SPF, DKIM and DMARC for better email security

Email remains one of the most widely used communication tools in both personal and business settings. Unfortunately, it is also one of the most targeted channels for cyberattacks, phishing campaigns, and impersonation attempts. To combat these threats, email authentication protocols such as SPF, DKIM, and DMARC have been developed and widely adopted. Together, these standards significantly reduce the risk of email spoofing and improve the overall trustworthiness of email communication.

In this article, we’ll dive deep into SPF, DKIM, and DMARC, explain how they work, and why implementing all three is crucial for robust email security.

Understanding the Problem: Email Spoofing

Email spoofing is a technique where attackers forge the sender’s address to make their email look like it came from a trusted domain. Spoofed emails are often used in phishing attacks, tricking recipients into clicking malicious links, sharing sensitive information, or downloading malware.

Traditional email protocols (like SMTP) were not designed with strong authentication in mind, which makes spoofing possible. This is where SPF, DKIM, and DMARC step in.

What is SPF?

Sender Policy Framework (SPF)

SPF is an email authentication mechanism that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain.

How It Works:

  1. The domain owner publishes an SPF record (a type of DNS TXT record).
  2. When an email is received, the recipient’s mail server checks whether the sending IP address is included in the SPF record.
  3. If the IP matches, the email passes SPF authentication.

Example SPF Record:

v=spf1 include:_spf.google.com -all

  • v=spf1: Version of SPF being used.
  • include:_spf.google.com: Authorizes Google servers.
  • -all: Rejects all other sources not listed.

Limitations:

  • SPF only checks the envelope sender, not the “From” address seen by the user.
  • Forwarded emails may break SPF validation.

What is DKIM?

DomainKeys Identified Mail (DKIM)

DKIM ensures that an email’s content has not been tampered with in transit and validates that it came from the claimed domain.

How It Works:

  1. The sending mail server generates a cryptographic signature for the email header and body.
  2. This signature is added to the email as a DKIM-Signature header.
  3. The recipient’s mail server retrieves the sender’s public key from DNS and verifies the signature.

Example DKIM Record:

selector1._domainkey.example.com IN TXT “v=DKIM1; k=rsa; p=MIIBIjANBgkqhki…”

  • selector1: Identifies the key.
  • p=…: Public key used for verification.

Benefits:

  • Protects against email tampering.
  • Adds cryptographic validation to email authentication.

Limitations:

  • Complexity in setup (requires DNS updates and mail server support).
  • Does not directly prevent spoofing of the “From” address.

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC builds on SPF and DKIM, providing domain owners with the ability to control how unauthenticated messages should be handled.

How It Works:

  1. The domain owner publishes a DMARC record in DNS.
  2. Receiving mail servers check both SPF and DKIM for alignment with the visible “From” domain.
  3. Based on the DMARC policy, the recipient server will accept, quarantine, or reject the email.

Example DMARC Record:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=quarantine; aspf=s

  • p=reject: Rejects unauthenticated emails.
  • rua=…: Aggregate report email address.
  • ruf=…: Forensic report email address.
  • sp=quarantine: Policy for subdomains.
  • aspf=s: Strict alignment for SPF.

Benefits:

  • Enforces alignment between the visible “From” address and the authenticated domain.
  • Provides detailed reports on email authentication results.
  • Allows gradual rollout with none, quarantine, and reject policies.

Why Use SPF, DKIM, and DMARC Together?

Individually, SPF and DKIM provide important security features but have limitations:

  • SPF can be bypassed by forwarders.
  • DKIM doesn’t validate the “From” address.

DMARC bridges these gaps by requiring alignment and giving domain owners control over how failures are handled.

Combined Benefits:

  • SPF: Prevents unauthorized servers from sending email.
  • DKIM: Ensures integrity and authenticity of messages.
  • DMARC: Aligns SPF/DKIM with the visible “From” address and enforces policies.

Together, they:

  • Reduce spam and phishing attacks.
  • Increase domain reputation.
  • Improve deliverability of legitimate emails.

Best Practices for Implementation

  1. Start with SPF: Publish a correct SPF record for your sending infrastructure.
  2. Enable DKIM: Generate DKIM keys and publish them in DNS.
  3. Deploy DMARC gradually:
    • Begin with p=none to monitor.
    • Move to p=quarantine for stricter control.
    • Finalize with p=reject once confident.
  4. Monitor Reports: Use DMARC reports to analyze unauthorized senders.
  5. Review Regularly: Keep DNS records updated when changing mail providers.

Conclusion

SPF, DKIM, and DMARC are essential layers of modern email security. While each protocol addresses different aspects of authentication, their combined implementation offers a comprehensive defense against spoofing and phishing attacks.

Organizations that implement all three not only protect their brand and customers but also improve their email deliverability and reputation. In today’s threat landscape, deploying these email authentication standards is no longer optional—it’s a necessity for safe and trustworthy communication.

How to protect agains Ransomware attack?

Ransomware attack is one of the most dangerous cyber threats facing businesses and individuals today. With just one careless click, attackers can encrypt your files, lock you out of your systems, and demand payment in exchange for access. The financial, operational, and reputational damage can be devastating.

The good news? While ransomware is scary, it’s not unbeatable. With the right combination of awareness, planning, and security tools, you can protect yourself and greatly reduce the risk of falling victim.

In this article, we’ll break down what ransomware is, how it works, and—most importantly—how to defend against it.

What Is a Ransomware attack?

Ransomware attack is a type of malicious software (malware) that blocks access to your files or systems by encrypting them. Attackers then demand a ransom payment (often in cryptocurrency) to restore access.

Some of the most well-known ransomware families include:

  • WannaCry – spread rapidly across the globe in 2017.
  • Ryuk – often targets businesses and government institutions.
  • LockBit – a “Ransomware-as-a-Service” model used by many cybercriminal groups.

The threat is constantly evolving, and attackers are always finding new ways to spread ransomware through phishing emails, malicious links, infected downloads, or vulnerabilities in outdated systems.

Why Ransomware attack Is So Dangerous

Ransomware attacks can have severe consequences:

  • Financial loss – not just the ransom itself, but also downtime, lost productivity, and recovery costs.
  • Data breaches – some attackers steal sensitive data before encryption and threaten to publish it (“double extortion”).
  • Reputation damage – customers may lose trust if their personal information is exposed.
  • Operational disruption – critical services can be shut down for days or even weeks.

How to Protect Against Ransomware Attack

The best defense against ransomware is a layered approach that combines prevention, detection, and recovery strategies. Here are the most effective measures:

1. Keep Backups – and Test Them

Backups are your ultimate insurance policy.

  • Store backups offline or in a secure cloud environment.
  • Follow the 3-2-1 rule: keep 3 copies of your data, on 2 different media, with 1 copy offsite.
  • Regularly test backups to ensure they can be restored quickly.

2. Update and Patch Regularly

Outdated systems are an easy target.

  • Apply software patches and updates as soon as they’re released.
  • Don’t forget network devices (routers, firewalls) and third-party applications.
  • Enable automatic updates where possible.

3. Train Employees to Spot Threats

Human error is the #1 entry point for ransomware.

  • Educate staff about phishing emails, suspicious attachments, and fake links.
  • Run regular awareness campaigns and phishing simulations.
  • Encourage employees to report anything suspicious.

4. Use Strong Security Tools

A solid security stack makes it much harder for ransomware to succeed.

  • Deploy next-generation antivirus and anti-ransomware software.
  • Use firewalls and intrusion detection systems.
  • Enable email filtering to block malicious attachments and links.
  • Consider endpoint detection and response (EDR) for advanced monitoring.

5. Limit User Access

The fewer privileges an account has, the less damage ransomware can cause.

  • Apply the principle of least privilege (users only get the access they need).
  • Segment networks to prevent ransomware from spreading across the whole environment.
  • Use multi-factor authentication (MFA) for critical accounts.

6. Monitor Network Activity

Unusual behavior often signals an attack.

  • Watch for large spikes in file encryption activity.
  • Monitor outbound connections to suspicious domains.
  • Use security information and event management (SIEM) tools for real-time alerts.

7. Have a Ransomware Response Plan

Preparation is key.

  • Document step-by-step actions to take in the event of an attack.
  • Define roles and responsibilities for IT staff, management, and legal teams.
  • Practice incident response drills to ensure everyone knows what to do.

Should You Pay the Ransom?

Experts (including the FBI) advise not paying the ransom. There’s no guarantee you’ll get your files back, and paying only funds future attacks. Instead, focus on recovery through backups and reporting the incident to authorities.

Final Thoughts

Ransomware is one of the biggest cyber threats today, but it doesn’t have to be a nightmare. By combining regular backups, patching, user training, security tools, and a solid response plan, you can greatly reduce your risk and recover faster if an attack does occur.

The best protection is preparation. Start securing your systems today—because once ransomware hits, it may already be too late.

The difference between Cron and Anacron

Automation is at the heart of modern system administration. On Linux and Unix-like systems, two of the most common tools for scheduling repetitive tasks are Cron and Anacron. At first glance, they seem very similar: both allow you to schedule jobs such as backups, log rotations, or cleanup scripts. But they differ significantly in how and when they execute those jobs.

Understanding these differences—and how to monitor jobs once they are scheduled—is critical for anyone who wants to keep systems running smoothly.

What is Cron?

Cron is a time-based job scheduler that has been a cornerstone of Unix and Linux systems for decades. It uses a background service called the cron daemon (crond) to check configuration files (called crontabs) for scheduled tasks.

Each job in a crontab follows a simple syntax to define when it should run, down to the exact minute. Cron is designed for environments where systems are running continuously, such as production servers.

Key Features of Cron

  • Executes tasks at specific, precise times (e.g., 3:15 AM daily).
  • Can run jobs every minute, hour, day, week, or month.
  • If the system is off at the scheduled time, the job will be missed. Cron does not automatically “make up” for downtime.
  • Supports per-user crontabs (via crontab -e) and a system-wide crontab (/etc/crontab).

Example of a Cron Job

0 2 * * * /usr/local/bin/backup.sh

This will run the backup script every day at 2:00 AM sharp.

What is Anacron?

Anacron was created to solve a limitation of Cron: what happens if your computer is off when the job is supposed to run? For servers that run 24/7, this isn’t a problem. But for laptops, desktops, or any machine that isn’t always powered on, Cron can skip important jobs.

Anacron ensures that jobs are eventually executed, even if they were missed due to downtime. It doesn’t work with per-minute precision like Cron; instead, it handles jobs at daily, weekly, or monthly intervals.

Key Features of Anacron

  • Ensures scheduled jobs are run eventually, not skipped.
  • Ideal for machines that are not running all the time.
  • Jobs are configured in /etc/anacrontab.
  • Jobs can be delayed after startup to avoid slowing down boot.

Example of an Anacron Job

1 10 backup.daily /usr/local/bin/backup.sh

This means:

  • Run the job once every 1 day.
  • Wait 10 minutes after boot before running it.
  • Identify this job as backup.daily.

So, even if the computer was turned off at 2 AM, Anacron will still run the backup when the system starts again.

Cron vs. Anacron

Although they serve similar purposes, Cron and Anacron differ in important ways:

FeatureCronAnacron
SchedulingMinute, hour, day, monthDaily, weekly, monthly only
PrecisionExact timingFlexible (runs later if missed)
Missed JobsMissed if system is offExecutes after boot if missed
Best ForServers running 24/7Laptops, desktops, non-24/7 PCs
Configuration Filecrontab, /etc/crontab/etc/anacrontab

In fact, many modern Linux systems use both together. Cron handles precise jobs, while Anacron ensures essential periodic jobs are not skipped.

Cron Job Monitoring

Scheduling jobs is only half the story—monitoring them is equally important. Without proper monitoring, you may not know if a backup script failed or a cleanup job never ran.

There are a few ways to monitor Cron jobs:

  • Log Monitoring: By default, Cron logs to /var/log/cron or /var/log/syslog depending on the distribution. Reviewing these logs can confirm whether jobs ran successfully.
  • Email Alerts: Cron can send the output of a job to the local mail of the user. By setting the MAILTO variable in a crontab, you can receive email notifications whenever a job runs (or fails).
  • External Monitoring Tools: Services like ClouDNS, Cronitor, Healthchecks.io, or Dead Man’s Snitch provide more advanced monitoring. They work by requiring your Cron job to “check in” with the monitoring service each time it runs. If a job doesn’t report back on time, you’ll receive alerts via email, Slack, or other channels.

System Monitoring Beyond Cron

While Cron job monitoring is essential, it only covers the tasks you explicitly schedule. For broader visibility into your system’s health and performance, you may also want a system monitoring service.

One popular option is Nagios, an open-source monitoring tool that can track system metrics, network status, and application availability. Unlike Cron-focused monitoring tools, Nagios provides:

  • Alerts for CPU, memory, and disk usage.
  • Service uptime monitoring (web servers, databases, etc.).
  • Notification integration with email, SMS, or chat systems.
  • A dashboard to visualize system health across multiple servers.

This makes Nagios (and similar tools like Zabbix or Prometheus) a valuable complement to Cron monitoring. While Cronitor tells you if your scheduled task ran, Nagios can tell you if your system is under strain, a process crashed, or a network link failed.

When to Use Cron, Anacron, and Monitoring

  • Use Cron if you need precision and your system is always running.
  • Use Anacron if your system is not always powered on, but you want to guarantee jobs still run eventually.
  • Use Monitoring to ensure you actually know whether scheduled tasks succeeded and to keep an eye on overall system health.

Together, Cron, Anacron, and monitoring tools form a reliable automation and maintenance strategy for Linux and Unix environments.

Final Thoughts

Cron and Anacron are both indispensable for scheduling jobs, but they solve slightly different problems:

  • Cron is about running jobs exactly on schedule.
  • Anacron is about ensuring jobs eventually run, even if a system was off.

Adding monitoring—whether with Cron-specific tools like Cronitor or full system monitoring platforms like Nagios—completes the picture by providing visibility and alerts. That way, you don’t just schedule jobs—you know they actually ran and succeeded.