In our private lives we use instant messaging for daily communication, but in business we cannot imagine communication without e-mail. Yes, we can use products like Teams and Slack, but for official correspondence we still need e-mail.
But what about e-mail security today? What are SPF, DKIM and DMARC?
How safe is an e-mail?
The security of e-mail in transit has improved in recent years.
Encrypted connections between mail servers are an "old hat" and implemented in most environments. Encrypted e-mail messages, however, unfortunately are not!
Not least because of the poor implementation of most end-to-end encryption technologies.
But before we think about message encryption, let's talk about simpler ways to improve e-mail communication.
Is what you see what you get?
If I receive an e-mail from Amazon, is it really from Amazon?
Let's hope so, but it is not that easy. Just because the sender reads "amazon.com" does not mean we really got this message from Amazon: the From address is only a header field, and anyone can write any domain into it. For clarity, Amazon is doing a great job of protecting you from receiving forged "amazon.com" messages.
What can we do to protect our domains?
Every domain owner needs to protect their domain against abuse. To improve the overall security of e-mail we can use the following features: SPF, DKIM and DMARC are the individual steps towards a full validation chain.
SPF – everyone should have it!
It is the simplest step to get minimum protection for your own e-mail domain. An SPF record is a simple TXT record in your public DNS. With this record you list all servers that are allowed to send e-mail for your domain. Sadly, many small and mid-size companies do not have this record. Most e-mail servers check the SPF record of incoming messages, and if a domain has no SPF record its messages are likely to be flagged as spam. So if your messages get flagged as spam, check your SPF record. Keep in mind that SPF checks the domain of the envelope sender (MAIL FROM / Return-Path), not the From address the user sees in the mail client.
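To make the SPF check concrete, here is an added example (not code from the original post) of what a receiving server does with the TXT record: it takes the connecting IP and the MAIL FROM domain, walks the record's mechanisms left to right and returns the qualifier of the first match. The zone data in FAKE_DNS is constructed for the demo (hypothetical names, documentation IP ranges), and the resolver is a stand-in that reads that dictionary instead of querying DNS. Modifiers (redirect=, exp=) and CIDR suffixes on a/mx are left out; the 10-lookup limit from RFC 7208 is enforced so a record that includes itself ends in permerror rather than recursing forever.

```python
import ipaddress

# Constructed zone data for the offline demo: hypothetical names, documentation IP ranges.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailprovider.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailprovider.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],   # misconfigured: includes itself
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 lookups is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the constructed records above instead of querying DNS."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_spf(ip, domain, resolver=lookup, _counter=None):
    """Evaluate SPF for the connecting `ip` against the MAIL FROM `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supported mechanisms: ip4, ip6, a, mx, include, all (with +/-/~/? qualifiers).
    """
    counter = _counter if _counter is not None else {"n": 0}
    records = [r for r in resolver(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        return "permerror"          # exactly one SPF record is allowed
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name in ("a", "mx", "include"):
            counter["n"] += 1        # each of these costs a DNS lookup
            if counter["n"] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = any(addr == ipaddress.ip_address(a) for a in resolver(target, "A"))
            elif name == "mx":
                hosts = resolver(target, "MX")
                matched = any(addr == ipaddress.ip_address(a)
                              for host in hosts for a in resolver(host, "A"))
            else:
                sub = check_spf(ip, target, resolver, counter)
                if sub in ("permerror", "none"):
                    return "permerror"   # an include of a domain without SPF is an error
                matched = sub == "pass"
        else:
            return "permerror"       # unknown mechanism or unsupported modifier

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # no mechanism matched and no `all` term present


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.10", "10.0.0.1"):
        print(ip, "->", check_spf(ip, "example.com"))
    print("loop.example ->", check_spf("10.0.0.1", "loop.example"))
```

The fallthrough result "neutral" is why a record without a trailing `-all` or `~all` gives you almost nothing: any host not listed is simply not judged.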
DKIM – next level of security
With an SPF record you give other e-mail systems a list of valid sending servers for your domain. The receiving system can then be sure that the message was originally sent from a valid server, but not whether the message was modified by another system on the way. That is where DKIM can help us.
An e-mail server with DKIM implemented signs outgoing messages with a private key. Every receiving system can check the signature, and if the signed headers or the body were changed, we know that the message has been manipulated.
To make the signature check work, we need to provide the public key to the receiving systems. Because nobody wants to send the public key to every receiving system, DKIM uses a public DNS entry for this: a TXT record under selector._domainkey.yourdomain, where the selector is named in the s= tag of the DKIM-Signature header.
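The body part of that check can be shown without any key material, so here is an added example (not from the original post) of the bh= tag: the signer canonicalises the body, hashes it with SHA-256 and puts the base64 digest into the DKIM-Signature header; the receiver repeats the calculation on the body that actually arrived. The b= tag, the RSA signature over the selected headers, needs the private key and a crypto library and is left empty here; the domain, selector and message bodies are constructed for the demo. The example also shows why most signers use "relaxed" body canonicalisation: a relay that adds trailing spaces breaks a "simple" signature but not a "relaxed" one, while a changed IBAN breaks both.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple' body canonicalisation (RFC 6376 3.4.3): only trailing empty lines are removed
    and a final CRLF is guaranteed; every other byte must arrive exactly as signed."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalisation (RFC 6376 3.4.4): trailing whitespace is stripped,
    runs of whitespace collapse to one space, trailing empty lines are removed."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANONICALIZERS = {"simple": canonicalize_body_simple, "relaxed": canonicalize_body_relaxed}


def body_hash(body: bytes, body_canon: str = "relaxed") -> str:
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(CANONICALIZERS[body_canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag=value list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_dkim_header(body: bytes, domain="example.com", selector="sel1", body_canon="relaxed") -> str:
    """Signer side with a hypothetical domain and selector. Only bh= is computed here; b= is
    the RSA signature over the canonicalised headers and is left empty (no private key)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{body_canon}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, body_canon)}; b=")


def dkim_dns_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<domain> (TXT)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value: str, body: bytes) -> bool:
    """Receiver side: recompute bh= from the body that arrived and compare in constant time."""
    tags = parse_tags(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    return hmac.compare_digest(body_hash(body, body_canon), tags.get("bh", ""))


# Constructed sample bodies: what was signed, what an attacker changed, what a relay re-wrapped.
ORIGINAL_BODY = (b"Hello,\r\n\r\nplease pay invoice 4711 to IBAN DE00 1234 5678 9012 3456 78.\r\n"
                 b"\r\nRegards\r\n\r\n\r\n")
TAMPERED_BODY = ORIGINAL_BODY.replace(b"DE00 1234 5678 9012 3456 78", b"DE99 9999 9999 9999 9999 99")
REWRAPPED_BODY = ORIGINAL_BODY.replace(b"Hello,\r\n", b"Hello,   \r\n")


if __name__ == "__main__":
    header = build_dkim_header(ORIGINAL_BODY)
    print("DKIM-Signature:", header)
    print("public key at :", dkim_dns_name(parse_tags(header)))
    print("original  :", verify_body_hash(header, ORIGINAL_BODY))
    print("tampered  :", verify_body_hash(header, TAMPERED_BODY))
    print("rewrapped :", verify_body_hash(header, REWRAPPED_BODY))
```

A passing bh= only proves the body is what the signer hashed; whether the signer was really the d= domain is what the b= signature and the public key from DNS establish.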
DMARC – the crowning step of SPF and DKIM
SPF = list of valid sending servers for a domain
DKIM = signature-based validation of whether a message was changed after leaving the sender
Sounds like we have a good base for secure e-mail communication; now let's take the last step with DMARC.
After adding SPF and DKIM we can use DMARC to get an end-to-end validation of both. DMARC adds the missing link: the domain in the visible From header must align with the domain that passed SPF (the envelope sender) or with the d= domain of a valid DKIM signature. Without this alignment, a spammer could pass SPF with their own domain in the envelope while still showing your domain in the From header.
A sender who has implemented SPF and DKIM can add a public TXT record (_dmarc.yourdomain) with a DMARC policy. This policy tells the receiver how to proceed when a message fails the aligned SPF and DKIM checks (p=none, quarantine or reject) and where to send aggregate reports about such messages (rua=).
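The receiver's side of that policy, as an added example that is not part of the original post: parse the _dmarc record, check whether the SPF-authenticated domain or a passing DKIM d= domain aligns with the From domain (strict or relaxed according to aspf=/adkim=), and derive the disposition from p=, sp= for subdomains and pct= for a gradual rollout. The DNS data is constructed (hypothetical domains), the resolver reads that dictionary, and organisational domains are approximated by the last two labels; real receivers use the Public Suffix List for that step. The sample value stands in for the random roll that pct= sampling uses.

```python
# Constructed DMARC records for the offline demo; these are hypothetical domains.
FAKE_DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                           "rua=mailto:dmarc-reports@example.com"),
    "_dmarc.rollout.example": "v=DMARC1; p=reject; pct=20",   # policy applied to 20 % of failures
}


def lookup_txt(name):
    """Stand-in resolver for the demo instead of a real DNS query."""
    return FAKE_DNS.get(name.lower())


def parse_dmarc(record):
    """Parse a DMARC TXT record and fill in the defaults from RFC 7489; None if not valid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to the domain policy
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (real code: Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_policy(from_domain):
    """Look for _dmarc.<from domain>, then _dmarc.<organisational domain>."""
    for name in (from_domain, org_domain(from_domain)):
        record = lookup_txt("_dmarc." + name)
        if record:
            policy = parse_dmarc(record)
            if policy:
                return name, policy
    return None, None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results, sample=0):
    """Combine the SPF result (for the MAIL FROM domain) and DKIM results [(d=, result), ...]
    into a DMARC verdict. `sample` is a number 0..99 standing in for the pct= random roll."""
    policy_domain, policy = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    is_subdomain = from_domain.lower() != policy_domain.lower()
    action = policy["sp"] if is_subdomain else policy["p"]
    if sample >= int(policy["pct"]):
        # RFC 7489 6.6.4: messages outside the pct= sample get the next less severe action
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return {"dmarc": "fail", "disposition": action}


if __name__ == "__main__":
    # Spoof: SPF passes for the attacker's own envelope domain, but From says example.com.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", []))
    # Legitimate bulk mail: envelope bounce.example.com aligns relaxed with example.com.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", []))
    # Subdomain without its own record, DKIM signed by the parent but adkim=s demands an exact match.
    print(evaluate_dmarc("news.example.com", "fail", "", [("example.com", "pass")]))
```

Note that the spoof case fails DMARC even though SPF itself passed: SPF alone would have accepted it, which is exactly the gap the alignment check closes.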
Detailed and technical information can be found here: https://blogs.technet.microsoft.com/fasttracktips/2016/07/16/spf-dkim-dmarc-and-exchange-online/
Every person or company that wants to use a public domain for e-mail should have an SPF record, because a missing record is one of the main reasons why messages get flagged as spam.
And to implement it, you only need to create a public TXT record!