SPF, DKIM, and DMARC Best Practices

https://ift.tt/tk83CHq

The Ultimate SPF / DKIM / DMARC Best Practices 2022

Reduce spoofing and phishing, build and maintain a solid reputation, and increase email deliverability with SPF, DKIM, and DMARC.


The internet is evolving, and so are email security best practices. Unfortunately, these recommendations can contradict each other over time due to outdated information and superseded security standards. That’s why we’ve created the ultimate best practice guide for SPF, DKIM, and DMARC. We’ve included explanations and links to the official documentation and are dedicated to keeping this guide up-to-date and following the recommendations from the M3AAWG and cyber security specialists worldwide.

SPF

  • Publish SPF records for EHLO and RFC5321.MailFrom domains
  • SPF records should end with ~all
  • SPF records should not exceed the limit of 10 DNS lookups
  • SPF records should not authorize more sources than necessary
  • RFC5321.MailFrom domain should align with RFC5322.From domain where possible

URIports detects unused SPF sources and offers suggestions for improvement.
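The first three SPF items above can be checked mechanically. The following linter is an added example (not URIports code) that walks an SPF record and its include: / redirect= chain, counts the terms that cost a DNS query, and checks the record's terminal qualifier against the page's ~all recommendation. It resolves records from a constructed in-memory zone so it runs offline; all domain names and records below are made up, and a real tool would resolve TXT records over DNS.

```python
import re

# RFC 7208 section 4.6.4: at most 10 terms that cause DNS queries per check.
MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (domain -> SPF TXT record) so the example runs
# offline. example.com includes three third-party senders and overshoots
# the lookup limit; example.org is lean but ends with -all instead of ~all.
SAMPLE_ZONE = {
    "example.com": ("v=spf1 mx include:_spf.mail-provider.example "
                    "include:_spf.crm.example include:_spf.helpdesk.example "
                    "ip4:192.0.2.0/24 ~all"),
    "example.org": "v=spf1 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": ("v=spf1 include:a.mail-provider.example "
                                   "include:b.mail-provider.example -all"),
    "a.mail-provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mail-provider.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 a mx ptr exists:%{i}._spf.crm.example ~all",
    "_spf.helpdesk.example": "v=spf1 a mx ~all",
}

# qualifier, mechanism/modifier name, optional ":value" or "=value"
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S*))?")


def spf_terms(record):
    """Yield (name, value) for every term after the v=spf1 version tag."""
    for term in record.split()[1:]:
        m = TERM_RE.match(term.lower())
        if m:
            yield m.group(1), m.group(2)


def count_lookups(domain, zone=SAMPLE_ZONE, _chain=()):
    """Count DNS-querying terms, recursing into include: and redirect=.

    Each include counts itself plus everything inside the included record,
    which is how the 10-lookup limit is applied. _chain holds the ancestors
    so an include loop cannot recurse forever.
    """
    if domain in _chain:
        return 0
    record = zone.get(domain)
    if record is None:
        return 0
    total = 0
    for name, value in spf_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and value:
            total += count_lookups(value, zone, _chain + (domain,))
    return total


def lint_spf(domain, zone=SAMPLE_ZONE):
    """Return a list of findings for the domain's SPF record (empty = clean)."""
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    if record.split()[-1].lower() != "~all":
        findings.append("record should end with ~all")
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, lint_spf(name) or ["ok"])
```

Running it reports that example.com needs 12 lookups (three nested include chains add up quickly), while example.org is within budget but ends with -all. Trimming unused includes, which is the "no more sources than necessary" item, is what brings the lookup count back under the limit.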

DKIM

  • Sign all outbound emails with a domain that aligns with the RFC5322.From domain
  • Use the rsa-sha256 signing algorithm for creating signature hashes
  • Use a minimum of 2048-bit key length
  • Rotate keys at least every six months
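The algorithm, key-length and alignment items above can all be verified from two artefacts: the DKIM-Signature header on an outbound message and the selector's TXT record in DNS. The following added example (not code from the page or from URIports) parses both, reads the RSA modulus size directly out of the base64 p= tag with a minimal DER walker, and flags rsa-sha1 (deprecated by RFC 8301), keys shorter than 2048 bits, and a d= domain that does not align with the From domain. The public keys are constructed from a synthetic modulus so the example runs offline; they are not usable keys. The organizational-domain helper is an assumption that takes the last two labels, where a real implementation would consult the Public Suffix List.

```python
import base64
import re

MIN_KEY_BITS = 2048  # the page's recommendation (RFC 8301: 1024 minimum, 2048 recommended)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample keys."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _der_read(buf, pos=0):
    """Minimal DER TLV reader: returns (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def fake_rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for a constructed modulus (sample data, not a real key)."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_key_bits(txt_record):
    """Return the RSA modulus size in bits from the p= tag of a selector record."""
    spki = base64.b64decode(parse_tags(txt_record)["p"])
    _, spki_body, _ = _der_read(spki)          # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, pos = _der_read(spki_body)           # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(spki_body, pos)   # BIT STRING: unused-bits byte + RSAPublicKey
    _, rsa_body, _ = _der_read(bitstr[1:])     # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _der_read(rsa_body)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def org_domain(domain):
    """Assumption: organizational domain = last two labels (use the PSL in production)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def check_dkim_signature(header, from_domain, selector_txt):
    """Apply the page's DKIM rules to one DKIM-Signature header; return findings."""
    tags = parse_tags(header)
    findings = []
    if tags.get("a") != "rsa-sha256":
        findings.append(f"algorithm {tags.get('a')!r}; use rsa-sha256")
    d = tags.get("d", "")
    if org_domain(d) != org_domain(from_domain):
        findings.append(f"d={d} does not align with From domain {from_domain}")
    bits = dkim_key_bits(selector_txt)
    if bits < MIN_KEY_BITS:
        findings.append(f"{bits}-bit key; use at least {MIN_KEY_BITS}")
    return findings


# Constructed samples: a 2048-bit and a 1024-bit synthetic modulus, and two
# signature headers (bh= and b= values are placeholders, not real hashes).
GOOD_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki((1 << 2047) | 1)).decode()
WEAK_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki((1 << 1023) | 1)).decode()
GOOD_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2022; "
            "h=from:to:subject; bh=<constructed>; b=<constructed>")
BAD_SIG = ("v=1; a=rsa-sha1; c=relaxed/relaxed; d=esp-provider.example; s=k1; "
           "h=from; bh=<constructed>; b=<constructed>")

if __name__ == "__main__":
    print(check_dkim_signature(GOOD_SIG, "mail.example.com", GOOD_TXT) or ["ok"])
    print(check_dkim_signature(BAD_SIG, "example.com", WEAK_TXT))
```

The second header is the typical unaligned case: a mail provider signing with its own domain. Its signature may still verify, but under DMARC it does nothing for example.com, which is why the page asks for a d= domain that aligns with the From domain. Key rotation is not visible in a single header; track the s= selector over time and confirm the previous selector's TXT record is removed once no mail signed with it is still in transit.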

DMARC

  • The policy should be set to reject where possible (p=reject), quarantine (p=quarantine) otherwise
  • The record must either omit the pct tag or set it to 100
  • The policy should include the rua tag for monitoring email channel health
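The DMARC items above, and the p=none to p=reject rollout described in the conclusion, come together in the following added example (not code from the page or from URIports). It lints a DMARC record against the three rules and then evaluates the DMARC verdict for a message the way RFC 7489 section 4.2 describes it: pass if there is an aligned SPF pass or an aligned DKIM pass, otherwise the published policy applies. The sample records, domains and reporting address are constructed; the organizational-domain helper is an assumption (last two labels) where a real implementation uses the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record (RFC 7489 section 6.3) into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_dmarc(record):
    """Apply the page's DMARC rules; return a list of findings (empty = clean)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p")
    if p == "quarantine":
        findings.append("p=quarantine: move to p=reject when all sources align")
    elif p != "reject":
        findings.append(f"p={p}: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: omit pct or set it to 100")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be received")
    return findings


def org_domain(domain):
    """Assumption: organizational domain = last two labels (use the PSL in production)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r')
    matches on organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record, from_domain, spf_result, mailfrom_domain,
                 dkim_result, dkim_domain):
    """RFC 7489 section 4.2 verdict for one message given the SPF and DKIM
    results and the domains they authenticated."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return f"fail ({tags.get('p', 'none')})"


# Constructed records for example.com
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
ROLLOUT = "v=DMARC1; p=quarantine; pct=50"

if __name__ == "__main__":
    print(lint_dmarc(ENFORCING) or ["ok"])
    print(lint_dmarc(ROLLOUT))
    # ESP sends with its own bounce domain (SPF passes but is unaligned) and
    # signs with a subdomain of example.com (DKIM passes and aligns) -> pass
    print(dmarc_result(ENFORCING, "example.com", "pass", "bounce.esp.example",
                       "pass", "newsletter.example.com"))
    # Same ESP signing with its own domain instead -> fail, and p=reject applies
    print(dmarc_result(ENFORCING, "example.com", "pass", "bounce.esp.example",
                       "pass", "esp.example"))
```

The two verdicts at the end show why alignment, rather than a bare SPF or DKIM pass, is what the SPF and DKIM sections keep returning to: a third-party sender that passes SPF on its own bounce domain and signs with its own domain fails DMARC for your domain, and at p=reject that mail is dropped. The rua reports are how those senders are found before the policy is tightened.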


Conclusion

Implementing SPF, DKIM, and DMARC according to the best practices above will result in an optimal configuration that prevents third parties from spoofing your domain while simultaneously building the best possible reputation and ensuring legitimate emails reach their destination.

If you are still in the early stages of DMARC implementation, start with a p=none policy and use URIports to monitor your email traffic through DMARC reports. After you’ve allowlisted all aligned sources in your SPF record and made sure that all legitimate sources sign with DKIM using an aligned domain, you should upgrade to p=reject as soon as possible.

Still confused?

We’ve written a blog post and created a FREE tool called LearnDMARC to help you better understand these mechanisms by visualizing the communication between servers when an email is delivered. You can also use it to test your current SPF, DKIM, and DMARC setup.

Sources

  • RFC7489 Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  • RFC7208 Sender Policy Framework (SPF)
  • RFC6376 DomainKeys Identified Mail (DKIM) Signatures
  • RFC8301 Cryptographic Algorithm and Key Usage Update to DKIM
  • M3AAWG Best Practices for Implementing DKIM
  • M3AAWG Email Authentication Recommended Best Practices
  • M3AAWG DKIM Key Rotation Best Common Practices

via URIports Blog

November 11, 2022 at 01:05AM