Building Trust 2 October 2017

Best Practices: Email Authentication – SPF, DKIM, and DMARC

Email security, authentication, and related best practices are the foundation of the Internet Society’s Online Trust Alliance work to promote the integrity of email and standards to counter email fraud and phishing. OTA publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel.

Three email authentication standards, SPF, DKIM and DMARC, form one of the major components of the annual Online Trust Audit.

The Figure below outlines how email authentication lets ISPs and receiving networks detect and block spoofed and forged email. (See the related overview and recommendation of TLS for email, which helps protect the privacy of email in transit.)

Best Practices

OTA recognizes the critical role email plays in today’s online ecosystem, and publishes the following recommendations:

  1. Implement both SPF and DKIM for the organization's primary (top-level) domains, “parked” domains that send no email (whose SPF record is simply “v=spf1 -all”) and any major subdomains seen on websites or used for email.
  2. Keep SPF records within the limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect, counted across every nested include); a record that exceeds the limit fails evaluation with a permanent error and provides no protection.
  3. Implement DMARC, initially in “monitor” mode (p=none) to get receiver feedback and verify the accuracy of email authentication, then move to “enforcement” by signalling a “quarantine” or “reject” policy (p=quarantine or p=reject) to receivers.
  4. Mandate the use of DMARC reporting capabilities, requesting both RUA (aggregate) and RUF (message-specific forensic) reports; note that not all receivers send forensic reports, so aggregate reports are the feedback stream to rely on.
  5. Implement inbound email authentication checks (SPF, DKIM and DMARC evaluation) on all networks to help protect against malicious email and spear phishing purporting to come from legitimate senders.
  6. Implement opportunistic TLS (STARTTLS) to protect email in transit between mail servers.
  7. Ensure that domains are locked at the registrar (transfer and update locks) to prevent domain takeovers.
  8. Implement DNSSEC to help protect a site’s DNS infrastructure, including the TXT records that carry SPF and DMARC policy.
  9. Deploy IPv6.
  10. Implement Distributed Denial of Service (DDoS) mitigation technologies and processes.
  11. Implement multi-factor authentication.
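The following is an added example, not OTA's own tooling, that checks items 1 to 4 of the list above offline: it counts the DNS-querying terms an SPF record pulls in through nested include and redirect (the 10-lookup limit of RFC 7208), and classifies a DMARC record as monitor or enforcement stage with its reporting tags. All domain names, addresses and mailboxes in the TXT dictionary are constructed for the example; a real check would resolve them with a DNS client instead.

```python
"""Offline SPF lookup-count and DMARC policy checks (RFC 7208 s4.6.4, RFC 7489).

Example code added to this page, not OTA's own tooling. TXT records come
from the constructed dictionary below instead of live DNS queries."""

# Constructed sample zone data: DNS name -> list of TXT strings.
# Names, addresses and mailboxes are illustrative only.
TXT = {
    "example.com": ["v=spf1 include:_spf.example.net include:spf.mailer.test mx -all"],
    "_spf.example.net": ["v=spf1 ip4:192.0.2.0/24 a:relay.example.net -all"],
    "spf.mailer.test": ["v=spf1 include:pool1.mailer.test include:pool2.mailer.test ~all"],
    "pool1.mailer.test": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "pool2.mailer.test": ["v=spf1 a mx ptr exists:%{i}.chk.mailer.test -all"],
    # pulls in both trees above and blows through the limit
    "bloated.example": ["v=spf1 include:example.com include:spf.mailer.test -all"],
    "redir.example": ["v=spf1 redirect=_spf.example.net"],
    "parked.example": ["v=spf1 -all"],   # parked domain: sends no mail
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com; "
        "ruf=mailto:dmarc-ruf@example.com; fo=1"
    ],
    "_dmarc.parked.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

SPF_LIMIT = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # ip4, ip6, all cost nothing


def spf_record(name, txt=TXT):
    """The single v=spf1 TXT record for name, or None if absent or duplicated."""
    recs = [r for r in txt.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def spf_lookups(name, txt=TXT, path=()):
    """Count DNS-querying terms reachable from name's SPF record, following
    include: and redirect= recursively. Every evaluation of a term costs a
    lookup, so a target included twice is counted twice, as receivers do."""
    if name in path:                          # include loop: stop descending
        return 0
    path = path + (name,)
    rec = spf_record(name, txt)
    if rec is None:
        return 0
    total = 0
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier
        if "=" in term.split(":", 1)[0]:      # modifier such as redirect= or exp=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                total += 1 + spf_lookups(target, txt, path)
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()     # "a/24" -> "a"
        if mech in LOOKUP_MECHS:
            total += 1                        # the term itself costs one query
            if mech == "include":
                total += spf_lookups(arg, txt, path)
    return total


def check_spf(name, txt=TXT):
    """Verdict for one domain: exactly one record, and within the limit."""
    rec = spf_record(name, txt)
    n = spf_lookups(name, txt) if rec else 0
    return {"record": rec, "lookups": n, "ok": rec is not None and n <= SPF_LIMIT}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags


def dmarc_status(domain, txt=TXT):
    """Classify the DMARC policy published at _dmarc.<domain> as the page's
    monitor (p=none) or enforcement (p=quarantine/p=reject) stage, and report
    which feedback streams (rua aggregate, ruf forensic) it requests."""
    recs = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:                        # absent, or duplicated (invalid)
        return {"stage": "none", "policy": None, "rua": False, "ruf": False, "pct": 0}
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    stage = {"none": "monitor", "quarantine": "enforcement",
             "reject": "enforcement"}.get(policy, "invalid")
    return {
        "stage": stage,
        "policy": policy,
        "rua": "rua" in tags,
        "ruf": "ruf" in tags,
        "pct": int(tags.get("pct", "100")),   # default: policy applies to all mail
    }


if __name__ == "__main__":
    for d in ("example.com", "bloated.example", "redir.example", "parked.example"):
        print(f"{d:18} SPF   {check_spf(d)}")
    for d in ("example.com", "parked.example", "nodmarc.example"):
        print(f"{d:18} DMARC {dmarc_status(d)}")
```

In the constructed data, example.com sits exactly at 10 lookups (the two includes expand to nine, plus mx), while bloated.example reaches 18 because each include term is charged again every time it is evaluated; flattening the third-party includes into ip4/ip6 terms is the usual fix. The DMARC check only reads the domain's own _dmarc record; a production check must also apply the organizational-domain fallback and the sp tag that RFC 7489 defines for subdomains, which is what item 1's subdomain requirement depends on.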

