One of the things that I’ve noticed during my time is that phishing emails ebb and flow like the waves of the ocean. It seems like nothing significant for a few weeks, then the flood gates open and a bunch all come in within a short period of time. The security, mail and support teams get flooded with what may or may not be legitimate emails. Now honestly, looking at an individual email to determine if it’s spam, phishing, or a legitimate email takes some time, but when you pile on different types, it can get hard and time consuming.
When your team needs to crawl through all those emails to make a determination, you look for ways to make it easier on them (that doesn’t mean a silver bullet that kills all phishing emails, but something that gets the low-hanging fruit). The easiest target is those phishers who fake the sender of emails; those are the ones that look like they are coming from a trusted source, or even your own company, but aren’t. Most (not all) spam, fraud emails and viruses come from someone pretending to be sending from another email address.
So the best first line of defense is verifying the identity of the sender. The best way is to utilize the three main email security protocols: SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and DKIM (DomainKeys Identified Mail). These three complement one another, so it really is best to implement all of them. Together they prove to ISPs, mail services, and other mail servers that senders are truly authorized to send an email. When properly set up, all three prove that the sender is legitimate and that their identity has not been forged. These anti-spam measures are becoming increasingly important, and will one day be required by all mail services and servers.
Now, by no means are these super easy to set up, and your email hosting situation may make it either easier or harder. Yet there isn’t really a good reason that you shouldn’t invest the time and money in getting these turned on.
Sender Policy Framework (SPF)
- SPF is published in your domain’s DNS and limits who can send emails on your behalf. This keeps others from spoofing your domain.
- SPF consists of three primary components: a policy framework, an authentication technique, and particular headers in the email itself that convey this information.
- Email providers can use your SPF record to verify that a mail server is permitted to send email for your domain.
- In short, an SPF record is a DNS TXT record that lists the IP addresses that are permitted to send email on behalf of your domain.
Importance of SPF:
- Receiving mail servers use SPF to verify that incoming email from a domain was sent from a host approved by the domain’s record. This is why it’s stored in the DNS entry.
- The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.
- SPF improves the protection of email users from spammers, because faked “from” addresses and domains are frequently used in email spam and phishing.
- Publishing your domain’s SPF data is regarded as one of the most dependable and simple anti-spam tactics.
- Many email systems use a reputation score for your domain to decide if you are known for sending unwanted email. So if you have a good sending reputation, a spammer may try to send email from your domain in order to benefit from your ISP’s good sender reputation.
- This is where SPF authentication shows the receiving server that even though the domain may look like yours, the sending server has not been authorized to send mail for your domain.
If SPF is so great, I’ll just use that!
While I made a case for why SPF is good, as I mentioned it should be part of a three-legged approach. Although SPF is good, it doesn’t survive the email forwarding process, so it’s not perfect. SPF only says what servers can send on behalf of your
DKIM signing can withstand forwarding. SPF does not work with forwarding since it is merely a list of servers that are authorized to send on behalf of your domain, and a domain owner cannot maintain a list of forwarders.
What about DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiving server to check that an email was indeed sent and authorized by the domain owner. This is achieved by giving the email a digital signature that is carried in the email header.
Once the receiving system determines that an email is signed with a valid DKIM signature, it knows that the email, including the message body and attachments, hasn’t been modified. DKIM signatures are not shown to end users; the validation is done on the server side.
Like SPF mentioned above, DKIM is also used in DMARC alignment. DKIM has a DNS record too, although setting it up is a little more challenging than SPF. DKIM has the advantage of being able to withstand forwarding, making it preferable to SPF and a solid basis for email security.
Why DKIM is important:
DKIM checks the following three things:
- The sender of the email owns the DKIM domain, or is authorized by the owner of that domain.
- The contents of an email have not been tampered with.
- The headers in the email have not changed since the original sender sent it, and there is no new “from” domain.
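To show the “contents have not been tampered with” check in practice, here is an added Python example (not code from the original post) that recomputes the bh= body hash of a DKIM-Signature header and compares it against the body that arrived; the sample body and header are constructed, and the b= signature over the headers is deliberately left unverified, since that step needs the signer’s public key from DNS.

```python
import base64
import hashlib


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): normalize line
    endings to CRLF, drop trailing empty lines, end with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into tag=value pairs, discarding the folding
    whitespace that is allowed inside long values such as b= and bh=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_header_value, body):
    """True when the received body still hashes to the bh= the signer recorded.
    This is only the body-integrity half of DKIM verification: the b= signature
    (which covers bh= and the h= headers) must still be checked with the public
    key published at <s>._domainkey.<d>."""
    tags = parse_dkim_signature(dkim_header_value)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("sha256"):
        return False                  # unsupported version or hash algorithm
    return tags.get("bh") == body_hash(body)


# Constructed sample: the header a signer at example.com would emit for this body.
ORIGINAL_BODY = "Hi,\r\n\r\nPlease approve the attached invoice by Friday.\r\n"
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2023;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE"
)
TAMPERED_BODY = ORIGINAL_BODY.replace("Friday", "today")   # one edited word in transit
```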
OK, so I’ll just use DKIM then!
While DKIM is great, you need to remember that on its own it isn’t a perfect way of validating the email sender’s identity, and it doesn’t prevent the spoofing of the domain visible in the email’s header. These problems are solved by using DMARC, because DMARC requires that the domain the end user sees is the same as the domain that is validated by DKIM and SPF.
How DMARC works:
Since DMARC employs both DKIM and SPF records to validate the sender of an email, DMARC is used by (or highly recommended for) businesses. A DMARC record allows a sender to say that their messages are secured by SPF and/or DKIM, and it instructs a recipient what to do if neither of those authentication techniques succeeds, such as discard or reject the message.
The domain administrator publishes the DMARC policy in a DNS record, defining its email authentication practices and how receiving mail servers should handle mail that violates this policy. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain and then checks: is the DKIM signature valid, did the message come from an authorized source (SPF), and is the domain alignment correct? Depending on the outcome of these checks, the receiving server applies the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
The good thing about DMARC is that the receiving server will report back to the domain owner, at the address defined in the DMARC policy. So you are able to detect if anything went wrong or wasn’t handled the way it was expected.
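The receiver-side decision just described, as an added Python example (not code from the original post): it parses constructed, hypothetical DMARC records, applies strict or relaxed identifier alignment between the visible From domain and the domains SPF and DKIM actually authenticated, and returns the disposition plus the rua= reporting address the policy names.

```python
# Constructed, offline stand-in for the _dmarc.<domain> TXT lookup (hypothetical records).
DMARC_TXT = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def org_domain(domain):
    """Organizational domain, simplified to the last two labels; a real receiver
    consults the public suffix list so that names under e.g. co.uk are handled."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only requires the same organizational domain, so mail.example.com aligns."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM the way a DMARC-aware receiver does.
    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of the
    DKIM signature that verified. Returns (dmarc_result, disposition, report_address)."""
    record = DMARC_TXT.get(from_domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return ("none", "accept", None)          # no policy published: ordinary delivery
    tags = parse_dmarc(record)
    rua = tags.get("rua")                        # where aggregate reports are sent
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:              # one aligned pass is enough for DMARC
        return ("pass", "accept", rua)
    policy = tags.get("p", "none")
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy, "accept")
    return ("fail", disposition, rua)
```

A lookalike sender that passes SPF for its own domain still fails here, because the SPF-authenticated domain does not align with the From domain the user sees.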
Cyber-criminal activity is not going to end anytime soon, so the only logical thing to do is to secure your email domain from fraud. DMARC has benefits regardless of the size of a business. It provides full domain visibility, control over the email traffic, and security from phishers and spoofers. Utilizing all three of these services, you can make sure your email systems are secure, limit spoofing and make sure your emails make it to the intended audience. This is a time investment for your IT team, but it is one that is worth it.