# Chapter 80: Email Security - SPF, DKIM, DMARC

## Comprehensive Email Authentication

### Why This Matters in DevOps/SRE

Email authentication (SPF, DKIM, DMARC) is critical for email deliverability and security. Without proper configuration, your emails go to spam or can be spoofed. As a DevOps/SRE, you'll configure these records, monitor authentication failures, and protect your domain from email spoofing.
```text
EMAIL AUTHENTICATION IN DEVOPS

AUTHENTICATION METHODS
  SPF:   Authorizes specific IP addresses to send for your domain
  DKIM:  Cryptographic signature on email headers
  DMARC: Policy for handling authentication failures

DEVOPS TASKS
  • Configure SPF DNS record
  • Set up DKIM signing
  • Publish DMARC policy
  • Monitor authentication results
  • Investigate failures

DELIVERABILITY IMPACT
  Without proper auth:
    • Emails go to spam
    • Domain flagged as suspicious
    • Can be spoofed by attackers
  With proper auth:
    • Better inbox placement
    • Protected from spoofing
    • Professional credibility
```

Real-world DevOps scenarios:
- AWS SES: Automatic SPF/DKIM when verified
- Office 365: Requires specific SPF include
- Google Workspace: DKIM signing with Google default
- DMARC reports: Analyzing aggregate reports for abuse
## 80.1 SPF (Sender Policy Framework)

### How SPF Works

```text
SPF FLOW

  1. Sender domain publishes SPF record in DNS
  2. Receiving server queries SPF record
  3. Checks if sender IP is authorized
  4. Returns Pass/Fail/SoftFail/Neutral/None

DNS Record Format:
  v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all

Mechanisms:
  +all     Pass all (matches every sender, so it authorizes spoofing; do not publish)
  ~all     SoftFail (testing)
  -all     Fail (strict; use in production once the record is complete)
  ?all     Neutral
  mx       Authorized MX servers
  a        Authorized A records
  include  Include another domain's SPF
```

### Configuration
```zone
; DNS TXT Record Examples

; Simple - only MX servers can send
example.com. IN TXT "v=spf1 mx -all"

; With Google Workspace
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"

; Multiple sources
example.com. IN TXT "v=spf1 ip4:203.0.113.0/24 mx -all"

; Include multiple providers
example.com. IN TXT "v=spf1 include:_spf.google.com include:_spf.office365.com -all"

; With all mechanisms
example.com. IN TXT "v=spf1 mx a:mail.example.com ip4:203.0.113.0/24 -all"
```

## 80.2 DKIM (DomainKeys Identified Mail)
### How DKIM Works

```text
DKIM FLOW

  1. Domain generates public/private key pair
  2. Public key published in DNS (TXT record)
  3. Outgoing mail signed with private key
  4. Receiving server fetches DKIM key from DNS
  5. Verifies signature
  6. Result: Pass/Fail/None

DKIM Header:
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=example.com; s=mail; h=from:to:subject;
      bh=...; b=...

Selector (s=mail): allows multiple DKIM keys per domain;
the public key is published at <selector>._domainkey.<domain>
```

### Setup with OpenDKIM
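Before wiring OpenDKIM into Postfix, it helps to see what the signer computes and what the receiver repeats. The Python below is an added example (not OpenDKIM's code and not from this chapter): it implements the body canonicalization and bh= computation of RFC 6376 for a constructed message, and shows that a relaxed body hash survives whitespace changes but not a change to the text. The RSA signature in b= is left as a placeholder because it needs the private key; the message, addresses and selector are made up.

```python
import base64
import hashlib
import re

# Added example (not OpenDKIM code): the body-hash (bh=) half of DKIM,
# RFC 6376 sections 3.4.3/3.4.4. The b= value, an RSA signature over the
# canonicalized headers, needs the private key and stays a placeholder here.


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply 'simple' or 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP, then strip trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    if not lines:                          # empty body: CRLF for simple, nothing for relaxed
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def get_header(message: bytes, name: str) -> str:
    """Return the unfolded value of the first header called `name`."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)   # join folded continuation lines
    for line in unfolded.split("\r\n"):
        field, _, value = line.partition(":")
        if field.lower() == name.lower():
            return value.strip()
    raise KeyError(name)


def dkim_dns_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def make_message(body: bytes, mode: str = "relaxed") -> bytes:
    """Constructed sample message carrying a DKIM-Signature with a real bh=."""
    sig = (
        "v=1; a=rsa-sha256; c=relaxed/" + mode + ";\r\n"
        "\td=example.com; s=mail; h=from:to:subject;\r\n"
        "\tbh=" + body_hash(body, mode) + ";\r\n"
        "\tb=PLACEHOLDER-signature-over-the-header-hash"
    )
    headers = (
        "From: alerts@example.com\r\n"
        "To: ops@example.net\r\n"
        "Subject: Deploy finished\r\n"
        "DKIM-Signature: " + sig + "\r\n"
    )
    return headers.encode("ascii") + b"\r\n" + body


def check_body_hash(message: bytes) -> bool:
    """Receiver side: recompute bh= from the body and compare (tamper check)."""
    tags = parse_tags(get_header(message, "DKIM-Signature"))
    canon = tags.get("c", "simple/simple")
    # "c=relaxed" alone means relaxed headers with a simple body.
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    body = message.split(b"\r\n\r\n", 1)[1]
    return body_hash(body, body_mode) == tags["bh"]


if __name__ == "__main__":
    sample = make_message(b"Deploy 42 finished on web-01.\r\n\r\nStatus: OK\r\n")
    print("key name:", dkim_dns_name(parse_tags(get_header(sample, "DKIM-Signature"))))
    print("body hash ok:", check_body_hash(sample))
    print("after tampering:", check_body_hash(sample.replace(b"Status: OK", b"Status: FAILED")))
```

Run it directly to see the checks. A real verifier additionally fetches the key at mail._domainkey.example.com, canonicalizes the headers listed in h=, and verifies b= with that public key; a bh= mismatch alone is already a fail.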
```bash
# Install
sudo apt install opendkim opendkim-tools

# Generate key (ask for 2048 bits explicitly; see anti-pattern 4 below)
sudo opendkim-genkey -b 2048 -s mail -d example.com -D /etc/opendkim/keys/
# genkey writes mail.private (the signing key) and mail.txt (the TXT record to publish)
sudo chown opendkim:opendkim /etc/opendkim/keys/mail.private
sudo chmod 600 /etc/opendkim/keys/mail.private
```

```text
# Configure /etc/opendkim.conf
# Socket must match the Postfix milter address below; InternalHosts lists the
# senders whose mail OpenDKIM signs, ExternalIgnoreList those it does not verify.
Mode                sv
Socket              inet:8891@localhost
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts

# /etc/opendkim/KeyTable
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/mail.private

# /etc/opendkim/SigningTable
*@example.com mail._domainkey.example.com

# /etc/opendkim/TrustedHosts
127.0.0.1
*.example.com

# Postfix integration
# /etc/postfix/main.cf
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
# accept: if the milter is unreachable, mail still flows but leaves unsigned;
# tempfail holds it instead
milter_default_action = accept
```

```bash
# Enable the OpenDKIM service (the Debian/Ubuntu package ships the systemd unit) and reload Postfix
sudo systemctl enable --now opendkim
sudo systemctl restart postfix
```

## 80.3 DMARC (Domain-based Message Authentication)
### How DMARC Works

```text
DMARC FLOW

  Builds on SPF and DKIM:
    - Requires at least one of them to pass and be aligned (both may)
    - Alignment check (From: domain matches the SPF/DKIM domain)
    - Policy enforcement

Policy Options:
  p=none        | Monitor only, no action taken
  p=quarantine  | Mark as spam
  p=reject      | Reject messages completely

Alignment:
  - relaxed: organizational domain match (subdomains OK)
  - strict:  exact domain match required
```

### Configuration
```zone
; Basic DNS TXT Record
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; Full example (zone-file syntax: a long TXT value is split into quoted
; strings inside parentheses; verifiers concatenate them)
_dmarc.example.com. IN TXT ( "v=DMARC1; p=reject; sp=reject; "
                             "rua=mailto:dmarc@example.com; "
                             "ruf=mailto:forensic@example.com; "
                             "pct=100; adkim=r; aspf=r" )

; Parameters:
;   v=DMARC1  - Version
;   p=        - Policy (none/quarantine/reject)
;   sp=       - Subdomain policy (defaults to p= when absent)
;   pct=      - Percentage of failing messages the policy applies to
;   rua=      - Aggregate reports (mailto)
;   ruf=      - Forensic (failure) reports (mailto)
;   adkim=    - DKIM alignment (r=relaxed/s=strict)
;   aspf=     - SPF alignment (r=relaxed/s=strict)
```

## 80.4 Testing Email Security
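A first test of a DMARC record needs no mail at all: replay the receiver's decision for the scenarios you care about (a bounce subdomain, forwarded mail, a spoof from a foreign domain, a partial pct rollout). The Python below is an added example, not from this chapter or any library: it parses a record, applies identifier alignment and pct, and returns the disposition. The organizational-domain rule is simplified to the last two labels, a stated assumption (real verifiers use the Public Suffix List).

```python
# Added example, not from the chapter: simulate the receiver's DMARC evaluation
# (RFC 7489) so a published record can be tested against scenarios before
# tightening p=. The organizational-domain rule is simplified (see org_domain).


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for item in record.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + record)
    return tags


def org_domain(domain: str) -> str:
    """Simplification: real verifiers use the Public Suffix List; here the
    organizational domain is the last two labels (mail.example.com -> example.com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(record: dict, from_domain: str, spf_result: str, spf_domain: str,
               dkim_result: str, dkim_domain: str) -> bool:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:.
    spf_domain is the RFC5321.MailFrom domain; dkim_domain is d= of a passing signature."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    return spf_ok or dkim_ok


def disposition(record: dict, passed: bool, sample: float = 0.0) -> str:
    """Action for a message. `sample` stands in for the receiver's random draw in
    [0, 1): failing messages outside the pct window get the next less strict
    policy (reject -> quarantine -> none), per RFC 7489 section 6.6.4."""
    if passed:
        return "none"
    policy = record["p"]
    if sample * 100 >= int(record["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


def evaluate(record_txt: str, from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str, sample: float = 0.0) -> str:
    """One-call helper: parse the record, evaluate, and return the disposition."""
    record = parse_dmarc(record_txt)
    passed = dmarc_pass(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain)
    return disposition(record, passed, sample)


if __name__ == "__main__":
    STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # Legitimate bounce subdomain, relaxed SPF alignment: passes.
    print(evaluate(STRICT, "example.com", "pass", "bounce.example.com", "none", ""))
    # Forwarded mail: SPF breaks but the DKIM signature survives: passes.
    print(evaluate(STRICT, "example.com", "fail", "example.com", "pass", "example.com"))
    # Spoof: the sender's own domain passes SPF but does not align: reject.
    print(evaluate(STRICT, "example.com", "pass", "attacker.test", "none", ""))
```

The forwarding case is why DKIM matters even with a strict SPF record: the forwarder's IP fails SPF, so only an aligned DKIM signature keeps the message out of quarantine.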
```bash
# Check DNS records
dig TXT example.com
dig TXT _dmarc.example.com
nslookup -type=txt example.com

# Check SPF (the record lives on the domain itself; query _spf.example.com only
# if your record delegates to it with include:_spf.example.com)
nslookup -type=txt _spf.example.com

# Check DKIM (<selector>._domainkey.<domain>)
nslookup -type=txt mail._domainkey.example.com

# Online testing tools
# https://www.mail-tester.com/
# https://www.dmarcanalyzer.com/
# https://dkimvalidator.com/
# GMass, MXToolbox
```
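Beyond the online tools, the Authentication-Results header (RFC 8601) that your own receiving MTA adds is the record to read. The Python below is an added example, not from this chapter: it parses such headers from constructed sample values and keeps only those stamped with your authserv-id (mx.example.net here, an assumed name), because a sender can include a forged copy claiming all three checks passed. Border MTAs normally strip incoming headers that claim their own id for the same reason.

```python
import re

# Added example (not from the chapter): read Authentication-Results headers
# (RFC 8601), trusting only those stamped with our own authserv-id.


def parse_auth_results(value: str) -> tuple:
    """Return (authserv_id, {method: {"result": ..., prop: value, ...}})."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop comments such as "(sender IP is ...)"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]                 # "mx.example.net" or "mx.example.net 1"
    results = {}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def trusted_results(headers: list, my_authserv_id: str) -> dict:
    """Merge the results from headers bearing our authserv-id; ignore the rest."""
    merged = {}
    for value in headers:
        authserv_id, results = parse_auth_results(value)
        if authserv_id.lower() == my_authserv_id.lower():
            merged.update(results)
    return merged


def auth_issues(results: dict) -> list:
    """Which of SPF/DKIM/DMARC did not pass (empty list means all three passed)."""
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m, {}).get("result") != "pass"]


# Constructed header values: the first is a forged copy with a foreign
# authserv-id, the second is what our border MTA (mx.example.net) recorded.
SAMPLE_HEADERS = [
    "mail.attacker.test; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com;"
    " dmarc=pass header.from=example.com",
    "mx.example.net; spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com;"
    " dkim=none; dmarc=fail (p=reject) header.from=example.com",
]

if __name__ == "__main__":
    results = trusted_results(SAMPLE_HEADERS, "mx.example.net")
    print(results)
    print("failing methods:", auth_issues(results))
```

Feed it the values of every Authentication-Results header in a message (most mail libraries return them as a list); anything not stamped by your authserv-id is discarded rather than parsed into the verdict.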
```bash
# Check email headers
# Look for the Authentication-Results header added by the receiving server, e.g.:
#   Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;
#       dkim=pass header.d=example.com; dmarc=pass header.from=example.com
```

## 80.5 Interview Questions
**Q1: What does SPF verify?**

- Verifies that the sending mail server is authorized by the domain
- Checks if the sender IP is in the SPF DNS record
- Returns: Pass, Fail, SoftFail, Neutral, None

**Q2: What does DKIM verify?**

- Verifies the email hasn't been tampered with in transit
- Cryptographic signature in the email header
- Public key in DNS (TXT record)
- Result: Pass, Fail, None

**Q3: What does DMARC do?**

- Builds on SPF and DKIM
- Aligns the From domain with the SPF/DKIM domains
- Provides policy (none/quarantine/reject)
- Enables reporting (aggregate and forensic)

**Q4: What is the difference between ~all and -all in SPF?**

- ~all (SoftFail): Non-matching servers accepted but marked
- -all (Fail): Strict - reject non-authorized servers
- Start with ~all, then move to -all after testing

**Q5: What is DKIM alignment?**

- Domain in the From: header must match d= in the DKIM signature
- relaxed: subdomains OK
- strict: exact match required
- Prevents domain spoofing

**Q6: How do you implement email authentication?**

1. SPF: Add TXT record to DNS
2. DKIM: Generate key pair, configure mail server, add DNS record
3. DMARC: Add TXT record to the _dmarc subdomain
4. Monitor reports and adjust policies

**Q7: What are DMARC aggregate (rua) and forensic (ruf) reports?**

- rua: Aggregate reports - daily summary of auth results
- ruf: Forensic reports - immediate notice of failures
- Both sent to specified mailto addresses

**Q8: What is email deliverability?**

- Ability to land in inbox, not spam
- Depends on: SPF, DKIM, DMARC, sender reputation, content
- Use mail-tester.com to check score

**Q9: What is a selector in DKIM?**

- Selector (s=) allows multiple DKIM keys per domain
- mail._domainkey for primary key
- Allows key rotation without a gap in signing: publish the new selector's key, switch signing to it, then remove the old one

**Q10: How do you troubleshoot email authentication failures?**

1. Check DNS records are published correctly
2. Use dig/online tools to verify records
3. Check email headers for auth results
4. Review DMARC reports
5. Verify alignment (From matches d=)

## Common Mistakes & Anti-Patterns
### 1. Using Too Many SPF Include Mechanisms

WRONG:

```text
# Too many includes - can exceed DNS lookup limit
v=spf1 include:_spf.google.com include:amazonses.com include:mailchimp.com include:sendgrid.com include:another-service.com -all
```

CORRECT:

```text
# Consolidate to reduce lookups
# Use ~all initially, move to -all after testing
v=spf1 include:_spf.google.com include:amazonses.com -all
```

Why: SPF has a 10 DNS lookup limit. Exceeding it causes SPF to fail permanently (PermError). The count covers every include, a, mx, ptr, exists and redirect= in the whole chain, including those inside the included records, so a provider's include can cost several lookups on its own.
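The SPF flow in 80.1 and the lookup limit in this anti-pattern can both be seen in a small evaluator. The Python below is an added example (not from this chapter or any SPF library): a check_host() in the style of RFC 7208 over a constructed offline zone, charging include, a and mx against the 10-lookup limit so the PermError is reproduced. All domains, addresses and records are constructed; ptr, exists and redirect= are not implemented.

```python
import ipaddress

# Added example, not the chapter's own code: a small SPF check_host() (RFC 7208)
# against a constructed, offline zone, charging include/a/mx lookups against the
# 10-lookup limit. Covers ip4/ip6, a, mx, include and all; ptr, exists and
# redirect= are omitted.

ZONE = {  # constructed records (not real DNS data)
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailhost.test -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # The anti-pattern: nested includes whose charged lookups add up to 14.
    ("many.example.com", "TXT"): ["v=spf1 include:_spf.mailhost.test include:_spf.bulk.test "
                                  "include:_spf.crm.test mx a -all"],
    ("_spf.bulk.test", "TXT"): ["v=spf1 include:_spf1.bulk.test include:_spf2.bulk.test "
                                "include:_spf3.bulk.test ~all"],
    ("_spf1.bulk.test", "TXT"): ["v=spf1 mx a ~all"],
    ("_spf2.bulk.test", "TXT"): ["v=spf1 mx a ~all"],
    ("_spf3.bulk.test", "TXT"): ["v=spf1 mx a ~all"],
    ("_spf.crm.test", "TXT"): ["v=spf1 ip4:203.0.113.128/25 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Permanent SPF error, e.g. too many DNS lookups; DMARC treats it as not passing."""


class Resolver:
    """Offline resolver that counts the lookups SPF charges (RFC 7208 section 4.6.4)."""
    MAX_LOOKUPS = 10

    def __init__(self, zone: dict):
        self.zone, self.lookups = zone, 0

    def query(self, name: str, rtype: str) -> list:
        return self.zone.get((name.lower(), rtype), [])

    def counted(self, name: str, rtype: str) -> list:
        self.lookups += 1
        if self.lookups > self.MAX_LOOKUPS:
            raise PermError(f"more than {self.MAX_LOOKUPS} DNS lookups while checking {name}")
        return self.query(name, rtype)


def spf_record(resolver: Resolver, domain: str, counted: bool = False) -> str:
    txts = (resolver.counted if counted else resolver.query)(domain, "TXT")
    records = [t for t in txts if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:   # none or several SPF records is also a PermError
        raise PermError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    return records[0]


def iter_terms(record: str):
    """Yield (qualifier, mechanism, argument) for each term after v=spf1."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        yield qual, name.lower(), arg


def check_host(resolver: Resolver, ip: str, domain: str, counted: bool = False) -> str:
    """Return pass/fail/softfail/neutral for `ip` sending as `domain`."""
    addr = ipaddress.ip_address(ip)
    for qual, name, arg in iter_terms(spf_record(resolver, domain, counted)):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):   # a v6 address never matches a v4 network
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in resolver.counted(arg or domain, "A")
        elif name == "mx":   # the A lookups behind MX hosts have their own limit, not charged here
            matched = any(ip in resolver.query(host, "A")
                          for host in resolver.counted(arg or domain, "MX"))
        elif name == "include":   # the included record costs one lookup (its TXT query)
            matched = check_host(resolver, ip, arg, counted=True) == "pass"
        else:
            raise NotImplementedError(f"mechanism {name} is not implemented in this example")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # nothing matched and no "all" term: RFC 7208 default


def count_lookups(resolver: Resolver, domain: str) -> int:
    """Static count of charged lookups for a record and everything it includes."""
    total = 0
    for _, name, arg in iter_terms(spf_record(resolver, domain)):
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name == "include":
            total += 1 + count_lookups(resolver, arg)
    return total


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.7", "10.9.8.7"):
        print(ip, check_host(Resolver(ZONE), ip, "example.com"))
    print("lookups for example.com:", count_lookups(Resolver(ZONE), "example.com"))
    print("lookups for many.example.com:", count_lookups(Resolver(ZONE), "many.example.com"))
    try:
        check_host(Resolver(ZONE), "10.9.8.7", "many.example.com")
    except PermError as err:
        print("PermError:", err)
```

count_lookups() is the check to run before publishing a record change; note that it must be re-run periodically, because a provider can add includes to its own record and push your total over the limit without any change on your side.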
### 2. Setting DMARC Policy to ‘reject’ Without Testing

WRONG:

```zone
; Jump straight to reject - will block legitimate email
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

CORRECT:

```zone
; Phase 1: Monitor only
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

; Phase 2: Quarantine
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; Phase 3: Reject (after 2-4 weeks of monitoring)
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Why: Reject policy immediately bounces all failing messages. Must ensure 100% alignment first.
### 3. Not Monitoring DMARC Reports

WRONG:

```zone
; No reporting - blind to issues
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100"
```

CORRECT:

```zone
; Always set up reporting
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com"
```

Why: DMARC reports reveal authentication issues, domain abuse, and legitimate sending sources you may not know about. Expect aggregate (rua) reports from most large receivers; few of them send forensic (ruf) reports, for privacy reasons, so do not plan on ruf as your only signal.
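Reports only help if something reads them. The Python below is an added example, not from this chapter: it parses a constructed aggregate (rua) report in the RFC 7489 Appendix C XML format and lists the sources that failed alignment, separating a known sender that authenticates under the wrong domain from a source that did not authenticate at all. Real reports arrive as .zip or .gz attachments to the rua mailbox; the function takes the extracted XML bytes. The report contents (organisation, IPs, counts) are made up.

```python
import xml.etree.ElementTree as ET

# Added example, not from the chapter: summarize a DMARC aggregate (rua) report
# (RFC 7489 Appendix C XML) so failing sources stand out.

# Constructed report: a legitimate source, a forwarder, and an unknown source.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>forwarder.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def parse_report(xml_bytes: bytes) -> dict:
    """Return {"domain", "policy", "rows": [...]} with one row per <record>."""
    root = ET.fromstring(xml_bytes)

    def text(node, path):
        return (node.findtext(path) or "").strip()

    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": text(rec, "row/source_ip"),
            "count": int(text(rec, "row/count")),
            "disposition": text(rec, "row/policy_evaluated/disposition"),
            # policy_evaluated holds the aligned results DMARC acted on ...
            "dkim_aligned": text(rec, "row/policy_evaluated/dkim") == "pass",
            "spf_aligned": text(rec, "row/policy_evaluated/spf") == "pass",
            # ... auth_results the raw results and the domains they were for
            "spf_domain": text(rec, "auth_results/spf/domain"),
            "dkim_domain": text(rec, "auth_results/dkim/domain"),
            "header_from": text(rec, "identifiers/header_from"),
        })
    return {"domain": text(root, "policy_published/domain"),
            "policy": text(root, "policy_published/p"), "rows": rows}


def summarize(report: dict) -> dict:
    """Totals plus the failing sources, labelled with the likely cause."""
    total = sum(r["count"] for r in report["rows"])
    failing = []
    for r in report["rows"]:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue                      # DMARC passed for this source
        if r["spf_domain"] and r["spf_domain"] != r["header_from"]:
            cause = "misaligned: authenticates as " + r["spf_domain"]
        else:
            cause = "unauthenticated source (unknown sender or spoofing)"
        failing.append({"source_ip": r["source_ip"], "count": r["count"],
                        "disposition": r["disposition"], "cause": cause})
    failing.sort(key=lambda f: -f["count"])
    return {"domain": report["domain"], "policy": report["policy"], "total": total,
            "failed": sum(f["count"] for f in failing), "failing": failing}


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

The forwarder row (SPF fails, DKIM passes, so DMARC passes) is the usual reason for a ~3% background of SPF failures in reports; the unauthenticated row is what should drive the investigation before moving from quarantine to reject.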
### 4. Using 1024-bit DKIM Keys

WRONG:

```zone
; Too small - vulnerable to attacks
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF..."
```

CORRECT:

```zone
; 2048-bit minimum, 4096-bit recommended
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA... (longer key)"
```

Why: 1024-bit RSA keys are considered insecure. Use at least 2048-bit keys. A 4096-bit public key no longer fits in one 255-byte TXT string, so it has to be published as several quoted strings (which verifiers concatenate); check that your DNS provider supports that before choosing it.
### 5. Not Implementing SPF, DKIM, and DMARC Together

WRONG:

```text
# Only SPF - missing layers of protection
v=spf1 mx -all
# No DKIM
# No DMARC
```

CORRECT:

```text
# SPF: Authorizes sending servers
v=spf1 mx include:_spf.google.com -all

# DKIM: Cryptographic signature
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=..."

# DMARC: Policy and reporting
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
```

Why: Each provides different protection. SPF verifies sender IP, DKIM verifies message integrity, DMARC enforces policy.
### 6. Ignoring Subdomain Policy

WRONG:

```zone
; Main domain protected but subdomains vulnerable
_dmarc.example.com.           IN TXT "v=DMARC1; p=reject"
_dmarc.marketing.example.com. IN TXT "v=DMARC1; p=none"
```

CORRECT:

```zone
; Apply subdomain policy
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject"
```

Why: Attackers often spoof subdomains (e.g., security@marketing.example.com) to bypass main domain protection. Note that sp= only covers subdomains that have no _dmarc record of their own: an explicit p=none record on marketing.example.com still overrides sp=reject, so remove or tighten that record as well. Without sp=, subdomains without their own record inherit p=.
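The record a receiver applies to a subdomain can be worked through directly. The Python below is an added example, not from this chapter: it follows the RFC 7489 section 6.6.3 record discovery over constructed zones mirroring the WRONG and CORRECT records above, and shows that an explicit p=none on marketing.example.com still wins over sp=reject. The organizational domain is taken as the last two labels, a simplification of the Public Suffix List lookup real verifiers do.

```python
# Added example (not the chapter's code): which DMARC record a receiver applies
# to a From: domain (RFC 7489 section 6.6.3): the exact _dmarc.<domain> record
# if it exists, otherwise the organizational domain's record, where sp= (if
# present) replaces p=. org_domain() is simplified to the last two labels.


def dmarc_tags(record: str) -> dict:
    return {k.strip().lower(): v.strip() for k, v in
            (item.split("=", 1) for item in record.split(";") if "=" in item)}


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def effective_policy(from_domain: str, zone: dict) -> tuple:
    """Return (policy, record_name_used) for mail whose From: is in from_domain."""
    exact = "_dmarc." + from_domain.lower()
    if exact in zone:                       # an explicit subdomain record always wins
        return dmarc_tags(zone[exact])["p"], exact
    org = "_dmarc." + org_domain(from_domain)
    if org not in zone:
        return "none", ""                   # no DMARC published at all
    tags = dmarc_tags(zone[org])
    if from_domain.lower() == org_domain(from_domain):
        return tags["p"], org
    return tags.get("sp", tags["p"]), org   # subdomain: sp= applies, else p=


# Constructed zones mirroring the WRONG and CORRECT records above.
WRONG_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.marketing.example.com": "v=DMARC1; p=none",
}
CORRECT_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject",
}
# sp=reject does not override an explicit weak subdomain record.
STILL_WRONG_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.marketing.example.com": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    for label, zone in (("wrong", WRONG_ZONE), ("correct", CORRECT_ZONE),
                        ("still wrong", STILL_WRONG_ZONE)):
        print(label, effective_policy("marketing.example.com", zone))
```

Run it against your own zone data (a dict of _dmarc names to TXT values) to list the effective policy for every subdomain that sends mail; any "none" in that list is a subdomain that can be spoofed without consequence.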
### 7. Not Rotating DKIM Keys

WRONG:

```zone
; Same DKIM key for years
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=... (old key)"
```

CORRECT:

```zone
; Key rotation every 6-12 months
; Add new selector before removing old
mail._domainkey     IN TXT "v=DKIM1; k=rsa; p=2024-key..."
mail2023._domainkey IN TXT "v=DKIM1; k=rsa; p=2023-key..."
```

Why: Regular key rotation limits exposure if a key is compromised. Use selectors for version management: publish the new selector, switch the signer to it, and keep the old selector in DNS until mail signed with it has been delivered and verified, then remove it.
## Quick Reference

```text
# SPF
v=spf1 mx -all

# DKIM
# Public key in DNS: mail._domainkey.example.com
# Sign outgoing mail with private key

# DMARC
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
```

## Summary
Section titled “Summary”- SPF: Verifies sending server is authorized
- DKIM: Cryptographic signature verifying email integrity
- DMARC: Combines SPF/DKIM with policy and reporting
## Next Chapter

Chapter 81: Kernel Compilation
Last Updated: February 2026