Did you know that 14.5 billion spam emails are sent every single day?
Want to know how you can help stop this?
I’m going to show you how you can implement SPF, DKIM and DMARC controls for your email.
This will stop attackers from using your email while cutting down on the spam you receive.
Let’s get started.
Before we dive too deep, let’s be sure we explain:
What is SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are three security controls that you can add to email to make it more secure. Basically, they are records (like DNS) that you can add to your domain to tell email recipients which servers are allowed to send email on your behalf and what to do with imposters.
That’s the high level.
Now let’s dive into this a little deeper.
But first, you have to understand how email works.
How email works
Email is not a point-to-point communication method.
Instead, when you send an email, it is relayed over a series of servers before it reaches its destination.
When you send an email from your computer, your email provider then relays that email to the provider of the recipient.
This is where emails get insecure.
There are actually two addresses in your email – the header address and the envelope address.
You can think of it like a package.
Often times, when you send a package, there is an address on the outside of the box, but there’s also a letter on the inside of the box with recipient information.
The problem with email is that historically, those addresses where received without being checked.
Thus, SPF, DKIM and DMARC were introduced.
How do SPF, DKIM, and DMARC work?
Like we mentioned previously, they are DNS records – the system that tells the internet where everything is.
Think about the internet as huge highway.
There are numbered exits; but it’s much easier to remember “the Los Angeles Airport Exit” than exit “99” right?
DNS tells computers that the exit for “Los Angeles Airport” is exit 99.
SPF – Sender Policy Framework
What is SPF? (Sender Policy Framework)
Sender Policy Framework is a DNS record that is added to your domain that tells email recipients which IP addresses or mail servers are permitted to send emails for your domain.
Here’s how SPF works:
1 First, the domain owner must add the SPF record to their DNS authority (usually the domain registrar – the place where you purchased your domain).
The record looks something like this:
v=spf1 ip22.214.171.124 include:another-domain-that-can-send-email.com -all
The IP is the ip address(es) of your mail server.
The include statement are secondary domains that can send emails for you domain.
So, if you’re using convertkit for your email marketing, for example, you’d need to add them to the include statement.
And finally, the all tag tells the recipient server how to handle the emails.
For an in depth guide on all of the variations, check out this post.
The mail server receiving mail from your domain check the DNS records.
The address in the FROM field we discussed earlier is the address that the mail server will look up SPF records for.
If the IP address is wrong, a hard fail occurs.
When the recipient mail server gets an email from @cyberx.tech, as an example, but the IP address the mail came from is not one of the permitted ones, the recipient server will reject the email or quarantine it.
When no SPF record exists, a soft fail happens
Now, should the recipient server check the DNS records for @cyberx.tech and not find an SPF record, what we call a soft fail occurs.
Usually, this will cause the email to go to the spam folder, but occasionally it could mean that the email is rejected.
What is a DKIM record?
A DKIM (DomainKeys Identified Mail) record is an email signing method that uses public-key cryptography for verifying that a message’s contents are trustworthy. The record helps recipients validate the integrity of an email.
DKIM uses public key cryptography to verify that emails haven’t been altered.
Let’s start with a quick explanation of public key cryptography.
Traditional cryptography uses a single key to encrypt and decrypt data.
The problem with this is when you need to send the data to someone else, how do you get them the key securely?
To solve this, public key cryptography uses a pair (2) of keys to encrypt and decrypt the data.
Here’s how it works.
Bob has a public key and a private key.
When someone wants to send Bob a message, they encrypt it with his public key.
Bob receives the message and wants to read it, so he uses the only key that will decrypt it – his private key (the secret key that he doesn’t share with anyone).
Public key cryptography uses pairs of keys.
So, back to DKIM
DKIM is a form of public key cryptography used for emails.
The email sender publishes their public key as a DNS record with their domain registrar.
Then, when an email is sent, a special signature is added inside of the email header.
This signature is made by using the private key to hash the email from address and the body.
When the recipient does the same thing using the public key, they can tell if someone has tried to tamper with the email in transit.
What is a DMARC record?
In short, a DMARC (Domain Message Authentication Reporting Compliance) record is an email security control that is added via DNS to tell your email recipients how they should handle emails that fail SPF or DKIM.
So. DMARC is really a way that email senders can help cut down on spam and spoofing.
It provides a way for email senders to specify what should happen with emails that fail SPF and DKIM checks.
One of its main goals is to help reduce false positives.
Here’s how it works:
When an email server receives an email, they first check to see if a DMARC record is in place.
Then, it proceeds to check SPF and DKIM.
If either fail, the email server will take appropriate measures depending on the DMARC’s specifications.
One really nice thing about DMARC is that you can add a policy to send spam & spoofed email reports to an address of your choosing.
Then, when organizations receive fake emails from your organization, you will be notified.
The downside of SPF, DKIM, and DMARC
While implementing SPF, DKIM and DMARC are great attempts at preventing email fraud, they are not complete.
The first problem is simply that not everyone is using the controls.
SPF has a big draw back too.
If you use the IP address of your mail server, you can run into issues if you are using shared hosting or common email services like GSuite and Office 365.
An attacker can use them to and bypass the SPF checks.
That being said, you should still enable SPF, DKIM and DMARC for your organization’s email.