Posts

Email authentication standards: SPF, DKIM, and DMARC are showing promise in cutting down on email spoofing attempts and improving email deliverability. While differentiating spoofed (fake) emails from legitimate ones, email authentication standards go further in distinguishing if an email is legitimate by verifying the identity of the sender.

As more organizations adopt these standards, the overall message of trust and authority in email communication will begin to reassert itself. Every business that depends on email marketing, project requests, financial transactions, and the general exchange of information within or across companies needs to understand the basics of what these solutions are designed to accomplish and what benefits they can get out of them.

What is Email Spoofing?

Email spoofing is a common cybersecurity issue encountered by businesses today. In this article, we will understand how spoofing works and the various methods to fight it. We will learn about the three authentication standards used by email providers − SPF, DKIM, and DMARC to stop it from happening.

Email spoofing can be classified as an advanced social engineering attack that uses a combination of sophisticated techniques to manipulate the messaging environment and exploit legitimate features of email. These emails will often appear entirely legitimate, but they are designed with the intention of gaining access to your information and/or resources. Email spoofing is used for a variety of purposes ranging from attempts to commit fraud, to breach security, and even to try to gain access to confidential business information. As a very popular form of email forgery, spoofing attacks aim to deceive recipients into believing that an email was sent from a business they use and can trust, instead of the actual sender. As emails are increasingly being sent and received in bulk, this malicious form of email scam has increased dramatically in recent years.

How can Email Authentication Prevent Spoofing?

Email authentication helps you verify email sending sources with protocols like SPF, DKIM, and DMARC to prevent attackers from forging domain names and launch spoofing attacks to trick unsuspecting users. It provides verifiable information on email senders that can be used to prove their legitimacy and specify to receiving MTAs what to do with emails that fail authentication.

Hence, to enlist the various benefits of email authentication, we can confirm that SPF, DKIM, and DMARC aid in:

  • Protecting your domain from phishing attacks, domain spoofing, and BEC
  • Providing granular information and insights on email sending sources
  • Improving domain reputation and email deliverability rates
  • Preventing your legitimate emails from being marked as spam

How Do SPF, DKIM, and DMARC Work Together to Stop Spoofing?

Sender Policy Framework

SPF is an email authentication technique used to prevent spammers from sending messages on behalf of your domain. With it, you can publish authorized mail servers, giving you the ability to specify which email servers are permitted to send emails on behalf of your domain. An SPF record is stored in the DNS, listing all the IP addresses that are authorized to send mail for your organization.

If you want to leverage SPF in a way that would ensure its proper functioning, you need to ensure that SPF doesn’t break for your emails. This could happen in case you exceed the 10 DNS lookup limit, causing SPF permerror. SPF flattening can help you stay under the limit and authenticate your emails seamlessly.

DomainKeys Identified Mail

Impersonating a trusted sender can be used to trick your recipient into letting their guard down. DKIM is an email security solution that adds a digital signature to every message that comes from your customer’s inbox, allowing the receiver to verify that it was indeed authorized by your domain and enter your site’s trusted list of senders.

DKIM affixes a unique hash value, linked to a domain name, to each outgoing email message, allowing the receiver to check that an email claiming to have come from a specific domain was indeed authorized by the owner of that domain or not. This ultimately helps to pick up on spoofing attempts.

Domain-based Message Authentication, Reporting and Conformance

Simply implementing SPF and DKIM can help verify sending sources but isn’t effective enough to stop spoofing on their own. In order to stop cybercriminals from delivering fake emails to your recipients, you need to implement DMARC today. DMARC helps you align email headers to verify email From addresses, exposing spoofing attempts and fraudulent use of domain names. Moreover, it gives domain owners the power to specify to email receiving servers how to respond to emails failing SPF and DKIM authentication. Domain owners can choose to deliver, quarantine, and reject fake emails based on the degree of DMARC enforcement they need.

Note: Only a DMARC policy of reject allows you to stop spoofing.

Additionally, DMARC also offers a reporting mechanism to provide domain owners with visibility on their email channels and authentication results. By configuring your DMARC report analyzer, you can monitor your email domains on a regular basis with detailed information on email sending sources, email authentication results, geolocations of fraudulent IP addresses, and the overall performance of your emails. It helps you parse your DMARC data into an organized and readable format, and take action against attackers faster.

Ultimately, SPF, DKIM, and DMARC can work together to help you catapult your organization’s email security to new heights, and stop attackers from spoofing your domain name to safeguard your organization’s reputation and credibility.

Before we get into how to setup DKIM for your domain, let’s talk a bit about what is DKIM. DKIM, or DomainKeys Identified Mail, is an email authentication protocol that is used for verifying the authenticity of outbound emails. The process involves using a private cryptographic key generated by your mail server which signs each outgoing email message. This ensures your recipients can verify that the emails they receive were sent from your mail server and are not forged. This can improve deliverability and help weed out spam. To place it simply an email from a DKIM enabled mail server contains a digital signature or more correctly, a cryptographic signature, which can be validated by the receiver’s email server.

DKIM was created by combining existing technologies like DomainKeys (from Yahoo) and Identified Internet Mail (from Cisco). It has developed into a widely adopted authentication method, which is known as DKIM and it is also registered as an RFC (Request for Comments) by the IETF (Internet Engineering Task Force). All major ISPs like Google, Microsoft and Yahoo create a digital signature that is embedded in the email header of outgoing emails and validate incoming mail with their own policies.

In the blog we are going to delve into the mechanism used in DKIM to validate your emails and its various advantages, as well as learn about how to setup DKIM for your own domain.

How to Setup DKIM to Protect Your Domain from Spoofing?

The DKIM signature is generated by the MTA and is stored in the list domain. After receiving the email, you can verify the DKIM by using the public key. DKIM as an authentication mechanism that can prove the identity of a message. This signature proves that the message is generated by a legitimate server.

This is especially required since domain spoofing attacks are on the rise in recent times.

What is a DKIM Signature?

In order to use DKIM, you need to decide what should be included in the signature. Typically this is the body of the email and some default headers. You can’t change these elements once they’re set, so choose them carefully. Once you have decided what parts of the email will be included in the DKIM signature, these elements must remain unchanged to maintain a valid DKIM signature.

Not to be confused with DKIM selector, DKIM signature is nothing more than a consortium of arbitrary string values also known as “hash values”. When your domain is configured with DKIM, your sending email server encrypts this value with a private key that only you have access to. This signature ensures that the email you send has not been altered or tampered after it was sent. To validate the DKIM signature, the email receiver will run a DNS query to search for the public key. The public key will have been provided by the organization that owns the domain. If they match, your email is classified as authentic.

How to Setup DKIM in 3 Easy Steps?

In order to implement DKIM easily with PowerDMARC all you need to do is generate your DKIM record using our free DKIM record generator. Your DKIM record is a DNS TXT record that is published in your domain’s DNS. Next you can conduct a free DKIM lookup, using our DKIM record lookup tool. This free tool provides a one-click DKIM check, ensuring that your DKIM record is error-free and valid. However, in order to generate the record, you need to first identify your DKIM selector.

How Do I Identify My DKIM Selector?

A common question often raised by domain owners is how do I find my DKIM? In order to find your DKIM selector, all you need to do is:

1) Send a test mail to your gmail account 

2) Click on the 3 dots next to the email in your gmail inbox

3) Select “show original” 

4) On the “Original Message” page navigate to the bottom of the page to the DKIM signature section and try to locate the “s=” tag, the value of this tag is your DKIM selector. 

DMARC and DKIM

A common question that you may often find yourself asking is whether implementing DKIM is enough? The answer is no. While DKIM helps you encrypt your email messages with a cryptographic signature in order to validate the legitimacy of your senders, it doesn’t provide a way for email receiver’s to respond to messages that fail DKIM. This is where DMARC steps in!

Domain-Based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that helps domain owners take action against messages that fail SPF/DKIM authentication. This in turn minimizes chances of domain spoofing attacks and BEC. DMARC along with SPF and DKIM can improve email deliverability by 10% over time and boost your domain reputation.

Sign up with PowerDMARC today to avail of your free DMARC analyzer trial today!

Why do I Need DKIM? Isn’t SPF Enough?

Remote working has specifically introduced people to an increased number of phishing and cyberattacks. Mostly, the worst amount of phishing attacks are those that one can’t ignore. No matter the amount of work emails being received and sent, and despite the rise in workplace chat and instant messaging apps, for most people working in offices, email continues to dominate the business communication both internally and externally.

However, it’s not a secret that emails are usually the most common entry point for cyberattacks, which involves sneaking malware and exploits into the network and credentials, and reveal the sensitive data. According to data from SophosLabs in September 2020, around 97% of the malicious spam caught by the spam traps were phishing emails, hunting for credentials, or any other information. 

Out of this, the remaining 3% carried a mixed bags of messages that had been carrying links to malicious websites or with those that were booby-trapped attachments. These were mostly hoping to install backdoors, remote access trojans (RATs), information stealer, exploits, or maybe download other malicious files. 

No matter what the source, phishing remains a pretty frighteningly effective tactic for the attackers, whatever their final objective maybe. There are some robust measures all organizations could use to verify as to whether or not an email has come from the person and source that it claims to have come from.

How Does DKIM Come to Rescue?

It must be ensured that an organization’s email security should be able to keep a check on every email that’s incoming, which would be against the authentication rules being set by the domain that the email appears to have come from. DomainKeys Identified Mail (DKIM) is one that helps look into an inbound email, in order to check if nothing has been altered. In case of those emails that are legitimate, DKIM would definitely be finding a digital signature which would be linked to a specific domain name.

This domain name would be attached to the header of the email, and there would be a corresponding encryption key back at the source domain. The greatest advantage of DKIM is that it provides a digital signature on your email headers so that the servers receiving it can cryptographically authenticate those headers, deeming it to be valid and original.

These headers are typically signed as ‘From’, ‘To’, ‘Subject’ and ‘Date’.

Why Do You Need DKIM?

Experts in the field of cybersecurity state that DKIM is pretty much needed in the day to day scenario for securing official emails. In DKIM, the signature is being generated by the MTA (Mail Transfer Agent), that creates a unique string of characters called the Hash Value.

Further, the hash value is being stored in the listed domain, which after receiving the email, the receiver could verify the DKIM signature by using the public key that is being registered in the Domain Name System (DNS). After this, this key is being used to decrypt the Hash Value in the header, and also recalculate the hash value from the email that it received.

After this, the experts would be finding out that if these two DKIM signatures are a match, then the MTA would be knowing that the email hasn’t been altered. Additionally, the user is being given further confirmation that the email was being actually sent from the listed domain.

DKIM, which was being originally formed by merging two station keys, Domain keys (the one created by Yahoo) and Identified Internet Mail (by Cisco) in 2004, and has been developing into a new widely adopted authentication technique that makes an organization’s email procedure pretty trustworthy, and which is specifically why leading tech companies like Google, Microsoft and Yahoo always check incoming mail for DKIM signatures.

DKIM Vs. SPF

Sender Policy Framework (SPF) is a form of email authentication that defines a process in order to validate an email message, one that has been sent from an authorized mail server in order to detect forgery and to prevent scam.

While most people hold the opinion that both SPF and DKIM must be used in organizations, but DKIM certainly has an added advantage over the others. The reasons are as follows:

  • In DKIM, the domain owner publishes a cryptographic key, which is being specifically formatted as a TXT record in the overall DNS record
  • The unique DKIM signature that is being attached to the header of the message makes it more authentic
  • Using DKIM proves out to be more fruitful because the DKIM key used by inbound mail servers to detect and decrypt the message’s signature proves the message to be more authentic, and unaltered.

In Conclusion

For most business organizations, not only would DKIM protect their businesses from phishing and spoofing attacks, but DKIM would also be helping in protecting customer relationships and brand reputation.

This is specifically important as DKIM provides an encryption key and a digital signature which doubly proves that an email wasn’t forged or altered. These practices would help organizations and businesses move one step closer improving their email deliverability and sending a secure email, that would be helping in generating revenue. Mostly, it depends on organizations as to how they would be using it and implementing the same. This is most important and relatable as most organizations would be wanting to free themselves from cyber attacks and threats.

As a DMARC services provider, we get asked this question a lot: “If DMARC just uses SPF and DKIM authentication, why should we bother with DMARC? Isn’t that just unnecessary?”

On the surface it might seem to make little difference, but the reality is very different. DMARC isn’t just a combination of SPF and DKIM technologies, it’s an entirely new protocol by itself. It has several features that make it one of the most advanced email authentication standards in the world, and an absolute necessity for businesses.

But wait a minute. We’ve not answered exactly why you need DMARC. What does it offer that SPF and DKIM don’t? Well, that’s a rather long answer; too long for just one blog post. So let’s split it up and talk about SPF first. In case you’re not familiar with it, here’s a quick intro.

What is SPF?

SPF, or Sender Policy Framework, is an email authentication protocol that protects the email receiver from spoofed emails. It’s essentially a list of all IP addresses authorized to send email through your (the domain owner) channels. When the receiving server sees a message from your domain, it checks your SPF record that’s published on your DNS. If the sender’s IP is in this ‘list’, the email gets delivered. If not, the server rejects the email.

As you can see, SPF does a pretty good job keeping out a lot of unsavoury emails that could harm your device or compromise your organisation’s security systems. But SPF isn’t nearly as good as some people might think. That’s because it has some very major drawbacks. Let’s talk about some of these problems.

Limitations of SPF

SPF records don’t apply to the From address

Emails have multiple addresses to identify their sender: the From address that you normally see, and the Return Path address that’s hidden and require one or two clicks to view. With SPF enabled, the receiving email server looks at the Return Path and checks the SPF records of the domain from that address.

The problem here is that attackers can exploit this by using a fake domain in their Return Path address and a legitimate (or legitimate-looking) email address in the From section. Even if the receiver were to check the sender’s email ID, they’d see the From address first, and typically don’t bother to check the Return Path. In fact, most people aren’t even aware there is such a thing as Return Path address.

SPF can be quite easily circumvented by using this simple trick, and it leaves even domains secured with SPF largely vulnerable.

SPF records have a DNS lookup limit

SPF records contain a list of all the IP addresses authorized by the domain owner to send emails. However, they have a crucial drawback. The receiving server needs to check the record to see if the sender is authorized, and to reduce the load on the server, SPF records have a limit of 10 DNS lookups.

This means that if your organization uses multiple third party vendors who send emails through your domain, the SPF record can end up overshooting that limit. Unless properly optimized (which isn’t easy to do yourself), SPF records will have a very restrictive limit. When you exceed this limit, the SPF implementation is considered invalid and your email fails SPF. This could potentially harm your email delivery rates.

 

SPF doesn’t always work when the email is forwarded

SPF has another critical failure point that can harm your email deliverability. When you’ve implemented SPF on your domain and someone forwards your email, the forwarded email can get rejected due to your SPF policy.

That’s because the forwarded message has changed the email’s recipient, but the email sender’s address stays the same. This becomes a problem because the message contains the original sender’s From address but the receiving server is seeing a different IP. The IP address of the forwarding email server isn’t included within the SPF record of original sender’s domain. This could result in the email being rejected by the receiving server.

How does DMARC solve these issues?

DMARC uses a combination of SPF and DKIM to authenticate email. An email needs to pass either SPF or DKIM to pass DMARC and be delivered successfully. And it also adds one key feature that makes it far more effective than SPF or DKIM alone: Reporting.

With DMARC reporting, you get daily feedback on the status of your email channels. This includes information about your DMARC alignment, data on emails that failed authentication, and details about potential spoofing attempts.

If you’re wondering about what you can do to not get spoofed, check out our handy guide on the top 5 ways to avoid email spoofing.