What the SPF is DKIM and who is DMARC?
If you have ever looked at email security you probably looked away as fast as you can and attempted to forget you ever tried to wade through the sea of acronyms and mind numbing detail. I understand, it happened to me but through my pain I believe that I can now help you understand email security without wanting to go back to the old days of writing letters and sending them in the post. This blog post will focus on explaining the basics of how SPF, DKIM and DMARC work.
The Threat
So why is everyone making such a fuss about DMARC and email security? Well, to answer that question we should first look at the threat: it’s easy for cyber criminals to send emails pretending to be you. For example if your domain is not protected then someone could send an email that looks like it’s from the CEO asking the CFO to transfer money to an outside account and that email would arrive in the CFO’s inbox looking like it came from the CEO! This is just one example of the types of attack companies and individuals could face that don’t involve any hacking or password theft if they are not protected by DMARC. You can see some recent examples here: Another homebuyer loses £67k as solicitors fail to warn of email fraud, NHS trust cyber attack, How Hillary’s emails may have lost her the election, and stealing from Tesla.
Email is a widely used communication tool and is surprisingly vulnerable to impersonation attacks and poses a significant threat to both individuals and organisations. But then why don’t people do something about it and get protection? Well because people either feel that they would not be a worthwhile target or because they just assume that their mailbox provider is protecting them. You can easily identify how well protected your domain is by using the free OnDMARC domain checker.
OnDMARC conducted a study and analysed 3,004 government domains and 71,000 charity domains. The results showed that only 6.4% of government domains and 1% of charity domains were DMARC enabled. The NCSC has now required that all government bodies implement DMARC on all government domains.
My domain mail is managed by G Suite or Office 365, why am I not protected?
DMARC configuration is the responsibility of the domain owner, not the email provider. A typical business will send emails from their domain name via several email providers, i.e.: human emails from G Suite, marketing campaigns via MailChimp, CRM emails via SendGrid, etc. In order to have your domain protected by DMARC you need to make sure that all these different email sources are correctly configured. That’s the reason why email providers cannot offer automatic DMARC protection to their users.
My personal account is with Gmail or Yahoo, am I protected?
Yahoo was one of the first providers to protect their consumer email accounts with DMARC therefore personal accounts using their services are protected. At the time of writing this post Gmail has their DMARC record in reporting-only mode therefore users are not yet protected however some media sources report that they are planning to enable enforcement soon. If you own your own domain, you can use and implement DMARC irrespective of who your mail provider is. DMARC was actually created by Google, AOL, Yahoo and a few others who came together in 2011 to “collaborate on a method of combating fraudulent email at internet-scale”.
DMARC is the answer and it’s here to stay
DMARC stands for, Domain-based Message Authentication, Reporting & Conformance. Put simply, DMARC ensures that emails are authenticated properly and allows senders to define how email recipients deal with unauthenticated emails in order to block malicious emails and increase the deliverability of authorised emails. The way that DMARC does this is by using SPF and DKIM, two foundational technologies that help secure different aspects of email. The problem with only using only SPF and DKIM is that they do not work together or enforce a policy.
DMARC uses the validation results from both SPF and DKIM to provide a more comprehensive validation. SPF verifies if an email was sent from an authorised IP address whereas DKIM verifies if an email has been signed by the same domain it was sent from or from a domain that is authorised to send on behalf of that domain. They both produce what is known as authentication identifiers that DMARC uses to authenticate emails and set rules about how receiving servers should treat mails if it fails authentication checks.
DMARC is a little bit like a club bouncer who lets people in or rejects them based on what the owner tells him is acceptable, for example dress code, age and if they are still able to stand up.
The diagram below shows how SPF, DKIM and DMARC work with each other:
Now let’s take a more in depth look at DMARC and where OnDMARC comes in. The diagram below explains the process of how DMARC works but don’t be put off if it looks complicated, it’s much simpler than it looks.
1a and 1b — An authorised message is sent or an unauthorised message attempt is initiated to the receiver’s email server.
2 — The receiver’s server then checks the sender’s DNS for DMARC, SPF and DKIM records.
3 — The receiving server then verifies the incoming message against SPF and DKIM and if either SPF or DKIM validation passes it sends the message onto the recipient.
4 — If the validation fails, based on the DMARC policy configured it will either send the message to a spam folder or completely reject it and the end user will never see the failed message.
5 — At least once a day, all email servers that received messages from your domain will submit a report to OnDMARC containing information about the origin and number of messages that passed and failed validation.
OnDMARC uses these reports to analyse a domain’s traffic in order to suggest the appropriate actions for implementing and maintaining a secure DMARC policy for the domain. OnDMARC will allow you to see exactly what is happening on your domain so you can easily identify authorised and unauthorised traffic.
And that’s it! The basics of how DMARC, SPF and DKIM works and protects domains! I hope that you have been able to follow all that but the truth is that you only need to know the very basics as OnDMARC takes care of all the complicated stuff for you.
OnDMARC guides you through a step by step process of implementing and maintaining DMARC. I decided that I would try and set up OnDMARC on my own domain to see how easy or hard it was. Now before we start remember that I am not an IT person in fact I work in marketing.
The first thing I did was add my domain to the OnDMARC app and I was given a report of my current security status and an action to add to my DNS records. I then opened up my DNS records and copied and pasted in the snippet OnDMARC gave me. And that that was it! My DMARC settings are now in reporting mode and I am waiting for the next action that will be suggested to me after 7 days. While in reporting mode I can see all the activity on my domain like in the image above. If you want to try OnDMARC, you can try it for free by visiting the website and starting your free trial.
Stay tuned for our next posts that will explain in detail how SPF and DKIM work or if you can’t wait, check out the OnDMARC learning material and our YouTube channel.
