ASD's Blueprint for Secure Cloud

SPF, DMARC and DKIM

This section describes the design decisions associated with Microsoft 365 for system(s) built using ASD's Blueprint for Secure Cloud.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are tools for email authentication. These tools can coexist to provide enhanced capabilities.

  • SPF - SPF is a DNS entry that lists the servers permitted to send email from a specific domain. It enables recipients to verify the origin of incoming mail.
  • DKIM - Unlike SPF, DKIM is a tool to verify whether the content of the message is trustworthy. This is done using a public/private key signing process.
  • DMARC - DMARC brings SPF and DKIM together using policy. A DMARC policy sets out how to handle messages that do not align with what the receiver knows about the sender. This can include rejecting the message, suggesting the message be quarantined, or allowing the message.

While DKIM within Microsoft 365 can sign messages, the organisation's gateway may also be configured to do this, which may cause issues with DMARC verification.
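The following added example (not part of the Blueprint) sketches how a receiver combines SPF and DKIM results under a DMARC policy, including a message that carries two DKIM signatures, as happens when both Microsoft 365 and a gateway sign. The domains, records and results are constructed, and relaxed alignment is approximated by a parent/child domain match rather than a Public Suffix List lookup.

```python
# Added example: simplified DMARC evaluation; all domains and results are constructed.

def parse_dmarc(record):
    """Parse a DMARC TXT record into tags; alignment modes default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict mode ("s") needs an exact match. Relaxed mode ("r") is approximated
    as 'one domain is a parent of the other'; real receivers compare
    organisational domains using the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode == "r" and (a.endswith("." + f) or f.endswith("." + a))

def evaluate(from_domain, record, spf, dkim_sigs):
    """spf is (result, mail_from_domain); dkim_sigs is a list of (result, d_domain).
    DMARC passes if SPF, or any one DKIM signature, both passes and is aligned
    with the From: domain. Returns (dmarc_pass, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = any(result == "pass" and aligned(domain, from_domain, tags["adkim"])
                  for result, domain in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "deliver"
    policy = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, policy.get(tags["p"], "deliver")

FROM = "example.com"                      # constructed From: domain
RECORD = "v=DMARC1; p=reject; adkim=s"    # constructed DMARC record
SPF_FAIL = ("fail", "example.com")        # e.g. mail relayed by an unlisted server

# Two signatures, and the aligned one verifies: DMARC passes.
BOTH_OK = [("pass", "example.com"), ("pass", "gateway.example.net")]
# Two signatures, but only the non-aligned (hypothetical gateway) one verifies.
ONLY_GATEWAY_OK = [("fail", "example.com"), ("pass", "gateway.example.net")]

if __name__ == "__main__":
    print(evaluate(FROM, RECORD, SPF_FAIL, BOTH_OK))
    print(evaluate(FROM, RECORD, SPF_FAIL, ONLY_GATEWAY_OK))
```

A passing signature only helps DMARC when its signing domain aligns with the From: domain, so a second signature from a different domain does not compensate for an aligned signature that fails to verify.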

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Authorised by the Australian Government, Canberra