DKIM and SPF are systems that have been in use for many years and that allow many such messages to be detected as spoofed. Sadly, many mail systems are not yet using these simple techniques. My system ALWAYS uses both of these protections when transmitting messages, allowing any recipient to be assured that messages claiming to be from me are from me.
All mail transmission systems should use these, allowing the recipient to choose whether or not to actually check. If they are not transmitted, the recipient is deprived of this choice.
Both SPF and DKIM are relatively simple to understand and can be enabled by any competent IT professional in only a few minutes. Professional sites, such as Google, and my sites already use them. In the following paragraphs I describe these systems by the use of illustrated examples.
The Sender Policy Framework (SPF) system creates a DNS (Domain Name System) record for the sender's domain. Since only the owner of a domain can add DNS records to the DNS system, it may be assumed that the SPF record, where one exists, was created by the TRUE owner of the domain. The SPF record describes which computers, by IP address, are permitted to send mail on behalf of the domain.
For example, a lookup of the SPF record for JPHURST.com will return:
v=spf1 a mx -all
This return value comprises the following sections: "v=spf1" identifies the record as an SPF version 1 record; "a" permits the address in the domain's A record; "mx" permits the domain's mail servers, as listed in its MX records; "-all" declares that every other address fails.
A recipient of eMail can look to see if the sender's domain has an SPF record in the DNS system. If the sender has been responsible and created such a record, then the recipient's mail agent can check its contents. If the IP address from which the message arrives is not listed, then the message is invalid and must be assumed to be spoofed. For example, messages from me will contain in their headers lines similar to:
Return-Path: jp@2016.jphurst.com
Received: from mail.another1.tk (another1.tk. [107.191.100.195])
which indicates that the message was transmitted by my mail server at the IP address 107.191.100.195 and appears to be from my domain. As a responsible sender I have created an SPF record as listed above, being v=spf1 a mx -all. A recipient mail agent, such as Google, is able to look at this SPF record and see that I have specified that my mail servers, as indicated by the "mx" in this record, as well as my main domain address, as specified by the "a", are valid senders. The mail agent should look for the SPF record associated with the domain in the message, 2016.jphurst.com. A check of the A-type record on the DNS system will show that my domain's main address is that same 107.191.100.195 IP address. Therefore the message can be assumed to be valid. It has arrived from a mail server that I have listed as a valid and expected sender. A spammer will not have access to my server and will be unable to send messages from it. He will be unable to set my DNS records, so he is thwarted and his spam and spoofing may be detected.
So, a responsible sender has an SPF record and this can be checked by ANY recipient. Messages from IP addresses that are not specified by the SPF record are KNOWN to be spoofed.
The SPF record format allows for various additional methods of specifying the addresses from which mail may be transmitted. It is not the intent here to define that whole system. My record specifies only that my main server, as defined by "a", and my mail servers, as specified by "mx", are the ONLY IP addresses that will EVER transmit messages from me. Any message with a "Return-Path" of 2016.jphurst.com must be from one of the IP addresses specified.
Professional eMail agents such as Google will always use DKIM.
With DKIM each message, before being transmitted, has a DKIM signature added to its header. The signature uses Public Key Infrastructure systems and ensures that the message was transmitted/signed by the owner of the "private key". Each signature is specific to each recipient, so a spammer would need to add significant code to sign each separate message.
The DKIM system publishes, in DNS, the public key that matches the private key with which the sender makes his signature, and so any recipient can be certain that the sender of the message had access to the private key.
For example, my DKIM key is published, using DNS, as:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8222mSpFjN2+Z0cfK2JVVk1Uh+hOg9SLljoa205BkouprhE+H4NBzzV+DTdau12W1YmaMF4JDbrFTVCBXVJLMUrY7QsZQF2K6ZtJN92Hpb8drwV5rQPdoiIzgFp4B117/SxyCi92ZyMlQUlZjTzQfIcXWygCNyk4yROJYh/EBcQIDAQAB
It is indexed by mail._domainkey.jphurst.com, so any responsible mail agent is able to look it up as a DNS TXT-type record by prefixing "mail._domainkey." to the domain name. The returned value specifies the type of public key, in this case RSA, and the actual key.
All messages from me contain a header similar to:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=2016.jphurst.com; s=mail;
t=1465982278; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=To:From:Subject:Date:From;
b=opL4E5D3et+CwsgUBUSELH/6m27KC97DtZvNLofbi6wmOScAKNg+62mSk3XYSfOTd
phfdsSRsIsCrgriz7jEONDPL+j+c3lcBJhioCmTdYn3fiGK/zjoO26R38NGBxIH6kv
efk6TvaY/0i3CSFdDMZvMeW7AzE6jmfVVqIta3Sc=
The recipient's mail client, seeing the DKIM-Signature, requests the DNS record with my public key and is able to ensure that the message was signed by me. My signature, as can be seen above, signs the To, From, Subject and Date headers. If a signature is found to be invalid when checked with my public key, then it is known that I did not send the message.
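As an added example (not code from the article, nor from the author's or any vendor's mail software), the following Python reproduces the checks a receiving mail agent performs on the header above: it derives the TXT record name from the s= and d= tags, extracts the RSA modulus and exponent from the p= value published above (a minimal DER reader stands in for a crypto library), recomputes the bh= body hash under the "simple" body canonicalisation named in c=, canonicalises the h= headers under "relaxed" canonicalisation, and performs the PKCS#1 v1.5 RSA comparison. The key record and DKIM-Signature header are the ones printed above; the message headers in SAMPLE_HEADERS are constructed, not the original message, so the final signature check correctly returns False. The bh= value in the header above happens to be the hash of an empty body, which the example confirms.

```python
import base64
import binascii
import hashlib
import re

# Copied from the article: the key record published at mail._domainkey and the
# DKIM-Signature header, with its folded b= value joined back together.
KEY_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8222mSpFjN2+Z0cfK2JVVk1Uh+hOg9SLljoa205BkouprhE+H4NBzzV+DTdau12W1YmaMF4JDbrFTVCBXVJLMUrY7QsZQF2K6ZtJN92Hpb8drwV5rQPdoiIzgFp4B117/SxyCi92ZyMlQUlZjTzQfIcXWygCNyk4yROJYh/EBcQIDAQAB"
SIG_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=2016.jphurst.com; s=mail; "
              "t=1465982278; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; "
              "h=To:From:Subject:Date:From; "
              "b=opL4E5D3et+CwsgUBUSELH/6m27KC97DtZvNLofbi6wmOScAKNg+62mSk3XYSfOTd"
              "phfdsSRsIsCrgriz7jEONDPL+j+c3lcBJhioCmTdYn3fiGK/zjoO26R38NGBxIH6kv"
              "efk6TvaY/0i3CSFdDMZvMeW7AzE6jmfVVqIta3Sc=")

# DER DigestInfo prefix for SHA-256 inside a PKCS#1 v1.5 signature.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def parse_tags(value):
    """Split a 'tag=value; tag=value' list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def selector_record_name(sig):
    """DNS name the verifier queries: <s>._domainkey.<d> from the signature tags."""
    return sig["s"] + "._domainkey." + sig["d"]


def _tlv(buf, pos):
    """Minimal DER reader: returns (tag, contents, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(key):
    """(modulus, exponent) from the base64 SubjectPublicKeyInfo in the p= tag."""
    der = base64.b64decode(key["p"])
    _, spki, _ = _tlv(der, 0)                        # SEQUENCE { algorithm, BIT STRING }
    _, _, pos = _tlv(spki, 0)                        # skip AlgorithmIdentifier
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, rsakey, _ = _tlv(bits[1:], 0)                 # drop unused-bits octet; SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsakey, 0)
    _, e_bytes, _ = _tlv(rsakey, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def body_hash_simple(body):
    """bh= under 'simple' body canonicalisation: CRLF line endings, and any run of
    trailing empty lines reduced to a single CRLF (an empty body hashes as CRLF alone)."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def relaxed_header(name, value):
    """'relaxed' header canonicalisation: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"


def signed_data(headers, sig_header, sig):
    """Bytes the signature covers: each name in h= consumes the next-unused header
    instance counting from the bottom (a missing one contributes nothing), followed
    by the DKIM-Signature header itself with b= emptied and no trailing CRLF."""
    pool = list(headers)                             # [(name, value)] in message order
    out = ""
    for name in sig["h"].split(":"):
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == name.lower():
                out += relaxed_header(*pool.pop(i))
                break
    stripped = re.sub(r"(?<![A-Za-z0-9/+])b=[^;]*", "b=", sig_header)
    return out + relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")


def rsa_sha256_verify(n, e, data, sig_b64):
    """RSASSA-PKCS1-v1_5 check of the b= value over the signed data."""
    k = (n.bit_length() + 7) // 8
    try:
        s = int.from_bytes(base64.b64decode(sig_b64), "big")
    except binascii.Error:
        return False
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    digest = hashlib.sha256(data.encode()).digest()
    padding = b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - len(digest))
    return em == b"\x00\x01" + padding + b"\x00" + SHA256_DIGESTINFO + digest


def verify(headers, body, sig_header, key_record):
    """The whole check once the TXT record is in hand; any mismatch is a failure."""
    sig, key = parse_tags(sig_header), parse_tags(key_record)
    if sig.get("a") != "rsa-sha256" or key.get("k", "rsa") != "rsa":
        return False
    if body_hash_simple(body) != sig["bh"]:
        return False                                 # body altered after signing
    n, e = rsa_public_numbers(key)
    return rsa_sha256_verify(n, e, signed_data(headers, sig_header, sig), sig["b"])


# Constructed stand-in for the original message (the date is derived from t=);
# its body is empty, which is what the article's bh= value corresponds to.
SAMPLE_HEADERS = [("To", "someone@example.net"), ("From", "jp@2016.jphurst.com"),
                  ("Subject", "test"), ("Date", "Wed, 15 Jun 2016 09:17:58 +0000")]

if __name__ == "__main__":
    sig, key = parse_tags(SIG_HEADER), parse_tags(KEY_RECORD)
    n, e = rsa_public_numbers(key)
    print(selector_record_name(sig), str(n.bit_length()) + "-bit RSA, e=" + str(e))
    print("bh= matches an empty body:", body_hash_simple("") == sig["bh"])
    print("signature valid over constructed headers:",
          verify(SAMPLE_HEADERS, "", SIG_HEADER, KEY_RECORD))
```

Running it also shows that the published key is 1024-bit RSA. RFC 8301 requires verifiers to accept keys of that size but recommends that signers use at least 2048 bits, so a receiving agent that warns on short keys is behaving correctly. Note too that the h= list names From twice: the second entry finds no further From header and contributes nothing, which is the standard way of ensuring that a From header added later will break the signature.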
Google, for example, when seeing messages from me, adds headers:
Authentication-Results: mx.google.com;
dkim=pass header.i=@jphurst.com;
spf=pass (google.com: domain of jp@2016.jphurst.com designates 107.191.100.195 as permitted sender) smtp.mailfrom=jp@2016.jphurst.com
Google and any other responsible mail agent has checked my SPF and DKIM and has a GREAT degree of assurance that the message is from me. Note they see the dkim=pass and spf=pass.
This article was inspired by a request from a friend who was receiving spoofed mail from one of his friends and wanted a way to detect it. I checked the spoofed and non-spoofed messages and discovered that the sender's domain has the SPF record:
v=spf1 include:spf.serverdata.net ~all
Sadly this ~all instructs that mail is valid whether or not it matches the previous parameters of the record.
It will be noted that the SPF record did include
include:spf.serverdata.net
which specifies that the list of IP addresses for valid senders is held at spf.serverdata.net rather than directly in this record. Checking that SPF record did indeed return the data
v=spf1 ip4:64.78.0.0/18 ip4:162.244.196.0/22 ip4:199.193.200.0/21 ip4:206.225.164.0/22 ip4:162.216.192.0/22 ip4:66.119.34.16/28 ip4:205.140.223.32/28 ip4:185.64.212.0/22 ip4:103.211.140.0/23 ip4:69.10.229.0/24
The "clean" messages were in fact sent from IP address 96.114.154.197, which is not listed either. So, this sender's messages can NEVER be verified. He has an SPF record that says "any sender is valid"; this recommendation, specified by the ~all (tilde all), is useless, since his valid messages are not transmitted by listed addresses. He fails to use DKIM.
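Both the "a mx -all" record explained earlier and the "include ... ~all" record of the friend's sender can be evaluated with the same logic. The following Python is an added example, not code from the article or from any mail server: it implements the core of an SPF check in the manner of the check_host() function of RFC 7208 over a constructed stand-in for DNS, and it generalises beyond the two records on this page to any combination of the a, mx, ip4, include and all mechanisms with the four qualifiers. The SPF records for jphurst.com and spf.serverdata.net are the ones quoted in the article; the A and MX entries for jphurst.com, the use of mail.another1.tk as its MX host, the domain friend.example and the addresses 203.0.113.7 and 64.78.1.1 are assumptions made for the example.

```python
import ipaddress

# Constructed DNS table. Real verifiers query A, MX and TXT records; the SPF
# records for jphurst.com and spf.serverdata.net are as quoted in the article,
# the rest (A/MX data, mail.another1.tk as MX, friend.example) is assumed.
DNS = {
    "jphurst.com": {
        "A": ["107.191.100.195"],
        "MX": ["mail.another1.tk"],
        "TXT": ["v=spf1 a mx -all"],
    },
    "mail.another1.tk": {"A": ["107.191.100.195"]},
    "friend.example": {"TXT": ["v=spf1 include:spf.serverdata.net ~all"]},
    "spf.serverdata.net": {"TXT": [
        "v=spf1 ip4:64.78.0.0/18 ip4:162.244.196.0/22 ip4:199.193.200.0/21 "
        "ip4:206.225.164.0/22 ip4:162.216.192.0/22 ip4:66.119.34.16/28 "
        "ip4:205.140.223.32/28 ip4:185.64.212.0/22 ip4:103.211.140.0/23 "
        "ip4:69.10.229.0/24"
    ]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message arriving from `ip`.

    Returns one of: pass, fail, softfail, neutral, none (no SPF record) or
    permerror (unknown mechanism or include nesting too deep)."""
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qualifier = "+"                         # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                       # the domain's (or arg's) A record
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":                      # the A record of each MX host
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":                 # recursive check; only a pass counts
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # fell off the end of the record


def receiver_action(result):
    """What a receiving mail agent can justifiably do with each SPF result."""
    return {
        "pass": "accept: the sending address is authorised by the domain owner",
        "fail": "reject: the domain owner says this address never sends its mail",
        "softfail": "accept but mark: the owner would not commit to -all",
    }.get(result, "no decision possible: treat as unauthenticated")


if __name__ == "__main__":
    for ip, domain in [("107.191.100.195", "jphurst.com"),
                       ("203.0.113.7", "jphurst.com"),
                       ("96.114.154.197", "friend.example")]:
        result = check_host(ip, domain)
        print(ip, "for", domain + ":", result, "->", receiver_action(result))
```

The three runs in the main block reproduce the article's findings: the author's own server passes, a stranger's address fails outright under -all, and the friend's sender at 96.114.154.197 matches nothing in the included list and so falls through to ~all, leaving the recipient with only a softfail that it cannot reject on. Mechanisms the page does not use (ip6, ptr, exists, the redirect= modifier, CIDR suffixes on a and mx) are deliberately left out and produce permerror here.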