When you’re looking in your spambox or inbox even, it can be difficult to distinguish good from bad emails. Most emails come from a legitimate sender, but which don’t? No matter how many times the news or organizations warn for fake emails – pointing out that they’d never ask for personal data in an email: people continue to believe in the fake emails, and lose a lot of money doing it.
Why (email) domains are susceptible to spoofing
Imagine you’re sending an email to your customer named John. In the email process, the following happens:
You compose a message, which reaches John through various systems (via ‘the cloud’). The message you created – the email – gets a digital envelope from your mail server. John’s mail server checks that envelope, discards it and allows John to read the contents of the message. In this process, the envelope plays a crucial role.
The envelope has a ‘From’ and a ‘To’ address. In other words: who sends and who receives. If these do not match the names on the letter itself, a bell will ring. John, however, never sees the envelope – and the mail server doesn’t always read the content of the email. This way, the ‘From’-address on the envelope can differ from the one John gets to see. You can write your name on the envelope and pretend to be someone else in the contents of the email – or vice versa.
Vulnerabilities in the email protocol
Standard email protocols have no mechanism to authenticate the emails that are sent. This allows for various fraudulous behavior:
By pretending to be you or your company, so-called spoofers can send emails on your behalf. Commonly, this is used for ‘phishing’ – the attempt to gain personal or financial information from the person the email is sent to. Thousands of people still fall prey to this type of scam – either via email, phone, Whatsapp, or else – resulting in hundreds of thousands of dollars in damages each year.
Although sending viruses via email happened mainly in the early days of the medium, there are still cases of it in this day and age. Recipients receive an email with an attachment in their inbox from an apparently familiar person, which they then open. The attachment seems innocent, but in reality it is a virus or worm, which can spread at lightning speed.
When your e-mails suddenly stop hitting the inbox, you may have ended up on a blacklist. Even if you’ve never sent any spam yourself, others can through your domain or when they’re on the same IP address.
Over the years, email security specialist have developed protocols to protect email domains from the previously mentioned attacks. In chronological order, SPF, DKIM, and DMARC.
Sender Policy Framework (SPF)
With SPF, a domain owner can state which IP addresses are allowed to send emails on behalf of their domain. IP addresses that do not comply with this list but attempt to e-mail on behalf of that domain, are then rejected by the receiving mail server. However, SPF on its own is not sufficient. The record is difficult to keep up-to-date, as larger brands often add new email streams or change service providers. An out-dated but functional SPF record will not acknowledge these sender and thus reject their emails.
ESPs (like Gmail or Outlook) know this, which is why spam protocols are rarely based on SPF alone. In addition, only protecting “the envelope” does not affect the fact that the recipient can only read the message. When only SPF is used, it is still easy for spoofers to impersonate someone else. That’s where DKIM comes in.
DomainKeys Identified Mail (DKIM)
Once the server has removed the envelope, the only thing that remains is the message itself. DomainKeys Identified Mail (DKIM) is an email authentication protocol that guarantees the authenticity of the letter by cryptographically signing the message.
Domain-based Message Authorization, Reporting & Conformance (DMARC)
If you take email security and authentication seriously, let the world know with a DMARC record. The DMARC protocol ensures that your legitimate emails arrive in the inbox and that your customers are protected from phishing. With a functional DMARC record, you let the receiving mail server know what should happen with emails that do not match your SPF and DKIM protocols. As the domain owner, you have three options:
- a ‘none’ policy – where nothing has to happen with failing checks, so everything is allowed;
- a ‘quarantine’ policy – if the e-mail doesn’t pass the checks, it’s temporarily held back & not delivered;
- a ‘reject’ policy – which forwards illegitimate e-mails directly to the trash can/spam box.
The latter is the most ideal situation. With ‘reject’ you have already reached the point where your domain can no longer be spoofed. Unfortunately, the adoption rate of DMARC worldwide is still relatively low.