Building Trust 2 October 2017

Best Practices: Email Authentication – SPF, DKIM, and DMARC

Email security, authentication, and related best practices are the foundation of the Internet Society’s Online Trust Alliance work to promote the integrity of email and standards to counter email fraud and phishing. OTA publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel.

Three email authentication standards, SPF, DKIM, and DMARC, form one of the major components of the annual Online Trust Audit.

The figure below outlines how email authentication gives ISPs and receiving networks the ability to detect and block spoofed and forged email. (See the related overview and recommendation of TLS for email, which helps protect the privacy of email in transit.)

Best Practices

OTA recognizes the critical role email plays in today’s online ecosystem, and publishes the following recommendations:

  1. Implement both SPF and DKIM for top-level domains, “parked” domains (not used for email) and any major subdomains seen on websites or used for email.
  2. Optimize SPF records so that evaluating them requires no more than 10 DNS lookups.
  3. Implement DMARC, initially in “monitor” mode to get receiver feedback and verify accuracy of email authentication, and eventually move to “enforcement” (signal a “reject” or “quarantine” policy to receivers).
  4. Mandate the use of DMARC reporting capabilities with RUA (aggregate) and RUF (message-specific forensic) reports.
  5. Implement inbound email authentication checks and DMARC on all networks to help protect against malicious email and spear phishing purporting to come from legitimate senders.
  6. Implement opportunistic TLS to protect email in transit between mail servers.
  7. Ensure that domains are locked to prevent domain takeovers.
  8. Implement DNSSEC to help protect a site’s DNS infrastructure.
  9. Deploy IPv6.
  10. Implement Distributed Denial of Service (DDoS) mitigation technologies and processes.
  11. Implement multi-factor authentication.
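As an added example (constructed for this page, not OTA's own tooling), the following Python checks recommendations 2 to 4 against DNS TXT records: it counts the DNS lookups an SPF record chain can trigger against the 10-lookup limit, then inspects the `_dmarc` record for the policy mode and the rua/ruf reporting addresses. The zone contents and domain names are assumptions embedded inline so it runs offline.

```python
import re
# Constructed sample zone (TXT records keyed by name); not real DNS data.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example mx a -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mailer.example": "v=spf1 exists:%{i}.check.mailer.example -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:ruf@example.com",
}
# SPF terms that each cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookup_count(domain, zone=ZONE, seen=None):
    """Count the DNS lookups that evaluating `domain`'s SPF record can trigger."""
    seen = set() if seen is None else seen
    if domain in seen:          # guard against include/redirect loops
        return 0
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=](\S*))?", term)
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect") and target:
                count += spf_lookup_count(target, zone, seen)  # follow the chain
    return count

def dmarc_tags(domain, zone=ZONE):
    """Parse the _dmarc TXT record into a tag dict, or None if there is no valid record."""
    record = zone.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def audit(domain, zone=ZONE):
    """Apply recommendations 2 to 4: lookup budget, DMARC present, reporting configured."""
    findings, lookups, tags = [], spf_lookup_count(domain, zone), dmarc_tags(domain, zone)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10")
    if tags is None:
        return findings + ["no DMARC record"]
    if tags.get("p") == "none":
        findings.append("DMARC in monitor mode (p=none); move to quarantine/reject")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag not in tags:
            findings.append(f"no {tag} ({kind}) report address")
    return findings
```

Replacing the `zone` dict with a live TXT resolver turns this into a check that can run against a real domain.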
