When sending emails on behalf of your own domain, it is important to use authentication mechanisms to prevent abuse and improve deliverability.
Learn how to set up your own domain here: Custom Email Sender
In this article, we explain the key security measures: SPF, DKIM, and DMARC – and why an SPF record alone does not mean that any sender can send emails via AWS.
What is SPF?
SPF (Sender Policy Framework) is a mechanism that defines which mail servers are authorized to send emails on behalf of your domain.
How does SPF work?
- The SPF record is stored as a TXT record in the DNS settings of your domain.
- When receiving an email, the recipient's mail server checks whether the sending server is listed in this SPF record.
- If the server is not authorized, the email may be marked as spam or get rejected.
Important clarification:
An SPF record for AWS SES does not mean that all AWS servers are allowed to send emails on your behalf. Rather, only our explicitly authorized AWS account is approved for use. However, SPF alone is not sufficient to verify an email as genuine.
What is DKIM?
DKIM (DomainKeys Identified Mail) is a method for digitally signing emails. This signature is created using a private key and can only be added by servers that have this key – in our case, our AWS account.
How does DKIM protect your domain?
- The public key is stored as a DNS record.
- The receiving mail server checks whether the signature matches the public key.
- Only correctly signed emails are considered authentic.
- If a third party attempts to send emails without a DKIM signature, they can be identified as fraudulent.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It instructs mail servers on how to handle emails that fail these checks.
Advantages of DMARC:
- You can specify whether unauthenticated emails should be rejected or quarantined.
- DMARC allows you to receive reports on unauthorized sending attempts.
- This makes it significantly more difficult for attackers to send fake emails on behalf of your domain.
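The following is an added example, not AirLST's or AWS's code: a simplified sketch of how a receiving server could combine SPF and DKIM results into a DMARC decision. It goes slightly beyond the text by modelling alignment, meaning that a passing SPF or DKIM check must also match the visible From domain, which is why an SPF pass alone does not authenticate a message. All domains, the policy record, and the function names are constructed for illustration.

```python
# Added example: simplified DMARC check (relaxed alignment only).
# All domains and the policy record are constructed sample values.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    """Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf = (result, envelope-sender domain); dkim = (result, d= domain)."""
    policy = parse_dmarc(record or "")
    if policy is None:
        return "no-policy"  # receiver falls back to its local rules
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")  # none | quarantine | reject

# Constructed cases: (From domain, SPF result, DKIM result)
CASES = {
    # Signed by the domain owner's key and sent from an authorized server.
    "legitimate": ("example.com", ("pass", "mail.example.com"), ("pass", "example.com")),
    # SPF passes for the sender's own envelope domain, but the visible
    # From claims example.com and there is no DKIM signature.
    "spf_pass_unaligned": ("example.com", ("pass", "other.example.net"), ("none", "")),
    # Forwarding broke SPF, but the aligned DKIM signature still verifies.
    "forwarded": ("example.com", ("fail", "mail.example.com"), ("pass", "example.com")),
}

if __name__ == "__main__":
    for name, (from_domain, spf, dkim) in CASES.items():
        print(name, "->", dmarc_disposition(from_domain, spf, dkim, RECORD))
```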
Security Measures by AirLST & AWS
Beyond these general mechanisms, AirLST applies further measures to prevent abuse and ensure the authenticity of sender addresses:
- Opt-in confirmation for sender addresses:
  - Before an email address can be used as a sender, its owner must explicitly confirm it.
  - The address receives an email with a confirmation link, which must be clicked within 24 hours.
  - Only after successful confirmation can the email address be used as a sender for the specific AirLST account.
Conclusion: Maximum Security Through Combined Methods
SPF alone is not enough to prevent domain abuse. Only by combining SPF, DKIM, DMARC, and additional AirLST security measures can you ensure that only authorized systems and senders send emails on behalf of your domain. If you have any questions about implementation or need more information, contact our support team.