EMAIL & WEBSITE SECURITY - PART 2
How to prevent illegitimate use of your company email addresses
Part 2 of our info-series explores the various checks and processes that authenticate your mail server. Whether or not your administrators have configured these rules of action will determine, for example, if the emails you send end up in the recipients’ junk folders. As with Part 1, this will be a little technical, but absolutely something you can get your head around. Our mission is to inform those of us who are not IT professionals, but curious about website and email security. Here we go.
The domain name identifies your organisation
Your email address email@example.com typically reflects the domain name www.companyname.com; however, nothing prevents someone from putting your domain name on the e-mails they send. Users can enter an invented sender name in their e-mail settings that hides the actual address underneath (hovering your cursor over the sender’s name, without clicking on it, usually reveals what lies beneath).
There are two types of inbox-clogging activities that use this technique: phishing aims to appropriate login credentials and other sensitive data by imitating your company’s domain, while spamming is a tactic for promoting goods and services by sending unsolicited emails to bulk mailing lists using the domain of credible companies.
In sum, senders of spam and phishing emails use valid domain names as “From” addresses to avoid being blocked and deceive recipients. While you cannot stop someone from sending e-mails with an adopted domain name, you can assist e-mail servers around the world to identify if e-mails sent from a given domain name actually originated from there and are legitimate e-mails, so that any others can be discarded outright or end up in the “Junk” folder.
Prove to servers that senders are genuinely authorised to send email
Several checks or processes, specifically SPF, DKIM and DMARC, are used to authenticate your mail server. When properly set up, they let receiving servers confirm that the sender is legitimate and is not sending an email on someone else’s behalf. You must therefore inform the DNS and email servers you are using for your domain, by creating DNS records that essentially provide rules of action.
SPF is an acronym for “Sender Policy Framework”. As with all three checks, SPF is a DNS record; it specifies which IP addresses and/or servers are allowed to send emails “From” that particular domain. To draw an analogy to the way we send physical mail through the postal services, it is the return address placed on a letter or package that lets the recipient know who sent the communication. The reassurance of knowing who sent the letter makes it more likely the recipient will open it. Technically, the “recipient” is the receiving email server, not the actual person being emailed.
DKIM is an acronym for “DomainKeys Identified Mail”. It is also known as “email signing”. Just like an SPF record, DKIM is a record added to a domain’s DNS. Where SPF is akin to a return address on a traditional posted letter, DKIM is similar to sending that letter via certified mail, as it further builds trust between the sending server and the receiving server. DKIM’s intent is to prove that the contents of an email message have not been manipulated, that the headers of the message have not changed, and that the sender of the email actually owns the domain that has the DKIM record attached to it (or is at least authorised by the owner of the domain to send emails on their behalf).
DMARC is an acronym for “Domain-based Message Authentication, Reporting and Conformance”. It is an email authentication, policy and reporting protocol that is built around both SPF and DKIM. It has three basic purposes: it verifies that a sender’s email messages are protected by both SPF and DKIM, it tells the receiving mail server what to do if neither of those authentication methods passes, and it provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.
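To make the three checks concrete, here is an added example (not part of the original article) that walks through, in Python, what a receiving mail server does with them: it reads SPF and DMARC TXT records from a stand-in DNS table, decides whether a sending IP address is allowed to use the domain, computes a DKIM body hash to show why altering the message breaks the signature, and then applies the DMARC policy. Everything in it is constructed for illustration: the dictionary FAKE_DNS replaces real DNS lookups, and the domains companyname.example and mailer.example, the IP addresses and the DMARC report address belong to nobody.

```python
"""Offline walk-through of SPF, DKIM (body hash) and DMARC. All records and
text below are constructed for illustration; FAKE_DNS stands in for DNS."""
import base64
import hashlib
import ipaddress

# Constructed TXT records: the company's SPF policy, a mailer it includes,
# and its DMARC policy, which lives under _dmarc.<domain>.
FAKE_DNS = {
    "companyname.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.25 ~all",
    "_dmarc.companyname.example":
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@companyname.example; pct=100",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_SPF_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per check

def parse_spf(record):
    """Split 'v=spf1 ...' into (result-if-matched, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((QUALIFIERS[qualifier], mechanism.lower(), argument))
    return terms

def spf_check(domain, sender_ip, dns=FAKE_DNS, _lookups=None):
    """SPF result for sender_ip sending as domain. Handles ip4, include and
    all; a full checker also covers a, mx, exists, redirect and macros."""
    if _lookups is None:
        _lookups = [0]
    record = dns.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for result, mechanism, argument in parse_spf(record):
        if mechanism == "ip4":
            if ip in ipaddress.ip_network(argument, strict=False):
                return result
        elif mechanism == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_SPF_LOOKUPS:
                return "permerror"
            # include matches only if the referenced domain's policy says pass
            if spf_check(argument, sender_ip, dns, _lookups) == "pass":
                return result
        elif mechanism == "all":
            return result
    return "neutral"  # nothing matched and no explicit 'all' term

def dkim_body_hash(body):
    """bh= value for a DKIM-Signature (RFC 6376 'simple' canonicalisation,
    SHA-256, base64). Trailing empty lines are dropped and the body ends in one
    CRLF, so a relay adding blank lines keeps the signature valid while any edit
    to the text breaks it. The b= signature over the headers plus this hash,
    made with the key at <selector>._domainkey.<domain>, is not shown."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "\r\n".join(lines) + "\r\n"  # an empty body becomes one CRLF
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; rua=...' into a tag dictionary."""
    tags = {}
    for pair in record.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain, from_domain):
    # Relaxed alignment, approximated as equal-or-subdomain; real DMARC uses
    # organisational domains (Public Suffix List), strict mode needs equality.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_pass, dkim_domain,
                      dns=FAKE_DNS):
    """Receiver's action under the From: domain's DMARC policy. Pass needs SPF
    or DKIM to pass *and* align with the From: domain; otherwise the p= tag
    (none, quarantine or reject) is the sender's instruction, and rua= is the
    address that receives aggregate reports about passes and failures."""
    record = dns.get("_dmarc." + from_domain)
    if record is None:
        return "none"  # no policy published; receiver uses its own filters
    tags = parse_dmarc(record)
    if (spf_result == "pass" and aligned(spf_domain, from_domain)) or (
            dkim_pass and aligned(dkim_domain, from_domain)):
        return "pass"
    return tags["p"]
```

Running `spf_check("companyname.example", "198.51.100.25")` returns "pass" because the included mailer lists that address, while `spf_check("companyname.example", "203.0.113.7")` returns "fail" from the `-all` term; feeding that failure into `dmarc_disposition` with no DKIM pass returns "quarantine", the published instruction to put the message in the junk folder rather than reject it.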
Having all three records in place shows that your email domains are who they say they are
It also shows that your domain administrators are serious about ensuring you are following best practices and doing your part to prevent spam, phishing and other email security issues.
The growth of internet usage, both friendly and malicious, is driving more and more ISPs and email providers to strictly enforce all three “rules of action” as the basis of good governance in the internet system.
This concludes Part 2 of our info-series. Next we bring you Part 3: What security vulnerabilities lie behind your website code.
We hope you enjoy reading our research, designed for professionals who are not IT experts but thirsty for knowledge about the everyday tools to operate a business – your email and website.