Best Practices: Email Authentication – SPF, DKIM, and DMARC

Email security, authentication, and related best practices are the foundation of the Internet Society’s Online Trust Alliance work to promote the integrity of email and standards to counter email fraud and phishing. OTA publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel.

Three email authentication standards form one of the major components <br>

Sender Policy Framework (SPF)<br>

DomainKeys Identified Mail (DKIM)<br>

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Best Practices<br>

Implement both SPF and DKIM for top-level domains, “parked” domains (not used for email) and any major subdomains seen on websites or used for email.<br>

1. Optimize SPF records with no more than 10 DNS lookups.<br>
2. Implement DMARC, initially in “monitor” mode to get receiver feedback and verify accuracy of email authentication, and eventually move to “enforcement” (signal a “reject” or “quarantine” policy to receivers).<br>
3. Mandate the use of DMARC reporting capabilities with RUA (aggregate) and RUF (message-specific forensic) reports.<br>
4. Implement inbound email authentication checks and DMARC on all networks to help protect against malicious email and spear phishing purporting to come from legitimate senders.<br>
5. Implement opportunistic TLS to protect email in transit between mail servers.<br>
6. Ensure that domains are locked to prevent domain takeovers.<br>
7. Implement DNSSEC to help protect a site’s DNS infrastructure.<br>
8. Deploy IPv6.<br>
9. Implement Distributed Denial of Service (DDoS) mitigation technologies and processes.<br>
10. Implement multi-factor authentication.<br>