Email Security: Uncomplicating SPF, DKIM and DMARC

Imagine standing outside of your business, or any larger office you’ve been to. From the moment you walk through the front door, there are visible measures to keep the building secure: a receptionist, visitor check-in, ID badges, cameras, you name it. Email security works the same way. When an email arrives at your mail server, you need to have similar measures available to prevent unauthorized “visitors” from sneaking in. This is ultimately the purpose of SPF, DKIM and DMARC.

Here’s the most important part of this article – you’re not behind on this topic. It doesn’t matter if you’re a leader in your organization who makes policy decisions, or if this morning was the first time that you’ve ever checked an email inbox. Everyone has issues understanding email security; especially when it comes to SPF, DKIM and DMARC. That being said, now is the time to learn.

As engineers at CCB, my peers and I have worked with many companies to help harden the security in their email environments. It wasn’t until the massive uptick in phishing attempts and the recent DMARC requirements with Google and Yahoo that the drive for these tools changed. 

We went from recommending these tools to our clients to working with new companies that can’t function because they’re forced to utilize these tools and don’t understand the information their vendors are asking them to incorporate!

But there was still one issue. The topic is very technical, yet businesses still need to understand it. Why? Because there’s a high likelihood that these records will need to be updated or reconfigured as the business evolves.

So, let’s assume that you’re non-technical and want to understand what SPF, DKIM and DMARC are and what they actually do.

It’s simple – you just need to secure your corporate office! (not literally, although that’s a great idea as well…)

SPF (Sender Policy Framework)

In our analogy, SPF is your receptionist. When a visitor enters the building, the receptionist is there to identify who they are and whether or not they should be in the building. Let’s say they look at a list of meetings for the day to find out which visitors are expected to show up. That list is the SPF record. If the visitor is expected, they are given a badge and allowed to go to their meeting. If the visitor isn’t expected, no entry is allowed!

When it comes to your email, SPF looks at the sending server’s address in the background information of the incoming email and compares it to a record (list) of allowed visitors. If the server used to send the visiting email is on the authorized list, the email is marked with an SPF Pass! If it isn’t an expected visitor, the email is marked with an SPF Fail.

This is the main tool that needs to be updated regularly. Let’s say you start using a new marketing company that sends emails for you. When one of your customers receives an email from that company using your email address, their server checks your SPF record to make sure that it’s an expected sender. If it isn’t, the email is marked with an SPF Fail.

We’ll talk more about what the pass or fail means in the DMARC section.
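To make the “list of expected visitors” concrete, here is an added example (not code from the original article or from CCB) of how a receiving server walks an SPF record. The DNS records, domains and addresses are constructed stand-ins so the check runs offline; a real receiver would fetch the TXT record from DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains and addresses are made up for illustration (RFC 5737 test ranges).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mailvendor.example -all",
    "mailvendor.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the SPF record published for domain.

    Simplified evaluator covering ip4/ip6, include and the all terminator;
    returns the result words a receiver logs: pass, fail, softfail, neutral,
    none (no record) or permerror (too many nested includes).
    """
    if depth > 10:                       # RFC 7208 limits DNS lookups per check
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                    # nothing to compare the sender against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return result
        elif term.startswith("include:"):
            # include matches only when the referenced domain itself returns pass
            if check_spf(term.split(":", 1)[1], sender_ip, depth + 1) == "pass":
                return result
        elif term == "all":
            return result                # the -all / ~all catch-all at the end
    return "neutral"

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

The marketing-company scenario from the text is the `include:` line: until that vendor is added to your record, mail it sends with your address ends at `-all` and fails.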

DKIM (DomainKeys Identified Mail)

Now that the visitor is past the lobby and has their badge, they’re free to go to their meeting. If someone in the halls questions them to see whether or not they should be there, they can present their ID badge for verification. That badge is DKIM.

DKIM adds a unique digital “badge” to every outgoing email, called a “signature”. 

Now let’s take a page out of a spy book quickly and imagine the visitor, halfway down the hall, ducks into a doorway and changes the name on their badge to try and impersonate one of their competitors. They hurry to the meeting, but once they arrive, they find out they need to swipe their badge. They swipe their badge but get pulled aside when their name doesn’t match the information in the system.

With email, DKIM looks at the contents of a message and gives it the signature described above. When that email is received, the server checks the email to make sure that while it was in transit (“walking the halls”), the content wasn’t changed. If the content is identical, it marks the email with a DKIM Pass. If it was edited in any way after it was sent, it will be marked with a DKIM Fail.
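The “content wasn’t changed” check is the body-hash part of a DKIM signature. This added example (not from the original article) recomputes the `bh=` value a receiver compares against, using a constructed sample message; the private-key signature over the headers that a real DKIM-Signature also carries is left out to keep the example focused on tamper detection.

```python
import base64
import hashlib
import hmac

# Constructed sample message body for the example.
ORIGINAL_BODY = "Hi,\r\n\r\nPlease pay invoice 1042 to account ending 7781.\r\n"

def simple_body_canon(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): ignore empty
    lines at the end of the body and terminate with a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body):
    """The bh= value the sender's server places in the DKIM-Signature header."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()

def verify_body_hash(received_body, bh_tag):
    """Receiver side: recompute bh= from the body as received and compare it
    to the value the sender signed; any edit in transit changes the hash."""
    return hmac.compare_digest(body_hash(received_body), bh_tag)

if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)
    tampered = ORIGINAL_BODY.replace("7781", "9930")
    print("unchanged:", verify_body_hash(ORIGINAL_BODY, bh))
    print("edited   :", verify_body_hash(tampered, bh))
```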

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

In a well-oiled corporate environment, there may be security rules that define what to do in the event that an unexpected visitor shows up, or you find someone wandering your halls without proper credentials. Security might escort them out of the building right away, or maybe they’re taken to a holding area for questioning. This is the function of DMARC.

DMARC is the overarching policy that tells receiving servers what to do if an incoming email fails SPF and DKIM. Should the server block the email? Should it be quarantined for review? Or should it turn a blind eye and deliver it anyway? (and let the meeting attendees deal with figuring out if the visitor is legitimate or not.)
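The decision a receiving server makes under that policy, as an added example that is not code from the original article: it takes the SPF and DKIM results described above, checks that the domain they vouch for matches the visible From: address (DMARC calls this alignment), and otherwise applies the published `p=` action. The DMARC record and the report address in it are constructed, and the organizational-domain helper is simplified to the last two labels.

```python
# Constructed DMARC record for the example; the rua address is made up.
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real
    implementation consults the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match with the visible
    From: domain; relaxed ('r', the default) accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM pass exists, otherwise the
    action the domain owner published: none, quarantine or reject."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"                        # no policy published at all
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")             # both checks failed: apply the policy

if __name__ == "__main__":
    # A vendor passes SPF for its own domain but is not aligned with From:
    print(dmarc_disposition(DMARC_RECORD, "example.com",
                            "pass", "mailvendor.example", "fail", ""))
```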

In Review:

SPF (Sender Policy Framework)

  • Verifies the sender’s IP address against a list of authorized senders
  • Ensures that only authorized servers can send emails from a domain

DKIM (DomainKeys Identified Mail)

  • Digitally signs and authenticates email messages
  • Confirms that messages haven’t been tampered with in transit

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Determines how to respond to emails that fail SPF or DKIM authentication
  • Helps domains address domain spoofing and phishing attacks

That’s all

Securing an office building is a continual process. You need to be able to welcome your visitors while simultaneously keeping intruders out of your halls. The same principles apply to your email environment. 

SPF, DKIM and DMARC, coupled with legitimate training to identify malicious emails, are the number one way to keep your company’s information safe and under your control. I hope that understanding what they are is no longer a roadblock, and that the only thing left to do is to make sure they are set up in your environment too!

Email security is crucial! Consult our experts and discover how we can help you strengthen your organization’s security.
