Sigh. I wish I didn’t have to write another piece on acronyms. But there are three you must know to combat email fraud effectively.
In the world of email security, DKIM, SPF, and DMARC together answer three questions about a message:
1) Was the content changed after it was sent? (DKIM)
2) Is the domain shown in the From line really the sender’s? (DMARC, which ties the From domain to the SPF and DKIM results)
3) Was the message handed over by a server that domain authorized? (SPF)
Each of these technologies is strengthened by the others, providing better protection for email users from spam, phishing, and spoofing (email fraud in which a cybercriminal or spammer sends an email that appears to come from a trusted sender but comes from a different source). These attacks can lead to serious legal problems and damage to your organization’s reputation. Cyber-savvy business leaders are having their IT staff implement these standards.
DKIM: Signing for security
The DKIM (DomainKeys Identified Mail) standard combats spamming and phishing attacks by letting a receiving server detect mail that was forged in your domain’s name or altered after it left you. How does it work, and what can it do for you?
DKIM uses the same public-key cryptography that protects an HTTPS session in your browser (TLS, the successor to SSL). Your outbound mail server signs selected message headers (From, Subject, Date, and so on) plus a hash of the message body with a private key, and attaches the result as a DKIM-Signature header that names your domain (d=) and a key selector (s=).
Your recipient’s mail server then fetches the matching public key from a DNS TXT record under your domain (at selector._domainkey.yourdomain.com) and checks the signature. The record holds the version (v=DKIM1), the key type (k=rsa), and the public key itself (p=); your email provider normally generates the key pair and gives you the record to publish.
So, a valid DKIM signature ties the message to your domain, which matters because you can build a reputation for your brand through a consistent sending history with mailbox providers. You should know that DKIM does not encrypt the email text; it only detects whether the signed headers or the body were altered in transit.
DKIM should be used in combination with SPF and DMARC for greater security.
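The following is an added example, not code from the original article: it shows the body-integrity half of DKIM in plain Python. It parses the tag=value syntax shared by the DKIM-Signature header and the DNS TXT record, applies the “simple” and “relaxed” body canonicalizations from RFC 6376, computes the bh= body hash, and checks it against a header. The RSA signature over the headers (the b= tag) is left out because it needs a private key; the sample body, domain and selector are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample body for this example (not from the article).
CONSTRUCTED_BODY = "Hi team,  \r\n\r\nPlease review the attached invoice.\r\n\r\n\r\n"


def parse_tags(value):
    """Parse a DKIM tag=value list. The same syntax is used by the
    DKIM-Signature header and by the selector._domainkey TXT record."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # unfold folded header whitespace
    return tags


def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 s3.4 body canonicalization: 'simple' only normalizes line
    endings and trailing blank lines; 'relaxed' also ignores trailing
    whitespace and collapses runs of whitespace inside a line."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                       # trailing empty lines are not covered by the hash
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, mode="relaxed", length=None):
    """The bh= value: base64(SHA-256) of the canonicalized body, optionally
    truncated to the first `length` bytes when the signer uses the l= tag."""
    canon = canonicalize_body(body, mode)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def make_signature_header(body, domain, selector, body_mode="relaxed"):
    """Build the DKIM-Signature header a signer would attach. The b= tag is
    left empty: the RSA signature over the listed headers needs a private
    key and is out of scope for this example."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{body_mode}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, body_mode)}; b=")


def dns_record_name(signature_header):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(body, signature_header):
    """The body-integrity half of DKIM verification: recompute bh= and compare.
    A mismatch means the body was altered after signing."""
    tags = parse_tags(signature_header)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    if not tags.get("a", "rsa-sha256").endswith("sha256"):
        raise ValueError("only *-sha256 algorithms are handled here")
    return body_hash(body, body_mode, length) == tags.get("bh")
```

Two things worth noticing when you run it: relaxed canonicalization tolerates the whitespace changes that mail servers commonly make, while simple canonicalization does not; and the l= tag limits the hash to a prefix of the body, so anything appended after that prefix is not covered by the signature.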
SPF: Whitelisting your servers
The second leg of a successful email defense is the SPF (Sender Policy Framework) standard, a DNS record that lists the servers authorized to send mail for your domain. SPF involves no encryption or signatures at all; it is a plain-text policy that receiving servers look up.
SPF works this way: the receiving email server looks up the SPF TXT record (again in your public DNS) and checks whether the IP address of the connecting server is covered by the mechanisms listed there (ip4:, ip6:, a:, include:, and so on).
If it is, the message passes SPF. If it is not, the result depends on the record’s final qualifier: -all means fail (that server had no business sending for you) and ~all means softfail (treat as suspicious). What a receiver does with a failure on its own is up to the receiver; it is DMARC that tells it what you want.
Tech Kahunas recommends using separate IP addresses and subdomains to send regular business and marketing emails. This practice is recommended to avoid your marketing emails being flagged as spam and your business email delivery and reputation being affected. Tech Kahunas can configure this for you.
The plain SMTP protocol does not protect an email’s “From” header at all, so spammers and phishing criminals can write any “From” address they like and make bogus emails appear to come from one of your users.
SPF never even looks at that header. It checks the envelope sender, the address given in the SMTP MAIL FROM command and recorded as the Return-Path, which is where receiving servers send delivery problems like bounces, and uses that domain to validate the originating server. That is why SPF on its own cannot stop “From” forgery: an attacker can use an envelope domain they control and still display your address in “From”. DMARC closes that gap by requiring the two domains to align.
SPF should also be combined with DKIM and DMARC for greater security.
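An added example (not from the original article) of what a receiving server does with the SPF record: it parses the mechanisms, checks the connecting IP against them, recurses into include:, honours the qualifier on the matching term, and enforces the RFC 7208 limit of ten DNS-querying terms. The DNS data is a constructed in-memory dictionary standing in for real lookups; the domains and addresses are documentation ranges, not real hosts.

```python
import ipaddress

# Constructed DNS data for this example; none of these are real records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 a:mx1.example.com include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
FAKE_A = {"mx1.example.com": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(domain, ip, txt=FAKE_TXT, a_records=FAKE_A, _lookups=None):
    """Evaluate SPF for a connection from `ip` whose MAIL FROM is @domain.
    Returns pass/fail/softfail/neutral/none/permerror like a real checker."""
    if _lookups is None:
        _lookups = [0]                      # counter shared across include: recursion
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # no SPF published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # `in` is False when the address family differs, so ip4: never matches an IPv6 client
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech in ("a", "include"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_TERMS:
                return "permerror"
            if mech == "a":
                if str(addr) in a_records.get((arg or domain).lower(), []):
                    return QUALIFIERS[qual]
            else:
                sub = check_spf(arg, ip, txt, a_records, _lookups)
                if sub in ("none", "permerror"):
                    return "permerror"      # an include: of a missing/broken record is an error
                if sub == "pass":
                    return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
        else:
            return "permerror"              # mx:, exists:, redirect= etc. are not modelled here
    return "neutral"                        # record ended without a match and without 'all'
```

The lookup counter matters in practice: every include: you add for a SaaS provider consumes part of the ten-lookup budget, and a record that exceeds it returns permerror for everyone, which DMARC treats the same as a failure.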
DMARC: What will happen to email?
IT set up SPF and DKIM, but Jerry’s company also wanted IT to set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) for the best protection available.
DMARC works by publishing a policy in a DNS TXT record at _dmarc.yourdomain.com that tells receivers what to do with mail that carries your domain in the “From” header but passes neither aligned SPF nor aligned DKIM: p=none (deliver, just report), p=quarantine (send to spam), or p=reject (refuse delivery). When your email is received, the recipient’s email server looks up the DMARC record for the “From” domain and applies the policy.
Jerry also recommended that the performance of the new configuration be measured regularly to check for progress.
With DMARC, you get important reports that provide information on which mail servers are sending messages on behalf of the domain and whether those messages are passing authentication checks so you can identify and address potential issues.
DMARC is an open and free standard; anyone can use it. Remember that not all email service providers fully support it for your domain. In particular, for SPF to count toward DMARC the Return-Path must use your domain rather than the provider’s, so your provider must let you set a custom Return-Path (and, likewise, must sign DKIM with your domain as d=).
DMARC May Fail When…
DMARC has been known to fail for the following reasons:
Misconfigured DNS Records: Incorrectly configured or missing DMARC records can lead to failures.
Incorrect DMARC Policies: Setting overly restrictive DMARC policies without proper testing can result in legitimate email being rejected.
Lack of Alignment: DMARC passes only if SPF passes and the Return-Path domain matches the “From” header domain, or DKIM passes and the d= domain in the signature matches the “From” header domain (exactly under strict alignment, or at the organizational-domain level under the default relaxed alignment). SPF or DKIM passing on some other domain, such as your provider’s bounce domain, does nothing for DMARC.
Email Forwarding: A forwarded message arrives from the forwarder’s IP address, which is not in your SPF record, so SPF fails; the “From” header itself is unchanged. DMARC still passes as long as the DKIM signature survives, but forwarders and mailing lists that rewrite the subject, add footers, or re-encode the body break the signature, and the message then fails DMARC. (ARC, Authenticated Received Chain, exists for this case but is not universally supported.)
Unauthenticated Senders: If a legitimate source of your mail, such as a ticketing system or a marketing platform, does not send from an SPF-listed server or sign with your DKIM key, its mail fails DMARC. Domains that stay at p=none to accommodate such sources get reporting but no protection against spoofing.
Phishing Attacks on Subdomains: A subdomain without its own DMARC record falls under the organizational domain’s policy, or under the sp= subdomain policy if you set one. A subdomain with a weaker record of its own, or sp=none on the parent, can be targeted in phishing attacks; separate DMARC policies may be needed for subdomains.
False Negatives: DMARC only protects your exact domain. An attacker who registers a look-alike domain, or who puts your name in the display name next to an unrelated address, can authenticate that mail perfectly and DMARC will pass it. Receivers’ anti-phishing heuristics and user training have to cover this case.
Legacy Systems: Enforcement happens at the receiving server, so a legacy inbound system that does not check DMARC gives your users no protection, and a legacy outbound system that cannot DKIM-sign or send from an SPF-listed address must be routed through a relay that can, or it will fail your own policy.
Inadequate Reporting: Proper DMARC implementation requires continuous monitoring and reporting. If organizations do not regularly review DMARC reports and act on the information, they may not be aware of issues and vulnerabilities.
Overlooked Email Services: Organizations may forget to configure DMARC policies for all email services they use, leaving some channels vulnerable to spoofing.
Third-Party Services: Organizations that use third-party email services, such as marketing or customer support platforms, may face challenges in configuring DMARC correctly for these services.
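The DMARC evaluation described in the section above, and the alignment, forwarding, and subdomain failure modes listed just now, as an added example that is not part of the original article. Given the “From” domain and the raw SPF and DKIM results with the domains they were checked against, it finds the applicable record (falling back to the organizational domain, where sp= applies), tests alignment under strict or relaxed mode, and returns the DMARC result and disposition. The DNS record is constructed for the example, and the organizational-domain function is a two-label simplification; a real implementation uses the Public Suffix List.

```python
# Constructed DNS data for this example (not a real record).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@example.com",
}


def org_domain(domain):
    """Organizational domain. Assumption: the last two labels (example.com).
    A real implementation consults the Public Suffix List so co.uk etc. work."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc_record(txt):
    """Parse the tag=value pairs of a DMARC TXT record; None if not a valid record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def find_dmarc_policy(header_from, dns=FAKE_DNS):
    """Look up _dmarc.<From domain>; fall back to the organizational domain,
    in which case the subdomain policy (sp=, defaulting to p=) applies."""
    rec = parse_dmarc_record(dns.get(f"_dmarc.{header_from.lower()}", ""))
    if rec:
        return rec, False
    org = org_domain(header_from)
    if org != header_from.lower():
        rec = parse_dmarc_record(dns.get(f"_dmarc.{org}", ""))
        if rec:
            return rec, True
    return None, False


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (dmarc_result, disposition). DMARC passes on ONE aligned,
    passing authenticator: SPF on the Return-Path domain or DKIM on d=."""
    rec, is_subdomain = find_dmarc_policy(header_from, dns)
    if rec is None:
        return "none", "none"        # no policy published: DMARC does not apply
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, rec.get("adkim", "s" if False else "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = rec.get("sp", rec["p"]) if is_subdomain else rec["p"]
    return "fail", policy
```

The cases in the accompanying checks are the ones from the list above: a forwarded message (SPF fails, DKIM survives, DMARC passes), a provider sending with its own Return-Path and its own DKIM domain (both raw checks pass, nothing aligns, the mail is rejected), a subdomain picking up sp=, strict adkim= refusing a parent-domain signature, and a look-alike domain that DMARC simply does not apply to.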
Putting it all together
While SPF, DKIM, and DMARC can work alone, they work together to provide enhanced email security. Combined, they can create a layered defense against email spoofing and phishing attacks.
Additionally, DMARC can provide important feedback to domain owners about how their domains are being used in email messages, allowing them to take action to prevent unauthorized use of their domain in email messages and to prevent hits to your reputation from spammers forging your email addresses.
When these three technologies work together, your email recipients are happy. Is it really from Mark or Jerry–or “XerionThePlague67”? Did Mark write that content? Did it “stop” anywhere on the way?
Proper configuration of these three standards gives you a better look into your email traffic, helps prevent spam, and promotes your marketing emails while protecting your business workflow.
Why are email and sender security so important?
You know that you must educate your users never to respond to or click on any message that asks them to send money or reveal personally identifiable information. But do you know every source of email for your domain? Are spammers trying to spoof your email domain for hacking or fraud opportunities?
Another reason is that cybersecurity insurance providers assess email authentication and sending history as part of your risk profile. If you have these standards in place, you will be better positioned when you need the right coverage and when you are subject to an audit.
Some big names are using the standards
DMARC has helped companies like PayPal, which stopped an estimated 25 million email attacks using the standard(Postmark).
Google itself mandated in November 2022 that new senders who send email to personal Gmail accounts must set up either SPF or DKIM (Google). The search giant performs random SPF checks on emails from new senders to personal Gmail accounts to verify they are authentic.
Google rejects or marks as spam email from new senders that has neither SPF nor DKIM. If you are an existing sender, this particular requirement does not apply.
Conclusion: Configure Your Email Right
We recommend you always set up SPF and DKIM to protect your organization’s email and to support future authentication requirements (Google). We also recommend setting up a custom Return-Path with your domain instead of your provider’s to achieve 100% alignment with the DMARC standard.
For the technical setup of SPF, your IT experts must create your SPF record and update your domain’s DNS settings.
For DMARC, you must:
- Generate a DMARC record and start monitoring.
- Analyze your DMARC reports, identifying passing, failing, or missing sources. The report comes in an XML format that needs to be parsed.
- Convert all known email sources to have DMARC aligned with DKIM and SPF.
DMARC requires technical analysis to read the reports once configured to fully realize its benefits.
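An added example, not from the original article, of the parsing step in the procedure above: it reads a DMARC aggregate (rua) report with Python’s standard XML library and sorts each sending source into one of three buckets. Sources whose SPF or DKIM result was aligned are fine; sources that authenticate but under some other domain are usually legitimate third-party senders that need a custom Return-Path or DKIM key; sources that pass nothing are either spoofing or a channel you have not found yet. The report below is constructed for the example and trimmed to the elements the code uses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report for this example; not a real report from any receiver.
CONSTRUCTED_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>900</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten each <record> into a dict. policy_evaluated holds the ALIGNED
    verdicts DMARC used; auth_results holds the raw SPF/DKIM outcomes."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        raw_dkim = [d.findtext("result") for d in auth.findall("dkim")] if auth is not None else []
        raw_spf = [s.findtext("result") for s in auth.findall("spf")] if auth is not None else []
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw_dkim_pass": "pass" in raw_dkim,
            "raw_spf_pass": "pass" in raw_spf,
        })
    return rows


def classify(entry):
    """Triage bucket for one source, as described in the lead-in."""
    if entry["dkim_aligned"] or entry["spf_aligned"]:
        return "aligned"
    if entry["raw_dkim_pass"] or entry["raw_spf_pass"]:
        return "unaligned_third_party"
    return "unauthenticated"


def triage(xml_text):
    """Message counts per bucket; the numbers to watch week over week."""
    buckets = defaultdict(int)
    for entry in parse_aggregate_report(xml_text):
        buckets[classify(entry)] += entry["count"]
    return dict(buckets)


def sources_needing_alignment(xml_text):
    """IPs that authenticate under the wrong domain: the list to take to your providers."""
    return [e["source_ip"] for e in parse_aggregate_report(xml_text)
            if classify(e) == "unaligned_third_party"]
```

Real reports arrive as gzip or zip attachments, one per receiver per day, so in practice this runs over every file extracted from the rua mailbox and the buckets are accumulated across them.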
You may need help to make these settings as simple as possible for your organization. Tech Kahunas provides our customers with a custom DMARC platform that ingests the data and gives you a readable report on email delivery.
Tech Kahunas can help you follow the best email practices that will protect your company’s reputation, help shield you from legal disaster, and further the fight against cybercriminals and spam.
Tech Kahunas Defend Your Island.