Since email attacks are becoming more sophisticated every day, the techniques to counter them need to be more robust, too. As you learned in my previous post, the SPF record lists the servers that are authorized to send emails on behalf of your domain. DKIM, on the other hand, adds a digital signature to each message; the receiving mail server verifies it with the public key published in the signing domain's DNS, which proves that the signing domain took responsibility for the message and that the signed parts were not altered in transit.
There are two sender addresses in an email message. The first is the MAIL FROM address in the SMTP envelope (also called the return-path or envelope from); the second is the From header, which is what the email client displays. SPF validates only the envelope-from domain, by checking the connecting server's IP address against that domain's SPF record, and never looks at the From header. An attacker who controls any domain with a valid SPF record can therefore pass SPF while displaying a forged From address.
What's more, SPF is more fragile than DKIM. Consider a scenario in which an original email message (which passed the SPF check on first delivery) is forwarded to someone else. The forwarder's mail server re-sends the message from its own IP address, usually leaving the return-path unchanged, so the final recipient's server checks the original sender's SPF record against an IP address that is not listed in it, and the SPF check fails. If the forwarder instead rewrites the return-path to its own domain, SPF may pass, but it then vouches only for the forwarder, not for the original sender. This problem doesn't exist for a DKIM-signed message, because the signature is embedded in the message header and is verified with the key published in the signing domain's DNS, independently of which server delivered the message. As long as the forwarder does not alter the signed headers or the body (a mailing list that appends a footer will break it), the DKIM signature is preserved and still verifies.
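To make the difference between the two addresses concrete, here is an added Python example (not code from the original post) that models the situations described above: direct delivery from an authorized IP with a forged From header, plain forwarding, forwarding with a rewritten return-path, and the DKIM body hash before and after the body is touched. All addresses, IP addresses and SPF records are constructed. The SPF evaluator handles only ip4 terms and the final all, and the DKIM part recomputes only the bh= body hash, not the RSA signature over the headers.

```python
"""Envelope From vs header From, and what forwarding does to SPF and DKIM.

Added example, not code from the original post. Every address, IP
address and SPF record here is constructed for illustration. The SPF
evaluator handles only ip4 mechanisms and the final "all" term, which is
enough to show that the header From is never consulted; the DKIM part
recomputes only the body hash (bh=), not the RSA signature.
"""
import base64
import hashlib
import ipaddress
from email import policy
from email.parser import BytesParser

# Constructed SPF TXT records, standing in for live DNS lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",        # original sender
    "forwarder.example": "v=spf1 ip4:198.51.100.10 -all",  # a forwarding MTA
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_from_domain(mail_from: str) -> str:
    """Domain of the RFC5321.MailFrom (Return-Path), e.g. "<b@example.com>"."""
    return mail_from.strip("<>").rpartition("@")[2].lower()


def header_from_domain(raw_message: bytes) -> str:
    """Domain of the RFC5322.From header, the address a mail client shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return msg["From"].addresses[0].domain.lower()


def spf_check(client_ip: str, mail_from: str, records=SPF_RECORDS) -> str:
    """Minimal SPF evaluation for (connecting IP, MAIL FROM).

    Note what is *not* a parameter: the message itself. SPF only ever
    sees the envelope sender and the connecting IP, so a forged header
    From passes as long as the envelope domain authorizes that IP.
    """
    record = records.get(envelope_from_domain(mail_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:                     # skip "v=spf1"
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER[qual]
    return "neutral"                                    # record ended without "all"


def dkim_body_hash(body: bytes) -> str:
    """bh= value for DKIM "simple" body canonicalization (RFC 6376, 3.4.3):
    normalize line endings to CRLF, drop trailing empty lines, end with
    exactly one CRLF, then SHA-256 and base64."""
    canon = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while canon.endswith(b"\r\n\r\n"):
        canon = canon[:-2]
    if not canon.endswith(b"\r\n"):
        canon += b"\r\n"
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


# Constructed message: the envelope sender is example.com, but the
# displayed From claims to be the CEO of another organization.
BODY = b"Please pay the attached invoice today.\r\n"
RAW_MESSAGE = (
    b"Return-Path: <bounce@example.com>\r\n"
    b"From: CEO <ceo@victim.example>\r\n"
    b"To: finance@victim.example\r\n"
    b"Subject: Urgent invoice\r\n"
    b"\r\n" + BODY
)


def scenario() -> dict:
    """Run the hops discussed in the article and return the verdicts."""
    mail_from = "<bounce@example.com>"
    original_bh = dkim_body_hash(BODY)
    return {
        "header_from": header_from_domain(RAW_MESSAGE),      # victim.example
        "envelope_from": envelope_from_domain(mail_from),     # example.com
        # 1. Direct delivery from an authorized IP: SPF passes although
        #    the header From is forged.
        "direct": spf_check("203.0.113.5", mail_from),
        # 2. Plain forwarding keeps MAIL FROM, but the forwarder's IP is
        #    not in example.com's record: SPF fails.
        "forwarded": spf_check("198.51.100.10", mail_from),
        # 3. Forwarder rewrites the envelope (SRS-style, constructed address):
        #    SPF passes again, but now vouches for the forwarder only.
        "forwarded_srs": spf_check("198.51.100.10", "<srs0=x@forwarder.example>"),
        # DKIM: an untouched body (even with extra trailing blank lines)
        # keeps its hash across forwarding; a mailing-list footer breaks it.
        "bh_after_forward_ok": dkim_body_hash(BODY + b"\r\n\r\n") == original_bh,
        "bh_after_footer_ok": dkim_body_hash(BODY + b"-- \r\nSent via list\r\n") == original_bh,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:22} {value}")
```

The signature of spf_check is the whole point: it takes the connecting IP and the envelope sender, never the message, so the forged victim.example header passes SPF on direct delivery, fails when a forwarder re-sends from its own IP, and passes again only if the forwarder rewrites the return-path to its own domain. The body hash comparison shows why DKIM survives the same forwarding: the hash covers the message, not the path it took.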
Let's look at an example to understand how SPF and DKIM make a difference. Suppose you send an email to a recipient with a gmail.com address. The following screenshot shows what the email will look like when it is sent from a domain with a correctly configured SPF record.
The mailed-by field in the screenshot indicates that the SPF check passed: the message was indeed sent by a server authorized for the return-path domain. Now, let's see what an email message looks like when it is sent from a domain that has both SPF and DKIM in place.
In this screenshot, you can see both the mailed-by and signed-by fields. The latter names the domain whose DKIM key signed the message; Gmail's servers verified that signature, which shows that the message came from that domain and that the signed content wasn't changed in transit.
I did encounter the case of the 16-lookup limit for SPF. In those cases, I ended up using micro SPF to add more IPs.
The limit is 10 DNS lookups in SPF. There is no limit on adding IP addresses, since they don't trigger a DNS lookup. A lookup is only triggered when you use mechanisms like a, mx, include, etc., as in include:spf.protection.outlook.com.
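As an added example (not code from the post or from the comments above), the following Python walks a constructed SPF record tree and counts the DNS-querying terms the way RFC 7208, section 4.6.4, does: a, mx, ptr, exists and include each cost one lookup, the redirect= modifier costs one, and ip4, ip6 and all cost nothing. The domains and TXT records are made up and are not the live records of any mail provider; the second domain shows the same policy with one include flattened into its IP blocks.

```python
"""Count the DNS-querying terms in an SPF record tree (RFC 7208, 4.6.4).

Added example, not code from the original post or the comment thread.
The domains and TXT records below are constructed for illustration (they
are not the live records of any real mail provider); only the counting
rule is shown, not a full SPF evaluation.
"""

# Constructed "DNS": domain -> SPF TXT record.
DNS_TXT = {
    # Main domain: two direct lookups (mx, a) plus three includes.
    "contoso.example": (
        "v=spf1 mx a include:_spf.mailhost.example include:_spf.crm.example "
        "include:_spf.newsletter.example ip4:203.0.113.0/24 -all"
    ),
    # Hosted mail provider that fans out into three netblock records.
    "_spf.mailhost.example": (
        "v=spf1 include:_netblocks.mailhost.example "
        "include:_netblocks2.mailhost.example include:_netblocks3.mailhost.example -all"
    ),
    "_netblocks.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_netblocks2.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_netblocks3.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.crm-backup.example ~all",
    "_spf.crm-backup.example": "v=spf1 a -all",
    "_spf.newsletter.example": "v=spf1 redirect=_spf.bulk.example",
    "_spf.bulk.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.rbl.bulk.example -all",
    # Same policy as contoso.example, but the mailhost include has been
    # flattened into its ip4/ip6 blocks, which cost no lookups.
    "contoso-flat.example": (
        "v=spf1 mx a ip4:198.51.100.0/24 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
        "include:_spf.crm.example include:_spf.newsletter.example "
        "ip4:203.0.113.0/24 -all"
    ),
}

# Mechanisms that each cost one DNS query; the redirect= modifier also
# costs one. ip4, ip6, all and exp= cost nothing.
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
MAX_LOOKUPS = 10


def count_lookups(domain: str, dns: dict = DNS_TXT, path: tuple = ()) -> int:
    """Total DNS-querying terms reachable from domain's record.

    Every term is counted regardless of where evaluation would stop:
    that is the worst case a receiver may hit and what SPF checkers
    report. `path` guards against include/redirect loops.
    """
    if domain in path:
        return 0
    record = dns.get(domain)
    if record is None:
        return 0                       # missing record: a "void lookup", limited separately
    total = 0
    for term in record.split()[1:]:    # skip "v=spf1"
        term = term.lstrip("+-~?").lower()
        if "=" in term:                # modifier (redirect=, exp=)
            name, _, target = term.partition("=")
            if name == "redirect":
                total += 1 + count_lookups(target, dns, path + (domain,))
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]      # "a/24" -> "a"
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, dns, path + (domain,))
    return total


def spf_lookup_status(domain: str, dns: dict = DNS_TXT) -> tuple:
    """(lookup count, "ok" | "permerror") for a domain's SPF record."""
    n = count_lookups(domain, dns)
    return n, ("ok" if n <= MAX_LOOKUPS else "permerror")


if __name__ == "__main__":
    for d in ("contoso.example", "contoso-flat.example"):
        print(d, *spf_lookup_status(d))
```

Running it reports 14 lookups for contoso.example, which a receiver treats as permerror, and exactly 10 for contoso-flat.example, which is within the limit. The only difference is that the mailhost include chain (four lookups) was replaced by the ip4/ip6 blocks it resolved to, which is the trade-off behind flattening: fewer lookups, but the record must be regenerated whenever the provider changes its address ranges.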