What exactly are 'SPF', 'DKIM' and 'DMARC', the settings needed to send email correctly?



The application system for the 2024 Kanagawa Prefecture Public High School Entrance Examination has been experiencing problems with its emails not being received since January 9th. Kanagawa Prefecture has explained that 'an event has occurred where emails from the application system cannot be received, mainly at @gmail.com', but various sites have pointed out that the sender address is not properly configured.

Prefectural Entrance Examination 2024 Why haven't I received an email from the application system? | Kanagaku
https://kanagaku.com/archives/69286





According to Google's email sender guidelines, three types of authentication need to be set up in order to send email correctly: 'SPF', 'DKIM' and 'DMARC'.

◆SPF
SPF is an abbreviation for Sender Policy Framework, a mechanism for verifying whether an email was sent from a server that is legitimately allowed to send for the sender's domain.

An email has two sender addresses: the 'Header-From', which mail clients display as the 'sender', and the 'Envelope-From', the address actually used during delivery. SPF verifies the Envelope-From, i.e. the actual sending domain.

By publishing an SPF record in DNS that lists the IP addresses allowed to send email for the domain, the recipient can look up the SPF record of the domain regarded as the 'actual sender' (the Envelope-From domain) and compare it with the IP address the email actually arrived from. If an email is sent from an IP address that is not listed in the SPF record, the recipient can tell that it comes from a fake sender.

In addition to listing IP addresses directly, an SPF record can also reference A records, MX records and the SPF records of external domains. However, if evaluating the record requires more than 10 DNS 'lookups' to fetch those other records, SPF authentication will fail.
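The 10-lookup limit is easy to exceed once a record includes a mail vendor whose record includes further vendors. The following added example (not from the article; the DNS zone is constructed, no real lookups are made) counts the lookups an SPF record would need, following the rule that the `a`, `mx`, `include`, `exists`, `ptr` and `redirect` terms each cost one lookup while `ip4`, `ip6` and `all` cost none:

```python
import re

# Constructed zone: domain -> its SPF TXT record (sample data, not real DNS).
ZONE = {
    "example.jp": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example mx -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 a -all",
    "b.mailer.example": "v=spf1 redirect=c.mailer.example",
    "c.mailer.example": "v=spf1 exists:%{i}.rbl.example ptr -all",
    # Pulls in example.jp and the vendor record again: lookups add up quickly.
    "toomany.example": "v=spf1 include:example.jp include:_spf.mailer.example -all",
}

# Terms that cost a DNS query when the receiver evaluates the record.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10

def count_lookups(domain, zone, path=()):
    """Total DNS lookups needed to evaluate `domain`'s SPF record, recursing
    through include:/redirect=. Fetching the TXT record itself is free."""
    if domain in path:                      # stop on include/redirect loops
        return 0
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop the pass/fail qualifier
        parts = re.split(r"[:=/]", term, maxsplit=1)
        name, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """Return (lookup_count, ok) where ok is False if SPF would permerror."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS

if __name__ == "__main__":
    for d in ("example.jp", "toomany.example"):
        print(d, within_limit(d, ZONE))
```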



◆DKIM
DKIM is an abbreviation for DomainKeys Identified Mail, a mechanism that adds an electronic signature to outgoing emails so that recipients can confirm both that the email was sent by the original sender and that its content has not been tampered with. The sending domain publishes its DKIM public key in a DNS TXT record; the recipient looks up that record, obtains the public key and verifies the email's electronic signature with it.

In order to send email to personal Gmail accounts, the DKIM key must be at least 1024 bits long. Note that a key length of 2048 bits is recommended for better security.

In most cases the sender does not need to add the electronic signature deliberately; the email server is configured to add it automatically when the email is sent.

◆DMARC
DMARC is an abbreviation for Domain-based Message Authentication, Reporting and Conformance, a mechanism for detecting 'spoofed' emails that misrepresent the sender domain shown to users. Because a sender can freely set the 'sender address' when sending email, the domain of an authoritative site such as a bank can be used without permission to mislead users and lead them to phishing sites.

DMARC is used together with SPF and DKIM: in addition to SPF/DKIM authentication, it checks whether the 'Header-From' matches the 'Envelope-From'. As a result, emails whose 'Header-From' as seen by the user differs from the actual sender fail verification and, depending on the domain's DMARC settings, are delivered to the spam folder or rejected.
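As an added example (not from the article), the following Python code evaluates a DMARC result the way a receiver does. It goes slightly beyond the description above: DMARC accepts an email if the Header-From domain is 'aligned' with either the SPF-authenticated Envelope-From domain or the DKIM signing domain (the `d=` tag), in relaxed (`r`, same organizational domain) or strict (`s`, exact match) mode, and the `p=` tag decides what happens on failure. The domains, the DMARC record and the organizational-domain rule (last two labels; real receivers use the Public Suffix List) are all constructed assumptions.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    hf, ad = header_from.lower(), auth_domain.lower()
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; aspf=r' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

ACTIONS = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}

def evaluate_dmarc(header_from, envelope_from, spf_result,
                   dkim_domain, dkim_result, record):
    """Return (dmarc_result, action) for one email, given the raw SPF/DKIM results."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, envelope_from, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS.get(tags.get("p", "none"), "deliver")

if __name__ == "__main__":
    # Constructed scenario: a mail provider's bounce domain as Envelope-From.
    # SPF passes but is not aligned, so only a DKIM signature by the sender's
    # own domain makes DMARC pass.
    record = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
    print(evaluate_dmarc("example.jp", "bounce.mailer.example", "pass",
                         "example.jp", "pass", record))   # DKIM-aligned: pass
    print(evaluate_dmarc("example.jp", "bounce.mailer.example", "pass",
                         None, "none", record))           # no DKIM: quarantined
```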



When I checked the sender domain of the Kanagawa Prefecture public high school entrance examination application system, 'mail.shutsugankanagawa.jp', with DMARC Domain Checker, DMARC, SPF and DKIM all appeared to be set up properly at the time of writing, as shown in the image below.



Mr. suzuki.ryo, an engineer whose family member is planning to take the Kanagawa Prefectural High School Entrance Examination in February 2024, analyzed an email he actually received from the Kanagawa Prefecture Public High School Entrance Examination Application System on January 15, 2024: 'Based on the emails received by Yahoo Mail this time, it appears that Amazon SES, which was used to send emails from the application system, is configured appropriately.'

It is believed that authentication failed because of inappropriate settings on January 9, when the problem occurred, but why delivery to Gmail still fails even after the settings were corrected is not something outsiders can tell. The operating status of the Kanagawa Prefecture public high school entrance selection online application system is posted on the Kanagawa Prefecture page.

◆Forum now open
A forum related to this article has been set up on the GIGAZINE official Discord server. Anyone can post freely, so please feel free to comment! If you do not have a Discord account, please create one by referring to the article explaining how to create an account.

• Discord | 'Have you ever encountered the problem of not being able to send or receive emails? Have you been able to fix it?' | GIGAZINE
https://discord.com/channels/1037961069903216680/1197113218468937888

in Software, Web Service, Posted by log1d_ts