Preventative: Email Security Technology Flashcards

1
Q
A

This lesson focuses on email security technologies that help organizations identify malicious or suspicious emails and prove or disprove that an email really came from the domain it appears to have been sent from, in order to detect spoofing: the act of forging a sending email address so that an email looks as if it came from a legitimate source. The technologies we will cover are SPF, DKIM, and DMARC.

2
Q

Anti-Spoofing Records

A

Domain (DNS) records can be used for a wide variety of purposes, such as enabling a mail server to use a custom domain, hosting a website, and also setting up anti-spoofing records. With many cyber-attacks starting from phishing emails and spoofing, these domain records help protect custom domain names from being exploited by an attacker. The following three record types, SPF, DKIM, and DMARC, can be used together to strengthen the security of an organization’s email service.

3
Q

SPF Records

A

A Sender Policy Framework (SPF) record is a type of DNS TXT record that helps prevent an email address from being forged. The record identifies the hostnames or IP addresses that are allowed to send email for your custom domain, so publishing an SPF record on your domain helps prevent a malicious actor from spoofing it. The SPF TXT record contains three parts: the declaration of the record type, the IP addresses and external domains that can send on your domain’s behalf, and an enforcement rule.

The basic syntax of the record is:

v=spf1

For example, securityblue.team has the following SPF record:

v=spf1 a include:mailgun.org include:protection.outlook.com -all

We can see that the record declares that it’s an SPF record, that it allows mail to be sent from the domain’s own A record and from mailgun.org and protection.outlook.com, and that -all specifies a hard fail for mail sent on the domain’s behalf by any sender not authorized in the record.

4
Q

DKIM Records

A

DomainKeys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies that an email was sent by the domain’s trusted servers and hasn’t been tampered with during transmission. The way DKIM works is that when the mail server sends an email, it generates a hash of the email contents, signs that hash with the domain’s private key, and adds the result to the email header as a DKIM signature. The receiving server can then verify that the email contents have not been tampered with by looking up the corresponding public key in the domain’s DNS records. Using that public key, the receiving mail server recovers the signed hash from the DKIM signature, calculates a new hash of the message it received, and checks that the two match to ensure email message integrity.

The basic syntax of the record is:

v=DKIM1

5
Q

DMARC Records

A

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol. DMARC is built largely on concepts taken from SPF and DKIM, but it adds several improvements to those protocols. This type of record allows the domain owner to specify what should happen to emails that fail both the SPF and DKIM checks. There are three basic policy options the receiving mail server can apply: none, quarantine, and reject.

The basic syntax of the record is:

v=DMARC1

For example, securityblue.team could have the following DMARC record:

v=DMARC1; p=quarantine; rua=mailto:contact@securityblue.team

We can see that the record declares that it’s a DMARC record, that it sets emails failing both checks to be delivered to the quarantine/spam folder, and that aggregate reports about emails that have failed DMARC are sent to contact@securityblue.team.

6
Q

Conclusion

A

When all three of these email security technologies are set up properly, they provide a strong defense against phishing actors successfully impersonating your organization, and they also help detect cases where someone is trying to imitate your domain.
