Email_security
Chapter 80: Email Security - SPF, DKIM, DMARC
Comprehensive Email Authentication
80.1 SPF (Sender Policy Framework)
How SPF Works
```text
┌──────────────────────────────────────────────────────────────┐
│ SPF FLOW                                                     │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│   1. Sender domain publishes SPF record in DNS               │
│   2. Receiving server queries SPF record                     │
│   3. Checks if sender IP is authorized                       │
│   4. Returns Pass/Fail/SoftFail/Neutral/None                 │
│                                                              │
│ DNS Record Format:                                           │
│   v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all       │
│                                                              │
│ Mechanisms:                                                  │
│   +all     Pass all (allows any sender; do not use)          │
│   ~all     SoftFail (testing)                                │
│   -all     Fail (strict)                                     │
│   ?all     Neutral                                           │
│   mx       Authorized MX servers                             │
│   a        Authorized A records                              │
│   include  Include another domain's SPF                      │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
Configuration

```text
# DNS TXT Record Examples

# Simple - only MX servers can send
example.com. IN TXT "v=spf1 mx -all"

# With Google Workspace
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"

# Multiple sources
example.com. IN TXT "v=spf1 ip4:203.0.113.0/24 mx -all"

# Include multiple providers
example.com. IN TXT "v=spf1 include:_spf.google.com include:_spf.office365.com -all"

# With all mechanisms
example.com. IN TXT "v=spf1 mx a:mail.example.com ip4:203.0.113.0/24 -all"
```
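How a receiving server walks a record like the ones above, as an added Python example that is not code from this page. It replaces real DNS with a constructed in-memory table (every name and address in it is made up), covers the ip4/ip6, a, mx and include mechanisms with all four qualifiers, and leaves redirect= and the other modifiers unimplemented.

```python
import ipaddress
# Constructed stand-in for DNS so the example runs offline (a real evaluator
# queries TXT/MX/A records); every name and address here is made up.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.provider.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    return next((t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")), None)

def check_spf(domain, sender_ip, depth=0):
    """SPF result for a connection from sender_ip whose MAIL FROM is in domain."""
    if depth > 10:  # crude stand-in for RFC 7208's limit of 10 DNS-querying terms
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:  # modifiers (redirect=, exp=) are not implemented here
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):  # an address of the other IP version never matches
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif name == "include":  # the nested record counts only if it yields "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and the record has no "all"
```

Compare the "-all" result for an unlisted address against the "~all" result from the included record to see the difference the Q4 answer describes.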
80.2 DKIM (DomainKeys Identified Mail)

How DKIM Works
```text
┌──────────────────────────────────────────────────────────────┐
│ DKIM FLOW                                                    │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│   1. Domain generates public/private key pair                │
│   2. Public key published in DNS (TXT record)                │
│   3. Outgoing mail signed with private key                   │
│   4. Receiving server fetches DKIM key from DNS              │
│   5. Verifies signature                                      │
│   6. Result: Pass/Fail/None                                  │
│                                                              │
│ DKIM Header:                                                 │
│   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;      │
│     d=example.com; s=mail; h=from:to:subject;                │
│     bh=...; b=...                                            │
│                                                              │
│   Selector (s=mail): Multiple DKIM keys per domain           │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
Setup with OpenDKIM

```bash
# Install
sudo apt install opendkim opendkim-tools

# Generate key (writes mail.private and mail.txt into /etc/opendkim/keys/)
sudo opendkim-genkey -s mail -d example.com -D /etc/opendkim/keys/
sudo chown opendkim:opendkim /etc/opendkim/keys/mail.private
# Publish the TXT record found in /etc/opendkim/keys/mail.txt as mail._domainkey.example.com

# Configure /etc/opendkim.conf
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
# InternalHosts lists the hosts whose outgoing mail gets signed
InternalHosts       refile:/etc/opendkim/TrustedHosts
# Socket must match the Postfix milter address below
Socket              inet:8891@localhost

# /etc/opendkim/KeyTable
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/mail.private

# /etc/opendkim/SigningTable
*@example.com mail._domainkey.example.com

# /etc/opendkim/TrustedHosts
127.0.0.1
*.example.com

# Postfix integration
# /etc/postfix/main.cf
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# Create systemd service for OpenDKIM (the Debian/Ubuntu package ships one), then reload Postfix
sudo systemctl enable --now opendkim
sudo systemctl restart postfix
```
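The integrity half of DKIM from the Q2 answer, as an added Python example that is not code from this page or from OpenDKIM: relaxed body canonicalization and the bh= body hash carried in the DKIM-Signature header shown above. It checks only bh= (has the body changed since signing?), not the b= signature, which needs the public key from DNS; the message body and header are constructed.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization (the body half of c=relaxed/relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while out and out[-1] == "":  # drop empty lines at the end of the body
        out.pop()
    return "".join(line + "\r\n" for line in out)

def body_hash(body, algo="sha256"):
    """Compute the bh= tag: base64(hash(canonicalized body))."""
    digest = hashlib.new(algo, canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_hash_matches(signature_value, body):
    """True if the bh= in the header equals the hash of the body actually received."""
    tags = parse_dkim_signature(signature_value)
    algo = tags["a"].split("-", 1)[1]  # "rsa-sha256" -> "sha256"
    return tags["bh"] == body_hash(body, algo)

# Constructed message (not a real capture): bh= is computed from the body so the
# header verifies; a modified body then shows the check failing.
SAMPLE_BODY = "Hello,\r\n\r\nPlease find   the report attached.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\r\n"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n b=<signature omitted>"
)

def demo():
    """(original body verifies, tampered body verifies) -> (True, False)."""
    return (body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY),
            body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("report", "invoice")))
```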
80.3 DMARC (Domain-based Message Authentication)

How DMARC Works
```text
┌──────────────────────────────────────────────────────────────┐
│ DMARC FLOW                                                   │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ Builds on SPF and DKIM:                                      │
│   - Requires at least one aligned pass (SPF or DKIM)         │
│   - Alignment check (From domain matches SPF/DKIM)           │
│   - Policy enforcement                                       │
│                                                              │
│ Policy Options:                                              │
│   p=none       | Monitor only, no action taken               │
│   p=quarantine | Mark as spam                                │
│   p=reject     | Reject messages completely                  │
│                                                              │
│ Alignment:                                                   │
│   - relaxed: domain match (subdomains OK)                    │
│   - strict: exact domain match required                      │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
Configuration

```text
# Basic DNS TXT Record
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

# Full example (the record value is a single string; keep it on one line in the zone)
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100; adkim=r; aspf=r"

# Parameters:
# v=DMARC1 - Version
# p=       - Policy (none/quarantine/reject)
# sp=      - Subdomain policy
# pct=     - Percentage of messages to apply the policy to
# rua=     - Aggregate reports (mailto)
# ruf=     - Forensic reports (mailto)
# adkim=   - DKIM alignment (r=relaxed / s=strict)
# aspf=    - SPF alignment (r=relaxed / s=strict)
```
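How a receiver turns a record like the ones above plus the SPF and DKIM results into a DMARC verdict, as an added Python example that is not code from this page. It models p=, sp=, adkim= and aspf= (with the RFC 7489 defaults of relaxed alignment) but not pct= or reporting, and approximates the organizational domain as the last two labels where real receivers use the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, filling in the defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational domain;
    # real receivers consult the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate_dmarc(record, policy_domain, from_domain, spf=None, dkim=None):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).

    Returns (dmarc_result, disposition): the disposition is the policy a receiver
    would apply ("none" on pass, otherwise p= or sp= from the record).
    """
    tags = parse_dmarc(record)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    if from_domain.lower().rstrip(".") == policy_domain.lower().rstrip("."):
        return "fail", tags["p"]
    return "fail", tags["sp"]  # From: is a subdomain of the domain that published the record
```

Note that an SPF pass on a bounce subdomain stops counting as soon as aspf=s is set, which is the usual reason strict alignment breaks mail sent through third-party providers.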
80.4 Testing Email Security

```bash
# Check DNS records
dig TXT example.com
dig TXT _dmarc.example.com
nslookup -type=txt example.com

# Check SPF (the SPF record lives on the domain itself; _spf.* names are include targets)
nslookup -type=txt _spf.example.com

# Check DKIM (selector "mail")
nslookup -type=txt mail._domainkey.example.com

# Online testing tools
# https://www.mail-tester.com/
# https://www.dmarcanalyzer.com/
# https://dkimvalidator.com/
# MXToolbox (https://mxtoolbox.com/)
# GMass

# Check email headers
# Look for:
# Authentication-Results: SPF=pass, DKIM=pass, DMARC=pass
```
80.5 Interview Questions

```text
EMAIL SECURITY INTERVIEW QUESTIONS
──────────────────────────────────────────────────────────────

Q1: What does SPF verify?
A1:
- Verifies that the sending mail server is authorized by the domain
- Checks if sender IP is in the SPF DNS record
- Returns: Pass, Fail, SoftFail, Neutral, None

──────────────────────────────────────────────────────────────

Q2: What does DKIM verify?
A2:
- Verifies email hasn't been tampered with in transit
- Cryptographic signature in email header
- Public key in DNS (TXT record)
- Result: Pass, Fail, None

──────────────────────────────────────────────────────────────

Q3: What does DMARC do?
A3:
- Builds on SPF and DKIM
- Aligns From domain with SPF/DKIM domains
- Provides policy (none/quarantine/reject)
- Enables reporting (aggregate and forensic)

──────────────────────────────────────────────────────────────

Q4: What is the difference between ~all and -all in SPF?
A4:
- ~all (SoftFail): Non-matching servers accepted but marked
- -all (Fail): Strict - reject non-authorized servers
- Start with ~all, then move to -all after testing

──────────────────────────────────────────────────────────────

Q5: What is DKIM alignment?
A5:
- Domain in From: header must match d= in DKIM signature
- relaxed: subdomains OK
- strict: exact match required
- Prevents domain spoofing

──────────────────────────────────────────────────────────────

Q6: How do you implement email authentication?
A6:
1. SPF: Add TXT record to DNS
2. DKIM: Generate key pair, configure mail server, add DNS record
3. DMARC: Add TXT record to _dmarc subdomain
4. Monitor reports and adjust policies

──────────────────────────────────────────────────────────────

Q7: What are DMARC aggregate (rua) and forensic (ruf) reports?
A7:
- rua: Aggregate reports - daily summary of auth results
- ruf: Forensic reports - immediate notice of failures
- Both sent to specified mailto addresses

──────────────────────────────────────────────────────────────

Q8: What is email deliverability?
A8:
- Ability to land in inbox, not spam
- Depends on: SPF, DKIM, DMARC, sender reputation, content
- Use mail-tester.com to check score

──────────────────────────────────────────────────────────────

Q9: What is a selector in DKIM?
A9:
- Selector (s=) allows multiple DKIM keys per domain
- mail._domainkey for primary key
- Allows key rotation without DNS changes

──────────────────────────────────────────────────────────────

Q10: How do you troubleshoot email authentication failures?
A10:
1. Check DNS records are published correctly
2. Use dig/online tools to verify records
3. Check email headers for auth results
4. Review DMARC reports
5. Verify alignment (From matches d=)
```
Quick Reference

```text
# SPF
v=spf1 mx -all

# DKIM
# Public key in DNS: mail._domainkey.example.com
# Sign outgoing mail with private key

# DMARC
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
```
Summary

- SPF: Verifies sending server is authorized
- DKIM: Cryptographic signature verifying email integrity
- DMARC: Combines SPF/DKIM with policy and reporting
Last Updated: February 2026