Sender Authentication

Sender Authentication is a standard that uses DNS to publicly verify your email messages.

Sender authentication combines three standards to establish the authenticity of an email message. Unlike ARC, which verifies that the message hasn't been modified in transit, or GPG, which encrypts the message, sender authentication uses Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). All three of these are published as DNS records.

Sender Policy Framework (SPF)

What IP is allowed to relay mail on my behalf?

SPF is a DNS text (TXT) record used to list the sources from which you will send emails. If an email doesn't come from one of these sources, it will be rejected.

To view the SPF record, use the following command:

┌[ jake@macOS ] ~
└➤ nslookup -q=TXT wildarcher.net

Non-authoritative answer:
wildarcher.net	text = "v=spf1 include:icloud.com -all"

This record specifies the authorized sources for sending emails on behalf of your domain.

DomainKeys Identified Mail (DKIM)

Did I configure this machine to send email on my behalf?

DKIM is an email authentication method that detects forged sender addresses. It allows the receiver to verify that an email claiming to come from a specific domain was indeed authorized by that domain's owner.

  1. Signature Creation:
  • When an email is sent, the sending mail server generates a DKIM signature using a private key. This signature is added to the email's header.
  • The signature includes a hash of the email's content and some headers, encrypted with the private key.
  2. DNS Publishing:
  • The public key corresponding to the private key used for signing is published in the DNS records of the sender's domain.
  3. Verification:
  • Upon receiving the email, the recipient's mail server retrieves the public key from the sender's DNS records.
  • The server uses this public key to decrypt the DKIM signature and verify the hash.
  • If the decrypted hash matches the hash of the received email, the email is considered authentic.

To verify the DKIM signature after receiving a message, read the message headers and look for the DKIM-Signature header. It carries tags such as d=wildarcher.net (the signing domain) and s=sig1 (the selector). Combine them as <selector>._domainkey.<domain> to construct the lookup:

┌[ jake@macOS ] ~
└➤ nslookup -q=TXT sig1._domainkey.wildarcher.net

Non-authoritative answer:
sig1._domainkey.wildarcher.net	canonical name = sig1.dkim.wildarcher.net.at.icloudmailadmin.com.
sig1.dkim.wildarcher.net.at.icloudmailadmin.com	text = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArXzk9abGwA6wDPA9/C5jSO/GHFNzWz9KFoTT2IpWk0/nQ+lnVpI+fYPTF6J5aDCTnwtTR3VLL1RMmjG8r/XSLPu31algojUvSp9gPyb/by22fCa8yfS2CBGF9dvtEPvye9WdTroVOobkQAiHwjQNEAgXb0qXozejF8speyWbFNKMjQjftr7Ow0R2+PZB2cD68" "h4lX4p7jkTI/kgbuzQI0nmYqAThdvfrTh90nESAcfJUeg8gojypb20+WH3OLo2vDgRBCuZS0PLPnuCiSyolmqb44EQ/E+Gz0ieqcUKJj0Ez39ZxXMWfAKaoKrYW3j3HrJMk4+HSevfO3iBbhww8tQIDAQAB"

This name can be a TXT record directly, or (as here) a CNAME pointing to a TXT record that holds the domain key.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

What do I do with SPF and DKIM?

DMARC is a published TXT record that tells an email service what to do if SPF and DKIM fail. It can request an aggregated report about your domain's email activities or only report failures. I've decided to report only failures.

To view the DMARC record, use the following command:

┌[ jake@macOS ] ~
└➤ nslookup -q=TXT _dmarc.wildarcher.net

Non-authoritative answer:
_dmarc.wildarcher.net	text = "v=DMARC1; p=reject; ruf=mailto:jake@wildarcher.net ; fo=1"

Now, if my email domain is impersonated, I receive a report detailing the activity. With `p=reject`, I instruct the mail service to destroy any message that does not conform to my SPF record or lacks proper DKIM setup.
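As an added example (not code from this post), the following Python parses the three records shown above the way a receiving server would read them, with the records constructed inline so it runs without DNS. The DKIM key is shortened, and whether SPF or DKIM actually passed with alignment is taken as an input (`spf_aligned_pass`, `dkim_aligned_pass`) rather than evaluated, since that requires the message itself.

```python
# Constructed inputs: the records from the nslookup output above (DKIM key shortened).
# A resolver returns a TXT RR as a list of <=255-byte character-strings; the DKIM
# record is long enough to be split, as the doubled quotes above show, so the
# strings must be concatenated before the tags are parsed.
SPF_TXT = ["v=spf1 include:icloud.com -all"]
DKIM_TXT = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI",  # constructed,
            "IBCgKCAQEArXzk9abGwA6wDPA9/C5jSO/GHFNz"]                # shortened key
DMARC_TXT = ["v=DMARC1; p=reject; ruf=mailto:jake@wildarcher.net ; fo=1"]

def join_txt(strings):
    """Concatenate a TXT record's character-strings with no separator."""
    return "".join(strings)

def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DKIM, DMARC), tolerating stray spaces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def parse_spf(record):
    """Return (mechanisms, qualifier of 'all'). '-' hard-fails unlisted senders;
    RFC 7208 treats a missing 'all' as neutral ('?')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], "?"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, mechanism))
    return mechanisms, all_qualifier

def dmarc_disposition(tags, spf_aligned_pass, dkim_aligned_pass):
    """Receiver action: DMARC passes when SPF or DKIM passes *and* aligns with From:."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return actions[tags.get("p", "none")]

def failure_report_trigger(tags):
    """fo=0 (default) reports only when both SPF and DKIM fail; fo=1 when either does."""
    return "any" if "1" in tags.get("fo", "0").split(":") else "all"
```

The split-string handling matters in practice: a DKIM checker that reads only the first quoted string gets a truncated key and every signature fails verification.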