Email again. Seriously?
One of my personal mantras is death to email, so I completely understand. However, since email is the primary communication vessel for everyone, it is a primary target for malicious actors. Therefore, making sure you can secure your business email should be a top priority when evaluating your business risk. In the following article, we will walk you through ways you can directly decrease your risk and some strategies to consider.
Be sure to read our previous blog post in this series, Get a Real Email Solution – You Get What You Pay For (Part 1 of 8), to make sure you have the right type of email setup to support the steps in this article.
“Without securing your email domain properly, bad actors can easily target your employees, customers, and partners and impersonate you, potentially causing widespread disruption to your business.”
What is Spoofing or Impersonation?
Similar to identity fraud, spoofing or impersonation is when someone sends an email claiming to be you or your company. There are many forms of spoofing or impersonation, but the main differences are described as follows:
Spoofing – When someone pretends to send from your email domain by sending from an illegitimate email source (no domain verification) and masking the source to look like they are sending from your company email domain.
Impersonation – When someone registers a legitimate domain to pass security checks but changes the sender to look like it is sent from someone at your company.
Another form of this is also known as domain squatting. For example, your domain is company.com, and the impersonation is happening from c0mpany.com. This article does not cover domain squatting protection, but many email providers have some protection solutions to address this.
Both approaches can be dangerous for your company, customers, and vendors and result in widespread compromise.
What are SPF, DKIM, and DMARC?
Let’s level-set at a high level to understand each of these and why they matter.
What is SPF?
SPF stands for Sender Policy Framework. It is a technology developed between 1997 and 2003 to help the email recipient verify the email sender. It does this by comparing the email sender’s source information to a record in your DNS hosting provider to see if they match.
Why it matters.
If a sender sends an email from a service such as mail.company.com that is not listed in your SPF record (or you don’t have one), the recipient of the message will mark it as SPF FAIL. The final term of the SPF record then tells the recipient what to do with a message that fails the check: whether to accept the message or deny it.
This simple action allows you to declare the mail servers permitted to send as your email domain.
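To make the SPF check above concrete, here is an added example (not StrataNorth's code or any mail provider's) of how a receiving server evaluates a sender's IP against a published SPF record. The DNS zone is a constructed in-memory dictionary standing in for real TXT lookups, and the domains, addresses and selector names in it are placeholders; it supports the ip4:, ip6:, include: and all mechanisms with all four qualifiers, which is enough to show both the "is this server permitted?" decision and the "what do we do on failure?" decision the record's last term controls.

```python
import ipaddress

# Constructed DNS zone: a stand-in for what a real resolver would return.
# None of these domains or addresses belong to a real organisation.
FAKE_DNS_TXT = {
    "company.com": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # misconfigured: includes itself
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the v=spf1 TXT record published for a domain, or None."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate a simplified SPF policy for sender_ip against domain.

    Supports ip4:, ip6:, include: and all. Real SPF also has a:, mx:,
    exists: and redirect=, and caps DNS-querying terms at 10 in total;
    this toy only caps include: nesting depth to catch loops.
    """
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                       # no SPF record published at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:         # skip the v=spf1 version tag
        qualifier = "+"                     # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # An IPv6 sender never matches an IPv4 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed network in the record
        elif name == "include":
            sub = check_spf(sender_ip, arg, dns, depth + 1)
            if sub == "permerror":
                return "permerror"          # errors inside an include propagate
            matched = sub == "pass"         # include: matches only on pass
        elif name == "all":
            matched = True                  # catch-all: its qualifier decides the outcome
        else:
            continue                        # mechanism not modelled in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # record ended without a match


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "company.com"), ("192.0.2.1", "company.com"),
                    ("192.0.2.1", "mailer.example"), ("192.0.2.1", "nospf.example")]:
        print(f"{ip:>14} as {dom:<16} -> {check_spf(ip, dom)}")
```

The example also shows the two mistakes the rest of the article warns about: a sender you forgot to list (192.0.2.1 claiming company.com) ends in "fail" because the record closes with -all, and a record that includes itself is a permanent error rather than a pass.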
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is a technology that was developed shortly after SPF in 2004. It works like a signature verification system that allows an organization to sign their emails so that recipients can verify the message came from the actual sender.
Why it matters.
DKIM was created as a follow-up to SPF as malicious attempts to compromise SPF were widely successful.
DKIM works by adding a public record to your DNS (just like SPF) that lets anyone who receives a message claiming to be from you verify its source. When you send a message, your mail servers sign it with a private key that only your mail servers hold. Upon receiving your message, the recipient mail server looks up the DKIM record in your DNS and uses the public key published there to verify the signature.
There are no parameters in the DKIM record to tell the recipient what to do in the event of a missing signature. It is only there to verify the message was signed by you. This is where DMARC comes in.
What is DMARC?
DMARC stands for Domain-based Message Authentication Reporting & Conformance. It is a technology developed in 2012 that verifies email senders by analyzing the outcome of SPF and DKIM and determining confidence levels.
Why it matters.
Even with SPF and DKIM in place, malicious attempts to compromise message integrity were still thriving. There was an apparent need for another level of protection.
DMARC is another record in your DNS hosting provider and requires proper implementation of SPF and DKIM. When someone receives a message claiming to be sent by you, the recipient mail server checks SPF, then DKIM, and then DMARC. It records whether SPF or DKIM passed or failed, looks up your DMARC record to decide which action to take based on that result, and can report the outcome back to you. You, as the sender, set these rules in your DNS record.
As you can see, each of the above protections supports each other in a comprehensive verification ecosystem.
How do I check if I have SPF, DKIM, or DMARC records?
There are so many tools on the internet to check this information. One such tool is DMARCLY. DMARCLY has some easy explanations, can let you know if you have any errors in your record, and can even help you build your records as needed.
How do I create or modify my SPF, DKIM, or DMARC records?
Every provider is different on specific steps for configuring different records. But here are instructions for GoDaddy on creating SPF, DKIM, and DMARC. When enabling DKIM, you will also need to generate a DKIM record from your mail provider. For Office 365, the instructions are here. For Google Workspace, the instructions are here.
How do I know what to add to the SPF, DKIM, or DMARC records?
This exercise can typically take some time or the expertise of a third-party consultant. Here are some of the high-level steps to help you identify this.
Determine what services you use to send email
The easiest place to start is your email provider. Who do you pay for email services? They usually will have guides on what you need to add to your SPF record for them to send your emails to the world in a secure manner. Some email providers like Microsoft 365 or Google Workspace can walk you through this and even automatically add the record for you.
Secondly, consider all the other services you use to send email, such as marketing platforms (Constant Contact, Mailchimp, etc.) and line-of-business applications (Shopify, your CRM system, support desk software, etc.).
It is critical that you understand where your email is sent from when implementing SPF. Omitting something could result in emails failing SPF checks and undeliverable messages when sent to your customers.
Once you have identified your sending services and completed the SPF setup, DKIM and DMARC are more uniform, since they do not depend on the source in the same way. You will still need to ensure that every service sending email on your behalf has a DKIM record generated for it. Each provider should have instructions on how to accomplish this as well, and some can even publish the record for you automatically.
DMARC is not dependent on the source, so that process should be relatively consistent. However, there are some precautions to take when setting up DMARC. Google has a pretty good explanation of the process of rolling out a phased approach here. Failure to implement a phased approach can result in valid messages being denied delivery.
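The DMARC evaluation described in "What is DMARC?", the DKIM record lookup described in "What is DKIM?", and the phased rollout above, as one added example that is not StrataNorth's code or any provider's: a toy evaluator that combines SPF and DKIM results with the From: domain, applies the published policy, and shows what the same message receives at each rollout phase. The domains, selector, reporting address and the fixed "sample bucket" used in place of the receiver's random pct= draw are all constructed assumptions, and the organizational-domain rule is simplified to the last two labels.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' string (DKIM-Signature or DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain as the last two labels.
    Real receivers consult the Public Suffix List; this toy assumes a plain TLD."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dkim_dns_name(dkim_signature_header):
    """Where a receiver fetches the public key: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_signature_header=None, sample_bucket=0):
    """Return (dmarc_result, action) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated against.
    sample_bucket (0-99) stands in for the receiver's random draw that honours
    pct=; it is fixed here so the example is deterministic.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "deliver"            # no usable policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = False
    if dkim_result == "pass" and dkim_signature_header:
        signing_domain = parse_tags(dkim_signature_header).get("d", "")
        dkim_ok = aligned(signing_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"            # one aligned pass is enough
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                 # sp= overrides p= for subdomains
    if sample_bucket >= int(tags.get("pct", "100")):
        # Outside the pct= sample: RFC 7489 applies the next less strict
        # policy instead (reject -> quarantine, quarantine -> none).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return "fail", action


# A phased rollout: monitor only, partial quarantine, full quarantine, reject.
ROLLOUT_PHASES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@company.com",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@company.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@company.com",
]


def rollout_actions(from_domain, spf_result, spf_domain, dkim_result,
                    dkim_signature_header=None, sample_bucket=50):
    """Action the same message would receive at each rollout phase."""
    return [dmarc_disposition(rec, from_domain, spf_result, spf_domain, dkim_result,
                              dkim_signature_header, sample_bucket)[1]
            for rec in ROLLOUT_PHASES]


if __name__ == "__main__":
    # Constructed DKIM-Signature header with placeholder hash and signature values.
    sig = "v=1; a=rsa-sha256; d=company.com; s=sel2024; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
    print("key lookup name:", dkim_dns_name(sig))
    # An unauthenticated message claiming company.com, at each rollout phase:
    print(rollout_actions("company.com", "fail", "attacker.example", "none"))
    # A marketing platform using its own envelope domain but signing as company.com:
    print(dmarc_disposition(ROLLOUT_PHASES[3], "company.com", "pass", "mailer.example", "pass", sig))
```

The last call is the case from the section on identifying senders: a third-party platform whose envelope domain is its own fails SPF alignment, so it only survives p=reject if it signs with a DKIM key published under your domain. The sp= handling is the mechanism behind the "separate people and services" advice later in the article, since it lets a marketing subdomain carry a different policy from the corporate domain.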
Additional protections for your email.
We wanted to also provide you with some additional insights for making your email systems as protected as possible and give you some strategies for keeping your email hygiene squeaky clean.
Use MFA for everything.
In our previous post, Start using MFA for everything – MFATS (Part 3 of 8), we discuss the importance of using Multifactor Authentication (MFA) for everything. We mention it again in this post because of its importance. Setting up MFA for your email services is one of the most critical steps to ensuring that only authorized people access it.
Separate people and services.
This strategy comes as a surprise to some, especially given how high it sits on the list. However, what happens to organizations over time is that they subscribe to more tools and processes that rely on email. If they are following the rest of the recommendations in this guide, they are making sure that they have SPF, DKIM, and DMARC for all of those services. One of the things we failed to mention above is the limitations of those technologies.
The limitations are too numerous to go into detail here, but you will want to make sure that your corporate domain used by employees is only authenticated for employees. Anything else should have a separate domain altogether or use a subdomain.
For example, if you send from company.com for your corporate mail, and you have a service like Mailchimp reaching out to your customers for marketing purposes, you will want to have that sending as marketing.company.com or companymarketing.com.
We have been called in to help a company that was blacklisted (for more than 24 hours) and unable to send any email due to oversight by someone in the company who followed bad sending practices or by sending too much mail in an allotted amount of time. Imagine not being able to reach customers for 24 hours because of a mistake like this.
Subscribe to an encrypted email service.
If you send sensitive data to people outside your organization, a great strategy is to ensure that you use encrypted mail services. This may be required by law for sensitive information such as health or financial data, or any other personally identifiable information.
There are many encrypted email solutions available today. If you are on Office 365 or Google Workspace, they have services available natively for purchase that integrate seamlessly. Some email gateway services also have this as an add-on. That brings us to our next recommendation.
Utilize an email gateway service.
An email gateway service is a solution that sits in front of your email provider. This solution intercepts mail inbound and outbound and performs in-depth security services that go above and beyond the services available in most email providers. Companies like Proofpoint, Mimecast, and Sophos are just a few that offer gateway solutions.
The other advantage of a gateway solution is that it allows much more advanced message customization and routing. This can be beneficial if you have needs beyond traditional message customization.
Subscribe to an email archive service.
Lastly, we come to email archiving. An email archiving service typically sits in front of your email service, intercepts inbound and outbound messages, makes a copy of each, and stores them in a secure, searchable solution.
This is great for HR or legal teams that may need a record of email that cannot be altered by anyone other than the administrators. There can also be settings to destroy mail after a certain period or retain it long-term.
When it comes to compliance, an email archiving service can undoubtedly fulfill a need.
We hope this blog post at least gave you some insight into identifying your first steps into securing email for your business. While there is a plethora of information here, there can be much more to consider when implementing the strategies mentioned in this article. As each business is unique, so are its mail needs and, more importantly, its email risks.
How StrataNorth can help.
If you are ready to transform your business’s security landscape and are looking for experts to guide you, StrataNorth has security consultants with decades of experience. We can help you reach security nirvana and give you a roadmap for success. Reach out for a no-cost, no-obligation chat with a security expert today.