E-mail security is a key issue for companies as billions of e-mails – often with sensitive content – are sent and received every day. Attacks like phishing and spoofing not only pose data protection risks, but also threaten the perceived trustworthiness of the sender domain. This is where e-mail security protocols like DKIM and DMARC come in: They ensure that e-mails are authenticated, the senders are verified and the e-mail traffic itself is protected against manipulation.
But for DKIM and DMARC to work effectively, they also require the “Sender Policy Framework”, or SPF for short. This authentication method defines which servers are authorized to send e-mails on behalf of a domain. Together, SPF, DKIM and DMARC form a strong protection system that makes it significantly more difficult for attackers to manipulate e-mails. In this article, we explain why domain owners should activate these protective measures.
SPF – protection against fake senders
The “Sender Policy Framework” (SPF) is an important component of e-mail authentication and works hand in hand with DKIM and DMARC to provide a comprehensive security solution. SPF is used to check whether the sending server is authorized to send e-mails on behalf of a particular domain.
The owner of a domain stores an SPF record in the DNS zone for their domain. This record contains a list of IP addresses and servers that are authorized to send e-mails on behalf of the domain. When a recipient mail server receives an e-mail, it checks the SPF record of the sender domain and compares the IP address of the sending server with the authorized addresses in the SPF record. If the check is successful, this is an indication that the e-mail is legitimate. Otherwise, it may be rejected or marked as spam.
An SPF record thus protects against attackers sending e-mails from unauthorized servers while pretending to come from a legitimate domain. To ensure reliable delivery, e-mails should be sent via the outgoing mail server provided by your web hosting provider (such as Hostpoint), since that is the server authorized in the domain’s SPF record. This reduces the risk that e-mails will be rejected by the recipient due to a failed SPF check.
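To make the check described above concrete, here is an added Python example (written for this article, not Hostpoint’s code or any official implementation): a minimal SPF evaluator modelled on the check_host procedure of RFC 7208. Instead of querying DNS it runs over a constructed, in-memory table of hypothetical domains with documentation address ranges, supports the ip4, ip6, a, mx, include and all mechanisms plus the redirect= modifier, and enforces the RFC’s limit of ten DNS-querying terms, which is what stops the self-including loop.example record from recursing forever. The ptr and exists mechanisms, macros and CIDR suffixes on a/mx are left out.

```python
import ipaddress

# Constructed DNS zone data for this example (hypothetical names, documentation
# address ranges); a real evaluator would query DNS instead.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.mailhost.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 ~all"],
    },
    "redir.example": {"TXT": ["v=spf1 redirect=example.com"]},
    # A record that includes itself: only the lookup limit stops this.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms (include, a, mx, redirect, ...)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the v=spf1 TXT record of a domain, or None if it has none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def addresses_of(host):
    return {ipaddress.ip_address(a) for a in DNS.get(host, {}).get("A", [])}


def check_host(ip, domain, lookups=None):
    """Evaluate `domain`'s SPF record for the connecting address `ip`.

    Returns pass, fail, softfail, neutral, none or permerror. The `lookups`
    counter is shared across include/redirect recursion, as the RFC requires.
    """
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                         # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        else:
            # Every remaining mechanism costs a DNS query and counts towards the limit.
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            if name == "include":
                sub = check_host(ip, arg, lookups)
                if sub in ("permerror", "none"):
                    return "permerror"
                matched = sub == "pass"
            elif name == "a":
                matched = addr in addresses_of(arg or domain)
            elif name == "mx":
                mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
                matched = any(addr in addresses_of(h) for h in mx_hosts)
            else:
                return "permerror"              # ptr, exists, a/mx with CIDR: not handled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:                    # applied only if no mechanism matched
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, lookups)
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "203.0.113.7", "203.0.113.200", "2001:db8::1"):
        print(ip, "->", check_host(ip, "example.com"))
    print("loop.example ->", check_host("192.0.2.5", "loop.example"))
```

One practical consequence visible in the table: every include: adds to the lookup budget, so a domain that includes several third-party senders (newsletter tools, CRM systems, ticketing) can exceed ten lookups and receive a permerror, which many receivers treat much like a failed check. Keeping the record short is part of keeping delivery reliable.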
DKIM – protection against e-mail manipulation
DomainKeys Identified Mail (DKIM) is an e-mail authentication method that adds a digital signature to e-mails. This signature enables the recipient to check that the e-mail really was sent via the sender domain’s server and that the contents of the e-mail have not been changed in transit. To do this, DKIM uses asymmetric (public-key) cryptography with a key pair. When an e-mail is sent by a domain, the sender’s mail server creates a digital signature over selected headers and the message body and stores it in a special header (DKIM-Signature) in the e-mail. This signature is created using a private key that is known only to the sender.
The receiving server, in turn, fetches the public key published in the DNS zone of the sender’s domain and uses it to verify the signature. It recalculates the hash over the signed headers and the body; if this value matches the one protected by the signature in the e-mail, this indicates that the e-mail is authentic and unchanged.
DKIM makes it easier to detect manipulated e-mails. This protects both the sender and the recipient against phishing and spoofing attacks. For companies, DKIM also reduces the likelihood that their e-mails will erroneously end up in the spam folder. With some providers (e.g. Google, Yahoo), the use of DKIM is already required when sending mass e-mails.
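The “hash value in the e-mail” mentioned above is the bh= tag of the DKIM-Signature header, and checking it is the part of DKIM verification that needs no cryptographic library. The following added Python example (written for this article, not Hostpoint’s code or any official DKIM implementation) parses the DKIM-Signature header of a constructed message, canonicalizes the body as RFC 6376 prescribes, recomputes the SHA-256 body hash and compares it with bh=, and shows which DNS record the public key would be fetched from. The b= tag (the signature over the headers listed in h=) is left as a placeholder because checking it additionally requires an RSA or Ed25519 implementation; the domain, selector and addresses are hypothetical.

```python
import base64
import hashlib
import re


def canonicalize_body(body, method="relaxed"):
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # Drop whitespace at line ends and collapse runs of WSP to a single space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError("unsupported body canonicalization: " + method)
    while lines and lines[-1] == "":            # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, method="relaxed"):
    """The base64 SHA-256 digest that belongs in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is ignored."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def split_message(raw):
    """Return ([(name, value), ...] with folded header lines joined, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line          # continuation of a folded header
        else:
            headers.append(line)
    parsed = []
    for h in headers:
        name, _, value = h.partition(":")
        parsed.append((name.strip().lower(), value))
    return parsed, body


def check_body_hash(raw):
    """Check the bh= tag of the first DKIM-Signature header against the body."""
    headers, body = split_message(raw)
    sig = next((v for n, v in headers if n == "dkim-signature"), None)
    if sig is None:
        return {"result": "none"}
    tags = parse_tags(sig)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return {"result": "permfail", "reason": "unsupported version or algorithm"}
    if "l" in tags:
        # l= limits the hash to a body prefix, so text could be appended unnoticed;
        # this example refuses such signatures.
        return {"result": "permfail", "reason": "l= tag not accepted"}
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    computed = body_hash(body, body_method)
    return {
        "result": "pass" if computed == tags.get("bh") else "permfail",
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        # Where the public key for the b= check would be fetched from.
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "signed_headers": tags.get("h", "").split(":"),
    }


def sample_message(body, bh=None):
    """Constructed test message. The b= value is a placeholder: this example does
    not produce or verify the header signature."""
    bh = body_hash(body) if bh is None else bh
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=sel2024; h=from:to:subject:date;\r\n"
        f"\tbh={bh};\r\n"
        "\tb=PLACEHOLDER_SIGNATURE\r\n"
        "From: alice@example.com\r\n"
        "To: bob@example.net\r\n"
        "Subject: Invoice\r\n"
        "Date: Mon, 01 Jul 2024 10:00:00 +0000\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    original = "Hello Bob,\r\n\r\nPlease find the invoice attached.\r\n"
    print(check_body_hash(sample_message(original)))
    # Same signature, altered body: the recomputed hash no longer matches bh=.
    tampered = original.replace("invoice", "updated invoice")
    print(check_body_hash(sample_message(tampered, bh=body_hash(original))))
```

The tampered message in the demonstration still carries a syntactically valid DKIM-Signature header; what gives it away is purely the mismatch between the body and bh=. A full verifier would then go on to fetch sel2024._domainkey.example.com from DNS and check b= over the headers named in h=, which is why a missing or wrong DKIM DNS record turns every signature into a failure.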
Since May 2024, Hostpoint has automatically activated DKIM for all domains that were assigned to a web hosting account or a Cloud Office group. For older domains, this must be done manually, as described in more detail in this guide. By default, Hostpoint creates three DKIM records per domain with different key types (rsa1024, rsa2048, ed25519) so that as many recipients as possible can validate the signature. For a successful DKIM check, it is sufficient if at least one of the signatures can be verified.
For users who want to use Hostpoint for e-mail traffic and activate DKIM for domains managed externally, DKIM must be activated with Hostpoint and the DKIM information stored with the external DNS provider. For precise instructions, we recommend reading the article in our Support Center.
Tip:
You can use various online tools (e.g. called “DKIM test” or “DKIM record checker”) to test whether DKIM has been correctly configured for your domain and that your e-mails are correctly signed.
DMARC – rules for non-authenticated e-mails
Domain-based Message Authentication, Reporting and Conformance (DMARC) provides an additional protective layer and builds on DKIM and SPF, enabling them to achieve their full effectiveness.
With DMARC, domain owners can define how they want to handle e-mails that do not pass the SPF or DKIM check. They can decide whether such e-mails should be placed in the spam folder or rejected directly. There are three DMARC policies for this:
- None: The e-mails are delivered as usual and displayed in the recipient’s inbox, regardless of the result of the authentication check. This option is not available with Hostpoint.
- Quarantine: E-mails are accepted by the recipient’s mail server, but sent to the spam/junk folder.
- Reject: E-mails are rejected by the mail server and not delivered, and the sender is usually notified of the failed delivery.
With Hostpoint, the Quarantine policy is the default setting. This can be changed in the Hostpoint Control Panel.
We recommend initially using the DMARC Quarantine policy. This sends suspicious e-mails to the spam folder to test deliverability before stricter measures such as complete rejection are introduced.
Using DMARC, companies can significantly reduce the misuse of their domains through phishing and spoofing attacks. It protects not just the e-mail recipient, but also the reputation of the sender by ensuring that only legitimate messages reach the recipient.
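How a receiving server turns the SPF and DKIM results into one of the three dispositions above is easy to lose sight of, so here is an added Python example (written for this article, not Hostpoint’s code or any official DMARC implementation) that follows RFC 7489: it looks up the _dmarc TXT record for the From domain (falling back to the organizational domain), checks whether the SPF-authenticated domain or a DKIM d= domain is aligned with the From domain in strict or relaxed mode, and applies p=, sp= and pct=. The DNS records and domains are constructed, and the tiny PUBLIC_SUFFIXES set stands in for the Public Suffix List a real receiver would use to find the organizational domain.

```python
# Constructed DNS TXT data for hypothetical domains; a receiver would query DNS.
DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@example.com"
    ),
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=50",
}

# Stand-in for the Public Suffix List that real implementations consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable domain: the label directly below the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def parse_dmarc(txt):
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(from_domain):
    """RFC 7489 policy discovery: the From domain first, then its organizational
    domain. Returns (record, found_at_org_domain)."""
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc(txt), False
    org = organizational_domain(from_domain)
    txt = DNS_TXT.get("_dmarc." + org)
    if txt and org != from_domain.lower():
        return parse_dmarc(txt), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(from_domain, spf, dkim, sampled_in=True):
    """Disposition for one message.

    from_domain: domain of the From header (RFC5322.From)
    spf:         (result, domain SPF was evaluated for), e.g. ("pass", "example.com")
    dkim:        list of (result, d= domain), one entry per DKIM-Signature
    sampled_in:  whether the pct= sample selected this message (receivers pick at random)
    """
    record, at_org = discover_policy(from_domain)
    if record is None or record.get("v") != "DMARC1" or "p" not in record:
        return {"dmarc": "none", "disposition": "none", "reason": "no usable DMARC record"}
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, record.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, record.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    # sp= governs subdomains when the record was found at the organizational domain.
    policy = record["sp"] if at_org and "sp" in record else record["p"]
    if not sampled_in and int(record.get("pct", "100")) < 100:
        # Messages outside the pct= sample get the next less severe policy.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"dmarc": "fail", "disposition": policy, "reason": "no aligned pass"}


if __name__ == "__main__":
    print(evaluate("example.com", ("pass", "mail.example.com"), []))
    print(evaluate("example.com", ("fail", "mailhost.example"), [("pass", "mailhost.example")]))
    print(evaluate("news.example.com", ("none", ""), []))
```

Two details in the example matter in practice: with adkim=s a DKIM signature from mail.example.com no longer counts for a From address at example.com, and a message with a valid DKIM signature from some other domain still fails because DMARC demands alignment, not just any passing signature. Running with pct below 100 is the usual way to move from Quarantine to Reject gradually while watching the aggregate reports sent to the rua= address.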
Please note:
Since August 2024, Hostpoint has automatically activated DMARC for all domains that were assigned to a web hosting account or a Cloud Office group. In all other cases, manual activation is possible. A guide to activating DMARC is available here.
Why domain owners should use DKIM and DMARC
For domain owners and companies, implementing DKIM and DMARC is an important instrument for making e-mail communications more secure. These technologies offer protection against phishing, spoofing and other threats that can be posed by manipulated or fake e-mails.
One common scenario is phishing attacks in which attackers send fake e-mails and pretend to be from a legitimate company. In spoofing attacks, fraudsters attempt to falsify the sender’s address in order to send e-mails with malicious content.
With DKIM and DMARC, such attempts to manipulate e-mails either land harmlessly in the spam folder or are blocked directly before they reach the recipient, depending on the configuration. At the same time, legitimate e-mails that are protected with these technologies are less likely to be blocked by spam filters. This increases the likelihood that these e-mails will arrive in their recipients’ inboxes. Nevertheless, it’s always a good idea to be on the lookout for phishing as even the safest methods can’t protect against it entirely.
If you have questions about DKIM, DMARC or other topics related to e-mail security, Hostpoint Support is at your service. Our team can help with the setup and configuration of these protective measures to make sure that your e-mail communications stay secure.
Contact us via e-mail at support@hostpoint.ch or by phone at 0844 04 04 04 – we’re at your service, in your language, seven days a week from 8 am to 6 pm!