In this day and age, no one can afford to ignore cyber threats. Cybersecurity is extremely important, and email security is no exception. Because email protection has been overlooked by many organizations, it is now a major vulnerability for businesses that fail to secure their channels.
As research by Verizon states, 94 percent of all malware gets onto computers through email, and 80 percent of cyber incidents occur through phishing. That is why understanding how to prevent email spoofing and phishing is critical.
Email spoofing is sending an email with a falsified address. The sender forges the header to make the recipient believe the email came from a different source, aiming to make them open or forward it.
Common reasons for spoofing include:
Hiding the real name of the sender.
Avoiding blacklisting.
Impersonating someone the recipient knows.
Impersonating a business that the recipient works with.
Email phishing is often accomplished through spoofing. It aims to obtain sensitive data such as passwords or credit card details and can contain malicious links or attachments that install malware and ransomware. Financial institutions are commonly used in phishing attempts, with emails crafted to look legitimate.
If the domain is unprotected, malicious actors can pretend to be anyone: a company’s top-level executive, a vendor the company works with, or anyone else they see fit to use in order to obtain information or money. If you don’t know whether your domain is protected, you can look up the domain names you own with a free DMARC check to find out.
SMTP (Simple Mail Transfer Protocol) has no built-in protection, so email alone is not secure. Fortunately, there are ways to fix this.
To protect yourself, incoming messages must be properly authenticated, meaning they carry proof that they were sent by a legitimate sender. Today, three globally adopted protocols help accomplish this goal: SPF, DKIM, and DMARC.
The first step that lifts your security level above zero is to implement an SPF record.
SPF (Sender Policy Framework) identifies the servers authorized to send email on behalf of a domain. It is published as a simple TXT record in the domain’s DNS, listing the mail servers that have permission to send messages from your domain. Publishing it is the first answer to how to prevent email spoofing.
SPF is widely accepted, and many providers require it. For example, Gmail and G Suite will throttle emails sent from a domain that doesn’t have a valid SPF record.
An SPF record helps the receiving server answer two main questions:
Who sent the email?
Is it authorized to send emails from this domain?
When you send an email, the receiving server needs to locate your domain’s SPF record. It takes the domain from the envelope sender address (the SMTP MAIL FROM, also known as Envelope From or Return-Path), which is not the From header the reader sees, and looks up that domain’s TXT record. As we know by now, the SPF record lists the servers with permission to send messages from the domain. The receiving server goes through the list, and if the server that delivered this particular email is not on it, the recipient’s server may mark the message as spam.
Implementing an SPF record has several advantages:
The domain is harder to spoof.
Although SPF alone will not provide ultimate protection against malicious actors, it is a very important step towards it.
Improved deliverability.
After publishing an SPF record, your emails will have a better chance of reaching the inbox: mailbox providers can verify the sender, so you look legitimate in their eyes.
SPF is a much-needed layer of protection, but it has its weak sides.
SPF breaks when email is forwarded, because the check is made against the server that actually delivered the message (the forwarder) and the envelope MAIL FROM, not the visible From header. Attackers can also exploit this gap by using domains they control.
One of the SPF downsides is that it doesn’t examine the header that the recipient sees. A malicious actor can set the SMTP envelope sender to a domain they control; that domain publishes an SPF record authorizing the server the attacker is using, while the From header shown to the recipient carries a completely different, spoofed domain.
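To make the two SPF weaknesses above concrete, here is a small SPF evaluator. It is an added example, not code from the article or from any vendor mentioned in it. It replaces real DNS with a constructed table of TXT records (all domains, addresses and the attacker-controlled zone are made up), and it supports only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline
# (assumption: a real check queries the domain's TXT records over DNS).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:192.0.2.25 ~all",
    # A domain under an attacker's control that authorizes the attacker's own server.
    "attacker.example": "v=spf1 ip4:192.0.2.200 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.

    Handles the ip4, ip6, include and all mechanisms with their qualifiers;
    other mechanisms (a, mx, exists) are left out of this example.
    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # Membership is False when address families differ (v4 vs v6).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term present


def spf_verdicts():
    """The three situations from the text: a direct send, a forwarded copy, a spoofed envelope."""
    return {
        # Legitimate server authorized via include: passes.
        "direct": check_spf("example.com", "192.0.2.25"),
        # Forwarding server 192.0.2.99 is not in example.com's record: SPF fails
        # even though the message is genuine.
        "forwarded": check_spf("example.com", "192.0.2.99"),
        # Envelope sender set to attacker.example: SPF passes for that domain,
        # and SPF alone says nothing about the From header the reader sees.
        "spoof_envelope": check_spf("attacker.example", "192.0.2.200"),
    }


if __name__ == "__main__":
    for case, verdict in spf_verdicts().items():
        print(f"{case}: {verdict}")
```

The `forwarded` case is why SPF on its own hurts legitimate forwarded mail, and the `spoof_envelope` case is why a raw SPF pass must be tied back to the visible From domain, which is exactly what DMARC alignment does later in the article.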
DKIM (DomainKeys Identified Mail) allows the receiver to check whether the email headers and content were altered in transit. This mechanism is a little more complicated than SPF, and unlike SPF, DKIM will not fail when the email is forwarded.
DKIM uses public and private keys. The private key resides on your server, and the public key is stored in DNS. The receiving server validates the DKIM signature in the header with the public key.
It works like a tamper-evident seal ensuring no one opened the package during delivery.
Improved deliverability.
Just like SPF, DKIM increases the chances of getting into the inbox because the email domain is verified as a legitimate one by mailbox providers.
Email content protection.
With the DKIM signature, it is easy to verify if the content of the email was not altered in the process of sending it.
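The “tamper-evident seal” is easiest to see in the body-hash part of a DKIM signature: the signer canonicalizes the body, hashes it, and places the base64 digest in the signature’s bh= tag; the receiver recomputes it. The example below is added here and is not code from the article or from any DKIM library. It implements the RFC 6376 “relaxed” body canonicalization and the bh= computation; the public-key signature over the headers (which is what the DNS-published key verifies) is not shown, and the message bodies are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body_canonicalize(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376 section 3.4.4).

    - collapse runs of spaces/tabs inside a line to one space
    - strip trailing whitespace from each line
    - normalise line endings to CRLF
    - drop empty lines at the end, leaving exactly one final CRLF
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""  # an empty body canonicalizes to the empty string
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """Compute the bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body, bh_value):
    """The receiver's check: does the body still hash to the signed bh= value?"""
    return body_hash(body) == bh_value


# Constructed sample messages (not real mail).
ORIGINAL_BODY = (
    "Hello,\n"
    "\n"
    "Please review the invoice at https://example.com/invoice/123\n"
    "\n"
    "Thanks\n"
)
# A forwarder re-wrapped whitespace and appended blank lines: content unchanged.
REWRAPPED_BODY = (
    "Hello,  \r\n"
    "\r\n"
    "Please  review the invoice at https://example.com/invoice/123\r\n"
    "\r\n"
    "Thanks\r\n\r\n\r\n"
)
# Someone changed the link: content altered.
ALTERED_BODY = ORIGINAL_BODY.replace("invoice/123", "invoice/999")


def tamper_demo():
    """Sign the original body, then verify the rewrapped and the altered copies."""
    signed_bh = body_hash(ORIGINAL_BODY)
    return {
        "rewrapped_ok": body_hash_matches(REWRAPPED_BODY, signed_bh),
        "altered_ok": body_hash_matches(ALTERED_BODY, signed_bh),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Relaxed canonicalization is what lets a signature survive the cosmetic changes forwarders and list servers make, while a single changed character in the link still breaks the seal.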
DKIM protects email content, but it cannot validate the sender’s identity or prevent spoofing of the visible From header. So to cover the weak sides of both SPF and DKIM, you need to take the third step: implement DMARC.
So what else can we do as we’re looking at how to prevent email spoofing? The answer is DMARC.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the third authentication protocol; it makes sure that an email really was sent by the domain it claims to come from. DMARC is built on top of the two protocols we’ve talked about, SPF and DKIM, and it is the third and most important layer of defense against spoofing. This will go a long way in ensuring your cybersecurity.
The DMARC protocol has three policies: none, quarantine, and reject. The ‘none’ policy is used when you first start using DMARC, to monitor what is going on in your domain. The ‘reject’ policy is the ultimate protection level, which you would want to adopt over time.
Here is what happens to the email during the DMARC check:
The mail server completes SPF and DKIM checks.
Based on whether the passing results align with the visible From domain, the DMARC policy defines how to handle the email.
A DMARC report logs results for all messages from the domain.
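The three steps above, written out as code: an added example that is not part of the article and not any vendor’s implementation. It parses a DMARC TXT record, applies SPF and DKIM identifier alignment in relaxed or strict mode, and returns the DMARC result plus the disposition the published policy calls for. It assumes a two-label approximation of the organizational domain (a real receiver consults the Public Suffix List), ignores the pct and sp tags, and uses made-up domains.

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption: a production receiver uses the Public Suffix List so that
    names like 'example.co.uk' are handled; two labels are enough here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identifiers_align(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc_record(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain SPF was checked against;
    dkim_domain is the d= tag of a verified DKIM signature (None if absent).
    Disposition is 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # no usable policy published
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and identifiers_align(from_domain, spf_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and identifiers_align(from_domain, dkim_domain, adkim))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")  # one aligned pass is enough
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return ("fail", policy)


# Constructed policy for the example domain.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def scenarios():
    """Situations discussed in the article, evaluated under the constructed policy."""
    return {
        # Direct send: SPF and DKIM both pass and align with the From domain.
        "legitimate": dmarc_evaluate(POLICY, "example.com", "pass", "example.com", "pass", "example.com"),
        # Forwarded copy: SPF fails on the forwarder's IP, but the DKIM signature survives.
        "forwarded": dmarc_evaluate(POLICY, "example.com", "fail", "example.com", "pass", "example.com"),
        # Envelope-sender trick: SPF passes for attacker.example but does not align
        # with the visible From header, and there is no DKIM signature.
        "spoofed_from": dmarc_evaluate(POLICY, "example.com", "pass", "attacker.example", "none", None),
        # Subdomain signed with the parent's key: fine under relaxed, not under strict.
        "subdomain_relaxed": dmarc_evaluate(POLICY, "mail.example.com", "fail", "example.com", "pass", "example.com"),
        "subdomain_strict": dmarc_evaluate(POLICY + "; adkim=s; aspf=s", "mail.example.com", "fail", "example.com", "pass", "example.com"),
        # Monitoring stage: same failure, but p=none means deliver and only report.
        "monitor_only": dmarc_evaluate("v=DMARC1; p=none", "example.com", "pass", "attacker.example", "none", None),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: result={outcome[0]} disposition={outcome[1]}")
```

The `spoofed_from` case shows what DMARC adds over SPF: the raw SPF pass on the attacker’s envelope domain counts for nothing because it does not align with the From domain, so the p=reject policy applies. The `forwarded` case shows why DKIM matters for DMARC: the aligned DKIM pass carries the message through even though SPF failed.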
Additionally, you may want to use third-party tools like a DMARC analyzer to make the analysis and storing process simpler, since original DMARC reports are not easy to read and understand.
DMARC worldwide adoption grows every year, and it is no wonder. Here are the benefits you get when implementing this protocol:
Security
With DMARC you can protect your partners and clients by instructing mailbox providers to reject any message sent from your domain that didn’t pass a DMARC check.
Deliverability
Mailbox providers are interested in delivering legitimate emails to their users. Legitimacy means email authentication. DMARC alignment allows for a better email placement because it proves that the email sent from your domain was actually sent by you, not a scammer.
Control and Visibility
You will get full visibility and control over who and what is sending emails on your behalf across the Internet. If any suspicious activity is happening, you will see it in a DMARC report.
If you want to receive your reports in a comprehensible form and also get instant notifications about any changes in domain activity, you can try one of the third-party tools, like the Glock Apps DMARC analyzer.
Email phishing and spoofing threats should not be underestimated, as 94% of all malware gets onto computers through email. So it is important to understand how to prevent email spoofing. Even though there is no silver bullet against malicious actors, you can always fortify your email domains in three steps, by implementing the authentication protocols SPF, DKIM, and DMARC.
SPF verifies that the email was sent from the source authorized by the domain owner, but as a downside, SPF will fail if the email is forwarded.
DKIM provides a special signature that ensures that the email content was not altered during delivery. But it cannot validate the sender’s identity or protect the domain in the visible From header from spoofing.
DMARC runs on top of the first two protocols. With in-depth DMARC reports, the domain owner receives full visibility, security, and control over everything that’s happening in their domain.
As a bonus, this three-leveled authentication process will increase your email deliverability, since mailbox providers will see you as a legitimate sender, not a spammer.
Now it is your turn: take the first step towards protecting your domain, your brand, and your customers.