
Email Security 101: How DKIM, SPF, and DMARC Keep Your Messages Safe

Use these 3 technologies to protect your email

The office was frantic. Jerry, the public relations manager, was dealing with damage control. No one knew who sent the emails. IT was checking the outgoing emails and hadn’t found anything yet, but the messages were sent from the company domain.

Sigh. I wish I didn’t have to write another piece on acronyms. But you must know these three to combat email fraud effectively.

In the world of email security, DKIM, SPF, and DMARC provide insight into whether:

1) The email message content is unchanged.

2) The sender is who they say they are.

3) The email server is what it says it is.

Each of these technologies is strengthened by the others, providing better protection for email users from spam, phishing, and spoofing: email fraud in which a cybercriminal or spammer sends an email that appears to come from a trusted sender but actually comes from a different source.

All these things can lead to serious legal problems and a bad reputation for your organization.

DKIM: Signing for security

The DKIM (Domain Keys Identified Mail) standard makes spamming and phishing more challenging by helping you identify forged email addresses.

DKIM uses the same public key cryptography a secure web browser uses (SSL/TLS, the protocol behind HTTPS for shopping online). DKIM digitally signs the email message header and a portion of the message body with a private key so that receivers can verify the authenticity of your email message.

Your email recipient’s email server then uses the public key you published in a Domain Name System (DNS) TXT record to verify the digital signature. This record contains a name (the selector), a version, a key type, and the key itself, and is usually supplied by your email provider for you to publish.

So DKIM confirms your legitimacy as a sender and can help you build a reputation for your brand through a consistent sending history with internet service providers. You should know that DKIM does not encrypt the email text but will detect whether a message was altered in transit.

DKIM should be used in combination with SPF and DMARC for greater security.

Complaints came to Jerry’s company from around the country. The emails used the company logo and had specious links indicative of typical phishing emails, but someone sent them using the company’s email domain. And since they manipulated recipients into logging in to a bogus website, customer personal data was released.

The result was a legal crisis.

SPF: Whitelisting your servers

The second leg of a successful email defense is the SPF (Sender Policy Framework) standard, which uses encryption to authenticate the domain name of an email sender.

The receiving email server checks the SPF record (again in your public DNS) to determine whether the IP address of the sending server is included in the whitelist of servers authorized to send email from your domain.

If the sending server is authorized, the email is verified legitimate; otherwise, the email is marked as potentially suspicious or rejected altogether.
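The check described above, as an added example that is not part of the original article: a receiver-side evaluator for the ip4/ip6/all mechanisms of an SPF record. The record and addresses are constructed for a hypothetical example.com; mechanisms that need extra DNS lookups (include, a, mx) are deliberately out of scope and reported as permerror.

```python
import ipaddress

# Constructed SPF record for the hypothetical domain example.com (not a real record).
# ip4/ip6 list the sending servers the owner authorizes; "-all" tells receivers
# to fail everything else ("~all" would ask for a soft fail instead).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip evaluated against a single TXT record.

    Only ip4, ip6 and all are evaluated here; include:, a, mx and redirect=
    require DNS queries and are reported as 'permerror' in this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:          # explicit +, -, ~ or ? prefix
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":                  # catch-all: decides everything unmatched
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                       # no match; try the next mechanism
        return "permerror"                 # DNS-based mechanism: not handled here
    return "neutral"                       # record ended without an "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.45", "198.51.100.7", "2001:db8:1::25"):
        print(sender, "->", check_spf(EXAMPLE_SPF, sender))
```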

Tech Kahunas recommends using separate IP addresses and subdomains to send your regular business and marketing emails. This practice is recommended to avoid your marketing emails being flagged as spam and your business email delivery and reputation being affected. Tech Kahunas can configure this for you.

Mark, the CEO, was shattered. He had always been cautious. He knew not to click links or open attachments and attended all the security training sessions. But the emails came from his email address. The legal crisis centered on him.

The regular, built-in SMTP protocol for sending email does not protect an email’s “From” field. Spammers and phishing criminals can forge the “From” address field on their bogus emails so that they appear to be coming from one of your users.

But SPF looks at the Return-Path value (the envelope sender), the email address receiving servers use to notify the sending mail server of delivery problems like bounces, and uses that address’s domain to validate the originating server.

SPF should also be combined with DKIM and DMARC for greater security.

DMARC: What will happen to email?

Jerry was in talks with stakeholders. The company used the same domain for marketing and business emails and was vulnerable to email servers marking regular business emails as spam. IT needed to set up a separate domain for the marketing department.

IT set up SPF and DKIM, but Jerry’s company also wanted DMARC (Domain-based Message Authentication, Reporting, and Conformance) set up for the best protection available.

Domain owners can publish a DMARC policy in their DNS records that specifies what should happen to emails that fail SPF and DKIM authentication checks. When your email is received, the recipient’s email server checks your domain for the DMARC policy and applies the policy.
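How a receiver applies a published policy, as an added example rather than code from the article: it parses a constructed DMARC record for a hypothetical example.com, checks whether the SPF and DKIM results are aligned with the visible From domain (strict or relaxed, as the record requests), and returns either a pass or the policy action. It assumes the record was published at the organizational domain, approximates that domain by its last two labels instead of consulting the public-suffix list, and ignores the pct= sampling tag.

```python
# Constructed DMARC record for the hypothetical domain example.com (not a real record).
# p= action for the domain, sp= action for its subdomains, adkim/aspf = strict (s)
# or relaxed (r) alignment, rua= where aggregate reports should be mailed.
EXAMPLE_DMARC = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if it is not a usable policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")   # defaults: relaxed alignment for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplification: the last two labels stand in for the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') to apply.

    from_domain: domain of the visible From: header. spf_domain: Return-Path domain
    SPF checked. dkim_domain: d= of a verified DKIM signature (None if no signature).
    """
    policy = parse_dmarc(record)
    if policy is None:
        return "none"                   # no usable policy: receiver takes no action
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"                   # one aligned, passing check is enough
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        return policy["sp"]             # mail claimed to be from a subdomain
    return policy["p"]
```

A forged message whose SPF passes for the attacker’s own Return-Path domain still fails here, because that pass is not aligned with the From domain.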

Jerry also recommended that the performance of the new configuration be measured regularly to check for progress.

With DMARC, you get reports that provide information on which mail servers are sending messages on behalf of the domain and whether those messages are passing authentication checks so you can identify and address potential issues.

DMARC is an open and free standard; anyone can use it. Remember that not all email service providers fully support the standard on your domain, and that your service provider must set a custom Return-Path for your domain so that SPF results align with your From address.

Putting it all together

SPF, DKIM, and DMARC work together to provide enhanced email security. Combined, they can create a layered defense against email spoofing and phishing attacks.

Additionally, DMARC can provide feedback to domain owners about how their domains are being used in email messages, allowing them to take action to prevent unauthorized use of their domain in email messages and to prevent hits to your reputation from spammers forging your email addresses.

When these three technologies work together, your email recipients are happy. Is it really from Mark or Jerry, or from “XerionThePlague67”? Did Mark write that content? Did it “stop” anywhere on the way?

Proper configuration of these three standards gives you a better look into your email traffic, helps prevent spam, and promotes your marketing emails while protecting your business workflow.

Why are email and sender security so important?

You know that you must educate your users never to respond to or click on any message that asks them to send money or reveal personally identifiable information. But do you know every source of email for your domain? Are spammers trying to spoof your email domain for hacking or fraud opportunities?

Another reason is that cybersecurity insurance providers assess email performance and history as part of your risk profile. If you’re ready and achieve these standards, you will be better prepared when you need the right insurance coverage and are subject to an audit.

Some big names are using the standards

DMARC has helped companies like PayPal, which stopped an estimated 25 million email attacks using the standard (Postmark).

Google itself mandated in November 2022 that new users who send email to a personal Gmail account must set up either SPF or DKIM (Google). The search giant performs random SPF checks on emails from new senders to personal Gmail accounts to verify they are authentic.

Google rejects emails or marks them as spam without at least one of SPF or DKIM in use. If you are an existing sender, this requirement does not apply.

Conclusion: Configure Your Email Right

We recommend you always set up SPF and DKIM to protect your organization’s email and to support future authentication requirements (Google). We also recommend setting up a custom Return-Path with your domain instead of your provider’s to achieve 100% alignment with the DMARC standard.

For the technical setup of SPF, you must create your SPF record and update your domain’s DNS settings.

For DMARC, you must:

  1. Generate a DMARC record and start monitoring.
  2. Analyze your DMARC reports to identify passing, failing, or missing sources. The reports arrive in an XML format that needs to be parsed.
  3. Convert all known email sources so that they are DMARC aligned with DKIM and SPF.

Once configured, DMARC still requires technical analysis of those reports to fully realize its benefits.
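Step 2 above in code, as an added example that is not part of the article: a parser for the XML aggregate report shape defined in RFC 7489 that lists each sending source with its volume and aligned DKIM/SPF verdicts, and picks out the sources that failed. The embedded report is constructed for a hypothetical example.com; the addresses and domains in it are documentation values, not real senders.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 XML shape (not a real receiver's report).
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.23</source_ip><count>37</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""


def summarize_report(xml_text):
    """One dict per <record>: who sent as the domain, how much, and the DMARC verdict.

    policy_evaluated carries the *aligned* DKIM/SPF verdicts DMARC acts on; the raw
    auth_results may show 'pass' for an unaligned domain (see the second record).
    """
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        verdict = row.find("policy_evaluated")
        dkim, spf = verdict.findtext("dkim"), verdict.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim": dkim,
            "spf": spf,
            "disposition": verdict.findtext("disposition"),
            "dmarc_pass": "pass" in (dkim, spf),   # either aligned check passing is enough
        })
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def failing_sources(xml_text):
    """Source IPs that sent mail as the domain but passed neither aligned check."""
    return [r["source_ip"] for r in summarize_report(xml_text) if not r["dmarc_pass"]]
```

Failing sources are either legitimate systems you have not yet brought into SPF/DKIM alignment (step 3) or someone else sending as your domain; the volume column helps tell them apart.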

You may need help to make these settings as simple as possible for your organization. Tech Kahunas provides our customers with a custom DMARC platform that ingests the data and gives you a readable report on email delivery.

Tech Kahunas can help you follow the best email practices that will protect your company’s reputation, help shield you from legal disaster, and further the fight against cybercriminals and spam.

Peter Bondaryk