In this era of sophisticated modern cyberattacks, how can you be sure that the email in your inbox is really from your bank? Can the link within it really be trusted?

Avoiding this uncertainty is exactly what sender fraud protection through the implementation of SPF, DKIM and DMARC is designed to do. This article will explain how the SPF, DKIM and DMARC email authentication protocols help combat sender forgeries, and will explore how to secure the inbox against fraudulent emails that may result in attacks on your organization leading to data theft, fraudulent wire transfers, significant, costly downtime and serious damage to your reputation.

Email Spoofing: A Favorite Technique among Cyber Criminals

Email Spoofing - a form of email fraud in which a malicious actor sends an email with a fraudulent “From” address - is a tactic frequently used in phishing attacks and other malicious email scams. In a spoofing attack, the sender forges an email header so that the client software displays the fraudulent sender address, which most users take at face value. By masquerading as an individual or organization that the recipient knows and trusts, attackers are more likely to trick users into disclosing sensitive information, as recipients are more likely to click on a malicious URL, share credentials, install malware or wire corporate funds when it appears as if an email is from a known and trusted sender. Having an effective strategy in place to protect against email spoofing is critical, as spoofing is used in the majority of modern phishing scams, which account for over 90% of all cyberattacks.

What Are SPF, DKIM and DMARC and How Do These Protocols Protect Against Sender Fraud?

SPF, DKIM and DMARC are three protocols - or standards put in place for systems or devices to better communicate - used to verify sender identity and confirm the legitimacy of email communications. Let’s examine the purpose for each of these protocols and the mechanisms it employs to combat spoofing and sender fraud.

SPF

SPF (Sender Policy Framework) is an open standard that specifies a method for preventing sender address forgery - ensuring that the emails you send are actually coming from you. The purpose of SPF is to control and prevent sender fraud, as opposed to proactively eliminating spam email. SPF is most valuable as a warning sign for email service providers, as the protocol only works on a domain in the Simple Mail Transfer Protocol (SMTP) sending protocol.

SPF enables providers and organizations to identify their domain’s legitimate mail sources and prevent unauthorized sources from sending fraudulent emails from their domain. With SPF in place, recipients can check a list of IP addresses to verify that emails they receive are from an authorized domain.

DKIM

DKIM (DomainKeys Identified Mail) is a TXT record published in an organization’s Domain Name System (DNS) that provides a method for validating a domain name identity associated with a message through cryptographic authentication using public-key cryptography. In this method, public and private key pairs are generated to keep mail servers and communications authenticated. Each outgoing SMTP server needs the right private key and prefix in order to match a public DNS record that the receiving mail server then verifies. In simpler terms, DKIM uses keys to ensure that an email sender is indeed who they say they are, and that a message hasn’t been altered in transit. 

Implementing DKIM enables providers and recipients to associate a single domain or multiple domains (if multiple DKIM signatures have been placed on an email) with each signed message, and build a log of “trusted” and “untrusted” emails associated with given domains, IP addresses and From: identities. This provides them with the option of  only allowing mail from “trusted” senders to be delivered.

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps senders and recipients work together to create more secure email communications by adding an “identity check” to all inbound messages. DMARC is considered a strong anti-phishing and anti-spoofing protocol, as it helps maintain "domain reputation", which can be used by providers and recipients to determine whether an email received from a sender actually came from that sender and not spoofed address.

DMARC enables a sender to indicate that their messages are protected with SPF and/or DKIM, and applies clear instructions for the recipient to follow if an email does not pass SPF or DKIM authentication (reject, junk, etc.). DMARC then sends a report back to the sender about messages that PASS and/or FAIL DMARC evaluation. An email passing both SPF and DKIM authentications indicates that the message is coming from an authorized server and that the header information has not been tampered with to falsify alignment. An email passing at least one of the two authentication protocols proves that the sender owns the DNS space of the “Friendly-From” - the name and address that indicate how the sender wants to be identified - and is therefore who they claim to be. 

Limitations of SFP, DKIM and DMARC

While the SPF, DKIM and DMARC protocols are instrumental in protecting against attacks that leverage sender fraud, they are not a “silver bullet” in the realm of email security. The three protocols work best when used together, but even then have potential deficiencies that must be considered prior to implementation. For instance, SPF records apply to Return-Path domains which are hidden in the header of an email, not the "From" address that an email client displays to the user. Thus, users generally pay attention to the “From” address, not the Return-Path domains. While SPF alone won't provide sufficient protection against sender forgeries, it’s an additional layer of protection that, combined with DKIM and DMARC, can improve delivery rates and prevent abuse. In order to be truly effective in combating spoofing and sender fraud, these protocols should be implemented as part of a multi-layered email security solution managed by an expert provider who understands how to implement them to their fullest as part of a defense-in-depth approach to protecting sensitive information and preventing email fraud.

Key Takeaways

Having an effective email security strategy in place that implements SPF, DKIM and DMARC is critical in setting up key standards and barriers for online communications, preventing sender fraud and spoofing - techniques used in the majority of modern cyberattacks. It is crucial to keep in mind that fortifying business email against today’s sophisticated attacks requires a defense-in-depth approach to security, and email authentication protocols should be implemented as part of a comprehensive strategy towards protecting business email, preferably managed by a reputable email security provider.

Email risk has been drastically heightened due to the pandemic, and this elevated risk will persist in years to come, as cyber thieves now have mechanisms in place to distribute attacks exploiting the latest trends. No organization can afford to overlook the importance of having email authentication protocols in place as part of a multi-layered email defense strategy, as an attack or breach can result in data theft, financial loss, reputation damage, significant, costly downtime, or worse - permanent closure.

We’re here to help! Interested in learning more about how you can implement SPF, DKIM and DMARC as part of a layered, fully-managed solution? Speak with a Security Expert Today>

Blog Articles