This recipe describes the outbound email Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) preparation on FortiMail and the DNS server for verification by the receiving email servers.
Email signing requires up-to-date SPF, DKIM, and DMARC TXT records within the DNS server:
For outbound email, SPF records indicate who is authorized to send email on your behalf. SPF records contain the client IP addresses of the domains' authorized senders. These domains are checked until an authorized IP address match occurs. If the test fails, the email is identified as spam. DNS records must be kept up-to-date.
DKIM records digitally sign outbound emails to prove that the email has not been tampered with in transit. This is achieved through both a public key and a private key. The public key is what is published to the DNS record, so receiving MTAs can download the key and validate the signature.
On the receiver's end, DMARC records provide a form of feedback as to whether SPF and DKIM passed. For Fortinet as an example, DMARC passes if either SPF or DKIM pass. Otherwise, if both SPF and DKIM fail, DMARC takes an action of either none, quarantine, or reject.
Note that SPF performs its check using the Mail From address, or the RFC5321.MailFrom (envelope) address. DMARC enhances SPF by performing its check against the From address, or the RFC5322.From (header) address.
This prevents situations where messages can pass an SPF check, but spoof its RFC5322.From sender address.
For more information, see identifier alignment information at RFC 7489.
Below are examples, taken from publicly accessible DNS records at mxtoolbox.com, of the three TXT records required for a given domain (in this example, fortinet.com):
In this example, the appropriate text records for SPF, DKIM, and DMARC are retrieved for the domain fortinet.com. These records are used to update the DNS server, and an email is sent from a Fortinet account to a Gmail account (from fortinet.com to gmail.com) to prove the email passed successfully.
For more information about these email authentication protocols, see the FortiMail Administration Guide. For a recipe regarding email checking, see Configuring incoming email DMARC checking with SPF and DKIM.