From a security point of view, which is better if we compare SPF vs DKIM?
I am looking for an email provider that I will use with a custom domain, one provider is cheaper but has only SPF while the other is more expensive but uses both SPF and DKIM and I'm not sure if paying more is worth it if the other factors are similar. I read about SPF and DKIM and I have some questions about them and also some about email security in general.
What benefit would DKIM provide if SPF is already used?
Is it correct to say that SPF ensures that the server from which the email claims to originate is the one from which it in fact originated and DKIM ensures that the content of the email message hasn't been modified?
If it's correct that DKIM protects the message from being tampered with, then from whom does it protect exactly? Who can alter the content of the email while in transit, what are the common attack vectors? Can there be a malicious "node" that relays the email but modifies its content?
Would it be possible for an attacker to make a server that relays emails and then snoop on them or modify the content, just like anybody can make a malicious Tor node?
If the email provider I use supports sending emails over SSL and I want to send an email to my friend who uses Gmail (which also supports SSL), does my message travel the whole path encrypted? Does it mean that the message is encrypted with a public key belonging to Gmail and no server which relays the message will ever see it unencrypted?
Let's assume that I use SPF. An attacker attempts to send an email that appears to come from me. Where is this email relayed to (is this something called MTA)? Does it work like a node that forwards information to further nodes? If the attacker controls the first "node", can't he report to the nodes that it forwards to, that the message passes SPF when it does not, and the nodes that get forwarded the message would believe it?
In a nutshell, SPF vs DKIM - SPF uses path-based authentication while DKIM uses an identity-based authentication. SPF uses DNS to publish a record of all mail transfer authorities (MTA) authorized to send mail on behalf of the domain. Recipient MTAs then query DNS for the SPF record and reconcile the list of approved IP addresses against the path the message actually took. SPF syntax dictates how mail is handled if the IP addresses don't match. For instance, -all means mail is rejected entirely. ~all means mail is marked but still permitted through.
SPF has its limitations. It can be cumbersome to deploy completely (large organizations can find it difficult to track down every MTA they use) which may lead to a more passive SPF policy to prevent legitimate mail from being snagged by filters. This can increase the prevalence of phishing. DKIM uses asymmetric cryptography to digitally sign a message. A domain has a public/private keypair. DKIM will take a hash of several fields of an email, including To:, From:, Date:, etc. This hash is then signed with the private key of the domain in question and placed in the DKIM header. The domain public key is published in DNS and used to verify the authenticity of the email. DKIM doesn't protect against forging the From: field directly but it does ensure that an email truly came from the domain in question. For instance, DKIM can guarantee an email came from the domain foo-bar.com but it can't necessarily guarantee who within that domain sent the message, since the domain as a whole uses one keypair, not individual senders.
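To make the two mechanisms in the answer above concrete, here is an added Python example (not code from the question or the answer) that models both checks side by side. The SPF half walks a published `v=spf1` record the way a receiving MTA would: `ip4`/`ip6` mechanisms are matched against the connecting address, `include:` recurses into another domain's record, and the qualifier on `all` (`-all`, `~all`, `?all`) decides the verdict when nothing else matched. The DKIM half hashes the covered header fields, signs the hash with the domain's private key and verifies it against a public key fetched from a `selector._domainkey.domain` TXT record. Everything is simulated and constructed: the DNS zone is a dictionary, the domain names use documentation ranges, and the "RSA" key is a toy built from two Mersenne primes with a truncated hash so the arithmetic fits; real DKIM uses header canonicalization, RSA-SHA256 with proper padding (or Ed25519) and a base64-encoded `DKIM-Signature:` header.

```python
import hashlib
import ipaddress

# Simulated DNS zone (constructed for this example; no real lookups are made).
DNS_TXT = {
    "foo-bar.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "lenient.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifiers: the prefix on a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT, depth=0):
    """Simplified SPF evaluation: is client_ip in the list the domain published?"""
    if depth > 10:  # RFC 7208 limits include: recursion so a record cannot loop forever
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, receiver learns nothing either way
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism this toy evaluator does not support
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ran out without an "all" term


# Toy RSA keypair from two Mersenne primes (2^89-1 and 2^107-1), constructed for
# illustration only; real DKIM keys are 1024/2048-bit RSA or Ed25519.
_P, _Q = (1 << 89) - 1, (1 << 107) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent stays with the domain's MTA

# The domain publishes its public key under selector "sel1" (constructed record).
DNS_TXT["sel1._domainkey.foo-bar.com"] = f"v=DKIM1; k=toy-rsa; n={N}; e={E}"

SIGNED_HEADERS = ("from", "to", "date", "subject")


def _header_hash(headers):
    """Hash the header fields DKIM covers; truncated to 160 bits so it fits below N."""
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        h.update(f"{name}:{headers.get(name, '').strip()}\r\n".encode())
    return int.from_bytes(h.digest()[:20], "big")


def dkim_sign(headers, private_key=_D):
    """Outbound MTA signs the header hash with the domain's private key."""
    return pow(_header_hash(headers), private_key, N)


def dkim_verify(headers, signature, selector="sel1", dns=DNS_TXT):
    """Receiver fetches the public key from DNS and checks the signature."""
    domain = headers["from"].rsplit("@", 1)[-1].strip()
    record = dns.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return False  # no key published: signature cannot be verified
    fields = dict(part.strip().split("=", 1) for part in record.split(";"))
    n, e = int(fields["n"]), int(fields["e"])
    return pow(signature, e, n) == _header_hash(headers)


def demo():
    """Sign a constructed message, then verify it intact and after tampering."""
    msg = {"from": "alice@foo-bar.com", "to": "bob@gmail.com",
           "date": "Mon, 01 Jan 2024 10:00:00 +0000", "subject": "Invoice"}
    sig = dkim_sign(msg)
    tampered = {**msg, "subject": "Invoice (please pay to the new account)"}
    return dkim_verify(msg, sig), dkim_verify(tampered, sig)


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        print("SPF", ip, "->", check_spf("foo-bar.com", ip))
    print("DKIM intact, tampered ->", demo())
```

Two things worth noticing when running it. First, `check_spf` answers only "did this message arrive from an address the domain listed", which is why a mail forwarder that is not in the list turns a legitimate message into `fail` or `softfail`; it never inspects the content. Second, `dkim_verify` proves that whoever held foo-bar.com's private key signed exactly these header values, so a one-character change to the subject breaks it, but the same key signs mail for every mailbox in the domain, which is the "domain, not individual sender" limitation the answer describes.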