When you look through your spam folder, or even your inbox, it can be difficult to distinguish good emails from bad ones. Most emails come from a legitimate sender, but some don’t. No matter how often the news or organisations warn about fake emails, pointing out that they would never ask for personal data in an email, people continue to fall for them and lose a lot of money doing so.

Why (email) domains are susceptible to spoofing

Imagine you’re sending an email to your customer named John. In the email process, the following happens:

You compose a message, which reaches John through various systems (via ‘the cloud’). The message you created – the email – gets a digital envelope from your mail server. John’s mail server checks the envelope, discards it, and allows John to read the message’s contents. In this process, the envelope plays a crucial role.

The envelope has a ‘From’ and a ‘To’ address. In other words: who sends and who receives. If these do not match the names on the letter itself, that should raise an alarm. John, however, never sees the envelope, and the mail server doesn’t always read the content of the email. As a result, the ‘From’ address on the envelope can differ from the one John gets to see. You can write your name on the envelope and pretend to be someone else in the contents of the email, or vice versa.

Vulnerabilities in the email protocol

Standard email protocols have no built-in mechanism to authenticate the sender of an email. This makes several kinds of fraudulent behaviour possible:

Spoofing

By pretending to be you or your company, so-called spoofers can send emails on your behalf. This is commonly used for ‘phishing’: the attempt to obtain personal or financial information from the recipient. Thousands of people still fall prey to this type of scam, whether via email, phone, WhatsApp, or otherwise, resulting in hundreds of thousands of dollars in damages each year.

Virus Spread

Although sending viruses via email was mainly a problem in the early days of the medium, there are still cases of it today. Recipients find an email with an attachment in their inbox from an apparently familiar person, and open it. The attachment seems innocent, but in reality it is a virus or worm that can spread at lightning speed.

Blacklisting

When your emails suddenly stop reaching the inbox, you may have ended up on a blacklist. Even if you’ve never sent any spam yourself, others can send it through your domain or from the same IP address.

Countermeasures

Over the years, email security specialists have developed protocols to protect email domains from the attacks mentioned above. In chronological order: SPF, DKIM, and DMARC.

Sender Policy Framework (SPF)

With SPF, a domain owner can state which IP addresses are allowed to send emails on behalf of their domain. Mail that claims to come from that domain but originates from an IP address not on this list is then rejected by the receiving mail server. However, SPF alone is not sufficient. The record is difficult to keep up to date, as larger brands often add new email streams or change service providers. An outdated but functional SPF record will not recognise these senders and their emails will be rejected as a result.

ESPs (like Gmail or Outlook) know this, which is why spam filtering is rarely based solely on SPF. In addition, protecting “the envelope” alone does not prevent the recipient from reading the message. When only SPF is used, it is still easy for spoofers to impersonate someone else. That’s where DKIM comes in.

DomainKeys Identified Mail (DKIM)

Once the server has removed the envelope, the only thing that remains is the message itself. DomainKeys Identified Mail (DKIM) is an email authentication protocol that guarantees the authenticity of the message by cryptographically signing it.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

If you take email security and authentication seriously, let the world know with a DMARC record. The DMARC protocol ensures that your legitimate emails reach your customers’ inboxes and that your customers are protected from phishing. With a functional DMARC record, you tell the receiving mail server what should happen with emails that fail your SPF and DKIM checks. As the domain owner, you have three options:

  • ‘none’ policy – nothing has to happen with failing checks, so everything is allowed;
  • ‘quarantine’ policy – if the email doesn’t pass the checks, it’s temporarily held back and not delivered;
  • ‘reject’ policy – illegitimate emails are forwarded directly to the trash can/spam box.

The last of these is the ideal situation. With ‘reject’, you have reached the point where your domain can no longer be spoofed. Unfortunately, the adoption rate of DMARC worldwide is still relatively low.