In this day and age, no one can afford to ignore cyber threats. Cybersecurity is extremely important, and email security is not an exception. Moreover, as email security has been overlooked by so many organizations, it is now considered to be a significant vulnerability for businesses that fail to protect their email channels. As the latest research by Verizon states, 94% of all malware gets on the computer through email. And out of all cyber incidents, 80% were made possible through phishing. That is why it is important to understand how to prevent email spoofing and phishing.
What are Email Spoofing and Phishing?
Email spoofing is sending an email with a falsified email address. The sender forges an email header to make a recipient think that the letter came from a different source than it actually did, and the goal is for a recipient either to open an email or to re-send it to someone else.
The common ways of, and reasons for, spoofing are:
- Hiding the real name of a sender
- Avoiding blacklisting
- Identity theft
- Impersonating someone who the recipient knows
- Impersonating a business that the recipient works with.
Email phishing is accomplished through email spoofing (pretending to be a trustworthy source of email). It is a process of obtaining sensitive information like data, passwords, credit card details, etc. An email can also contain malicious links and attachments that install malware and ransomware.
If the domain is unprotected, malicious actors can pretend to be anyone: a company’s top-level executive, a vendor that the company is working with, or anyone else they see fit to use in order to successfully obtain information or money. If you don’t know whether your domain is protected, run a fast and free DMARC check.
Why aren’t you secured when you’re using email as it is? Because unfortunately, Simple Mail Transfer Protocol (SMTP) has no built-in protection of any kind. So how to prevent email spoofing? Luckily, there are ways, and we’ll look at each of them.
What are the 3 Steps Towards Ultimate Security?
To protect yourself, incoming messages must be properly authenticated, meaning each message should show proof that it was sent from a legitimate sender. Today, three globally adopted protocols help accomplish this goal: SPF, DKIM, and DMARC.
Step #1 - Implementing SPF
The first step that will lift your security level from zero is to implement the SPF record.
What is SPF?
SPF stands for Sender Policy Framework – a protocol that identifies servers that are allowed to send emails on behalf of a certain domain name. How to prevent email spoofing with SPF? It comes in the form of a simple TXT record in the DNS records with the list of servers that have permission to send messages from your domain.
SPF is the first security protocol that people widely accepted, and still, many mailbox providers require you to deploy it on your domain to deliver your messages. For example, Gmail and G Suite will throttle emails sent from a domain that doesn’t have a valid SPF record.
How Does SPF Work?
An SPF record helps the server answer two main questions:
- Who sent the email?
- Is the sender authorized to send emails from this domain?
When you send an email, the receiving server needs to find the domain’s SPF record. To do this, it looks up the domain taken from the SMTP Mail FROM address (also known as Envelope From, or Return email address). As we know by now, the SPF record contains a list of all servers with permission to send messages from the domain. So, the receiving server goes through the list, and if the sender of this particular email is unauthorized, the recipient’s server may mark it as spam.
Benefits of SPF
Implementing an SPF record has several advantages:
- The domain is harder to spoof.
Although SPF alone will not provide ultimate protection against malicious actors, it is a very important step towards it.
- Improved deliverability.
After installing an SPF record, your emails will have better chances of getting into the inbox: since mailbox providers will be able to verify the sender, you will look legitimate in their eyes.
Why SPF is Not Enough
SPF is a much-needed layer of protection, but it has its weak sides.
First of all, this protection mechanism will fail when the message is being forwarded. The email “From” domain will stay the same, but the SMTP Mail FROM header will contain the domain of the forwarding mail server.
Another SPF downside is that it doesn’t examine the header that the recipient sees. A malicious actor can use the SMTP Mail FROM to tell the target’s mail server to check a domain that they control. That domain’s SPF record authorizes the mail server the attacker is using, while a completely different domain is spoofed for the recipient to see in the message From header field.
Step #2 - Implementing DKIM
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an authentication protocol that specializes in detecting forged email header fields and content. DKIM allows the receiver to check whether email headers and content have been altered in transit. This mechanism is a little more complicated than SPF, and unlike SPF, DKIM will not fail if the email is being forwarded.
How Does DKIM Work?
DKIM uses two keys: public and private. The private key goes to your server and the public key goes to your DNS. When you send an email, your server signs it with the private key; the receiving server checks the DKIM signature in the header and uses the public key from the DNS to validate it.
You can think of DKIM as a package security seal that ensures no one has opened it during the delivery.
Benefits of DKIM
- Improved deliverability.
Just like SPF, DKIM increases the chances of getting into the inbox because the email domain is verified as a legitimate one by mailbox providers.
- Email content protection.
With the DKIM signature, it is easy to verify that the content of the email was not altered in the process of sending it.
Why DKIM is not Enough
While DKIM protects the content of the email, it cannot validate the sender’s id. It also cannot secure the domain in the visible header from spoofing. So to cover the weak sides of both SPF and DKIM, you need to make the third step - implement DMARC.
So what else can we do as we’re looking at how to prevent email spoofing? The answer is DMARC.
Step #3 - Implementing DMARC
What is DMARC?
DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is the third authentication protocol that makes sure that an email was sent from a specific sender. DMARC is built on top of the two protocols we’ve talked about: SPF and DKIM. This is the third and most important layer of defense against spoofing.
How Does DMARC Work?
DMARC protocol has three policies: none, quarantine, and reject. The ‘none’ policy is used when you first start using DMARC to monitor what is going on in your domain. The ‘reject’ policy is an ultimate protection level you would want to adopt with time.
Here is what happens to the email during the DMARC check:
- The mail server completes the SPF and DKIM alignment.
- If the check is complete with no problems, the server applies DMARC policy and defines what to do with the email.
- After deciding on what to do with the email, DMARC sends a report with the conclusion on actions towards this particular email, as well as all other emails sent from this domain.
Additionally, you may want to use third-party tools like a DMARC analyzer to make the analysis and storing process simpler, since original DMARC reports are not easy to read and understand.
Benefits of DMARC
DMARC worldwide adoption grows every year, and it is no wonder. Here are the benefits you get when implementing this protocol:
With DMARC you can protect your partners and clients by instructing mailbox providers to reject any message sent from your domain that didn’t pass a DMARC check.
Mailbox providers are interested in delivering legitimate emails to their users. Legitimacy means email authentication. DMARC alignment allows for a better email placement because it proves that the email sent from your domain was actually sent by you, not a scammer.
- Control and Visibility
You will get full visibility and control over who and what is sending emails on your behalf across the Internet. If any suspicious activity is happening, you will see it in a DMARC report.
If you want to receive your reports in a comprehensible form and also get instant notifications about any changes in the domain activity - you can try one of the third-party tools, like Glock Apps DMARC analyzer.
Email phishing and spoofing threats cannot be underestimated, as 94% of all malware gets on the computer through email. So it is important to understand how to prevent email spoofing. Even though there is no silver bullet against malicious actors, you can always fortify your email domains in three steps by implementing the authentication protocols SPF, DKIM, and DMARC.
- SPF verifies that the email was sent from the source authorized by the domain owner, but as a downside, SPF will fail if the email is forwarded.
- DKIM provides a special signature that ensures that the email content was not altered during the delivery. But it cannot validate the sender’s id or secure the domain in the visible header from spoofing.
- DMARC runs on top of the first two protocols. With in-depth DMARC reports, the domain owner receives full visibility, security, and control over everything that’s happening in their domain.
As a bonus, this three-leveled authentication process will increase your email deliverability, since mailbox providers will see you as a legitimate sender, not a spammer.
Now it is your turn - make the first step towards protecting your domain, your brand, and your customers.