Email alphabet soup
Modern email involves a confusing array of different acronyms. Most of these are attempts to fix the problem of email being fundamentally insecure, with no way to authenticate the sender of an email. The remainder are attempts to fix the new problems created by attempting to fix the first problem.
This blog post tries to provide a concise glossary of these different technologies, and the associated DNS records and URLs needed to make them go.
SPF: Sender Policy Framework
Publish a list of servers that are allowed to send mail from your domain.
SPF is published as a DNS TXT record for the domain itself (an apex record), which states which servers are allowed to send mail from your domain. For example:
example.com. IN TXT "v=spf1 include:_spf.mythic-beasts.com ~all"
SPF breaks email forwarding, unless you use SRS. SPF only restricts the “envelope sender”, which is not normally visible to end users.
SRS: Sender Rewriting Scheme
Rewrite sender addresses when forwarding mail in order to avoid failing SPF checks.
SRS is a technique used when forwarding email that replaces the original sender address with an address in your own domain. SRS only affects the envelope sender, which is not normally visible to end users. SRS allows email forwarding to work with SPF.
DKIM: DomainKeys Identified Mail
Digitally sign email envelopes.
Public keys are published in DNS records, allowing recipients to verify that the email is authentic. Public keys are published as TXT records within the _domainkey subdomain. For example:
mythic-beasts-k1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG...."
The first part of the hostname (the selector) is a unique identifier for the key. The signature is added to the email as a DKIM-Signature header. The header includes a field (the s field) with the name of the key used to sign the message.
DMARC: Domain-based Message Authentication, Reporting and Conformance
Tell recipients to reject email from your domain if it isn’t DKIM signed and doesn’t pass SPF.
DMARC is a mechanism that allows a domain owner to assert that all email sent will pass either DKIM or SPF validation, and that, if it doesn’t, recipients should reject it. DMARC subtly changes SPF behaviour so that it binds the “From” address (which is the one that users usually see) rather than the envelope sender. It breaks email forwarding even with SRS unless messages are DKIM signed. Example DMARC record:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=postmaster@example.com"
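To make the alignment point concrete, here is an added example (not code from the original post) of a minimal DMARC evaluator: it parses the tag=value records shown above and decides whether a message passes, or which policy disposition applies, given the SPF envelope-sender domain and the DKIM signing domain. It assumes a simplified organisational-domain rule (last two labels) in place of the Public Suffix List, and the scenario domains (forwarder.net, mail.example.com) are constructed.

```python
def parse_tag_value(record: str) -> dict:
    """Parse 'tag=value; tag=value' syntax, as used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains; strict ('s') is exact."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(record, header_from, spf_result, envelope_from,
                   dkim_result, dkim_domain):
    """Return 'pass', or the policy disposition (none/quarantine/reject) to apply."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # DMARC needs an authenticated identifier that *aligns* with the From domain,
    # not merely an SPF or DKIM pass for some unrelated domain.
    spf_ok = spf_result == "pass" and aligned(header_from, envelope_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed scenarios using the DMARC record from the post.
POLICY = "v=DMARC1; p=reject; rua=postmaster@example.com"

if __name__ == "__main__":
    # Direct delivery: SPF and DKIM both align with the From domain -> pass.
    print(dmarc_evaluate(POLICY, "example.com", "pass", "example.com", "pass", "example.com"))
    # Forwarded with SRS: SPF passes for the forwarder's domain, but that is not
    # aligned, and the message was never DKIM signed -> reject.
    print(dmarc_evaluate(POLICY, "example.com", "pass", "forwarder.net", "none", ""))
    # Forwarded with SRS but the original DKIM signature survived -> pass.
    print(dmarc_evaluate(POLICY, "example.com", "pass", "forwarder.net", "pass", "example.com"))
```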
ARC: Authenticated Received Chain
Enable mailing lists to forward DKIM-signed emails.
ARC allows a system that forwards mail to provide a digitally-signed summary of the results of SPF, DKIM and DMARC validation at the point that it was received by the forwarding server. This enables the intermediary system to make changes to the message (such as adding a mailing list footer) that will break the original DKIM signature, but still allow the final receiver to verify its integrity. ARC relies on recipients trusting the intermediary. ARC uses the same DNS-published DomainKeys as DKIM.
DANE: DNS-based Authentication of Named Entities
Publish TLS certificates in DNS, and require TLS when connecting to your servers.
DANE is not specific to email, but it can be used to enforce the use of secure TLS connections when mail servers talk to each other. In the absence of DANE, mail servers will generally try to use TLS if possible, but fall back on an insecure connection if it doesn’t work. By publishing a TLSA DNS record, a domain can enforce that TLS is used when delivering mail to the servers listed in its MX records. DANE relies on DNSSEC, and also provides an alternative to Certificate Authority-based authentication of TLS certificates.
MTA-STS: Mail Transfer Agent Strict Transport Security
Require TLS when connecting to your servers by publishing a policy at a well known URL.
MTA-STS allows you to require secure TLS connections when mail servers connect to your server by publishing a machine-readable policy at a well-known URL (https://example.com/.well-known/mta-sts.txt). MTA-STS is an HTTPS-based alternative to the TLS-enforcement part of DANE.