The main TIL here is that Email is surprisingly easy to spoof. For example, you can use Emkei’s mailer to send emails as anyone to anyone. Using an online anonymous mailer like this is a good test of your email authentication and spam filter settings. The more surprising thing, to me at least, is that this is by design, kind of. Time to get into email standards!

Email Protocols

The Simple Mail Transfer Protocol (SMTP) is an internet standard which is commonly used for sending and relaying email messages. SMTP client authentication can be done based on location or user credentials. However, to send email, all you need to do is to perform a valid SMTP transaction. An SMTP transaction consists of three sequences or commands. SMTP does not define what an acceptable sender mailbox specification is, this is up to the receiving party. To remedy this situation, there are three more standards/protocols to discuss.

The Sender Policy Framework (SPF) defines which servers can send email as coming from a specific domain. This can be done by adding a record to a server’s DNS information. With an SPF record in place, receiving mail servers can check whether the originating server is authorised to have sent that email.

With DomainKeys Identified Mail (DKIM) a cryptographic signature is added to emails by the sending mailserver. The public key for DKIM is published as a DNS record against which the signatures can be checked. DKIM associates emails with a domain name so forged sender addresses can be detected. Since DKIM signs parts of the email message, it also ensures that these fields have not been (substantially) changed since the email was sent.

Finally, Domain-based Message Authentication, Reporting & Conformance (DMARC) ties it all together. DMARC is an advisory policy, informing receivers what should be done if an SPF or DKIM check fails. There are three policies:

  • None: no special treatment is required. This should only be used for testing.
  • Quarantine: treat with suspicion, for example flag messages as suspicious or deliver them to the spam folder.
  • Reject: simply reject messages that fail a check (bounce).

Optionally, DMARC can produce aggregate and forensic reports which are sent to a specified email address.

Checking your settings

MXToolBox (among others) has tools to check all three policies: SPF, DKIM and DMARC.