IT folks, what is DKIM, DMARC and SPF? And how does DNS play into this?

4 Answers

Anonymous 0 Comments

DKIM uses digital signatures in an email to confirm that an email isn’t altered while in transit. DNS stores the public key of the sending domain so the receiving domain can validate.

DMARC is the set of policies used to decide how to handle messages that don’t pass the other tests. DMARC is also stored in DNS.

SPF is the method by which receiving domains determine if an email was actually sent by a server that is authorized by the sending domain to send that domain’s emails. The SPF configuration is also stored in DNS.

These are all email security standards that leverage DNS TXT records to specify config/authorization.

Let me know how I did on your homework.

Anonymous 0 Comments

They are types of DNS records that are used to verify that emails come from the domain that they purport to come from.

Without them, emails may end up getting categorised as spam. And the domain is easier to impersonate without having that verification in place.

Anonymous 0 Comments

As the owner of a domain name (e.g. Google.com) you need to direct traffic accordingly when someone visits your website. This is done with DNS records: simple pieces of text that are listed with your domain name and visible to anyone.

There are different types of records. For example:

“Hey my website is over here” (A record)

Or, “Looking to send me an email, right this way!” (MX records).

There are also various types of notices and information you can put in your DNS records which don’t necessarily point anywhere, but are used as a way to prove that something is legit.

These are things like TXT records, SPF, and DMARC records (there are quite a few different conventions for proving email is legit).

So for your email question …

“Hey, if you received an email from us but the sender didn’t have these records in their DNS, it wasn’t us and the message is probably spam or someone is trying to trick you!”

Without these records, your email will still be sent, but many companies' email systems have strict rules to prevent spam, and they will require some or all of the verification methods to be present before they will allow your email through.

Anonymous 0 Comments

All of the things you mentioned exist as DNS records. When a system is trying to figure out if an email came from someone who’s allowed to send email from that domain, it checks these records. Look at it as if you’re receiving a package from Amazon (this is a really loose analogy, but it kinda works):

SPF – Think of this as a list of employees of a company. This is like Amazon saying: “This employee (IP address) is allowed to send you a package (send you an email) using our system, and anyone who isn’t on this list is not allowed.”

DKIM – Think of this as a notary, someone who “signs” the email as you would a legal document or bank check. You check this to make sure the company (or system) that sent the package (email) is the one you expect. This is like Amazon sending you the package in one of its own trucks, with an Amazon driver wearing an Amazon uniform.

DMARC – This tells your system what to do if you get something that’s not obviously from Amazon’s system (SPF) or delivered by an obvious agent of Amazon (DKIM). Most of the time, it’ll tell you to send it to the spam folder, or just delete it altogether. This is like refusing a package or letter from someone you don’t know (I don’t have a good analogy here because Amazon doesn’t really instruct people what to do when they get fraudulent packages).
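
The receiver-side checks described in the answers above, as an added example that is not part of any answer: it reads SPF and DMARC TXT records from a small in-memory table, tests a sending IP against the SPF list, and returns what the DMARC policy says to do with the message. Assumptions: the records, selector name `sel1` and addresses are constructed samples for `example.com`, only the `ip4`/`ip6`/`all` SPF mechanisms are evaluated, DMARC alignment is simplified to an exact domain match, and the DKIM signature check result is passed in rather than computed.

```python
import ipaddress

# Constructed TXT records for example.com (documentation domain and IP ranges).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def spf_check(domain, sender_ip):
    """Evaluate only ip4/ip6 and 'all' mechanisms (include, a, mx are skipped)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return results[qualifier]
    return "neutral"                         # nothing matched, no 'all' term

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_ok, dkim_domain):
    """Apply the From: domain's DMARC policy; alignment simplified to exact match."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is None:
        return "no-policy"
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_ok and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "deliver"
    return parse_tags(record).get("p", "none")   # none, quarantine or reject
```

An SPF pass for a different domain than the one in the From: header does not satisfy DMARC, which is why `dmarc_disposition` takes both the result and the domain it was checked against.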