Australia | Email Authentication Methods - SPF, DKIM, and DMARC

Jay Bleau - 12.12.2019

Email Authentication Methods – SPF, DKIM, and DMARC


As spammers, scammers, and others of their ilk continue to up their game, it is up to messaging engineers to be on the ball. This is a challenge because the average messaging engineer is more likely to be spending their time ensuring email reliability and performance for their users. Email security is ever-evolving, so keeping up to date on message security is key for all messaging engineers.

One common question I receive during my project engagements is:

How do I ensure that my email is secure?

This is a great question and one that goes beyond just enabling anti-spam filtering services. Scanning your messages for viruses and spam is a great first step, but don’t just stop there.

“And, what are you doing about email authentication?”

The answer to that question is, of course, a question (following the Socratic method of answering a question with another question).

What do I mean by email authentication? Wikipedia defines email authentication as follows:

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

Basically, email authentication (or email validation) means you have taken the necessary steps to protect the integrity of your domain to safeguard against widespread message fraud attempts such as phishing and spam.

The remainder of this blog reviews the three main email authentication methods: SPF, DKIM, and DMARC.

Is your SPF record current?

Sender Policy Framework (SPF) is a DNS record created in your public DNS zone for your various SMTP domains. This record authorises your mail to be delivered by the hosts or IP addresses that are listed in it. An example SPF record could look like this:

v=spf1 ip4:64.10.10.10 ip4:64.10.10.11 include:email.company.com include:antispam.company.com -all

In this example, the two IP addresses may be the public IP addresses that are assigned to your email servers. The two hosts referenced by include: may be your hosted spam provider and a known mass mailing provider that you have authorised to send bulk email.

Receiving messaging servers will run checks to verify sender authorization. If the IP address is not listed, this will result in a hard fail. A hard fail will cause messages to be rejected or may cause messages to go to spam folders.
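The check a receiving server runs against the example record above can be sketched as follows. This is an added example, not code from the original post: it handles only the ip4, include and all mechanisms, replaces DNS lookups with a constructed table, and assumes the record belongs to company.com and that the two included hosts publish the invented records shown.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The first record is the page's example; the two included records are invented.
SPF_RECORDS = {
    "company.com": "v=spf1 ip4:64.10.10.10 ip4:64.10.10.11 "
                   "include:email.company.com include:antispam.company.com -all",
    "email.company.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "antispam.company.com": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation

def check_spf(client_ip, domain, _lookups=None):
    """Return the SPF result for client_ip sending as domain."""
    lookups = _lookups if _lookups is not None else [0]
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                return "permerror"
            # include matches only when the nested record evaluates to "pass"
            inner = check_spf(client_ip, value, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

An address that matches no mechanism falls through to -all and returns "fail", which is the hard fail described above.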

To view a domain’s SPF record, you can use this tool to output the results.

Some domains still do not have an SPF record associated with them. If you want to control what servers or IP addresses should have the ability to send as your domain (or modify the message in some cases), you need to ensure an SPF record exists and that it accurately represents the list of authorised senders for your domain.

Have you created your DKIM keys?

DomainKeys Identified Mail (DKIM) became an internet standard back in September of 2011, defined initially in RFC 6376. So what does it mean in layman’s terms? Essentially, when an email is sent or modified, DKIM confirms with the receiving domain that the sending domain has authorised the message.

DKIM adds a digital signature to the end of each externally bound message. The signature is visible to systems that perform the confirmation but not visible to the end-user. DKIM consists of two keys: the public and private key. The private key is used to create the encrypted signatures and is stored on the sending domain server which is only accessible by the owners of that domain. The receiving domain verifies authorization by comparing the signature with a public DNS record created by the owners of the sending domain.

Enabling DKIM helps to protect the integrity of the sending domain, as receiving domains will know the message received was indeed delivered by the sending domain.

How’s your DMARC going?

If you thought that the acronym for DKIM was bad, wait until you hear what DMARC stands for! Domain-based Message Authentication, Reporting, and Conformance. Like DKIM and SPF, DMARC is another email authentication protocol used to prevent others from spoofing your domain.

DMARC works with SPF and/or DKIM by informing the receiving domain that the messages are protected by SPF and/or DKIM. If SPF or DKIM fails, DMARC instructs the receiving domain of the actions to be taken (reject, quarantine, etc.). This is accomplished by publishing two DNS records – one stating that DMARC is in use and the second specifying the actions to be taken if email authentication fails.
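How a receiver turns SPF and DKIM results into a DMARC decision, as an added example that is not part of the original post. It goes slightly beyond the text by including alignment: under RFC 7489, DMARC passes when at least one of SPF or DKIM passes for a domain aligned with the From: domain. The policy record and domain names are constructed, and the alignment test is simplified (a full implementation compares organizational domains using the Public Suffix List).

```python
def parse_dmarc(txt):
    """Parse the TXT record published at _dmarc.<domain>; None if invalid."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of it."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)

def dmarc_action(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs.

    Returns "accept" when DMARC passes, otherwise the published policy
    ("none", "quarantine" or "reject"), or "no-policy" without a valid record.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    for result, domain in (spf, dkim):
        if result == "pass" and aligned(domain, from_domain):
            return "accept"
    return policy["p"]

# Constructed policy record for company.com (would live at _dmarc.company.com)
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@company.com"
```

An SPF pass for an unrelated envelope domain does not satisfy DMARC for company.com, so a spoofed From: header sent through someone else's correctly configured server still receives the published policy.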

How can I help you with email authentication?

If you would like to learn more about email authentication, please feel free to reach out to me directly or contact. We would be glad to assist your company in setting up SPF, DKIM, and DMARC.
