Alphabet Soup - CNAME, SPF, and DKIM on your DNS - pt.2 SPF and DKIM

Roxann_McGlump1 · ‎03-09-2016

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.[1] The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

Again, this is a very nice technical explanation but what does it mean? I think of it as being something like the security that many companies maintain at their front desk, so the scenario would go something like this.

A delivery person dressed in a Marketo uniform walks up to the front desk of your lead's company (email server), and says to the person at the desk (who in our analogy would be the email security software), "Hi, I'm here to deliver email from yourmarketingteam@yourcompany.com to yourlead@theircompany.com."

The front desk/email security person looks up and notices the uniform says Marketo, not Yourcompany. Depending on their security settings, they might just assume this is okay and buzz Marketo in to make the delivery. However, if they are security-conscious, they are going to want proof that Marketo isn't trying to trick them with a phony delivery (spoofing an email). SPF gives them the ability to call back to the DNS at Yourcompany and ask, "Hey, I've got someone here from Marketo who claims to be making a delivery for you. Is this an authorized delivery?"

If Marketo is correctly included in the SPF record, then effectively, this allows the DNS to tell them, "Yes, Marketo is authorized to make deliveries from us."

So how does this differ from DKIM? According to Wikipedia:

DKIM allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain which is done using cryptographic authentication.

Verification is carried out using the signer's public key published in the DNS. A valid signature guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.

So if we go back to our analogy of the delivery at the front desk, it works a bit like this. When the front desk calls the DNS to make sure the delivery is authorized, Marketo has to produce an ID badge with an authorization code on it. The front desk/email security person reads that authorization code to the DNS which validates it against the code it has on record. If the code matches, then the delivery is authorized.

Some email security programs require SPF, some require DKIM, and some don't require anything at all. To be sure Marketo can always make your deliveries, you should always have both set up for each domain you use in the From: line of your emails.

Instructions for setting up SPF and DKIM can be found here.

Is this article helpful ?

Yes No

Dan_Stevens_ · ‎03-16-2016

Roxann - I shared Sandy's blog post with our IT team and they are freaking out. It would be helpful if Marketo could provide a response for this within the comments section of that post (since they don't have access to the community).

SanfordWhiteman · ‎03-16-2016

Dan, the risk comes if one of your competitors [a] uses Marketo, [b] uses the shared DKIM key, and [c] decides to get nasty. This would mean they could send email that would be indistinguishable from your (Marketo-generated) emails in every way. The emails would appear to be sent, signed and sealed by you guys, which is a level of impersonation you want to make impossible.

As long as the above doesn't happen, there's no day-to-day impact on deliverability. No receiver is checking, for example, to see if your DKIM key is a widely shared key.

I would not recommend using the same key you use for person-to-person company mail in Marketo. Use different keys so one can be revoked if necessary without impacting the other(s).

Roxann_McGlump1 · ‎03-16-2016

I'm not able to leave a comment there without signing up for a service of some sort, which I'm not comfortable doing when I don't know what the implications of sign-up are. Perhaps Sanford can update the post instead.

Dan_Stevens_ · ‎03-16-2016

Can you leave a reply here and I can share it with our IT/Security team? Basically they want to know the security implications (from Marketo's standpoint) and if there has ever been any malicious activity as a result of using shared DKIM keys.

SanfordWhiteman · ‎03-16-2016

Yes, the SolidOpinion service is like Disqus or LiveFyre, though without the brand recognition. Ghost blogs don't have built-in comments. It's a known gap, but the blogging platform is great in every other way, so we use a plugin.

I'm happy to add, verbatim, any official Marketo response.

You might also check out the blog series I began yesterday: A third of Marketo users have broken SPF. How's yours?

Roxann_McGlump1 · ‎03-17-2016

While I am a Marketo employee, I'm not authorized to make official responses on behalf of Marketo so I guess I will have to let things stand as they are.

Dan_Stevens_ · ‎03-17-2016

Roxann McGlumphy, according to the documentation, "Modifying/removing the corresponding DNS record will result in harmed deliverability. Make sure to delete the entry in Marketo before making DNS changes." While we will be deleting our existing record within Marketo, can we still use the same "M1_domain…” record on our servers (with the updated key) or do we need to create a new one?