Enhanced email protection using SPF, DKIM, DMARC (and TLS)

You can't filter out the fact that your corporate email is critical to your business, and as such needs protecting. Let's talk SPF, DKIM & DMARC (and TLS).

Introduction

With an estimated 200 billion emails being sent and received each and every day, it’s incredible to believe that just one in five of those emails are for legitimate purposes. It is estimated that over 90% of all illegitimate (spam) emails are phishing (spear, clone, whaling) attempts that include links to potentially malicious content. Spam is a big problem… but thankfully a problem in slow decline thanks to three email security standards: SPF, DKIM, and DMARC (and to a lesser extent TLS). You can’t hide from the fact that your corporate email is critical to your business, and as such needs protecting. In this article I’ll walk you through what the SPF, DKIM, and DMARC standards bring to the table.

1. SPF – Sender Policy Framework (RFC 4408)

It is important to mention that Sender Policy Framework (SPF) is not a standard designed to protect you from SPAM; according to openspf.org it is concerned with controlling and stopping attempted sender forgeries. SPF helps to make sure your corporate emails are actually coming from you, thus building email recipient confidence.

There are four types of email abuse commonly associated with email sender forgery:

  • Spam (unsolicited bulk email & unsolicited commercial email).
  • Fraudsters (advanced-fee scams).
  • Malware (adware, zero days, viruses, trojans, etc.).
  • Phishers (spear, clone, whaling).
For obvious reasons you do not want your corporate domain associated with any of these activities.

1.1 How does SPF work?

SPF is a Domain Name System (DNS) text (TXT) entry which provides a list of servers that should be considered authorised to send your corporate email for a specific domain. The fact that SPF is a DNS entry makes the list authoritative for the domain, since only the domain’s owner (or their DNS administrator) is allowed to amend the domain zone. Broadly speaking SPF works as follows:
  • During the SMTP conversation (HELO followed by the sender address) the receiving mail server records the claimed sender address.
  • The receiving mail server runs a TXT DNS query against the claimed domain to fetch its SPF entry.
  • The SPF entry data is then used to verify the sending server.
  • If the check fails, a rejection message is given to the sending server.

1.2 Implementing SPF

There are many configuration options to consider when setting up your SPF DNS TXT record. Thankfully here at Hobo Digital we do this for you for free on all of our domain hosting packages. A straightforward record may look like:
v=spf1 +a +mx +ip4:192.168.0.1 ~all
  • +a – All the A records for the domain are tested. If the client IP is found among them, this mechanism matches.
  • +mx – All the A records for all the MX records for the domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.
  • +ip4 – Allow mail from the listed IPv4 address.
  • ~all – The all mechanism always matches, which is why it usually goes at the end of the SPF record as the catch-all; the ~ qualifier marks a match as a softfail rather than a hard fail.
Take a look at the SPF Record Syntax specification for details. Use a service like DMARCanalyzer.com to check your SPF record.
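The following is an added example (not Hobo Digital’s code or tooling) showing how a receiving server evaluates a record like the one above. It walks the mechanisms left to right, resolves a/mx against a constructed in-memory DNS table (FAKE_DNS, so it runs offline), and returns the result implied by the qualifier of the first matching mechanism; the hostnames, IP addresses and function names are all assumptions. It covers a, mx, ip4, ip6 and all; include, exists, ptr and the redirect modifier are deliberately skipped.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (assumption, not real data).
# "A" lists the address records for a host; "MX" lists the MX hostnames in priority order.
FAKE_DNS = {
    "example.org": {"A": ["203.0.113.10"], "MX": ["mail1.example.org", "mail2.example.org"]},
    "mail1.example.org": {"A": ["203.0.113.20"]},
    "mail2.example.org": {"A": ["203.0.113.21"]},
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_a(host, dns=FAKE_DNS):
    return dns.get(host, {}).get("A", [])


def lookup_mx(host, dns=FAKE_DNS):
    return dns.get(host, {}).get("MX", [])


def check_spf(record, domain, client_ip, dns=FAKE_DNS):
    """Evaluate an spf1 record for client_ip.

    Returns (result, matched_term). result is one of pass/fail/softfail/neutral,
    or "none" when the record is not a valid spf1 record. If no mechanism
    matches, the result is "neutral" (the RFC default). Unsupported terms
    (include, exists, ptr, redirect=, exp=) are skipped in this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # A records of the argument host, or of the domain being checked
            matched = str(ip) in lookup_a(arg or domain, dns)
        elif name == "mx":
            # A records of every MX host, in MX priority order
            matched = any(str(ip) in lookup_a(mx, dns) for mx in lookup_mx(arg or domain, dns))
        elif name in ("ip4", "ip6"):
            # a bare address is treated as a /32 (or /128) network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # unsupported mechanism/modifier in this example
        if matched:
            return (QUALIFIERS[qualifier], qualifier + term)
    return ("neutral", None)


if __name__ == "__main__":
    record = "v=spf1 +a +mx +ip4:192.168.0.1 ~all"
    for client in ("203.0.113.10", "203.0.113.21", "192.168.0.1", "198.51.100.5"):
        print(client, "->", check_spf(record, "example.org", client))
```

Running the block shows the first three constructed client addresses passing via +a, +mx and +ip4 respectively, while the unlisted address falls through to ~all and gets softfail: the receiver then decides (typically via DMARC) whether that softfail is enough to reject.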

2. DKIM – DomainKeys Identified Mail (dkim.org & RFC 5585)

DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorised by the owner of that domain. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.

2.1 How does DKIM work?

DKIM is another DNS TXT entry, this time containing the public half of the DKIM signing key. Broadly speaking DKIM works as follows:
  • The last server within the domain infrastructure checks its internal settings to see whether the domain used in the “From:” header is included in its “signing table”. If not, the process stops here.
  • A new header, called “DKIM-Signature”, is added to the mail message by signing the message content with the private part of the key.
  • From here on the message body content cannot be modified, otherwise the DKIM signature will no longer verify.
  • Upon receipt the receiving server makes a TXT DNS query to retrieve the public key named in the DKIM-Signature field.
  • The DKIM header check result can then be used when deciding if a message is fraudulent or trustworthy.

2.2 Implementing DKIM

There are many configuration options to consider when setting up your DKIM DNS TXT record. Thankfully here at Hobo Digital we do this for you for free on all of our domain hosting packages. Take a look at dkim.org for details. Here are two online wizards you can use to create the public/private key pair and the policy record. You just enter your sending domain and a ‘selector’ – a name that tells receivers which public key record to look up in DNS. Use a service like DMARCanalyzer.com to check your DKIM record.
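As an added example (not code from Hobo Digital or dkim.org), the block below shows the receiver-side steps from 2.1 that can be demonstrated with the standard library alone: parsing the tag=value pairs of a DKIM-Signature header, deriving the DNS name to query from the selector (s=) and domain (d=), and recomputing the body hash (bh=) so that any change to the body is detected. The RSA signature itself (the b= tag) is left as a labelled placeholder because it needs a key pair; the message text, domain and selector are constructed.

```python
import base64
import hashlib


def canonicalize_body_simple(body):
    """'simple' body canonicalization as used for the bh= hash: CRLF line
    endings, trailing empty lines removed, body ends with exactly one CRLF
    (an empty body becomes a single CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse 'k=v; k=v; ...' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def dkim_dns_name(tags):
    """The TXT record the receiver queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def make_signature_header(domain, selector, body):
    """Signer side (simplified): build the DKIM-Signature value.
    b= would hold the RSA signature over the listed headers; it is a
    placeholder here (assumption) so the example stays stdlib-only."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")


def body_hash_matches(header_value, body):
    """Receiver side: does the body we received hash to the bh= the signer computed?"""
    tags = parse_dkim_tags(header_value)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    # Constructed message (assumption): domain, selector and text are illustrative.
    original = "Hello,\r\nYour invoice is attached.\r\n"
    header = make_signature_header("example.org", "mail2019", original)
    tags = parse_dkim_tags(header)
    print("public key record to fetch:", dkim_dns_name(tags))
    print("untouched body verifies:", body_hash_matches(header, original))
    print("altered body verifies:", body_hash_matches(header, original + "P.S. new text\r\n"))
```

The DNS name printed is exactly what the receiving server queries for in step four of 2.1; the two verification lines show why the body cannot be altered in transit without the check failing. Bare-LF line endings and extra trailing blank lines still verify, because canonicalization normalises them before hashing.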

3. DMARC – Domain-based Message Authentication, Reporting & Conformance (dmarc.org & RFC 7489)

DMARC is another tool to combat malicious email. For mail servers that listen, DMARC relays how to treat SPF and DKIM, as well as how to report back to you, giving you much needed visibility into your delivery rates and record compliance.

3.1 How does DMARC work?

Guess what? DMARC is another DNS TXT entry.

Broadly speaking DMARC works as follows:
  • Upon receipt the receiving mail server checks whether a DMARC policy has been published for the domain in the message’s “From:” header, the domain against which the SPF and DKIM results are measured.
  • If one or both of the SPF and DKIM checks succeed and the domain they authenticated is aligned with that “From:” domain as the DMARC policy requires, then the check is considered successful; otherwise it is set as failed.
  • If the check fails, different actions are taken based on the action published by the DMARC policy.

3.2 Implementing DMARC

There are many configuration options to consider when setting up your DMARC DNS TXT record. A straightforward record may look like this:
v=DMARC1; p=none; rua=mailto:address@example.org; ruf=mailto:address@example.org; sp=none; fo=1;
  • p – Policy to apply to email that fails the DMARC check. Can be “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows.
  • rua – The list of URIs for receivers to send XML aggregate feedback to. This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:address@example.org”. External destination verification is tested if applicable.
  • ruf – The list of URIs for receivers to send forensic reports to. This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:address@example.org”. External destination verification is tested if applicable.
  • sp – Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a “wildcard” sub-domain policy.
  • fo – Forensic reporting options. Possible values: “0” to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, “1” to generate reports if any mechanism fails, “d” to generate a report if the DKIM signature failed to verify, “s” if SPF failed.
To ease implementation and analysis consider using a service like DMARCanalyzer.com, which can also be used to view your DMARC records.

4. TLS – Transport Layer Security (RFC 5246)

TLS is just a grown-up Secure Sockets Layer (SSL) that mail servers can use to submit messages to each other over public connections: it’s SMTP wrapped in TLS. Many other protocols can run over TLS as well, for example FTP over TLS. It should be noted that TLS only encrypts messages in transit, not at rest. TLS is something you should use wherever possible.

Conclusion

So what’s the message behind all this? Should I use these tools or not? The short answer is: “Yes!”. The longer answer is that everybody should, and eventually will in future. The caveat being that having a perfectly functional email system with all the above security standards enforced will not make you 100% safe from the bad guys out there, but it will make it difficult for them.