Adversaries commonly conduct social engineering and spear phishing attacks against organisations using fake emails. By modifying the sender’s address, or other parts of an email header to appear as though the email originated from an intended source, an adversary can increase the likelihood of their target complying with a request, such as opening a malicious attachment or disclosing information.
Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration.
SPF, DKIM and DMARC records are publicly visible indicators of good cyber hygiene. The public can query a DNS server and see whether an organisation has SPF, DKIM and/or DMARC protection.
SPF Stands for Sender Policy Framework
SPF is an email verification system designed to detect fake emails. As a sender, a domain owner publishes SPF records in DNS to indicate which mail servers are allowed to send emails for their domains.
When an SPF-enabled mail server receives email, it verifies the sending mail server’s identity against the published SPF record. If the sending mail server is not listed as an authorized sender in the SPF record, verification will fail.
SPF ‘from’ header weakness
SPF has a known weakness. Mail servers applying SPF policies check the RFC5321.Mailfrom header (commonly called the ‘envelope from header’) while email clients typically display the RFC5322.Mailfrom header (commonly called the ‘message/letter from header’) to the users as the source of an email.
Adversaries are aware of this weakness and use it to bypass SPF checks by using a domain they control in the envelope from header, and the domain they wish to spoof (but don’t control) in the message/letter from header.
DMARC addresses this weakness by checking that these two headers align.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC enables domain owners to advise recipient mail servers of policy decisions that should be made when handling inbound emails claiming to come from the owner’s domain.
DMARC’s alignment feature prevents spoofing of the “header from” address by:
- Matching the “header from” domain name with the “envelope from” domain name used during an SPF check, and
- Matching the “header from” domain name with the “d= domain name” in the DKIM signature.
To pass DMARC, A message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment.
A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.
DMARC allows senders to instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork on how they should handle messages that fail DMARC authentication. Domain owners can request that recipients:
- Allow, quarantine, or reject emails that fail SPF and DKIM verification
- Collect statistics and notify the domain owner of emails falsely claiming to be from their domain
- Notify the domain owner how many emails are passing and failing email authentication checks
- Send the domain owner data extracted from a failed email, such as header information and web addresses from the email body
,ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.
Sign up for your 1 month ProDMARC trial by writing to us on , email@example.com ,So that while you stay home safe from COVID-19, your email domains are safe from email spoofing !!