Mastering email security with DMARC, SPF and DKIM

The three main email security protocols complement one another, so implementing them all provides the best protection. That’s easier said than done, but these tips can help.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages, or privilege escalation exploits.

Email security protocols have been invented to reduce these opportunities. Like much in the IT world, the multiple solutions don’t all necessarily overlap. Actually, they are quite complementary to each other, and chances are good that the average business will need all three of these solutions:

  • Sender Policy Framework (SPF), which hardens your DNS servers and restricts who can send emails from your domain.
  • DomainKeys Identified Mail (DKIM), which ensures that the contents of your emails remains trusted and hasn’t been tampered with or compromised.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC), which ties the first two protocols together with a consistent set of policies.

The reason for the three different approaches is partly because each solves a somewhat different piece of the email puzzle to prevent phishing and spam. This is accomplished via a combination of standard authentication and encryption tools, such as public and private key signing, and adding special DNS records to authenticate email coming from your domains.

It also has to do with the evolution of the internet email protocols themselves. In the early days of the internet, email was mostly used among university researchers, where like the Cheers TV bar, everyone knew your name and trusted each other. Sadly, those days are long gone.

The message headers (such as the To: and From: and Bcc: addresses) were deliberately separated from the actual content of the message itself. This was a feature (and if you think about how Bcc: works, you realize why it is important), but that separation has brought new worlds of pain for IT administrators of the modern era.

Use SPF, DKIM and DMARC together

If your email infrastructure implements all three protocols properly, you can ensure that messages can’t be easily forged and that you can block them from ever darkening your users’ inboxes. That’s the idea anyway, and as you’ll see, a big if.

Over the past year, the trio of protocols has received more attention because of several factors. First, spam and spear phishing continue to be issues, and as more networks are compromised because of them, IT managers are looking for better security solutions. Second, the feds have become involved. The Department of Homeland Security issued an order last year requiring all agencies to come up with action plans to implement these protocols. Agencies in the UK and Australia have followed suit.

Third, email providers such as Google’s Gmail, Yahoo, and Fastmail have implemented the trio across their hosted email solutions, because they want to keep their customers protected. Finally, some decent protective products and SaaS tools can be used to implement these protocols. Vendors such as Valimail, Agari, Barracuda, and others  are gaining traction. (Note: I tested Valimail on my own email infrastructure and used the experience in writing this report.)

So that is all good news. Let’s look at the complicating factors.

To continue reading this article register now

Shop Tech Products at Amazon