SPF, DKIM, and DMARC – What’s the Big Deal?
“SPF is important because it helps to prevent a malicious attacker from spoofing your address. SPF records help to prevent sender address forgery by protecting the “envelope sender address”, allowing admins to specify which mail servers are allowed to send mail from their domain. This makes it harder for hackers to perform phishing attacks such as a spoofed or spear-phishing attack.”
I am sure many of you reading this article are well aware of the risk that phishing emails pose to organizations and individuals alike. We are constantly given training (which is valid) on phishing and told not to click on links or attachments in emails we are not expecting to receive. We are told to check the email headers and look for abnormal or poor grammar. At times it seems we are better off not opening any emails at all, given how often hackers use email as their main gateway into an organization.
Wouldn’t it be nice if there was a way to implement something that helps prevent phishing emails from reaching our inboxes? Well, there is, and it involves three email authentication protocols – Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
Every email message carries two “from” addresses: the “envelope from”, which mail servers use to route the message and return bounces, and the “header from”. The header from address is the one contained in the “From:” field of an email and is visible to all email users. This can be spoofed by hackers. That’s where email authentication comes in.
Sender Policy Framework (SPF) is an email authentication protocol that allows the owner of a domain to specify which mail servers are allowed to send mail from that domain. When a message is received, the receiving email provider performs an SPF check: it looks up the SPF record published in DNS (the Domain Name System) for the domain in the “envelope from” address and compares the IP address of the sending server against the addresses that record authorizes. If the IP address sending email for the “envelope from” domain isn’t listed in the SPF record, the message fails SPF authentication.
An SPF-protected domain is less attractive to phishers and is therefore less likely to be blacklisted by spam filters, which helps ensure legitimate email from that domain is delivered. But a message that fails SPF is not necessarily blocked from the inbox. Also, SPF breaks when a message is forwarded, and SPF does nothing to protect us against hackers who spoof the display name or “header from” address in their message.
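To make the SPF check concrete, here is an added example (not code from the original article) that evaluates a sending IP against an SPF record the way a receiving server does. The records, domains and IP addresses are constructed for the example; a real check would fetch the TXT record of the “envelope from” domain from DNS, and the `a`, `mx` and `exists` mechanisms (which also need DNS) are skipped. The last case in the test shows the forwarding problem described above: the forwarder’s IP is not in the record, so the forwarded message fails SPF even though the original sender was legitimate.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (example only).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup; returns None when the domain has no record."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(client_ip, envelope_from, depth=0):
    """Return an SPF result for a connecting IP and envelope-from address:
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 limits DNS-consuming mechanisms (include, etc.) to 10
        return "permerror"
    domain = envelope_from.rsplit("@", 1)[-1]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            try:
                # An IPv6 client never matches an ip4 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only if the included domain's record yields "pass"
            matched = check_spf(client_ip, "postmaster@" + arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a / mx / exists / redirect need DNS; not handled offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    print("direct send  :", check_spf("192.0.2.25", "alice@example.com"))
    print("via include  :", check_spf("198.51.100.10", "alice@example.com"))
    # A forwarding host (203.0.113.5) relays the message with the original
    # envelope from: it is not in example.com's record, so SPF fails.
    print("forwarded    :", check_spf("203.0.113.5", "alice@example.com"))
```

The `-all` at the end of the record is what turns “not listed” into a hard `fail`; with `~all` the same message would get `softfail`, which many receivers merely score rather than block, matching the caveat that an SPF failure does not guarantee the message is kept out of the inbox.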
DomainKeys Identified Mail (DKIM) allows organizations to take responsibility for transmitting a message in a way that can be verified by mailbox providers. Email providers that validate DKIM signatures can use information about the signer as part of a program to limit spam, spoofing, and phishing. DKIM can also ensure that the message has not been modified in transit.
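The “not modified in transit” property comes from the `bh=` tag of the DKIM-Signature header, which carries a hash of the canonicalized message body; the `b=` tag is the signer’s signature over the selected headers and that body hash. The following added example (not code from the original article, and not a full DKIM verifier) implements the body-canonicalization and body-hash step from RFC 6376 with only the standard library, so it can show how trailing blank lines and whitespace are tolerated while any real change to the body is detected. The message body and DKIM-Signature value are constructed; the `b=` value is a placeholder because signature verification needs the signer’s public key from DNS and an RSA or Ed25519 library, which this example leaves out.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization (RFC 6376 s.3.4.3): CRLF line
    endings, and all trailing empty lines reduced to a single CRLF."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (text.rstrip("\r\n") + "\r\n").encode("utf-8")


def canonicalize_body_relaxed(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376 s.3.4.4): as 'simple',
    plus trailing whitespace removed from each line and runs of whitespace
    within a line collapsed to one space."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    text = "\r\n".join(lines)
    return (text.rstrip("\r\n") + "\r\n").encode("utf-8")


def body_hash(body, canon="simple"):
    """Base64 SHA-256 over the canonicalized body: the value of the bh= tag."""
    canonicalize = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    return base64.b64encode(hashlib.sha256(canonicalize(body)).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (whitespace-folded
    values such as b= and bh= are joined back together)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature, body):
    """Return True when the body hash in the header matches the received body.
    Only the sha256 variants (rsa-sha256, ed25519-sha256) are handled here."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("-sha256") or "bh" not in tags:
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"  # header/body
    expected = body_hash(body, body_canon)
    return hmac.compare_digest(expected, tags["bh"])


# Constructed message and header for the example (b= is a placeholder, not a real signature).
BODY = "Hello Bob,\n\nPlease review the attached invoice before Friday.\n"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail2024;"
    " h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("bh tag           :", body_hash(BODY))
    print("unchanged body   :", verify_body_hash(DKIM_SIGNATURE, BODY))
    print("extra blank lines:", verify_body_hash(DKIM_SIGNATURE, BODY + "\n\n"))
    print("altered body     :", verify_body_hash(DKIM_SIGNATURE, BODY.replace("Friday", "Monday")))
```

Because the hash is taken over the canonicalized form, a relay that appends a trailing blank line does not break the signature, but changing a single word of the text does, which is exactly the integrity guarantee the paragraph above refers to.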
“Domain Based Message Authentication, Reporting & Conformance (DMARC) ensures that legitimate email is properly authenticating against established DKIM and SPF standards and that fraudulent activity appearing to come from domains under the organization’s control is blocked.”
DMARC is an open protocol to prevent phishing attacks via impersonation. DMARC compiles the signals from SPF and DKIM. SPF allows a domain owner to specify which IP addresses are authorized to send email on their behalf. DKIM uses a digital signature to verify that an email sender is who they say they are; the signing domain publishes its public key in its DNS record so the recipient can check the signature against it. They both produce individual authentication identifiers that help validate email in different ways. If you have implemented SPF and DKIM, the receiving server can identify who an email is from, but it does not know whether all of your traffic is properly configured, so it cannot act on this knowledge.
DMARC combines the results of SPF and DKIM to accurately identify whether an email is from an authorized sender or a fraudulent impersonator, and can therefore actively block phishing attacks by enforcing a policy. With DMARC, you can instruct receiving servers on how to deal with emails that use your domain by setting your DMARC policy. For example, you can switch your DMARC policy to actively reject malicious emails.
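The piece that ties SPF and DKIM to the visible “From:” address is DMARC’s alignment check: an SPF or DKIM pass only counts if the domain it authenticated matches the “header from” domain (exactly in strict mode, or at the organizational-domain level in relaxed mode). The added example below (not code from the original article) evaluates a DMARC record against a message’s authentication results and returns the disposition a receiver would apply. The DMARC record, domains and results are constructed; the organizational domain is approximated as the last two labels, whereas a real implementation consults the Public Suffix List, and the `pct=` and `sp=` tags are not handled.

```python
def org_domain(domain):
    """Approximate organizational domain (last two labels). A real receiver
    uses the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, header_from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' style tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record, header_from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope-from domain SPF was checked against; dkim_domain
    is the d= tag of a verified DKIM signature (None when there is none)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # no usable policy published
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, header_from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # one aligned pass is enough
    policy = tags["p"].lower()
    disposition = policy if policy in ("none", "quarantine", "reject") else "none"
    return ("fail", disposition)


# Constructed DMARC record for example.com (example only).
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail: SPF passes for a bounce subdomain, aligned in relaxed mode.
    print("legitimate :", evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Forwarded mail: SPF breaks, but the DKIM signature survives, so DMARC still passes.
    print("forwarded  :", evaluate_dmarc(DMARC_RECORD, "example.com", "fail", "bounce.example.com", "pass", "example.com"))
    # Spoofed header from: attacker's own domain passes SPF/DKIM, but nothing aligns with example.com.
    print("spoofed    :", evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "attacker-domain.example", "pass", "attacker-domain.example"))
```

The forwarded case is why DKIM matters alongside SPF: an aligned DKIM pass lets legitimate forwarded mail through even though SPF failed, while the spoofed case shows a message whose “header from” claims example.com being rejected under `p=reject` despite passing SPF and DKIM for the sender’s own domain.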
Article Written By: Chad Gutschenritter