Email is an important asset for any organisation - for communicating with customers, reaching new clients, and liaising with vendors. However, if your organisation's email is not secure, an attacker can impersonate you in order to trick people into giving them information, access, or money.
It's important to implement security policies for domains that don't use email as well. Even if you know you don't send emails from that domain, other email providers may not realise this, and so attackers can still send emails that seem to come from your domain.
At CERT NZ we often see attackers spoofing emails to send spam or gain sensitive information. Email spoofing is when an attacker sends an email appearing to come from your organisation’s domain. If your domain doesn't have SPF, DMARC, and DKIM security policies set, an attacker can spoof your email. This often results in your:
- clients replying to spoofed emails with sensitive information
- customers paying fake invoices sent by attackers impersonating your organisation
- vendors granting access to attackers after receiving a spoofed email request.
This guide will explain the benefits of email security controls and outline the things to consider when implementing them for your organisation.
What are SPF, DKIM, and DMARC?
There are three key email security controls that help prevent spoofed emails. You'll need to understand the first two before coming to grips with DMARC.
SPF (Sender Policy Framework)
This is a Domain Name System (DNS) record that specifies which servers can send emails for your organisation's domain. This might include both your own mail servers and a third party's servers, for example if you use another company to manage and send newsletters.
DKIM (DomainKeys Identified Mail)
This is a public key for your organisation's domain that you publish in a DNS record. When you send emails, your mail server signs each message with the matching private key. The receiving server verifies the signature with your public key to make sure the message actually came from your organisation and wasn't changed after you sent it.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
This is a security policy you set for your organisation's domain. It specifies if you want to protect any emails from this domain with SPF, DKIM, or both. It also allows you to decide what to do when an email fails these checks such as:
- allow the email through
- mark as suspicious
- block it from reaching your inboxes.
Few resources and little effort required to configure the controls.
Your organisation will need to determine where your email is sent from, and how you want spoofed, or failed, email messages to be dealt with.
Attackers will not be able to impersonate your email domain.
Attackers can still make their own domains that look similar to yours, but DMARC does prevent them from using your real domain name. Even better, with properly configured DMARC you’ll know if someone is trying to spoof your domain, as you’ll be notified about email that gets rejected based on your DMARC settings.
Be sure to include all email campaign services you use in your DNS records
Email providers often have built-in security and spam filters. Without SPF, DKIM, and DMARC an email provider might mistakenly mark your email campaign as spam because it appears to come from an email campaign system rather than your normal mail server.
Use strict settings
SPF works as a whitelist or 'allow list'. This means only addresses that are identified on the list are allowed through. Adding too many unnecessary or shared IPs to your SPF records makes it easier for an attacker to access a server on one of these IPs and send a spoofed email.
SPF and DMARC both allow you to decide what to do when those checks fail. It's important to use strict settings so that emails that fail the checks are rejected.
Test your email after setting up DNS records
After setting up your DNS records, it's important to test them to make sure your legitimate mail gets through. These technologies can be set up in a 'soft fail' mode while you are testing, so that you can check your email would have been delivered. You can then set it to 'hard fail' once you're reassured that your legitimate email is getting through.
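The 'strict settings' and 'test your DNS records' advice above can be checked mechanically. The following is an added example, not CERT NZ's own code: it parses SPF and DMARC TXT records and flags soft or permissive settings (SPF ~all/+all, DMARC p=none, missing reporting address, overly broad ip4 ranges, too many lookup terms). The records for example.com are constructed inline, so nothing is looked up in DNS.

```python
import re

# Constructed sample records (no DNS lookup is performed).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.newsletter.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a($|[:/])|mx($|[:/])|exists:|redirect=|ptr)", re.I)

def check_spf(record):
    """Return findings for an SPF record; an empty list means it is strict."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "all"):
        findings.append("'+all' permits any sender")
    elif all_term[0] in "~?":
        findings.append(f"'{all_term}' is soft/neutral; switch to '-all' once testing is done")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:  # RFC 7208 limit; exceeding it makes SPF return permerror
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    for t in terms:
        m = re.match(r"^[+\-~?]?ip4:[\d.]+/(\d+)$", t)
        if m and int(m.group(1)) < 24:
            findings.append(f"'{t}' allows a broad range; list only your sending hosts")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it is strict."""
    findings, tags = [], {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; mail that fails checks is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will not be notified of failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only a sample of mail")
    return findings

def audit(domain, records):
    """Audit one domain using a name->TXT mapping (here the constructed sample)."""
    spf, dmarc = records.get(domain), records.get(f"_dmarc.{domain}")
    return {"spf": check_spf(spf) if spf else ["no SPF record"],
            "dmarc": check_dmarc(dmarc) if dmarc else ["no DMARC record"]}
```

Running `audit("example.com", SAMPLE_RECORDS)` reports the soft `~all` and the monitoring-only `p=none`, which is the 'soft fail' state you would expect during testing and should tighten afterwards.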