Posts

Before we get into how to setup DKIM for your domain, let’s talk a bit about what is DKIM. DKIM, or DomainKeys Identified Mail, is an email authentication protocol that is used for verifying the authenticity of outbound emails. The process involves using a private cryptographic key generated by your mail server which signs each outgoing email message. This ensures your recipients can verify that the emails they receive were sent from your mail server and are not forged. This can improve deliverability and help weed out spam. To place it simply an email from a DKIM enabled mail server contains a digital signature or more correctly, a cryptographic signature, which can be validated by the receiver’s email server.

DKIM was created by combining existing technologies like DomainKeys (from Yahoo) and Identified Internet Mail (from Cisco). It has developed into a widely adopted authentication method, which is known as DKIM and it is also registered as an RFC (Request for Comments) by the IETF (Internet Engineering Task Force). All major ISPs like Google, Microsoft and Yahoo create a digital signature that is embedded in the email header of outgoing emails and validate incoming mail with their own policies.

In the blog we are going to delve into the mechanism used in DKIM to validate your emails and its various advantages, as well as learn about how to setup DKIM for your own domain.

How to Setup DKIM to Protect Your Domain from Spoofing?

The DKIM signature is generated by the MTA and is stored in the list domain. After receiving the email, you can verify the DKIM by using the public key. DKIM as an authentication mechanism that can prove the identity of a message. This signature proves that the message is generated by a legitimate server.

This is especially required since domain spoofing attacks are on the rise in recent times.

What is a DKIM Signature?

In order to use DKIM, you need to decide what should be included in the signature. Typically this is the body of the email and some default headers. You can’t change these elements once they’re set, so choose them carefully. Once you have decided what parts of the email will be included in the DKIM signature, these elements must remain unchanged to maintain a valid DKIM signature.

Not to be confused with DKIM selector, DKIM signature is nothing more than a consortium of arbitrary string values also known as “hash values”. When your domain is configured with DKIM, your sending email server encrypts this value with a private key that only you have access to. This signature ensures that the email you send has not been altered or tampered after it was sent. To validate the DKIM signature, the email receiver will run a DNS query to search for the public key. The public key will have been provided by the organization that owns the domain. If they match, your email is classified as authentic.

How to Setup DKIM in 3 Easy Steps?

In order to implement DKIM easily with PowerDMARC all you need to do is generate your DKIM record using our free DKIM record generator. Your DKIM record is a DNS TXT record that is published in your domain’s DNS. Next you can conduct a free DKIM lookup, using our DKIM record lookup tool. This free tool provides a one-click DKIM check, ensuring that your DKIM record is error-free and valid. However, in order to generate the record, you need to first identify your DKIM selector.

How Do I Identify My DKIM Selector?

A common question often raised by domain owners is how do I find my DKIM? In order to find your DKIM selector, all you need to do is:

1) Send a test mail to your gmail account 

2) Click on the 3 dots next to the email in your gmail inbox

3) Select “show original” 

4) On the “Original Message” page navigate to the bottom of the page to the DKIM signature section and try to locate the “s=” tag, the value of this tag is your DKIM selector. 

DMARC and DKIM

A common question that you may often find yourself asking is whether implementing DKIM is enough? The answer is no. While DKIM helps you encrypt your email messages with a cryptographic signature in order to validate the legitimacy of your senders, it doesn’t provide a way for email receiver’s to respond to messages that fail DKIM. This is where DMARC steps in!

Domain-Based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that helps domain owners take action against messages that fail SPF/DKIM authentication. This in turn minimizes chances of domain spoofing attacks and BEC. DMARC along with SPF and DKIM can improve email deliverability by 10% over time and boost your domain reputation.

Sign up with PowerDMARC today to avail of your free DMARC analyzer trial today!

Why do I Need DKIM? Isn’t SPF Enough?

Remote working has specifically introduced people to an increased number of phishing and cyberattacks. Mostly, the worst amount of phishing attacks are those that one can’t ignore. No matter the amount of work emails being received and sent, and despite the rise in workplace chat and instant messaging apps, for most people working in offices, email continues to dominate the business communication both internally and externally.

However, it’s not a secret that emails are usually the most common entry point for cyberattacks, which involves sneaking malware and exploits into the network and credentials, and reveal the sensitive data. According to data from SophosLabs in September 2020, around 97% of the malicious spam caught by the spam traps were phishing emails, hunting for credentials, or any other information. 

Out of this, the remaining 3% carried a mixed bags of messages that had been carrying links to malicious websites or with those that were booby-trapped attachments. These were mostly hoping to install backdoors, remote access trojans (RATs), information stealer, exploits, or maybe download other malicious files. 

No matter what the source, phishing remains a pretty frighteningly effective tactic for the attackers, whatever their final objective maybe. There are some robust measures all organizations could use to verify as to whether or not an email has come from the person and source that it claims to have come from.

How Does DKIM Come to Rescue?

It must be ensured that an organization’s email security should be able to keep a check on every email that’s incoming, which would be against the authentication rules being set by the domain that the email appears to have come from. DomainKeys Identified Mail (DKIM) is one that helps look into an inbound email, in order to check if nothing has been altered. In case of those emails that are legitimate, DKIM would definitely be finding a digital signature which would be linked to a specific domain name.

This domain name would be attached to the header of the email, and there would be a corresponding encryption key back at the source domain. The greatest advantage of DKIM is that it provides a digital signature on your email headers so that the servers receiving it can cryptographically authenticate those headers, deeming it to be valid and original.

These headers are typically signed as ‘From’, ‘To’, ‘Subject’ and ‘Date’.

Why Do You Need DKIM?

Experts in the field of cybersecurity state that DKIM is pretty much needed in the day to day scenario for securing official emails. In DKIM, the signature is being generated by the MTA (Mail Transfer Agent), that creates a unique string of characters called the Hash Value.

Further, the hash value is being stored in the listed domain, which after receiving the email, the receiver could verify the DKIM signature by using the public key that is being registered in the Domain Name System (DNS). After this, this key is being used to decrypt the Hash Value in the header, and also recalculate the hash value from the email that it received.

After this, the experts would be finding out that if these two DKIM signatures are a match, then the MTA would be knowing that the email hasn’t been altered. Additionally, the user is being given further confirmation that the email was being actually sent from the listed domain.

DKIM, which was being originally formed by merging two station keys, Domain keys (the one created by Yahoo) and Identified Internet Mail (by Cisco) in 2004, and has been developing into a new widely adopted authentication technique that makes an organization’s email procedure pretty trustworthy, and which is specifically why leading tech companies like Google, Microsoft and Yahoo always check incoming mail for DKIM signatures.

DKIM Vs. SPF

Sender Policy Framework (SPF) is a form of email authentication that defines a process in order to validate an email message, one that has been sent from an authorized mail server in order to detect forgery and to prevent scam.

While most people hold the opinion that both SPF and DKIM must be used in organizations, but DKIM certainly has an added advantage over the others. The reasons are as follows:

  • In DKIM, the domain owner publishes a cryptographic key, which is being specifically formatted as a TXT record in the overall DNS record
  • The unique DKIM signature that is being attached to the header of the message makes it more authentic
  • Using DKIM proves out to be more fruitful because the DKIM key used by inbound mail servers to detect and decrypt the message’s signature proves the message to be more authentic, and unaltered.

In Conclusion

For most business organizations, not only would DKIM protect their businesses from phishing and spoofing attacks, but DKIM would also be helping in protecting customer relationships and brand reputation.

This is specifically important as DKIM provides an encryption key and a digital signature which doubly proves that an email wasn’t forged or altered. These practices would help organizations and businesses move one step closer improving their email deliverability and sending a secure email, that would be helping in generating revenue. Mostly, it depends on organizations as to how they would be using it and implementing the same. This is most important and relatable as most organizations would be wanting to free themselves from cyber attacks and threats.

As a DMARC services provider, we get asked this question a lot: “If DMARC just uses SPF and DKIM authentication, why should we bother with DMARC? Isn’t that just unnecessary?”

On the surface it might seem to make little difference, but the reality is very different. DMARC isn’t just a combination of SPF and DKIM technologies, it’s an entirely new protocol by itself. It has several features that make it one of the most advanced email authentication standards in the world, and an absolute necessity for businesses.

But wait a minute. We’ve not answered exactly why you need DMARC. What does it offer that SPF and DKIM don’t? Well, that’s a rather long answer; too long for just one blog post. So let’s split it up and talk about SPF first. In case you’re not familiar with it, here’s a quick intro.

What is SPF?

SPF, or Sender Policy Framework, is an email authentication protocol that protects the email receiver from spoofed emails. It’s essentially a list of all IP addresses authorized to send email through your (the domain owner) channels. When the receiving server sees a message from your domain, it checks your SPF record that’s published on your DNS. If the sender’s IP is in this ‘list’, the email gets delivered. If not, the server rejects the email.

As you can see, SPF does a pretty good job keeping out a lot of unsavoury emails that could harm your device or compromise your organisation’s security systems. But SPF isn’t nearly as good as some people might think. That’s because it has some very major drawbacks. Let’s talk about some of these problems.

Limitations of SPF

SPF records don’t apply to the From address

Emails have multiple addresses to identify their sender: the From address that you normally see, and the Return Path address that’s hidden and require one or two clicks to view. With SPF enabled, the receiving email server looks at the Return Path and checks the SPF records of the domain from that address.

The problem here is that attackers can exploit this by using a fake domain in their Return Path address and a legitimate (or legitimate-looking) email address in the From section. Even if the receiver were to check the sender’s email ID, they’d see the From address first, and typically don’t bother to check the Return Path. In fact, most people aren’t even aware there is such a thing as Return Path address.

SPF can be quite easily circumvented by using this simple trick, and it leaves even domains secured with SPF largely vulnerable.

SPF records have a DNS lookup limit

SPF records contain a list of all the IP addresses authorized by the domain owner to send emails. However, they have a crucial drawback. The receiving server needs to check the record to see if the sender is authorized, and to reduce the load on the server, SPF records have a limit of 10 DNS lookups.

This means that if your organization uses multiple third party vendors who send emails through your domain, the SPF record can end up overshooting that limit. Unless properly optimized (which isn’t easy to do yourself), SPF records will have a very restrictive limit. When you exceed this limit, the SPF implementation is considered invalid and your email fails SPF. This could potentially harm your email delivery rates.

 

SPF doesn’t always work when the email is forwarded

SPF has another critical failure point that can harm your email deliverability. When you’ve implemented SPF on your domain and someone forwards your email, the forwarded email can get rejected due to your SPF policy.

That’s because the forwarded message has changed the email’s recipient, but the email sender’s address stays the same. This becomes a problem because the message contains the original sender’s From address but the receiving server is seeing a different IP. The IP address of the forwarding email server isn’t included within the SPF record of original sender’s domain. This could result in the email being rejected by the receiving server.

How does DMARC solve these issues?

DMARC uses a combination of SPF and DKIM to authenticate email. An email needs to pass either SPF or DKIM to pass DMARC and be delivered successfully. And it also adds one key feature that makes it far more effective than SPF or DKIM alone: Reporting.

With DMARC reporting, you get daily feedback on the status of your email channels. This includes information about your DMARC alignment, data on emails that failed authentication, and details about potential spoofing attempts.

If you’re wondering about what you can do to not get spoofed, check out our handy guide on the top 5 ways to avoid email spoofing.

As organisations set up charity funds around the world to fight Covid-19, a different sort of battle is being waged in the electronic conduits of the internet. Thousands of people around the world have fallen prey to email spoofing during the coronavirus pandemic. It’s become increasingly common to see cybercriminals use real domain names of these organisations in their emails to appear legitimate.

In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world, requesting donations to the Solidarity Response Fund. The sender’s address was ‘[email protected]’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine. After all, the domain belonged to the real WHO.

donate response fund

However, this has only been one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the sender is using a real domain name, how can we distinguish a legitimate email from a fake one? Why are cybercriminals so easily able to employ email domain spoofing on such a large organisation?

And how do entities like WHO find out when someone is using their domain to launch a phishing attack?

Email is the most widely used business communication tool in the world, yet it’s a completely open protocol. On its own, there’s very little to monitor who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. In fact, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the leading causes of it.

In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed. SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of flaws. DMARC, which was developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and has a mechanism that sends the domain owner a report whenever an email fails DMARC validation.

This means the domain owner is notified whenever an email sent by an unauthorised third party. And crucially, they can tell the email receiver how to handle unauthenticated mail: let it go to inbox, quarantine it, or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks we face. So why doesn’t it?

Can DMARC Prevent Domain Spoofing?

Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to DNS. According to a study, only 44.9% of Alexa top 1 million domains had a valid SPF record published in 2018, and as little as 5.1% had a valid DMARC record. And this is despite the fact that domains without DMARC authentication suffer from spoofing nearly four times as much as domains that are secured. There’s a lack of serious DMARC implementation across the business landscape, and it’s not gotten much better over the years. Even organisations like UNICEF have yet to implement DMARC with their domains, and the White House and US Department of Defense both have a DMARC policy of p = none, which means they’re not being enforced.

A survey conducted by experts at Virginia Tech has brought to light some of the most serious concerns cited by major companies and businesses that have yet to use DMARC authentication:

  1. Deployment Difficulties: The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.
  2. Benefits Not Outweighing the Costs: DMARC authentication typically has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the new protocol has kept many companies from incorporating DMARC into their systems.
  3. Risk of Breaking the Existing System: The relative newness of DMARC makes it more prone to improper implementation, which brings up the very real risk of legitimate emails not going through. Businesses that rely on email circulation can’t afford to have that happening, and so don’t bother adopting DMARC at all.

Recognising Why We Need DMARC

While the concerns expressed by businesses in the survey have obvious merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks. As the coronavirus email spoofing scams have taught us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people using it grows, the chances of catching an infection go down dramatically.

There are real, viable solutions to this problem that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:

  1. Reducing Friction in Implementation: The biggest hurdle standing in the way of a company adopting DMARC are the deployment costs associated with it. The economy is in doldrums and resources are scarce. Which is why PowerDMARC along with our industrial partners Global Cyber Alliance (GCA) are proud to announce a limited-time offer during the Covid-19 pandemic — 3 months of our full suite of apps, DMARC implementation and anti-spoofing services, completely free. Get your DMARC solution set up in minutes and start monitoring your emails using PowerDMARC now.
  2. Improving Perceived Usefulness: For DMARC to have a major impact on email security, it needs a critical mass of users to publish their SPF, DKIM and DMARC records. By rewarding DMARC-authenticated domains with a ’Trusted’ or ‘Verified’ icon (like with the promotion of HTTPS among websites), domain owners can be incentivised to get a positive reputation for their domain. Once this reaches a certain threshold, domains protected by DMARC will be viewed more favourably than ones that aren’t.
  3. Streamlined Deployment: By making it easier to deploy and configure anti-spoofing protocols, more domains will be agreeable to DMARC authentication. One way this could be done is by allowing the protocol to run in a ’Monitoring mode’, allowing email administrators to assess the impact it has on their systems before going for a full deployment.

Every new invention brings with it new challenges. Every new challenge forces us to find a new way to overcome it. DMARC has been around for some years now, yet phishing has existed for far longer. In recent weeks, the Covid-19 pandemic has only given it a new face. At PowerDMARC, we’re here to help you meet this new challenge head on. Sign up here for your 3-month PowerDMARC deployment for absolutely free, so that while you stay home safe from coronavirus, your domain is safe from email spoofing.