How Does SPF Compare To DMARC And Why Is DMARC Needed To Stop Domain Phishing And Spoofing?
In this article, we discuss what SPF does and what it does not do:
Does:
- SPF authenticates the sending server of the email based on the sending IPv4/IPv6 address.
- SPF checks an address that is not visible to the end-user: the envelope sender, also known as the Return-Path, MAIL FROM, Envelope-From or bounce address.
Does not:
- SPF does not require any alignment between the domain visible to the end-user (the “From” header) and the typically invisible Return-Path domain that it actually checks.
- SPF does not provide any reporting functionality for the receiver to send back to the sender with the results of the email authentication.
- SPF does not survive forwarding and indirect mail-flows.
- SPF does not tell the receiving server what it should do with an email that fails SPF. For example, senders can publish “-all”, but receivers have never honoured this on its own, because SPF breaks easily (see forwarding above) and rejecting on an SPF failure alone would cause legitimate emails to be rejected. This is the most commonly held misconception regarding SPF: that publishing “-all” is enough to get spoofed mail rejected.
This prompted the introduction of an additional email authentication standard, one that addresses the shortcomings of standalone SPF by explicitly telling receivers what to do and by providing authentication reports back to the sender. These reports enable the sender to take the necessary actions to fix legitimate mail flows. This standard was eventually formalized as the DMARC protocol.
DMARC makes use of SPF as one of its foundations but also adds additional features:
- DMARC focuses on the “From” header, which is visible to the end-user (Header From).
- DMARC requires that the domain used by SPF aligns with the domain found in the visible “From” address of the email: either an exact match (strict alignment) or a subdomain of the same organizational domain (relaxed alignment).
- DMARC ignores the nuances of soft fail and hard fail in your SPF configuration, i.e. ~all and -all are treated equivalently as an SPF fail.
- DMARC provides the reporting functionality to send email authentication results back to the owner of the “From” domain so they can find out if their domain is being misused. It also helps with troubleshooting your deliverability as the reporting will aid in discovering any misconfiguration with your legitimate email senders.
- DMARC provides a policy that tells the receivers what to do with an email that fails email authentication. This policy is enforced by the receivers. There is no enforcement when SPF is used without DMARC.
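To make the alignment and policy rules concrete, here is an added example (not code from the original article) of how a receiver turns an SPF result plus the visible “From” domain into a DMARC disposition. The domain names are constructed samples, and the organizational-domain logic is a simplifying assumption (real receivers consult the Public Suffix List).

```python
# Added example, not part of the original article: how a receiver applies the
# DMARC rules above to one message's SPF result. Domain names are constructed
# samples. Assumption: the organizational domain is the last two labels; real
# receivers use the Public Suffix List instead.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(envelope_from: str, header_from: str, aspf: str = "r") -> bool:
    """DMARC identifier alignment for SPF: aspf=s needs an exact match,
    aspf=r (the default) accepts any subdomain of the same org domain."""
    if aspf == "s":
        return envelope_from.lower() == header_from.lower()
    return org_domain(envelope_from) == org_domain(header_from)


def dmarc_spf_pass(spf_result: str, envelope_from: str, header_from: str,
                   aspf: str = "r") -> bool:
    """DMARC credits SPF only for an aligned 'pass'. softfail (~all) and
    fail (-all) are both simply 'not pass'; DMARC ignores the difference."""
    return spf_result == "pass" and spf_aligned(envelope_from, header_from, aspf)


def dmarc_disposition(spf_result: str, envelope_from: str, header_from: str,
                      dkim_aligned_pass: bool, policy: str, aspf: str = "r") -> str:
    """Message passes DMARC if aligned SPF or aligned DKIM passes; otherwise
    the receiver applies the owner's p= policy (none / quarantine / reject)."""
    if dmarc_spf_pass(spf_result, envelope_from, header_from, aspf) or dkim_aligned_pass:
        return "pass"
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy: {policy}")
    return policy


# Constructed samples: (spf_result, envelope_from, header_from, dkim_aligned_pass)
SAMPLES = {
    "spoofed From, unrelated bounce domain passes SPF": ("pass", "other.example", "bank.example", False),
    "softfail (~all) on the real domain":               ("softfail", "bank.example", "bank.example", False),
    "subdomain bounce address, relaxed alignment":      ("pass", "bounce.bank.example", "bank.example", False),
    "forwarded mail: SPF breaks, DKIM survives":        ("fail", "bank.example", "bank.example", True),
}


def evaluate_samples(policy: str = "reject") -> dict:
    """Disposition of each sample message under the given p= policy."""
    return {name: dmarc_disposition(*args, policy) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{result:10}  {name}")
```

Note that the first sample passes SPF yet fails DMARC: without alignment, an SPF pass on an unrelated bounce domain says nothing about the domain the recipient actually sees.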
Now that DMARC provides the missing pieces, it is being widely adopted and used as an authentication requirement, which comes with the added bonus of improving email deliverability. Another protocol that DMARC relies on is DKIM, which serves as a failsafe in cases where SPF breaks, such as forwarded mail.