Introduction

With an estimated 200 billion emails being sent and received each and every day, it’s incredible to believe that just one in five of those emails are for legitimate purposes. It is estimated that over 90% of all illegitimate (spam) emails are phishing (spear, clone, whaling) attempts that include links to potentially malicious content. Spam is a big problem… but thankfully a problem in slow decline thanks to three email security standards: SPF, DKIM, and DMARC (and to a lesser extent TLS). You can’t hide from the fact that your corporate email is critical to your business, and as such needs protecting. In this article I’ll walk you through what the SPF, DKIM, and DMARC standards bring to the table.
1. SPF – Sender Policy Framework (RFC 4408)

It is important to mention that Sender Policy Framework (SPF) is not a standard designed to protect you from spam: according to openspf.org, it is concerned with controlling and stopping attempted sender forgeries. SPF helps make sure your corporate emails are actually coming from you, thus building email recipient confidence.
There are four types of email abuse commonly associated with email sender forgery:
- Spam (unsolicited bulk email & unsolicited commercial email).
- Fraudsters (advanced-fee scams).
- Malware (adware, zero days, viruses, trojans, etc.).
- Phishers (spear, clone, whaling).
1.1 How does SPF work?

SPF is a Domain Name System (DNS) text (TXT) record that lists the servers allowed to send your corporate email for a specific domain. Because the SPF record lives in DNS, the list is authoritative for the domain: only the domain owner (whoever controls the zone) can amend it. Broadly speaking SPF works as follows:
- During the SMTP transaction (HELO and MAIL FROM), the receiving mail server extracts the claimed sender domain.
- The receiving mail server runs a DNS TXT query against the claimed domain to fetch its SPF record.
- The SPF record is then used to verify that the connecting server is permitted to send for that domain.
- If the check fails, a rejection message is returned to the sending server.
1.2 Implementing SPF

There are many configuration options to consider when setting up your SPF DNS TXT record. Thankfully here at Hobo Digital we do this for you for free on all of our domain hosting packages. A straightforward record may look like:
v=spf1 +a +mx +ip4:192.168.0.1 ~all
- +a – All the A records for the domain are tested. If the client IP is found among them, this mechanism matches.
- +mx – All the A records for all the MX records for the domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.
- +ip4 – Allow sending from the listed IP address (or CIDR range).
- ~all – The all mechanism always matches, so it goes at the end of the record as the catch-all. The ~ qualifier marks anything reaching it as a softfail (suspect, but not rejected outright) rather than the hard fail of -all.
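To show how a receiver walks the record above term by term, here is an added example (not part of the original article or any SPF library) that evaluates the a, mx, ip4 and all mechanisms with their qualifiers. DNS answers come from a constructed in-memory table standing in for a resolver, so the domain names and addresses are assumptions.

```python
import ipaddress

# Constructed stub DNS data (not real records), keyed by (name, rrtype).
# It plays the role of the resolver a receiving mail server would query.
STUB_DNS = {
    ("example.org", "TXT"): ["v=spf1 +a +mx +ip4:192.168.0.1 ~all"],
    ("example.org", "A"): ["203.0.113.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.25"],
}

def lookup(name, rrtype):
    return STUB_DNS.get((name, rrtype), [])

# SPF qualifiers: the result returned when the mechanism they prefix matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, domain, client_ip):
    """Return True if one SPF mechanism (a, mx, ip4, all) matches client_ip."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True                      # always matches: the catch-all
    if name == "ip4":                    # a single address or a CIDR range
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":                      # A records of the domain (or the argument)
        return str(client_ip) in lookup(arg or domain, "A")
    if name == "mx":                     # A records of each MX host
        return any(str(client_ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
    # Real evaluators also handle include, redirect, exists, ptr and the lookup limit.
    raise ValueError(f"unsupported mechanism: {name}")

def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record for client_ip and return the SPF result."""
    client_ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:                # no record, or an ambiguous duplicate
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(term.lstrip("+-~?"), domain, client_ip):
            return QUALIFIERS[qualifier] # first matching term decides
    return "neutral"                     # fell off the end without a match
```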
2.1 How does DKIM work?

DKIM is another DNS TXT entry, this time containing the public half of a DKIM signing key. Broadly speaking DKIM works as follows:
- The last server within the domain infrastructure checks its internal settings to see whether the domain used in the “From:” header is included in its “signing table”. If not, the process stops here.
- A new header, called “DKIM-Signature”, is added to the message; it is produced by signing the message content with the private part of the key.
- From here on the message body cannot be modified, otherwise the DKIM header will no longer match.
- Upon receipt, the receiving server makes a DNS TXT query to retrieve the public key named in the DKIM-Signature field.
- The result of the DKIM check can then be used when deciding whether a message is fraudulent or trustworthy.
2.2 Implementing DKIM

There are many configuration options to consider when setting up your DKIM DNS TXT record. Thankfully here at Hobo Digital we do this for you for free on all of our domain hosting packages. Take a look at dkim.org for details. There are online wizards you can use to create the public/private key pair and the policy record: you just enter your sending domain and a ‘selector’, a label that identifies which key record is being published. Use DMARCanalyzer.com to check your DKIM record.
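The “message body cannot be modified” step above rests on the bh= tag of the DKIM-Signature header, which carries a hash of the canonicalized body. This added example (written for this article, not taken from any DKIM implementation) computes that body hash with “simple” canonicalization and shows a receiver detecting a changed body; the message text is constructed, the b= signature over the headers is omitted as a placeholder, and input line endings are normalized to CRLF as an assumption.

```python
import base64
import hashlib

def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and
    leave exactly one CRLF at the end (an empty body becomes a single CRLF)."""
    # Assumption: constructed bodies may use bare LF; real messages carry CRLF already.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes) -> str:
    """Value of the bh= tag: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value 'k=v; k=v' into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """The receiver's first check: recompute bh= over the body it received."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body)

# Constructed message (not a real signed mail). The signer computes bh= once.
ORIGINAL_BODY = b"Hello,\n\nYour invoice is attached.\n\n\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER")

# A body altered in transit no longer matches the signed hash.
TAMPERED_BODY = b"Hello,\n\nYour invoice is attached. Please pay to the new account below.\n"
```

Trailing blank lines are stripped by canonicalization, so they alone do not break the hash; any change to the text does.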
DMARC is another tool to combat malicious email. For mail servers that honour it, DMARC states how to treat messages that fail SPF and DKIM, as well as how to report back to you, giving you much-needed visibility into your delivery rates and record compliance.
3.1 How does DMARC work?
Guess what? DMARC is another DNS TXT entry. Broadly speaking DMARC works as follows:
- Upon receipt, the receiving mail server checks whether the domain used by the SPF and/or DKIM checks publishes a DMARC policy.
- If one or both of the SPF and DKIM checks succeed and the authenticated domain is aligned with the “From:” header domain as the DMARC policy requires, the check is considered successful; otherwise it is set as failed.
- If the check fails, the action taken depends on the policy published in the DMARC record.
3.2 Implementing DMARC

There are many configuration options to consider when setting up your DMARC DNS TXT record. A straightforward record may look like this:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; sp=none; fo=1;
- p – Policy to apply to email that fails the DMARC check. Can be “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows.
- rua – The list of URIs for receivers to send aggregate (XML) feedback reports to. This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:firstname.lastname@example.org”. External destination verification is tested if applicable.
- ruf – The list of URIs for receivers to send forensic reports to. This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:email@example.com”. External destination verification is tested if applicable.
- sp – Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a “wildcard” sub-domain policy.
- fo – Forensic reporting options. Possible values: “0” to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, “1” to generate reports if any mechanism fails, “d” to generate a report if the DKIM signature failed to verify, “s” if SPF failed.