Detailed explanation of SPF, DKIM, DMARC, ARC
- Apr 26, 2024
- 3 min read
Updated: Jan 29
Updated on 28 January, 2025
Email security has always been a challenge because the Simple Mail Transfer Protocol (SMTP) wasn’t built with security in mind: nothing in the protocol itself ties the address in the From: header to the server that actually delivered the message. This makes it easy for cybercriminals to spoof email addresses and launch phishing, scam, or spam attacks. Over time, several email authentication mechanisms have been layered on top of SMTP to help verify senders and detect fraudulent messages. When analyzing an email header, you’ll often see these security measures in action, mostly in the Received-SPF, DKIM-Signature, ARC-* and Authentication-Results header fields.
------------------------------------------------------------------------------------------------------------
Sender Policy Framework (SPF)
SPF lets a domain owner publish, in a DNS TXT record, which mail servers may send mail using that domain as the SMTP envelope sender (the MAIL FROM address, shown in the header as Return-Path). The receiving server compares the IP address of the connecting server with that record and writes the outcome into the Received-SPF header (and into Authentication-Results).
Think of SPF as a guest list for a party: only specific mail servers are allowed to send emails on behalf of a domain. If an email comes from an unauthorized source, it fails SPF, raising a red flag.
Received-SPF: pass (google.com: domain of n0459381b14-ceb4982011ad4618-nikopirosmani22===gmail.com@bounce.twitter.com designates 199.16.156.176 as permitted sender) client-ip=199.16.156.176;
Header Entry:
Received-SPF: This header field records the outcome of the SPF check. The possible results are pass, fail, softfail, neutral, none, temperror and permerror. A "pass" means the connecting IP is authorized for the envelope-sender domain; a "fail" means the domain explicitly does not authorize it and is a strong signal of spoofing or misconfiguration. Note which domain is checked in the example above: bounce.twitter.com, the envelope sender, not the address a user would see in the From: header. SPF on its own says nothing about the From: address; tying the two together is DMARC's job.
Example: if an email's envelope sender is at outlook.com, the SPF record lets the receiver confirm that it was actually sent by Microsoft's mail servers.
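The SPF check described above, written out as an added example (not code from the original post): a simplified RFC 7208 check_host() that evaluates a client IP against an SPF record, handling ip4, ip6, include, redirect and all with all four qualifiers and the 10-lookup limit. The records in FAKE_TXT and the domains bounce.example.com and _spf.mailer.example are constructed for the example so it runs without DNS; a real checker fetches each domain's TXT record instead.

```python
import ipaddress

# Constructed SPF records (not real DNS data) so the example runs offline.
# A real checker would fetch each domain's TXT record.
FAKE_TXT = {
    "bounce.example.com": "v=spf1 ip4:199.16.156.0/22 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/redirect lookups per check


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    record = txt.get(domain.lower())
    if record and record.lower().split()[:1] == ["v=spf1"]:
        return record
    return None


def check_host(ip, domain, txt=FAKE_TXT, _lookups=None):
    """Simplified RFC 7208 check_host(): evaluate a client IP against a domain's SPF record.

    Handles ip4, ip6, include, redirect and all with every qualifier. Mechanisms that
    need more DNS (a, mx, ptr, exists) return permerror so the gap is visible, not silent.
    Results: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    client = ipaddress.ip_address(ip)
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                      # modifier, e.g. redirect= or exp=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = client.version == net.version and client in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, txt, lookups)
            if sub in ("none", "permerror"):  # RFC 7208 s5.2: included domain must exist
                return "permerror"
            matched = sub == "pass"           # fail/softfail/neutral inside include: no match
        else:
            return "permerror"                # a, mx, ptr, exists: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                              # redirect= applies only if nothing matched
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, txt, lookups)
    return "neutral"                          # no match and no "all": default result


def received_spf(ip, envelope_from, txt=FAKE_TXT):
    """Render the verdict the way a receiver writes it into Received-SPF."""
    domain = envelope_from.rpartition("@")[2]
    result = check_host(ip, domain, txt)
    verb = "designates" if result == "pass" else "does not designate"
    return (f"Received-SPF: {result} (domain of {envelope_from} {verb} {ip} "
            f"as permitted sender) client-ip={ip};")


if __name__ == "__main__":
    for ip in ("199.16.156.176", "203.0.113.9", "2001:db8::1", "198.51.100.1"):
        print(received_spf(ip, "bounces@bounce.example.com"))
```

The domain passed to check_host is the envelope-sender domain, which is why the Received-SPF line names bounce.twitter.com rather than twitter.com. An included record that is missing yields permerror rather than a silent non-match, and the lookup counter stops a record that includes itself.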
------------------------------------------------------------------------------------------------------------
DomainKeys Identified Mail (DKIM)
DKIM takes email authentication a step further by verifying the signing domain and the integrity of the signed content. The sending server adds a digital signature in a DKIM-Signature header; the receiver fetches the public key from DNS (the selector s= under _domainkey of the domain d=) and checks the signature. If it is valid, it confirms two things:
The message was signed by the domain named in the d= tag (which is not necessarily the domain in the From: header).
The signed headers (listed in h=) and the body (hashed in bh=) weren't tampered with in transit.
Header Entry:
DKIM-Signature: This header field carries the signature (b=), the body hash (bh=), the signing domain (d=), the selector (s=), the canonicalization method (c=) and the list of signed headers (h=). The verdict itself is not in this header: the receiving server records dkim=pass or dkim=fail, together with header.d, in the Authentication-Results header.
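The integrity half of DKIM, as an added example rather than code from the original post: parsing the DKIM-Signature tag list, canonicalizing the body with the simple or relaxed method from RFC 6376, and comparing the computed body hash with the bh= tag. The message, domain example.com and selector sel2025 are constructed for the example; sign_body_only only fills in bh= and leaves b= empty because the example has no signing key, so the b= signature (which needs the public key from DNS) is not checked here.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict; folding whitespace inside values
    is dropped, as RFC 6376 section 3.2 requires for bh= and b=."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, method):
    """RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed) body canonicalization."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # collapse runs of whitespace to one space and strip trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":          # drop trailing empty lines
        lines.pop()
    if not lines:
        return "" if method == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method, algorithm="rsa-sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.lower().endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method).encode()).digest()).decode()


def split_message(raw):
    """Split a CRLF-terminated RFC 5322 message into unfolded header lines and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line      # continuation of the previous header
        else:
            headers.append(line)
    return headers, body


def check_dkim_body_hash(raw):
    """Return (ok, detail). Only bh= is checked here; checking b= as well needs the
    selector's public key from DNS (<s>._domainkey.<d> TXT), which dkimpy fetches."""
    headers, body = split_message(raw)
    sig = next((h.partition(":")[2] for h in headers
                if h.partition(":")[0].strip().lower() == "dkim-signature"), None)
    if sig is None:
        return False, "no DKIM-Signature header"
    tags = parse_tags(sig)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if "l" in tags:
        # l= limits the hash to the first l bytes; anything appended after that is unsigned
        return False, "l= tag present: body hash covers only part of the body, treat as suspicious"
    computed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    if computed == tags.get("bh"):
        return True, f"bh matches (d={tags.get('d')} s={tags.get('s')} c={body_canon})"
    return False, f"bh mismatch: header has {tags.get('bh')}, body hashes to {computed}"


def sign_body_only(headers, body, domain, selector, canon="relaxed/relaxed"):
    """Build a message whose DKIM-Signature carries a correct bh= (b= is left empty
    because this example has no private key); enough to exercise the bh check."""
    bh = body_hash(body, canon.partition("/")[2] or "simple")
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c={canon}; d={domain}; s={selector};"
           f" h=from:to:subject:date; bh={bh}; b=")
    return "\r\n".join([sig] + headers) + "\r\n\r\n" + body


# Constructed message, not one from a real mailbox.
HEADERS = ["From: billing@example.com", "To: alice@example.org",
           "Subject: Invoice 42", "Date: Tue, 28 Jan 2025 10:00:00 +0000"]
BODY = "Please review the attached invoice.\r\n\r\nThanks,\r\nAccounts\r\n"
PRISTINE = sign_body_only(HEADERS, BODY, "example.com", "sel2025")
TAMPERED = PRISTINE.replace("attached invoice", "invoice at http://pay.invalid")
RESPACED = PRISTINE.replace("Thanks,\r\n", "Thanks,   \r\n")      # relaxed tolerates this
FOOTERED = PRISTINE + "-- \r\nSent via list.example\r\n"         # what a mailing list does

if __name__ == "__main__":
    for label, msg in [("pristine", PRISTINE), ("tampered", TAMPERED),
                       ("respaced", RESPACED), ("footer added", FOOTERED)]:
        print(label, check_dkim_body_hash(msg))
```

Two of the cases are worth noting for investigations: relaxed canonicalization forgives trailing whitespace changes, which is why a message re-saved by a client may still verify, while a mailing-list footer changes the body hash and breaks DKIM, which is the situation ARC was designed for. An l= tag is treated as a finding rather than honoured, since it lets unsigned text be appended below the signed part.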
------------------------------------------------------------------------------------------------------------
Authenticated Received Chain (ARC)
Emails often get forwarded through mailing lists, auto-forwarding, or relays.
When that happens, SPF fails because the forwarding server's IP address is not in the original domain's SPF record, and DKIM fails if the intermediary changes signed content (a subject-line tag, a list footer). That's where ARC comes in: it records the authentication results at each hop and signs them, so the chain of custody survives the forwarding.
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-2016081 h=feedback-id:message-id:precedence:list-unsubscribe:mime-version:subject:to:from:date:dkim-signature;
Every ARC-aware hop adds a set of three headers: ARC-Authentication-Results (the SPF, DKIM and DMARC results it saw on arrival), ARC-Message-Signature (a DKIM-style signature over the message as it forwards it) and ARC-Seal (a signature over the whole chain so far, whose cv= tag records whether the previous chain validated). Each set carries an instance number, i=1 for the first hop, i=2 for the next, and so on. If SPF and DKIM fail at the final receiver because of forwarding, the receiver can look back at the i=1 results and, provided it trusts the sealing domains, accept the message on that basis. ARC therefore moves the question to whether the intermediaries are trusted: a chain sealed by an unknown domain proves nothing. Google was one of the first major email providers to adopt ARC, followed by Microsoft 365 and others.
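The structural rules for an ARC chain from RFC 8617, as an added example (not code from the original post): instances must run 1..N without gaps, each instance needs all three headers, only the first seal may carry cv=none and every later one must carry cv=pass, and each sealer must be a domain the receiver trusts. The headers in SAMPLE_HEADERS and the domains list.example, forwarder.example and sender.example are constructed for the example with placeholder signature values, so the seals' b= values are not cryptographically verified here; that step needs each sealer's DNS key (dkimpy implements it).

```python
import re
from collections import defaultdict

# Constructed headers (not a real capture) for a message that passed through two
# intermediaries: instance 1 is a mailing list, instance 2 a forwarding mailbox.
# Signature values are placeholders; this check covers the chain's structure only.
SAMPLE_HEADERS = [
    "ARC-Seal: i=2; a=rsa-sha256; t=1738058400; cv=pass; d=forwarder.example; s=arc2; b=PLACEHOLDER",
    "ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; s=arc2; "
    "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "ARC-Authentication-Results: i=2; forwarder.example; spf=pass smtp.mailfrom=bounce.list.example; "
    "dkim=fail header.d=sender.example; dmarc=fail header.from=sender.example",
    "ARC-Seal: i=1; a=rsa-sha256; t=1738054800; cv=none; d=list.example; s=arc1; b=PLACEHOLDER",
    "ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=arc1; "
    "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "ARC-Authentication-Results: i=1; list.example; spf=pass smtp.mailfrom=sender.example; "
    "dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example",
    "DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: alice@sender.example",
]

ARC_FIELDS = ("arc-seal", "arc-message-signature", "arc-authentication-results")
MAX_INSTANCES = 50  # RFC 8617 section 4.2.1


def validate_arc_chain(headers, trusted_sealers):
    """Structural check of an ARC chain (RFC 8617 sections 4.1 and 5.2).

    Returns (status, sets, reason): status is "none" (no chain), "fail" or "pass";
    sets maps each instance number to its three header values. "pass" means the
    chain is well formed and every sealer is in trusted_sealers; the seals' b=
    signatures are not verified here.
    """
    sets = defaultdict(dict)
    for header in headers:
        name, _, value = header.partition(":")
        name = name.strip().lower()
        if name not in ARC_FIELDS:
            continue
        m = re.search(r"(?:^|;)\s*i=(\d+)\s*(?:;|$)", value)
        if not m:
            return "fail", {}, f"{name} without an i= tag"
        i = int(m.group(1))
        if name in sets[i]:
            return "fail", {}, f"duplicate {name} for i={i}"
        sets[i][name] = value.strip()
    if not sets:
        return "none", {}, "no ARC headers"
    n = max(sets)
    if n > MAX_INSTANCES or sorted(sets) != list(range(1, n + 1)):
        return "fail", dict(sets), "instances are not a contiguous 1..N"
    for i in range(1, n + 1):
        if set(sets[i]) != set(ARC_FIELDS):
            return "fail", dict(sets), f"instance {i} lacks one of the three ARC headers"
        seal = sets[i]["arc-seal"]
        m = re.search(r"\bcv=(\w+)", seal)
        cv = m.group(1).lower() if m else ""
        expected = "none" if i == 1 else "pass"   # only the first seal may say cv=none
        if cv != expected:
            return "fail", dict(sets), f"instance {i} has cv={cv or '?'}, expected {expected}"
        m = re.search(r"\bd=([^;\s]+)", seal)
        sealer = m.group(1).lower() if m else ""
        if sealer not in trusted_sealers:
            return "fail", dict(sets), f"instance {i} sealed by untrusted domain {sealer or '?'}"
    return "pass", dict(sets), f"well-formed chain of {n} hop(s)"


def original_results(sets):
    """Pull spf/dkim/dmarc results out of the oldest ARC-Authentication-Results (i=1),
    i.e. what the first ARC-aware hop saw before forwarding broke SPF and DKIM."""
    aar = sets.get(1, {}).get("arc-authentication-results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", aar, re.I)}


if __name__ == "__main__":
    status, sets, reason = validate_arc_chain(SAMPLE_HEADERS, {"list.example", "forwarder.example"})
    print(status, reason, original_results(sets))
```

Run against the sample, the chain is well formed and the i=1 results show the message passed SPF, DKIM and DMARC at the mailing list before the list's footer broke the signature. Drop forwarder.example from the trusted set and the same chain fails, which is the point: ARC results are only as good as the receiver's trust in the sealers.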
------------------------------------------------------------------------------------------------------------
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC builds on SPF and DKIM in two ways. First, it ties them to the address the user actually sees: the From: header domain must align with the SPF envelope-sender domain or with the DKIM d= domain (an exact match under strict alignment, the same organizational domain under relaxed alignment). Without this, an attacker who passes SPF and DKIM for a domain they own could still put someone else's address in From:. Second, it lets the domain owner publish, in a TXT record at _dmarc.<domain>, what the receiver should do when neither aligned check passes. The policy (p=) can be set to:
None (just monitor emails without blocking them)
Quarantine (send suspicious emails to the spam folder)
Reject (completely block failed emails from delivery)
Header Entry:
dmarc=: DMARC has no header field of its own; the receiving server records the verdict in the Authentication-Results header as dmarc=pass, dmarc=fail or dmarc=none, usually alongside the header.from domain it evaluated and the policy it applied (for example p=REJECT or p=NONE). The published policy itself lives in DNS, and the domain owner can also request aggregate (rua=) and failure (ruf=) reports from receivers, which are useful evidence of a spoofing campaign.
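DMARC alignment and policy selection as a receiver applies them, written as an added example (not code from the original post). It takes an Authentication-Results value and the From: domain, checks whether the SPF or DKIM identifier aligns with From: under the adkim=/aspf= modes, and returns the disposition from p= (or sp= for subdomains). FAKE_DMARC and the domains sender.example, attacker.example and list.example are constructed for the example in place of real _dmarc TXT lookups; the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List, and pct= sampling is not modelled.

```python
import re

# Constructed DMARC records keyed by domain (real ones are TXT records at _dmarc.<domain>).
FAKE_DMARC = {
    "sender.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@sender.example",
}


def organizational_domain(domain):
    """Simplification: DMARC derives this from the Public Suffix List; here it is the
    last two labels, which is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict needs an exact match,
    relaxed only needs the same organizational domain."""
    if not identifier_domain:
        return False
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(auth_results, from_domain, dmarc_txt=FAKE_DMARC):
    """Apply DMARC to a message given its Authentication-Results value and From: domain.

    Returns (result, disposition, reasons): result is pass/fail/none and disposition
    is none/quarantine/reject. pct= sampling and rua/ruf reporting are not modelled.
    """
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    # RFC 7489 section 6.6.3: look up the From: domain first, then its organizational domain
    record = dmarc_txt.get(from_domain) or dmarc_txt.get(org)
    if not record or not record.lower().startswith("v=dmarc1"):
        return "none", "none", "no DMARC record published"
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;\s]+)", record))
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    reasons, spf_ok, dkim_ok = [], False, False

    m = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=([^;\s]+))?", auth_results, re.I)
    if m and m.group(1).lower() == "pass":
        mail_from = (m.group(2) or "").rpartition("@")[2]   # bare domain or full address
        spf_ok = aligned(mail_from, from_domain, aspf)
        reasons.append(f"spf pass for {mail_from or '?'}: {'aligned' if spf_ok else 'not aligned'} (aspf={aspf})")

    # a message may carry several DKIM signatures; any aligned passing one is enough
    for result, d in re.findall(r"\bdkim=(\w+)(?:[^;]*?header\.d=([^;\s]+))?", auth_results, re.I):
        if result.lower() == "pass":
            ok = aligned(d, from_domain, adkim)
            dkim_ok = dkim_ok or ok
            reasons.append(f"dkim pass for d={d or '?'}: {'aligned' if ok else 'not aligned'} (adkim={adkim})")

    if spf_ok or dkim_ok:
        return "pass", "none", "; ".join(reasons)
    policy = tags.get("p", "none").lower()
    if from_domain != org and "sp" in tags:   # sp= overrides p= for subdomains
        policy = tags["sp"].lower()
    return "fail", policy, "; ".join(reasons) or "no passing, aligned identifier"


# Constructed Authentication-Results values, not real captures.
CASES = [
    ("mx.example.org; spf=pass smtp.mailfrom=bounces@bounce.sender.example; "
     "dkim=pass header.d=sender.example header.s=s1", "sender.example"),
    # attacker's own domain passes SPF and DKIM but the visible From: is spoofed
    ("mx.example.org; spf=pass smtp.mailfrom=attacker.example; "
     "dkim=pass header.d=attacker.example", "sender.example"),
    # forwarded through a mailing list that rewrote MAIL FROM and broke the signature
    ("mx.example.org; spf=pass smtp.mailfrom=bounce.list.example; "
     "dkim=fail header.d=sender.example", "sender.example"),
    # subdomain From: with strict DKIM alignment falls under sp=
    ("mx.example.org; spf=none; dkim=pass header.d=mail.sender.example", "news.sender.example"),
]

if __name__ == "__main__":
    for auth, dom in CASES:
        print(dom, evaluate_dmarc(auth, dom))
```

The second case is the one that matters most when reading headers: spf=pass and dkim=pass both appear, yet DMARC fails and the message is rejected, because neither passing identifier belongs to the From: domain. Reading "spf=pass" in isolation is therefore not enough to call a message legitimate.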
------------------------------------------------------------------------------------------------------------
Verifying Email Authentication for Investigations
If you're investigating a suspicious email, checking SPF, DKIM, ARC, and DMARC records can help confirm its legitimacy. Here are some practical tools:
MxToolbox – Checks SPF records and other email security details.
dkimpy (Python library) – Validates DKIM and ARC signatures.
Metaspike Forensic Email Intelligence – Automates email header analysis for forensic investigations.
Limitations of Email Authentication
While these security measures are powerful, they aren’t foolproof. Here’s what you should keep in mind:
Not all email providers use SPF, DKIM, and ARC.
DKIM and ARC signatures can no longer be verified once the signing domain rotates its keys and removes the old selector from DNS, so a signature on an older email may be unverifiable even though it was valid when sent. Record the selector's DNS public key at collection time if you expect to need it later.
These headers are added by receiving servers, so they exist only on received copies; a message in the sender's Sent Items has no Received-SPF, Authentication-Results or ARC headers to check.
Microsoft Outlook and Exchange store messages in their own internal form and regenerate headers and body on export, so DKIM body hashes rarely match for emails extracted from PST/OST files.
To ensure authenticity, collect emails in their original MIME format (EML, EMLX, or MBOX).
Implications for Digital Forensics
Enhanced Verification: SPF, DKIM, and DMARC provide digital forensic professionals with additional tools for email verification and authentication, enhancing the accuracy and reliability of forensic investigations.
Policy Interpretation: Understanding DMARC policies can help investigators interpret email handling procedures and identify potential red flags or suspicious activities.
Privacy and Compliance: While these protocols enhance security, forensic professionals must also ensure that their methods align with privacy regulations like GDPR, respecting user consent and data protection rights.
Conclusion
SPF, DKIM, and DMARC protocols have become integral components of modern email security, offering robust mechanisms for authentication, integrity, and policy enforcement. As these protocols continue to evolve, digital forensic professionals must stay updated with the latest trends and practices to effectively navigate the complexities of email-based investigations, ensuring both security and compliance in their endeavors.
Akash Patel