Email Auth SPF,DKIM,DMARC

Email Auth SPF,DKIM,DMARC
From: https://kb.smtp.com/article/1039-email-authentication-spf-dkim -dmarc

Email Auth SPF How To Implement DKIM DMARC

Email authentication (SPF, DKIM, DMARC)
Email authentication refers to a set of tools that improve an email's
legitimacy, allowing you to determine the source of each particular email.
Mechanisms such as SPF, DKIM and DMARC will be overviewed in this article,
providing you with an understanding of these concepts that provide huge
benefits to you as an email marketer.

There are three mechanisms that exist to counteract Spammers, Fraudsters,
Phishers and other types of email abuse, making sure that fraudulent emails
impersonating sensitive services don't make it into the recipients inbox.
These are:

SPF helps servers verify that messages appearing to come from a particular
domain are sent from servers authorised by the domain owner.
DKIM adds a digital signature to every message. This lets receiving servers
verify that messages aren't forged, and weren't changed during transit.
DMARC authenticates messages with SPF and DKIM, and manages suspicious
incoming messages.




SPF
Sender Policy Framework (SPF) is an attempt to control forged email. SPF is not
directly about stopping spam and junk email. It is about giving domain owners a
way to say which mail sources are legitimate for their domain and which ones 
aren't. This tool protects the envelope address (Return-Path email address). It
uses the TXT DNS record that is published at the Return-Path domain and relies
on the recipient server to lookup that TXT record, parse it, analyse it and 
check against the IP address of the MTA that pushed the email in question to the
final recipient's service. Receivers verifying the SPF information in TXT 
records may reject messages from unauthorised sources before receiving the body
of the message: "550 Message rejected because SPF check failed"

The SPF record contains rules as to what IP addresses are allowed or prohibited
to send email for a specific hostname (one specified in the Return-Path header
field). Every record starts with "v=spf1". This is due to the fact that TXT 
records can be used to hold a variety of data and an SPF record must correctly
identify itself as such to make sure the SPF validation parser check relevant 
information only.You may check SPF syntax and SPF specifications at 
http://www.open-spf.org/



How to implement? 
You have the option to verify your domain with SPF within “Manage Sending
Emails and Domains” option under the Accounts dropdown in the navigation
bar.
	
SPF record should be added to DNS settings of each sending domain as TXT
record type: 

Name/Host/Label: set it as a subdomain or to @ if you do not use a
subdomain.
RecordType: "TXT"
Value/Text: "v=spf1 include:_spf.smtp.com ~all"


Please consult SPF Setup for SMTP.com Customers for further details. 



DKIM

DomainKeys Identified Mail (DKIM) is an email authentication method designed
to detect email spoofing. It allows the receiver to check that an email from
a specific domain was authorised by the owner of that domain.

DKIM lets a domain associate its name with an email message by affixing a
digital signature to it. Verification is carried out using the signer's
public key published in the DNS. A valid signature guarantees that parts of
the email ( including attachments) have not been modified since the
signature was affixed.

DKIM provides for two distinct operations, signing and verifying. Either of
them can be handled by a module of a Mail Transfer Agent (MTA). DKIM keys
are generated in pairs: Private and Public.

DKIM relies on “asymmetric cryptography” (also known as “public-key
cryptography”). After a message is received, and before that message is
delivered to its destination, DKIM uses a “private key” to create a
signature which is attached to the message. When the message is delivered to
the destination, the destination server asks the sender for a public key to
verify that the signature is correct. If the public key allows the
destination server to decrypt the supplied signature to the same value it
computes as the signature, it can assume the sender is who they claim to
be.Does SMTP.com automatically assign emails with DKIM?

Yes, SMTP.com will automatically DKIM sign your messages using one of our
shared domains. But you may also add a Custom DKIM to use your own domain. 

How to add a Custom DKIM? 
Use the “Manage Sending Emails and Domains” option under the Accounts
dropdown in the navigation bar. 
Check the instructions on how to set up a valid SPF and DKIM.
Use the API to add custom DKIM. Please visit the API guide for details.



DMARC

DMARC is built on top of two existing mechanisms, Sender Policy Framework
(SPF) and DomainKeys Identified Mail (DKIM). Unlike SPF and DKIM - DMARC is
not designed to add legitimacy to email, but to prevent any possible
fraudulent emails from being accepted. It ensures that legitimate email is
authenticating against established DKIM and SPF standards and that
fraudulent activity appearing to come from domains under the organisations
control (active sending domains, non-sending domains, and defensively
registered domains) is blocked.

DMARC allows senders to instruct email providers on how to handle
unauthenticated mail via a published DMARC policy, removing any guesswork on
how they should handle messages that fail DMARC authentication. Senders can
either:

Monitor all mail, to understand their brand’s email authentication
ecosystem, and ensure legitimate mail is authenticating properly without
interfering with the delivery of messages that fail.
Instruct to quarantine messages that fail DMARC (e.g.move to the spam
folder)
Instruct to reject messages that fail DMARC (e.g. don’t deliver the mail
at all)


DMARC mainly relies on domain alignment and reporting features. It also uses
the DNS system to publish policies, just like SPF and DKIM do.

The alignment feature prevents spoofing of the “header from” address by:

Matching the “header from” domain name with the “envelope from”
domain name used during an SPF check (matching From to Return-Path);
Matching the “header from” domain name with the “d= domain name” in
the DKIM signature (matching From to DKIM d=)


For more info regarding DMARC, please visit http://dmarc.org and check
Instructions on how to set up a valid DMARC record.

NOTE: 
If you would like to set up DMARC, please ensure that you have a custom DKIM
and SPF set up properly first prior to any changes. A message will fail
DMARC if the message fails both SPF(or SPF alignment) and DKIM(or DKIM
alignment). It is recommended to test DMARC with p=none policy for some time
before implementing other policies, as withp=none allows the sender can
receive forensic and aggregate reports without the danger of their email
being rejected or quarantined.