Fighting spam using DKIM and SPF (ISPConfig)
Servgate Fighting Spam
Servgate email hosting clients will have noticed that we have been stepping up our fight against spam in recent months. We have improved both spam and virus filtering, and we hope that you have noticed far fewer spam emails getting through.
But filtering spam is only one part of the game – and it only deals with spam emails received by our servers. We are now implementing two important email standards for fighting spam, both of which allow the recipient of an email we send to verify that it comes from an authorised server. Since August, we have been implementing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) on our mail server, and we urge all our email hosting clients to get in touch with us so that we can also implement both standards for their domains. Below we briefly outline how these two standards work.
Sender Policy Framework (SPF)
SPF (see https://en.wikipedia.org/wiki/Sender_Policy_Framework) is a simple way to expose email spoofing. It allows the receiving mail server to check that the mail has been sent via an authorised server. It does so through a DNS (Domain Name System) record published for the domain, which includes:
- what servers (by name and/or IP address) are authorised to send emails originating from that domain
- what to do if mail from a server not included in the above list is received.
Most spam-filtering software (such as SpamAssassin – which is what we use) will check the SPF DNS record of a domain, and if it exists it will verify that the mail in question comes from an authorised server. If not, the filter can penalise the mail, making it more likely that it will be considered spam. The mechanism is simple and, unfortunately, its effectiveness is limited. Nevertheless, it helps fight spam and is a widely used standard.
DomainKeys Identified Mail (DKIM)
DKIM (see https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) goes further. As the Wikipedia article explains: DKIM “allow[s] receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.”
DKIM consists of several parts. The outgoing mail server (our SMTP server at mx.netuxo.co.uk) signs outgoing email (the entire message including attachments) of a domain using a specific private key, which is unique for each domain. This DKIM signature is then included as a special header in the email. The receiving mail server will retrieve the public key of the domain from the published DKIM DNS record, which it can then use to verify the signature. Thus, DKIM makes it possible to verify that the email comes from an authorised server (as it is signed) and that it has not been tampered with en route (as the signature can be verified).
As with SPF, what is required is a specific DNS record for the domain which includes the public domain key.
Over to you
For now, we are only signing our own emails with DKIM, and we have published a DNS record for netuxo.co.uk and netuxo.com. However, we would very much like to also sign the emails that you send via our server. To do so, we need your help:
- if we also manage your domain, we can add the required DNS records. However, we need you to tell us if you also send emails via other servers and which ones they are, so that we can create the correct SPF policy and DNS record. For DKIM, we can create the DKIM key pair and publish the respective DNS record;
- if you manage your domain yourself, but have set mx.netuxo.co.uk as your MX record (meaning we deal with your email), then you will need to add the DNS records for both SPF and DKIM yourself. We can give you the details of the DNS record for DKIM (which include the public key), and can assist you in creating your SPF record and in adding the DNS records to your domain. However, as this depends very much on who your domain registrar is, and whether your registrar supports the required DNS record, this goes beyond the scope of this blog post.
According to Kaspersky Lab, in Q1 2019, the proportion of spam in email traffic was 59.2% (see https://securelist.com/analysis/quarterly-spam-reports/69932/spam-and-phishing-in-the-first-quarter-of-2015/). This is down from the high estimates of over 80% from five years ago, but spam is not only a nuisance; it also puts stress on email systems. Fighting spam requires our continued efforts. So please get in touch and help us to do so…