How SPF, DMARC, and DKIM and Other Email Authentication Techniques Help Protect Against Malware, Ransomware, and Phishing
Imagine a utopian world where you could be sure that you only received email that you wanted, you knew it was from a legitimate sender, and you were sure it was not laced with malware, ransomware, phishing lures or other nefarious trickery. Now wake up! There is no utopia. But, there are specific - and simple - measures you can take to live in a less dystopian email world. And surprisingly, many organizations remain exposed.
In this first of a two-part blog series, we’ll talk about email hygiene. In a follow-on blog, we’ll step past hygiene and into email security itself. Oh, and on that third point - only receiving email that you ’want’ - we’ll have to leave that one to you (but we do empathize).
So, what is email hygiene, exactly? A quick Google search will yield about a half a million listings that talk about verifying and/or removing invalid email addresses from an email list. That is not what we are talking about. Email hygiene in the world of security has to do with configuring a set of email authentication and verification methods that prove to ISPs and mail services that your sending servers are, in fact, authorized to send out email from your domains.
Get your hygiene right and you’ll receive the following business benefits:
- Stops email spoofing/phishing originating from your domain
- Provides important information about the emails you send - which helps to properly authenticate all legitimate emails
- Improves sender reputation and email deliverability - your legitimate emails are more likely to reach the intended recipient's inbox
- Email hygiene is just as important for any of your vendors or partners to manage, and should be a factor in deciding with whom you work. If you are establishing a trust relationship with a vendor, you want to be certain the emails you receive from them ARE actually from them. You cannot do that without proper hygiene settings on your side.
So how do you do this?
Let’s start with a list of hygiene configuration settings, what each means technically, and a snippet that describes the role it plays in plain English.
Sender Policy Framework (SPF). SPF is a simple email validation system designed to detect and prevent email spoofing. When an email is sent, the receiving server checks the sender's domain against a published list of authorized sending IP addresses. If the sending IP address is not on the list, the email is considered to be spoofed and is typically either rejected or flagged as spam. Role - the letter is only delivered from a legitimate 'postman'.
Domain Keys Identified Mail (DKIM). DKIM is another email authentication system that uses digital signatures to verify that an email message has not been tampered with during transit. When an email is sent, a DKIM signature is added to the message header, which can be used by the receiving server to verify the sender's identity and ensure that the message has not been modified. Role - the letter has a 'tamper-resistant wax seal'.
Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC, or Domain-based Message Authentication, Reporting, and Conformance, builds upon the SPF system by adding a mechanism for receiving servers to report back to the sender's domain about messages that pass or fail SPF and DKIM checks. This allows the sender's domain to track the delivery of their emails and take action if they notice any suspicious activity. Role - advertises your SPF and DKIM to the world.
SPF, DKIM and DMARC are the ‘big three’. Together, they form a powerful set of tools for maintaining good email hygiene and protecting against spam, phishing, and other types of online scams, ensuring that your emails are delivered safely and securely, and that your online reputation is protected. Don’t leave any of these unattended. That said, there are a few more that are worthy of your attention:
RUA or 'DMARC Aggregate Report' is an XML file that contains information regarding the authentication of an email. These reports contain details as to which emails have been authenticated using SPF and DKIM, and which have not. RUA is widely supported by email service providers. Role - postmen inform you generally of deliverability issues and spoofing attempts.
DMARC Forensic Report, otherwise known as RUF, is a feature that allows users to view the status of an email that they sent to a particular destination but failed DKIM, SPF, or DMARC authentication. Do note that while RUA is widely adopted, RUF is not supported by all email service providers. Role - postmen share a copy of undeliverable or spoofed mail.
A Brand Indicator Message Identification (BIMI) record is a type of DNS record used to display a company logo inside an email inbox if the email is legitimate. BIMI records are an industry-wide effort to use brand logos as indicators to help email recipients recognize and avoid fraudulent messages. Role - postman is wearing your branded shirt when delivering the letter.
MTA-STS improves Email security by requiring authentication checks and encryption for email sent to your domain. Use Transport Layer Security (TLS) reporting to get information about external server connections to your domain. Role - postmen keep your letter in a locked box.
Now that you are armed with this hygiene configuration knowledge, what should you do? It’s actually quite simple. Get in touch with whoever is in charge of your email service configuration settings, and make sure that each of the above parameters are configured in accordance with your organization’s preferred email hygiene policy. Some administrators will be well familiar with these settings, others perhaps less so. But, there is no argument for leaving it to chance as it is fast and easy to address - and by doing so, you are doing yourself a favor, but also all of the businesses, partners, customers, etc. with which you do business (and you should expect the very same from them).
Of course, it can be tricky to call up IT and say, “Hey, I’m concerned our email hygiene may not be up to snuff,” especially if you have no evidence one way or the other.
To that end, we have conveniently built a free email hygiene analysis for you. Simply enter an email domain and we’ll send you a report in seconds that shows your hygiene rating (Great, Good, OK, Fail). As well, the report will tell you which of the above configuration settings are lax, and which one you should address next for the biggest rating improvement. And, for grins, here is rundown of how the Fortune 500 currently ranks (we checked them too) - you know the organizations that we all hold in high esteem:
39% Great 😃 | 41% Good 😀 | 14% Ok 😐 | 5% Fail 🤕
Of course, maintaining good email hygiene is not a silver bullet. Remember, there is no Utopia. Organizations still need to be vigilant in monitoring their email traffic and taking action if they notice any suspicious activity. This includes regularly checking SPF, DMARC, and DKIM records to ensure they are up to date and properly configured, as well as keeping an eye out for any unusual patterns in the delivery of emails. But by implementing these simple hygiene configurations, any organization can significantly improve safe and secure email delivery, and maintain a respectable online reputation.
Take advantage of our free email hygiene analysis. You have absolutely nothing to lose.
Keep an eye out for the second blog of this two-part series!