Email is the lifeblood of all organizations, especially small- and midsize businesses (SMBs). It’s how you communicate with customers, partners, and employees.
It also happens to be one of the primary vectors for bad people to do bad things. To reduce risk, you must keep your communications channels #secure. With #phishing attacks, spam, and other cybersecurity threats on the rise, email security must be one of your top priorities.
In today’s blog, we explore the importance of three fundamental technologies in the mail protection space: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). We’ll even explain how the Regency period (from Bridgerton, for the uninitiated) used an early form of messaging security! We delve into what each technology does and how it helps protect your business’s email communications. Let’s get started with explaining SPF, DKIM, and DMARC and how they protect and ensure better email safety.
SPF
SPF is a very simple technology designed to make sure incoming emails were sent from a place on the Internet that is expected to be sending emails from your company. It is dependent on a #DNS record that lists all IP addresses authorized to send emails on behalf of your domain. When an email server receives a message claiming to be from your domain, it checks the sender’s IP address against this list. If it doesn’t match, the email is likely spam or a phishing attempt.
For instance, if bob@ACompany.com receives an email from sue@BCompany.com, ACompany’s email server confirms that the server sending the message is one BCompany has listed as a valid source of BCompany emails. If not, ACompany’s email server might send the message to a Junk Mail folder or worse, block it entirely—it all depends on how ACompany’s security people configured the mail server’s behavior.
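The check described above, as an added example that is not part of the original post: a small SPF evaluator that looks up a domain’s record in a constructed table standing in for DNS (the domains and addresses are hypothetical), walks the mechanisms in order, follows `include:` terms, and returns the result named by the qualifier on whichever term matches. It also shows how the qualifier on the final `all` term decides what happens to an unlisted sender: `-all` fails it, `~all` softfails it, and `+all` passes everything.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not real records).
FAKE_DNS_TXT = {
    "bcompany.example": (
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
        "include:mail.provider.example -all"
    ),
    # A third-party sender (billing/marketing tool) with its own SPF record.
    "mail.provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    # The "+all" misconfiguration: every source passes, so SPF proves nothing.
    "sloppy.example": "v=spf1 ip4:203.0.113.0/24 +all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF terms for a domain, or None if it publishes no SPF record."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against the SPF record of domain.

    Supports ip4, ip6, include and all; a, mx, exists and redirect are left out
    to keep the example short, so this is a teaching evaluator, not a full RFC 7208 one.
    """
    if depth > 10:          # RFC 7208 caps DNS-querying terms at 10 per check
        return "permerror"
    terms = lookup_spf(domain, dns)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip in network:       # False automatically when IP versions differ
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mechanism == "include":
            if check_spf(argument, sender_ip, dns, depth + 1) == "pass":
                return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"        # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(f"{ip:>16} -> {check_spf('bcompany.example', ip)}")
    print("sloppy.example with +all, unknown IP ->", check_spf("sloppy.example", "192.0.2.1"))
```

The `mail.provider.example` entry is the third-party case: the newsletter tool passes only because BCompany’s own record includes it. Remove that `include:` and the same message falls through to `-all`.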
DKIM
DKIM is slightly more complicated than SPF and serves a very different and very important purpose. DKIM confirms that nobody has modified an email from when it was sent to when it was received. It also makes sure that the message truly originated from the sender’s email servers.
Think of DKIM as the wax seal on messages sent in the days of Bridgerton. Queen Charlotte writes her missive and then uses her unique wax seal to “lock” her message. If the recipient sees the seal is broken or has been replaced, he or she can assume the Queen’s message has been tampered with.
DKIM is the digital version of the wax seal—it generates a unique digital signature that verifies the authenticity of every email message as it’s sent. When you send an email, your email server signs the message with a private key and attaches the signature as a header. The recipient’s email server fetches your public key from DNS and uses it to verify the signature, which proves the email came from your domain and wasn’t tampered with during transit. Lady Whistledown would be impressed!
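To make the “seal” concrete, here is an added example (not code from the original post) covering the part of a DKIM check that needs no key at all: the signer hashes the canonicalized message body and publishes that hash in the signature’s `bh=` tag, so any edit to the body in transit breaks the match. The sample message, domain and selector are constructed; the `b=` value is a placeholder, because the real `b=` is an RSA signature over the listed headers that the verifier checks with the public key found at `<selector>._domainkey.<domain>`.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): drop trailing
    empty lines and end the body with exactly one CRLF."""
    text = body.replace("\r\n", "\n").rstrip("\n")
    return (text + "\n").replace("\n", "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The value a signer puts in the bh= tag: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, removing folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value: str, body: str) -> bool:
    """True if the body still matches the bh= tag the sender signed."""
    tags = parse_dkim_signature(header_value)
    return tags.get("bh") == body_hash(body)


# Constructed sample message (hypothetical domain). The b= value is a placeholder:
# a real b= is an RSA signature over the headers listed in h= plus bh=, checked with
# the public key found at dkim_dns_name(); that step is omitted here.
BODY = "Dearest gentle reader,\r\nThe season has begun.\r\n"
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=bcompany.example; s=selector1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\r\n"
    " b=PLACEHOLDER_RSA_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SIGNATURE_HEADER)
    print("public key lives at:", dkim_dns_name(tags))
    print("intact body verifies:", verify_body_hash(SIGNATURE_HEADER, BODY))
    print("edited body verifies:", verify_body_hash(SIGNATURE_HEADER, BODY.replace("begun", "ended")))
```

The `s=` tag in the header is the selector mentioned later in this post: it is the name a verifier (or a tool like mxtoolbox) needs in order to find the right public key in DNS.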
DMARC
DMARC is the third component of email security and is dependent on SPF and DKIM. DMARC is a simple set of instructions that lets the email recipient’s servers know what to do if the message fails SPF or DKIM verification. Should it go through anyway? Should it be quarantined? Or should it be denied outright?
DMARC is the set of instructions that lets the recipient’s email filtering system know how seriously you take your email’s security. While it doesn’t act on emails itself, it tells your recipient that under normal situations, your emails will be signed and sealed, coming from predictable locations — and any deviation should be treated seriously.
Common Misconfigurations
- SPF
  - I often see companies whose main email system (perhaps Microsoft 365) is properly configured with an SPF record. But today it’s very common to grant third-party applications (e.g., billing, marketing, or customer service systems) permission to send emails on a company’s behalf. If you don’t add those third-party applications’ servers to your SPF record, those messages might never get to their destination! Ever wonder why your customers often tell you that your monthly marketing newsletter never arrived? HubSpot or MailChimp was likely never added to your SPF record!
  - Another issue I see is companies with “+all” at the end of their SPF record. This means that, even if no listed source matches, the recipient should treat the message as a PASS. That’s pretty silly. For the techies, change that to a “-all” (FAIL), or at least a “~all” (SOFTFAIL), which will tell the recipient to consider it a suspicious message if it arrives from an unexpected source.
- DKIM
  - The biggest misconfiguration I see with DKIM is people just not doing it! Because it involves creating private and public keys—a subject some sysadmins don’t fully grasp—DKIM is sometimes moved to the bottom of the priority list. But #configuration is usually much easier than people think. If you use one of the big #SaaS mail vendors (e.g., Microsoft 365 or Google Workspace), there are very well-authored instructions accessible with a simple Google search. You can be up and running in minutes.
- DMARC
  - Unfortunately, a lot of companies think they’re compliant with security requirements by just having a DMARC entry in their DNS, but they are just paying it lip service. To throw in a little #techspeak, DMARC can be set with the p=none setting, which means that there is no policy to quarantine or decline a message that failed authentication. If your mail system has p=none, DMARC is NOT configured.
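The DMARC decision described in the DMARC section and the `p=none` problem above, as an added example that is not part of the original post: a small evaluator that parses a DMARC record, checks that the SPF or DKIM domain that passed actually lines up with the From: domain (DMARC’s “identifier alignment”), and returns the disposition the policy asks for. The domains and records are constructed; the organizational-domain rule is simplified to the last two labels (real implementations use the Public Suffix List).

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real
    # implementations consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is the
    d= tag of the signature that verified. One aligned pass is enough to pass DMARC.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "none")   # no usable policy published
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"           # unknown value: treat as monitoring only
    return ("fail", policy)


# Constructed policies for a hypothetical domain.
STRONG_POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@bcompany.example"
LIP_SERVICE_POLICY = "v=DMARC1; p=none"

if __name__ == "__main__":
    # Newsletter tool sends with its own envelope domain and no DKIM for bcompany:
    # SPF passes for the tool, but it is not aligned, so DMARC fails.
    print(dmarc_evaluate(STRONG_POLICY, "bcompany.example",
                         "pass", "mail.provider.example", "fail", ""))
    # Same situation under p=none: DMARC still fails, but nothing happens.
    print(dmarc_evaluate(LIP_SERVICE_POLICY, "bcompany.example",
                         "fail", "attacker.example", "fail", ""))
```

The first printed case is why adding a vendor to SPF is only half the job: the vendor also has to sign with your domain (or use a bounce address under it) before DMARC counts the pass. The second shows what `p=none` buys you: the failure is recorded in the aggregate reports sent to the `rua=` address, and nothing else.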
Is Your Company Securely Configured?
So, how do you know if your company email is properly configured? The answer lies in tools like mxtoolbox.com, which offers free email configuration tools. These tools check your SPF, DKIM, and DMARC configurations for any issues or misconfigurations. If you identify something that’s not quite right, raise it with your IT team to resolve the issue immediately.
Note that, to test DKIM, you need to know your “selector” as well. This is often selector1 or selector2, but it can be anything. You might need to talk to your mail administrator if those don’t work when you’re using mxtoolbox.
Conclusion
In today’s digital landscape, SPF, DKIM, and DMARC are #non-negotiables for any business wanting to protect their email communications. These technologies may seem complex on the surface, but they’re relatively easy to configure. By implementing these core technologies, you’ll not only prevent email-based attacks but also maintain the trust of your customers and partners.
Take a page from Bridgerton and don’t underestimate the importance of message security. As a small or medium-sized business owner, it’s crucial to prioritize email as part of your organization’s security infrastructure. With the right tools and configurations in place, you can rest assured that your communications are secure, reliable, and trustworthy.