Imagine standing outside of your business, or any larger office you\u2019ve been to. From the moment you walk through the front door, there are visible measures to keep the building secure: a receptionist, visitor check-in, ID badges, cameras, you name it. Email security works the same way. When an email arrives at your mail server, you need to have similar measures available to prevent unauthorized \u201cvisitors\u201d from sneaking in. This is ultimately the purpose of SPF, DKIM and DMARC.<\/p>\n\n\n\n
Here\u2019s the most important part of this article – you\u2019re not behind on this topic. It doesn\u2019t matter if you\u2019re a leader in your organization who makes policy decisions, or if this morning was the first time that you\u2019ve ever checked an email inbox. Everyone has issues understanding email security; especially when it comes to SPF, DKIM and DMARC. That being said, now is the time to learn. We\u2019ll talk more about what the pass or fail means in the DMARC area.<\/p>\n\n\n\n SPF (Sender Policy Framework)<\/strong><\/p>\n\n\n\n DKIM (DomainKeys Identified Mail)<\/strong><\/p>\n\n\n\n DMARC (Domain-based Message Authentication, Reporting, and Conformance)<\/strong><\/p>\n\n\n\n Securing an office building is a continual process. You need to be able to welcome your visitors while simultaneously keeping intruders out of your halls. The same principles apply to your email environment. <\/p>\n\n\n\n SPF, DKIM and DMARC coupled with legitimate training to identify malicious emails are the number one way to keep your company’s information safe and under your control. I hope that now, understanding what they are is no longer a roadblock and the only thing left to do is to make sure that they are set up in your environment too!<\/p>\n\n\n\n Email security is crucial! Consult<\/a> our experts and discover how we can help you strengthen your organization’s security.<\/p>\n\n\n\n
As engineers at CCB, my peers and I have worked with many companies to help harden the security in their email environments. It wasn\u2019t until the massive uptick in phishing attempts<\/a> and the recent DMARC requirements with Google and Yahoo<\/a> that the d<\/span>rive for these tools changed.
We went from recommending these tools to our clients to working with new companies that can\u2019t function because they\u2019re forced to utilize these tools and don\u2019t understand the information their vendors are asking them to incorporate!
But there was still one issue. The topic is very technical, yet businesses still need to understand it. Why? Because there\u2019s a high likelihood that they will need to be updated or reconfigured as their business evolves.
So, let’s assume that you\u2019re non-technical and want to understand what SPF, DKIM and DMARC are and what they actually do.
It\u2019s simple – you just need to secure your corporate office!<\/strong> (not literally, although that\u2019s a great idea as well\u2026)<\/p>\n\n\n\nSPF (Sender Policy Framework)<\/h2>\n\n\n\n
In our analogy, SPF is your receptionist. When a visitor enters the building, the receptionist is there to identify who they are and whether or not they should be in the building. Let\u2019s say they look at a list of meetings for the day to find out which visitors are expected to show up. That list is the SPF record. If the visitor is expected, they are given a badge and allowed to go to their meeting. If the visitor isn\u2019t expected, no entry is allowed!
When it comes to your email, SPF looks at the background information of the incoming email and compares it to a record (list) of allowed visitors. If the server used to send the visiting email is on the authorized list, the email is marked with an SPF Pass! If it isn\u2019t an expected visitor, the email is marked with an SPF Fail.
This is the main tool that needs to be updated regularly.<\/strong><\/a> Let\u2019s say you start using a new marketing company that sends emails for you. When one of your customers receives an email from that company using your email address, their server checks your SPF record to make sure that it\u2019s an expected sender. If it isn\u2019t, the email is marked with an SPF Fail.[HS1]<\/a> <\/p>\n\n\n\nDKIM (DomainKeys Identified Mail)<\/h2>\n\n\n\n
Now that the visitor is past the lobby and has their badge, they\u2019re free to go to their meeting. If someone in the halls questions them to see whether or not they should be there, they can present their ID badge for verification. That badge is DKIM.
DKIM adds a unique digital \u201cbadge\u201d to every outgoing email, called a \u201csignature\u201d.
Now let\u2019s take a page out of a spy book quickly and imagine the visitor, halfway down the hall, ducks into a doorway and changes the name on their badge to try and impersonate one of their competitors. They hurry to the meeting, but once they arrive, they find out they need to swipe their badge. They swipe their badge but get pulled aside when their name doesn\u2019t match the information in the system.
With email, DKIM looks at the contents of a message and gives it the signature described above. When that email is received, the server checks the email to make sure that while it was in transit (\u201cwalking the halls\u201d), the content wasn\u2019t changed. If the content is identical, it marks the email with a DKIM Pass. If it was edited in any way after it was sent, it will be marked with a DKIM Fail.<\/p>\n\n\n\nDMARC (Domain-based Message Authentication, Reporting, and Conformance)<\/h2>\n\n\n\n
In a well-oiled corporate environment, there may be security rules that define what to do in the event that an unexpected visitor shows up, or you find someone wandering your halls without proper credentials. Security might escort them out of the building right away, or maybe they\u2019re taken to a holding area for questioning. This is the function of DMARC.
DMARC is the overarching policy that tells receiving servers what to do if an incoming email fails SPF and DKIM. Should the server block the email? Should it be quarantined for review? Or should it turn a blind eye and deliver it anyway? (and let the meeting attendees deal with figuring out if the visitor is legitimate or not.)<\/p>\n\n\n\nIn Review:<\/h2>\n\n\n\n
\n
\n
\n
That\u2019s all<\/h2>\n\n\n\n
\n\n\n\n