Secure your Emails
Written by Ben Friedman, July 30th, 2016
Emailing is a part of daily life. We rarely consider how it could be manipulated, used against us, or otherwise exploited in an undesirable manner. Most people who have email addresses remain unaware that this could happen at any moment. It's not a pleasant experience to find out that someone has been masquerading on the web as you or your business!
The initial response is to assume that you've been hacked: somehow someone must have broken into your system or managed to steal one of your passwords. However, this is usually not the case! Creating a fraudulent email is something akin to writing a fake letter and pretending to be someone you're not. The difficult part is crafting the letter; after that, all you need to do is drop it in a mailbox and wait.
In a very similar manner, emails can be forged to say they're from you, when in fact a more malicious individual or group is behind it all. So the question remains: how can I stop this? It turns out there is an effective solution (multiple solutions, actually) which, when used together, help ensure your emails only come from you.
The answer is in SPF, DKIM and DMARC: three acronyms for three approaches that help lock down your email.
The first, SPF (Sender Policy Framework), is a way to declare who sends email on your behalf. If you use Gmail, for example, this would be google.com. Doing so dictates that only the domains you whitelist should be sending email on your behalf, not my-shady-domain.com. I won't go into how to set up SPF here, that's for another article, but you can look up the specification at www.openspf.org.
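To show what a receiving mail server actually does with the record you publish, here is an added example (not code from the original post or from Axolsoft) written in JavaScript for Node.js. It reads the SPF TXT record for the sending domain from a constructed stand-in for DNS, walks the mechanisms left to right, and returns pass, fail, softfail or neutral for the connecting IP. All domain names and addresses in the table are hypothetical. Only the ip4, include and all mechanisms are implemented; real SPF (RFC 7208) also has a, mx, ip6, exists, redirect, macros and a ten-lookup limit. One point worth knowing before you write your own record: SPF is checked against the connecting IP and the envelope sender (MAIL FROM) domain, not the From: header a person reads, which is one reason DMARC's alignment check matters later.

```javascript
// Added example (not from the original post): a minimal SPF evaluator showing
// what a receiving server does with a published record. IPv4 only; the
// mechanisms implemented are ip4, include and all.

// Constructed stand-in for DNS TXT lookups; every domain here is hypothetical.
const DNS_TXT = {
  'example.com': 'v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all',
  '_spf.mailhost.example': 'v=spf1 ip4:198.51.100.10 ~all',
};

// SPF result for each qualifier prefix; a mechanism with no prefix means "+".
const QUALIFIERS = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip falls inside cidr ("192.0.2.0/24"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Evaluate senderIp against the SPF record published for domain, walking the
// mechanisms left to right; the first one that matches decides the result.
// Returns pass, fail, softfail, neutral, none (no record) or permerror.
function checkSpf(domain, senderIp, depth = 0) {
  if (depth > 10) return 'permerror';            // include loop / too many lookups
  const record = DNS_TXT[domain.toLowerCase()];
  if (!record || !record.startsWith('v=spf1')) return 'none';

  for (const term of record.trim().split(/\s+/).slice(1)) {
    let qualifier = '+';
    let mech = term;
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    const [name, arg] = mech.split(':');

    let matched = false;
    if (name === 'all') {
      matched = true;
    } else if (name === 'ip4') {
      matched = inCidr(senderIp, arg);
    } else if (name === 'include') {
      // include matches only if the referenced record itself yields "pass"
      const sub = checkSpf(arg, senderIp, depth + 1);
      if (sub === 'permerror') return 'permerror';
      matched = sub === 'pass';
    } else {
      return 'permerror';                        // mechanism not implemented here
    }
    if (matched) return QUALIFIERS[qualifier];
  }
  return 'neutral';                              // ran off the end of the record
}

// Stand-alone run: an authorized host, an included host, and an outsider.
console.log(checkSpf('example.com', '192.0.2.77'));    // pass
console.log(checkSpf('example.com', '198.51.100.10')); // pass (via include)
console.log(checkSpf('example.com', '203.0.113.5'));   // fail (-all)
```

The walk stops at the first matching mechanism, which is why the order of terms in your record matters and why `all` always goes last: `-all` turns an unlisted sender into a hard fail, while `~all` yields a softfail that many receivers treat only as a hint until a DMARC policy tells them what to do with it.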
The second, DKIM (DomainKeys Identified Mail), is a way to detect email spoofing. Similar to protecting your site with SSL/TLS, DKIM signs emails, and your domain provides a public key to validate those signatures against. If an email is received and the signature doesn't match, it's probably a fake! In this manner most forged emails are easy to identify. Note that although this is a good mechanism, it doesn't help if someone manages to steal your private key, since they could then sign emails as if they were your own. You can learn about DKIM at www.dkim.org.
This is fantastic! We have a mechanism for whitelisting senders and one for authenticating messages from those senders; this is a great setup so far. With all this there is still one matter left to address: what do we do with the emails that fail these checks?
For this we have DMARC (Domain-based Message Authentication, Reporting & Conformance), whew, that's a mouthful. In a nutshell, DMARC provides a policy to follow when SPF or DKIM fails: it instructs receiving providers how to handle forged or otherwise non-passing emails. This is a very powerful tool, and it must be used carefully. Generally, when setting up DMARC (which does require both SPF and DKIM to be in place beforehand), you are advised to do nothing with failing emails, at least initially, because DMARC could accidentally block your own emails if SPF or DKIM is improperly configured. To help make sure everything is configured properly, DMARC provides a reporting mechanism through which you can receive daily reports on emails that passed or failed. You are encouraged to use this reporting mechanism to gauge the effectiveness of DMARC as you slowly adjust from blocking nothing, to quarantining, to flat out rejecting emails that fail to pass. You can learn more about DMARC, and how exactly to proceed with setting it up (after SPF and DKIM), at dmarc.org.
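Here is an added example (not the post's code) of the decision DMARC asks a receiver to make, written in JavaScript for Node.js. It reads the _dmarc.<domain> record from a constructed stand-in for DNS, checks whether the SPF or DKIM result is both passing and aligned with the From: domain, and returns the disposition the domain owner asked for together with the rua= address that aggregate reports go to. The three records in the table are hypothetical and correspond to the rollout stages the post describes: p=none to monitor, then p=quarantine, then p=reject. Two simplifications are labelled in the code: the organizational domain is taken as the last two labels rather than looked up in the public suffix list, and the pct= sampling and sp= subdomain tags are not implemented. The alignment check is what ties the three mechanisms together: an SPF pass for some unrelated envelope domain, or a DKIM signature from someone else's d= domain, does nothing for a message claiming to be From: your domain.

```javascript
// Added example (not from the original post): the DMARC decision a receiving
// server makes. Domain names and the DNS table are constructed stand-ins.
const DNS_TXT = {
  // monitor-only stage: failures are reported but delivered normally
  '_dmarc.monitor.example': 'v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example',
  // relaxed alignment (the default): subdomains of the From: domain count as aligned
  '_dmarc.quarantine.example': 'v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@quarantine.example',
  // strict alignment: the authenticated domain must equal the From: domain exactly
  '_dmarc.strict.example': 'v=DMARC1; p=reject; adkim=s; aspf=s',
};

// tag=value; tag=value parser for the DMARC record
function parseTags(value) {
  return Object.fromEntries(value.split(';').map(p => p.trim()).filter(Boolean)
    .map(p => [p.slice(0, p.indexOf('=')).trim(), p.slice(p.indexOf('=') + 1).trim()]));
}

// Simplification: treat the last two labels as the organizational domain.
// Real DMARC consults the public suffix list so that e.g. co.uk is handled correctly.
function orgDomain(d) { return d.toLowerCase().split('.').slice(-2).join('.'); }

// Identifier alignment: strict ('s') needs an exact match, relaxed ('r') needs
// the same organizational domain.
function aligned(authDomain, fromDomain, mode) {
  if (!authDomain) return false;
  const a = authDomain.toLowerCase(), f = fromDomain.toLowerCase();
  return mode === 's' ? a === f : orgDomain(a) === orgDomain(f);
}

// auth.spf: result of the SPF check plus the envelope-sender domain it was run for.
// auth.dkim: result of the DKIM check plus the d= domain of the signature.
// Returns the DMARC result, the disposition the domain owner asked for, and
// where aggregate reports should be sent.
function dmarcEvaluate(fromDomain, auth) {
  const record = DNS_TXT[`_dmarc.${fromDomain.toLowerCase()}`];
  if (!record || !record.startsWith('v=DMARC1')) {
    return { result: 'none', disposition: 'none', reportTo: null }; // no policy published
  }
  const t = parseTags(record);
  const spfOk = auth.spf.result === 'pass' && aligned(auth.spf.domain, fromDomain, t.aspf || 'r');
  const dkimOk = auth.dkim.result === 'pass' && aligned(auth.dkim.domain, fromDomain, t.adkim || 'r');
  const reportTo = t.rua || null;
  if (spfOk || dkimOk) return { result: 'pass', disposition: 'none', reportTo };
  // Neither check passed with alignment: apply the published policy.
  // (pct= sampling and the sp= subdomain policy are left out for brevity.)
  return { result: 'fail', disposition: t.p || 'none', reportTo };
}

// Stand-alone run: the same failing message against each rollout stage.
const failingAuth = { spf: { result: 'fail', domain: 'other.example' }, dkim: { result: 'none', domain: null } };
for (const d of ['monitor.example', 'quarantine.example', 'strict.example']) {
  console.log(d, dmarcEvaluate(d, failingAuth));
}
```

Running the same failing message through the three records is the rollout in miniature: with p=none the message is delivered and only shows up in the report, which is where you find your own unlisted senders before moving to p=quarantine and finally p=reject.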
And that's all there is to it! Using these three tools you can help make sure that your emails remain in your control, and you can actively observe any attempts to send forged emails. Now, this is a fairly light overview, mostly to inform, but we encourage you to take the time to look up these tools and understand how they work before implementing them. As much as securing your email is a priority, understanding the systems involved is more so. You don't want to make a mistake because you skipped a step and end up blocking your own emails.
At Axolsoft we implement all three of these techniques to help prevent email spoofing. If you haven't already, we highly recommend that you do as well. Most email service providers offer a means of setting this up today. If you're ever curious about the process beyond the depth of this article, and are unsure about setting it up yourself, you can contact us below. We're always willing to lend a hand to secure the internet.
Questions? Corrections? Concerns? Contact us at firstname.lastname@example.org