SPF, DKIM, DMARC Email Security

Updated 14-Sep-2023

Email for personal use and the enterprise tends to come down to only a few providers, based on the leveraging of email into an office suite:

That said, in reality there are still a preponderance of providers and in no way is it necessary to have either Microsoft or Google host or manage email, even when using other applications of theirs.

For us, the default office suite is Google Drive, but our email and calendaring is done with Fastmail, which simply provides a higher quality service and experience. The Fastmail app and web mail are faster and less prone to crashing. The user interfaces are not perfect, but better than Gmail, especially the dark mode options.

SPF, DKIM, DMARC on Fastmail

It turns out that authentication or anti-spoofing/anti-spamming is hard. There is a complete disconnect between the from fields and actual sending protocols, and many email clients break things when they forward email, so a trust chain is simply not possible. Fastmail has a fairly good article discussing the difficulties with SPF, DKIM, and DMARC, as well as an older blog post on email anti-spoofing technology history and future. Some folks have complained and discussed the implementation of SPF, DKIM, and DMARC at Fastmail.

SPF, DKIM, DMARC on Google Workspace

For sure, this is a lot simpler than the many pages of instructions on how to implement SPF, DKIM, and DMARC on Google Workspace, which takes so many clicks to figure out exactly what to do.

In both cases, it comes down to configuring DNS records (usually TXT, sometimes also CNAME). Fastmail is more straightforward, but Google Workspace can be done.