As someone who has grown up with the internet throughout my childhood, there has never been a shortage of emails containing outlandish promises or truly hilarious premises. From the prince of a faraway land promising wealth in exchange for a small sum to Jeff Bezos' wife informing me she is giving away $5.2 million, there is always a spam email trying to get your attention. In more recent times, however, many people have noticed that these emails are being quietly placed into the spam folder and away from the spotlight. Why does today's inbox show so much less spam? The answer is that email security has quietly been making remarkable advancements, unbeknownst to most people. As a user, it means fewer unimportant emails in your inbox; as a business owner, it means fewer chances for employees or clients to fall for tricks that could expose company data or put money in the wrong hands. Because email security is such a broad topic, this article covers the mail authentication methods a business owner can implement right now to make mail more secure, for free. Next month's article will cover advancements in other areas of email security, such as spam detection and attachment scanning.
Email security starts with enabling mechanisms that allow the origin of mail to be validated; we refer to this as authentication. The kinds of attacks this mitigates include phishing emails, impersonation emails, and certain types of spam. To fully understand how, we first need to understand how the origin of mail is labeled, and we will use a credit card statement enclosed in a physical envelope as an example. When we receive our envelope in the mail, the outside clearly shows Chase Bank and shows it was "mailed" from them. This is equivalent to the header From in an email; the sender could write anything they wanted here to make it seem legitimate! Just because the outside of our envelope says it came from Chase Bank, Joe Biden, or Steve Jobs doesn't mean we should believe it. Now we open our envelope, which instructs us to pay the bill to a different address than the one on the outside; this would be the envelope From. This was not apparent from looking at the outside of the envelope; it is only when we need to send our actual data back that the envelope From, also aptly named the return path, is used. It is worth noting that there are certainly situations where the header From and envelope From will not match, such as with ticketing systems or mass newsletters, but for most legitimate mail the domains of the header and envelope should match. As we can imagine, though, it is easy to see the outside of our virtual envelope and hit reply without really understanding where our reply is going unless we dig a little deeper, and this reality is exactly what attackers have been preying on.
As a user, the case pretty much ends here, and you can now identify mail beyond its face value. As a business owner, this sounds troublesome, as there would be a risk of our clients being poached by fake emailers. Thankfully, a triad of email authentication mechanisms comes to save the day: SPF, DKIM, and DMARC. Each of these relies on DNS records that carry specific information; DNS is also where we publish the information that tells the world where our email is delivered. The records required for each are called TXT records, and they simply hold bits of text that can be used to validate parts of the email.
First we have Sender Policy Framework (SPF), which specifies which servers are allowed to send on our behalf. Each email server has a unique IP address on the internet, and if we only sent mail from Office 365, we would list those servers as the only ones allowed to send as us. We can then specify that mail that isn't sent from those servers be held or rejected. If we compare this to our letter, it would be like having a book of addresses that are allowed to send as Chase Bank. If we were looking to implement this, we could use an online SPF generator that specifies which servers can send as us and what to do with the mail if it fails, and then add the result to our DNS records.
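To make the "book of addresses" concrete, here is an added example (not code from the article) of how a receiving server evaluates an SPF record against the IP address that delivered the message. The TXT records for example.com and mail.example.net are constructed and kept in an in-memory table so it runs offline; a real checker would fetch them from DNS.

```python
import ipaddress

# Constructed TXT records for two hypothetical domains (normally fetched from DNS).
# "-all" means reject anything else, "~all" means softfail (hold / mark suspicious).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on each mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none for sender_ip sending as domain."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no policy published (or include chain too deep)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        name, _, arg = mechanism.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced domain's policy would PASS.
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present
```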
Next, we have DomainKeys Identified Mail (DKIM), which verifies that mail has retained its integrity. When we talk about integrity, we are speaking about ensuring that our mail hasn't been tampered with, similar to how some envelopes use a material that indicates whether they have been opened. Using cryptography (read the last post to learn how encryption works), we can sign our messages in such a way that when the receiver opens them, they can compare what they have to what they should have. This allows us to make sure the contents haven't been changed, and that the message as received is identical to the message as sent. If we were looking to implement this, we would check whether the service sending our mail supports DKIM, and if so, simply activate the feature and add the record it specifies to our DNS records.
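The "compare what they have to what they should have" step has a body-hash half that can be shown without any keys. This is an added example (not the article's code): the sender stores a hash of the canonicalised body in the bh= tag of the DKIM-Signature header, and the receiver recomputes it. The b= signature over the headers, which needs the public key from DNS, is left as a placeholder here; the domain and selector are constructed.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings,
    trailing empty lines dropped, exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonical body: the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_dkim_signature(domain: str, selector: str, body: str) -> str:
    """Constructed sender-side header; b= is a placeholder (needs the private key)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Receiver side: does the bh= tag match the body we actually received?"""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"  # default body mode is simple
    if not tags.get("a", "").endswith("sha256") or body_canon != "simple":
        return False  # only the algorithm and canonicalisation implemented here
    return tags.get("bh") == body_hash(body)
```

A real verifier additionally recomputes the signed headers and checks b= with the key published at selector._domainkey.domain.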
At this point, we can make sure our mail is coming from a valid source and that it hasn't been tampered with. Our last method helps keep track of when either of these fails, so we know whether people are trying to send as us; it is named Domain-based Message Authentication, Reporting and Conformance (DMARC). Using DMARC, we can set special addresses called RUA and RUF that receive reports: the RUA address receives a summary of all mail that was sent as us, and the RUF address receives reports on mail that tried to send as us and failed either SPF or DKIM. Along with giving us visibility into how our mail is being received, it also does the special job of making sure that our header From and envelope From domains are the same. Using our envelope example, it ensures that the outside of the envelope matches the address inside that we actually send our information to, and this is done at the domain level. (Example: a header From of support@microsoft.com and an envelope From of DavidTheEngineer@microsoft.com would pass since they share the same domain.) Implementing a DMARC record is similar to SPF, in that we can use an online record generator to set where reports should be sent and what to do when mail fails, and then simply upload the result as a DNS record.
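The domain-level check in the parenthetical example is called identifier alignment. Here is an added example (not from the article) that parses a DMARC record, extracts the RUA/RUF report addresses, checks whether the header From domain aligns with the SPF envelope From domain or the DKIM signing domain, and applies the published p= policy. The record and addresses are constructed, and the organisational-domain logic (last two labels) is a simplification; a real implementation consults the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def report_addresses(record: str, kind: str = "rua") -> list:
    """Addresses receiving aggregate (rua) or failure (ruf) reports."""
    value = parse_dmarc(record).get(kind, "")
    return [u.strip()[len("mailto:"):] for u in value.split(",")
            if u.strip().startswith("mailto:")]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """strict ('s'): identical domains; relaxed ('r'): same organisational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record: str, header_from: str, envelope_from: str,
                   spf_result: str, dkim_domain, dkim_result: str) -> str:
    """Return 'pass' or the disposition the domain owner asked for (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    from_domain = domain_of(header_from)
    # SPF counts only if it passed AND the envelope From aligns with the header From.
    spf_ok = spf_result == "pass" and aligned(from_domain, domain_of(envelope_from),
                                              tags.get("aspf", "r"))
    # DKIM counts only if it passed AND the d= signing domain aligns with the header From.
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```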
Knowing all of this, it makes sense why many people have been receiving less spam in their normal inbox than before. Most big email providers honor the policies mentioned, and their use has greatly reduced how easy it is to send mail as someone you aren't! As a user, it is good to know how they work so you can protect yourself, but as a business it is even more important to ensure your clients are not going to receive fake emails. No matter if you are sending mail to 1 person or 10,000+ people, ensuring mail is properly authenticated is the first step to quietly upgrading your email security, and it will help keep bad actors away from where they shouldn't be: your inbox.