91% of cyberattacks target users email accounts through phishing emails. A phishing email is a form of social engineering, where a cybercriminal sends a fraudulent email in hopes of tricking the receiver into revealing sensitive data such as bank details, credit card numbers or sensitive business data.
You’re probably thinking, that’s ok, I always spot those fake emails and delete them straight away. However, phishing emails are becoming more modern and less recognisable with fewer obvious mistakes, and better seamless integration into emails you’d expect to see every day.
Forget those emails from a foreign prince asking for help (and your bank details), these are the next generation of phishing emails, known as email spoofing
Spoofing, though sounds quite funny, is a form of phishing attack used to trick a user into thinking an email came from a known and trustworthy person or organisation. This is done by the sender disguising the ‘From’ address as a name or organisation the receiver recognises.
Only changing the appearance of the ‘from’ address means many spam/phishing emails can slip through email security and can make their way into unexpecting individuals inboxes.
So how are we meant to better protect ourselves from these email attacks?
What is Email Authentication
The answer (or part of it) is email authentication. Email authentication is a technical solution that assists internet service providers to more accurately identify the sender of an email which in turn helps reduce the amount of spam, phishing, and spoofing emails.
Email authentication relies on 3 standards that cover different areas of email authentication to create a comprehensive and layered approach.
DKIM (Domain Key Identified Mail)
DKIM is an email authentication technique that gives an email a digital signature (DKIM signature) that allows the receiver of the email to check that the email was sent and authorised by the owner of the sender’s domain. Usually, the DKIM signature is not visible to the end-user, as authentication is done at the server level.
A DKIM signature uses hash values which are made up of a unique string of characters, created by a Mail Transfer Agent (MTA). Using the public key registered in the DNS, the receiver can verify the DKIM signature, by decrypting the Hash Value and recalculating the hash value from the received email. If the two DKIM signatures match, the MTA can verify that it came from the listed domain and the email has not been altered.
SPF (Sender Policy Framework)
Similarly, like DKIM, SPF is a technical standard and email authentication technique that assists with validating and authenticating an email senders’ original source. SPF works by creating an SPF record, that is stored in the DNS, which specifies which IP address or mail server the domain owner uses to send an email. SPF authentication involves the receiving mail server verifying the domain by comparing the “envelop from” address in the email header and the IP address to ensure it matches the SPF record.
DMARC (Domain-based message authentication, reporting and conformance)
DMARC is a technical standard that needs to be set up by the sender to help authenticate and validate their identity to the receiver.
Simply put, DMARC helps an email receiver system identify whether an email is or is not sent from an organisation’s approved domains, and then tells the receiver systems how to appropriately deal with the unauthorised email.
DKIM and SPF have limited abilities when verifying emails. For example, SPF does not work when messages are forwarded on and, as SPF only checks the header from address (the address that is visible to the end-user) it cannot protect against spoofing emails.
To overcome these limitations, businesses should employ DMARC alongside DKIM and SPF as a layered approach that will create a more secure and reliable process to help eliminate spam, phishing, and spoofing emails. DKIM and SPF provide a framework to ensure the integrity of an email, however, DMARC allows for more control for the sender to help them ensure their email is received correctly and is the only way for senders to identify to the receiver that the email they are sending is in fact from them.
The elements DMARC adds are Identity Alignment, Policy Management and Reporting.
Identity Alignment allows senders more control of how their emails are authenticated, which helps to ensure that the end-user receives the original sent email.
Policy Management lets senders check the ‘from’ address that is shown in the email to the end-user. Policy Management also provides instructions on what to do upon failure.
Unlike both DKIM and SPF, DMARC provides the sender of the email reasoning of why certain actions were performed under the policy.
How does DMARC work?
DMARC works by using the established DKIM and SPF standards for email authentication, as well as piggybacking on the Domain Name System (DNS). How DMARC works can be broken down into 4 steps…
Domain Owner Publishes DMARC Policy
First, the owner of the domain must publish a DMARC record that outlines the email authentication policy. This is then stored on the domain DNS which can be accessed during the email authentication process.
Mail Server Checks
Secondly, the receivers mail server will check for a DMARC policy that uses the “from” address in the sender’s email. This includes checking for a matching IP address in the senders SPF records, a valid DKIM signature, and will also text for domain alignment.
Application of DMARC policy
Using the results of the mail server checks, the server will then either accept, quarantine, or reject the email.
The receiving server will then send a report of the outcome to the email specified in the DMARC record. DMARC reports can come in two formats: Aggregate or Forensic.
What are the benefits of DMARC?
DMARC’s main benefit is that it adds a much-needed extra layer of email security to your pre-existing protocols. As it works at the DNS level, it protects your inbox before emails even reach them. Other benefits of DMARC include, but are not limited to:
- Brings transparency to email activity
- Identify threats, spoofing and phishing attacks from a specified domain
- Reduces Spam
- Authenticates emails content and from address
- Improves email score and deliverability
- Creates reports of failed sends
- Defines policies
Does your business need DMARC?
If you’re unsure whether you should employ DMARC protocol in your business, answer one simple question…
Do you use email in your business?
If you answered yes, then the answer to if you need DMARC is also yes.
Verizon reported that 94% of malware is delivered by email, which means businesses must put more emphasis on their email security. Using DMARC reduces the likelihood of your business’s domain being spoofed which means your customers, suppliers and all contacts are better protected. Furthermore, being able to tell clients/suppliers etc that your business uses DMARC will make your brand look more reputable, as well as build confidence and trust amongst the business’s stakeholders.
- IT Security audit checklist for small and medium businesses
- Cyberattacks during the pandemic: How to protect your data
- How to prevent cyber attacks on your business
- How to protect your digital assets from cybersecurity threats
- Phishing frequently asked questions
- Four types of security audit your business should conduct
- Is Antivirus Dead?