When sending emails on behalf of your own domain, it is important to use authentication mechanisms to prevent misuse and improve deliverability.
Instructions for setting up your own domain are in the article Custom Email Sender.
In this article, we explain the most important protection measures: SPF, DKIM, and DMARC – and why an SPF record alone does not mean that any sender can send emails via AWS.
WHAT IS SPF?
SPF (Sender Policy Framework) is a mechanism that defines which mail servers are authorized to send emails on behalf of your domain.
HOW DOES SPF WORK?
- The SPF record is stored as a TXT record in the DNS settings of your domain.
- When receiving an email, the recipient's mail server checks whether the sending server is listed in this SPF record.
- If the server is not authorized, the email can be marked as spam or rejected.
IMPORTANT CLARIFICATION
NOTE: An SPF record for AWS SES does not mean that all AWS servers are allowed to send emails on your behalf. Rather, only our explicitly authorized AWS account is permitted to use it. SPF alone is not sufficient to verify an email as genuine.
WHAT IS DKIM?
DKIM (DomainKeys Identified Mail) is a method for digitally signing emails. This signature is created with a private key and can only be added by servers that possess this key – in our case, our AWS account.
HOW DOES DKIM PROTECT YOUR DOMAIN?
- The public key is stored as a DNS record.
- The receiving mail server checks whether the signature matches the public key.
- Only correctly signed emails are considered authentic.
- If a third party tries to send emails without a DKIM signature, these can be detected as forged.
WHAT IS DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It gives mail servers instructions on how to handle emails that fail one of these checks.
ADVANTAGES OF DMARC
- You can specify whether unauthenticated emails should be rejected or quarantined.
- DMARC enables you to receive reports about unauthorized sending attempts.
- This makes it significantly harder for attackers to send forged emails on behalf of your domain.
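The following added example (not AirLST or AWS code) sketches how a receiving server combines SPF and DKIM results into a DMARC decision. The authenticated domain must also match ("align with") the domain in the visible From: header. All names, domains and records are constructed, and the organizational-domain rule is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """What a receiver knows after SPF and DKIM checks (values here are constructed)."""
    header_from: str   # domain in the visible From: header
    spf_pass: bool     # SPF passed for the envelope sender (MAIL FROM) domain
    spf_domain: str    # the domain SPF was evaluated against
    dkim_pass: bool    # a DKIM signature verified against its published public key
    dkim_domain: str   # d= domain of that signature

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' = strict (exact match), anything else = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return 'pass', or the policy (none/quarantine/reject) the domain owner asked for."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.header_from, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed cases: both pass SPF for a shared sending platform's envelope domain,
# but only the first carries a DKIM signature for the From: domain.
SIGNED = AuthResult("example.com", True, "bounce.esp.example", True, "example.com")
UNSIGNED = AuthResult("example.com", True, "bounce.esp.example", False, "")

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        record = f"v=DMARC1; p={policy}; rua=mailto:dmarc-reports@example.com"
        print(policy, dmarc_disposition(record, SIGNED), dmarc_disposition(record, UNSIGNED))
```

With p=none the unsigned message is only reported, not blocked, so the policy value decides whether DMARC actually enforces anything.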
SECURITY MEASURES BY AIRLST & AWS
In addition to the general protection mechanisms, AirLST offers additional measures to prevent misuse and ensure the authenticity of sender addresses:
OPT-IN CONFIRMATION FOR SENDER ADDRESSES
- Before an email address can be used as a sender, the owner of the address must explicitly confirm this.
- The address receives an email with a confirmation link that must be clicked within 24 hours.
- Only after successful confirmation can the email address be used as a sender for the specific AirLST account.
- The usage rights of the confirmed address remain exclusively reserved for the AirLST account that requested the approval.
DOMAIN VERIFICATION
- Before AWS SES can be used for a domain, the domain must be verified by the owner. Usage is then exclusively reserved for our AirLST AWS account and cannot be used by any other AWS customer.
RATE LIMITING & MONITORING
- AWS monitors sending activity and prevents suspicious behavior.
BOUNCE & COMPLAINT HANDLING
- AirLST tracks failed or rejected emails and reduces spam risks.
CONCLUSION
MAXIMUM SECURITY THROUGH THE COMBINATION OF METHODS
SPF alone is not sufficient protection to prevent misuse of a domain. Only through the combination of SPF, DKIM, DMARC, and the additional AirLST security measures is it ensured that only authorized systems and senders can send emails on behalf of your domain.
DO YOU HAVE QUESTIONS?
If you have any questions, our Customer Service Team is always available to assist you.