because the forwarding host's IP is not in the original domain's record.

[Diagram: SPF validation flow (Zimbra-spf.png)]

Sender ID was derived from SPF and can likewise validate the MAIL FROM identity. In addition it defines a new identity to validate, the Purported Responsible Address (PRA), which is taken from the message headers rather than from the envelope, and new sender-policy record scope tags that state whether a policy covers MAIL FROM (called MFROM in Sender ID), PRA or both. Sender ID saw little adoption outside Microsoft's products, and the job of tying the visible From: header to authentication is now done by DMARC. For more information about Sender ID, please visit OpenSPF.org.
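The check described above, written out as an added example (this is not Zimbra code and not OpenSPF's library): a small SPF evaluator run against a constructed, offline zone. The domains, addresses and records in ZONE are assumptions. It implements the mechanisms most domains actually use, the 10-lookup limit, and shows how include: and the -all / ~all qualifiers combine into one result.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed, offline DNS table.

Added example, not Zimbra or OpenSPF code. The zone below is constructed:
example.com, mail.example.com, _spf.vendor.example and all addresses are
assumptions. Implements ip4, ip6, a, mx, include, redirect= and all with
qualifiers, plus the 10-lookup limit that turns an over-long or looping
record into permerror. ptr, exists and macros are not implemented.
"""
import ipaddress

# Constructed zone data: (name, rrtype) -> list of values. Not real DNS.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a:mail.example.com include:_spf.vendor.example -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.vendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # pathological self-include
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return ZONE.get((name.lower(), rrtype), [])


def check_host(ip, domain, budget=None):
    """Return pass, fail, softfail, neutral, none or permerror for <ip> sending as <domain>."""
    ip = ipaddress.ip_address(ip)
    if budget is None:
        budget = [10]  # DNS-lookup budget shared across include/redirect recursion
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not recs:
        return "none"
    if len(recs) > 1:
        return "permerror"  # RFC 7208 4.5: more than one SPF record is an error
    redirect = None
    for term in recs[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # membership is False when the address family differs, so ip4 never matches an IPv6 client
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if mech == "include":
                sub = check_host(str(ip), target, budget)
                if sub in ("none", "permerror"):
                    return "permerror"  # including a domain without a record is an error
                matched = sub == "pass"  # only a pass of the included record matches
            else:
                hosts = [target] if mech == "a" else lookup(target, "MX")
                rrtype = "AAAA" if ip.version == 6 else "A"
                matched = any(ip in ipaddress.ip_network(addr) for h in hosts for addr in lookup(h, rrtype))
        else:
            return "permerror"  # ptr, exists and macros are not implemented in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        return check_host(str(ip), redirect, budget)
    return "neutral"  # record exhausted without a match and without an all term


if __name__ == "__main__":
    for client_ip, sender_domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                                     ("203.0.113.5", "example.com"), ("192.0.2.1", "loop.example")]:
        print(f"{client_ip:>14} as {sender_domain}: {check_host(client_ip, sender_domain)}")
```

Note that the vendor's ~all never reaches the final result: an include: only contributes a match when the included record passes, so an unauthorized IP falls through to example.com's own -all and fails.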

DKIM

DomainKeys Identified Mail (DKIM) is a method that associates a domain name with a message, so that a person or company can take responsibility for it. The signing server computes a hash of the message body and of selected headers, signs it with the domain's private key and adds the result as a DKIM-Signature header; the corresponding public key is published in DNS as a TXT record at selector._domainkey.domain, and the d= and s= tags of the signature tell the receiver where to fetch it. A valid signature proves that the domain authorized the message and that the signed headers and body were not altered in transit. Because the proof travels with the message instead of depending on the connecting IP, DKIM survives forwarding where SPF does not. The private key must never leave the signing server.

[Diagram: DKIM signing and verification flow (Zimbra-dkim.png)]

DKIM diagram, updated with the proper email flow, thank you Vinzenz.
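The body-hash part of the verification described above, as an added example (not Zimbra's or OpenDKIM's code): the two body canonicalizations of RFC 6376 and the bh= tag they produce. The sample bodies and the DKIM-Signature header are constructed; the domain and selector used in it are assumptions. It shows why relaxed canonicalization survives the whitespace changes intermediate MTAs make, why any change to the text itself breaks the hash, and that a receiver can reject a tampered body before it even fetches the public key.

```python
"""DKIM body canonicalization and the bh= body hash (RFC 6376 sections 3.4.3 to 3.4.5).

Added example, not Zimbra's or OpenDKIM's code. Sample bodies and the signature
header built here are constructed. Checking bh= is the first step a verifier
performs: if the body hash does not match, the signature cannot verify and no
DNS key lookup is needed.
"""
import base64
import hashlib
import re


def _crlf_lines(body: bytes) -> list:
    """Normalise bare LF (common on disk) to CRLF, split, and drop trailing empty lines."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()  # "ignore all empty lines at the end of the message body"
    return lines


def simple_body(body: bytes) -> bytes:
    """'simple': only trailing empty lines are removed; an empty body becomes a single CRLF."""
    lines = _crlf_lines(body)
    return b"\r\n".join(lines) + b"\r\n" if lines else b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """'relaxed': additionally collapse runs of WSP to one SP and strip trailing WSP on each line."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in _crlf_lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()  # stripping WSP can expose further trailing empty lines
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str = "relaxed", algorithm: str = "sha256") -> str:
    """bh= value: base64 of the digest over the canonicalized body."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.new(algorithm, canonical).digest()).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list; folding whitespace inside values is removed."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def unsigned_signature_header(body: bytes, domain: str, selector: str,
                              canon: str = "relaxed/relaxed") -> str:
    """The DKIM-Signature value a signer assembles before computing b= (d= and s= are constructed)."""
    return ("v=1; a=rsa-sha256; c=%s; d=%s; s=%s; h=from:to:subject:date; bh=%s; b="
            % (canon, domain, selector, body_hash(body, canon.split("/")[1])))


def body_hash_ok(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the received body using the c= and a= tags of the signature."""
    tags = parse_tags(dkim_signature)
    algorithm = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"  # body part defaults to simple
    # l= (signed body length) is deliberately ignored: honouring it lets an attacker append content.
    return body_hash(body, body_canon, algorithm) == tags.get("bh")


if __name__ == "__main__":
    original = b"Meeting moved to 15:00.\r\n"
    header = unsigned_signature_header(original, "example.com", "mail")
    print(header)
    print("refolded copy  :", body_hash_ok(header, b"Meeting moved to  15:00. \r\n\r\n"))
    print("altered copy   :", body_hash_ok(header, b"Meeting moved to 16:00.\r\n"))
```

The signed headers are canonicalized and hashed in the same spirit (lowercased names, unfolded, whitespace collapsed) before the private key signs them; that part, and the RSA operation itself, is what a DKIM library such as OpenDKIM adds on top of this.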


DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a technical specification created by a group of organizations that wanted to reduce the potential for email-based abuse by solving several long-standing operational, deployment and reporting problems of the earlier email authentication protocols.

DMARC standardizes how receivers combine the well-known SPF and DKIM results: a message passes DMARC only if at least one of the two passes and the domain it authenticated is aligned with the domain in the From: header, which is the identity the recipient actually sees. The domain owner publishes a policy in a TXT record at _dmarc.<domain> that tells receivers what to do with failing mail (p=none to only monitor, p=quarantine, or p=reject) and where to send aggregate and failure reports (rua= and ruf=). Senders therefore get consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and every other receiver implementing DMARC, together with reports showing who is sending mail in their name. Start with p=none, review the reports until every legitimate source (including third-party services sending on your behalf) passes, and only then tighten the policy to quarantine and reject.

[Diagram: DMARC policy evaluation flow (Zimbra-DMARC.png)]

(inspired by dmarc.org)
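The alignment and policy logic described above, as an added example (not Zimbra code): a DMARC evaluator fed with the SPF and DKIM results a receiver already has. The _dmarc records, domain names and authentication results are all constructed. It goes slightly beyond the text in covering the two alignment modes (adkim/aspf strict vs relaxed), the sp= subdomain policy and pct= staged rollout, and its demo cases include the common third-party sender situation, where the vendor's own envelope domain passes SPF but does not align, so only a DKIM signature with your d= makes the mail pass.

```python
"""DMARC (RFC 7489) evaluation: identifier alignment and policy disposition.

Added example, not Zimbra code. The records for example.com and pilot.example,
the domain names and the SPF/DKIM results passed in are constructed. Shows what
DMARC adds on top of SPF and DKIM: an authenticated identifier only counts when
its domain aligns with the RFC5322.From domain, and the disposition for
failures comes from p= (or sp= for subdomains) scaled by pct=.
"""

# Constructed TXT records as they would be found at _dmarc.<domain>.
# adkim=s demands an exact DKIM d= match; aspf=r accepts any SPF domain in the same organizational domain.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                   "rua=mailto:dmarc-agg@example.com",
    "pilot.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@pilot.example",
}

POLICY_STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels. Real code must use the Public Suffix List (co.uk ...)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str):
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # v=DMARC1 and a valid p= are required; malformed records are treated as absent
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def find_policy(from_domain: str):
    """RFC 7489 6.6.3: query _dmarc.<from domain>, then _dmarc.<org domain>. Returns (policy, is_subdomain)."""
    rec = DMARC_RECORDS.get(from_domain.lower())
    if rec:
        return parse_dmarc(rec), False
    rec = DMARC_RECORDS.get(org_domain(from_domain))
    return (parse_dmarc(rec), True) if rec else (None, False)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf_result, spf_domain, dkim_results, sample=0):
    """from_domain: RFC5322.From domain; spf_domain: MAIL FROM domain the SPF check ran on;
    dkim_results: list of (result, d=) per signature; sample: receiver's draw in [0, 100) for pct=."""
    policy, is_subdomain = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("spf" if spf_ok else "dkim")}
    requested = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    # pct= applies the requested action to that percentage of failing mail; the rest gets the next weaker one
    applied = requested if sample < int(policy["pct"]) else POLICY_STEP_DOWN[requested]
    return {"dmarc": "fail", "disposition": applied, "reason": "no aligned identifier"}


if __name__ == "__main__":
    cases = {
        "own server, SPF+DKIM": evaluate("example.com", "pass", "example.com", [("pass", "example.com")]),
        "vendor envelope, unsigned": evaluate("example.com", "pass", "vendor.example", []),
        "vendor envelope, signed d=example.com": evaluate("example.com", "pass", "vendor.example",
                                                          [("pass", "example.com")]),
    }
    for name, result in cases.items():
        print(f"{name}: {result}")
```

The second case is the one that surprises people: SPF is a genuine pass for vendor.example, yet DMARC fails because that domain is not the one in the From: header. Either the vendor signs with a DKIM key under your domain (a dedicated selector, so it can be revoked on its own) or uses an envelope domain within your organizational domain that your SPF record covers.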

rDNS

Reverse DNS (rDNS) resolution maps an IP address back to a hostname through its PTR record. Receivers expect the sending IP to have a PTR record whose hostname resolves forward to the same address (forward-confirmed rDNS) and, ideally, matches the name the server announces in HELO/EHLO. Some email companies, AOL for example, reject any email from an IP that does not have a valid rDNS, so ask the owner of your public IP (usually your ISP or hosting provider) to set a PTR record matching your Zimbra MTA's hostname.

[Diagram: reverse DNS lookup (Zimbra-rDNS.png)]

You can find much more information in our Wiki


7 Responses to Email Protection Best Practices: SPF, DKIM and DMARC

  1. Trein April 10, 2015 at 8:16 PM #

    Considering all the leaks and hacks that are taking place these days, I think this would be a good upgrade to security.

  2. Glen Armes April 14, 2015 at 7:01 AM #

    nice work. Clear and precise; always enjoy your blogs Jorge.

    • Jorge de la Cruz April 24, 2015 at 5:07 AM #

      Thank you very much Glen, hope to see you soon.

  3. Vinzenz April 22, 2015 at 11:06 AM #

    Hi Jorge,

    does Zimbra implement DMARC on the receiving side, i.e., evaluate DMARC policy and send reports for incoming mails?

    On a side note, in the DKIM figure the server should of course publish the public key, not the private one ;-)

    Thanks,
    vinzenz

  4. Jorge de la Cruz April 23, 2015 at 11:27 AM #

    Hi Vinzenz,
    The blog post was updated with the proper email flow, thank you.

  5. lavanyasvraman June 19, 2015 at 11:42 PM #

    I have a scenario with 3rd party vendors… Our company uses a lot of 3rd party mail services. I have set up DMARC with p=none and the SPF records were updated with the known sending servers. Could you please clarify a statement which I read on the dmarc.org site about making 3rd party vendors DMARC compliant:
    1. Either add their sending servers to our spf records
    2. Or share your DKIM private key to them

    My question is, SPF checks the envelope from address, so when the vendor sends mails on our behalf, the from address will be our company address and the envelope from will be his company's. So then how will SPF pass? Will SPF check the DNS of the envelope from domain? Is my understanding right?

    Secondly, does DKIM check the from address or the envelope from address? How does it work when we share the private key