
How you can stop email spoofing easily

There was a time when mail spoofing was an art: a way to impress people, and a way to run a phishing attack on someone.
With increasing intelligence in spam filters it became harder, and you needed a good IP reputation to get mail delivered to the inbox.
But now it has become almost impossible to spoof an address like someone@hotmail.com. Why? Have computers turned intelligent? No.

The problem of spam protection isn’t new to the market, so people came up with DNS-based solutions that allow a sender to list the IP addresses authorized to send mail for its domain.
“Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail” – you can read the RFC at https://www.ietf.org/rfc/rfc4408.txt (if you want to dig).

The standard was good – not just good, it was the best! It blocked every way to prank people, but spoofed mails were still being delivered, because network administrators weren’t careful enough to add all their servers to the record. So as a workaround the big providers ran algorithms on top to make sure genuine mails that fail SPF are not delivered to spam.

This is all good – but for hardcore phishers it only became a little harder: people do check their mail regularly, and getting into a network is just a matter of distributing malware.
An attacker can also perform a man-in-the-middle attack and alter the content of a mail while it is being delivered.

There wasn’t any check.

The solution was DKIM – DomainKeys Identified Mail (DKIM) Signatures. It allows mail servers to sign messages and certain header fields using defined hashing algorithms, with verification done through a public/private key pair. The public key is published as a DNS record, while the private key is kept private.

Acquiring the private key is hard – it is the hardest thing. You need to manage your keys to make sure nobody cracks them: if you keep the key size at 2048 bits it will make mail delivery slow, while a 512-bit key is easy to crack with present-day computing.

DKIM provides a way to authorize only certain applications to send mail, but there was still no way to get reports on how effective the measure is, how many mails are being spoofed, and what to do with spoofed mails.

Mails were still being delivered even after a DKIM failure.

People came up with the DMARC standard – again published as a DNS TXT record – which helps with getting reports and also with blocking mails. Check the RFC at https://datatracker.ietf.org/doc/rfc7489/

Certainly, as every security system comes with an overhead, these standards make mail processing resource intensive. There are many ways to reduce the processing cost while keeping security up to date.

There were many spamming attacks originating on behalf of our site; after implementing DMARC using DMARC Sonar, they reduced by almost 80% after a few months.

One thing to note – if you make a single mistake in any of the DNS records you can lose all your mail – so it is better to take advice from someone who knows the standard well and can help you deploy it.


This post was originally posted here back in 2016.


How DMARC protects organization from phishing attacks?

Phishing is one of the biggest threats that an organization faces today. DMARC has already proven hugely beneficial for organizations looking to protect their brand and customers: according to a report, valid DMARC policies published in the DNS increased by 250% in 2018.

DMARC is the newest and biggest breakthrough in email authentication, a technological framework that helps protect email senders and recipients against spam, spoofing and phishing. It is based on two existing email standards: SPF and DKIM.

SPF

SPF is a DNS text entry which lists the servers that are permitted to send mail for a specific domain. It enforces the principle that this list is authoritative for the domain, since the owners/administrators are the only people allowed to add or change the domain’s records. The list of hosts permitted to use a particular domain name is published in the Domain Name System (DNS) records for that domain, as a TXT record. Mail receivers can use that record to check the authorisation. SPF’s advantage is that the receiver can then use the sender’s domain to determine email acceptance or rejection.

DKIM

DKIM is a signature-based email authentication technique. It is the result of merging the DomainKeys and Identified Internet Mail specifications. It allows a domain owner to tag an email message with a digital signature. Verification of the email is done using the signer’s public key, which is published in the DNS. A valid signature ensures that the signed parts of the email have not been modified since the signature was attached.

DMARC has three settings: monitor, quarantine and reject, and organisations decide how they want to handle unauthenticated emails. To know more about how DMARC works, check out our blog on DMARC.

How it protects organization from Phishing?

  1. DMARC confirms whether a received email is genuine or not. Before DMARC this was unreliable, as some legitimate mails were tagged as spam.
  2. DMARC creates consistency in dealing with messages that fail to authenticate. This helps the mail ecosystem as a whole become more secure and more trustworthy.
  3. Publishing a DMARC record protects your brand’s reputation by stopping unauthorised hosts from sending mail on behalf of your domain.
  4. DMARC reports give you visibility of who is sending mail from your domain.
  5. It increases control and security.

Implementing DMARC on your organization’s mail server domains is the first step to protecting your enterprise from phishing attacks. To ease the implementation we offer the DMARC+ solution, which provides an easy implementation dashboard that can make your journey easy.


What is SPF? Why use SPF & What are its limitations?

Sender Policy Framework (SPF) is a technological framework that helps to protect email senders and receivers against spam, spoofing, and phishing. In particular, it defines a way to validate that an email message was sent from an authorized mail server, to detect forgery and prevent spam.

SPF Record: An SPF record is included in the DNS database of an organization. It is a specifically formatted version of a standard DNS TXT record.

How does it work?

SPF lays out a system for receiving mail servers to check that incoming mail from a domain has been sent from a host allowed by the administrators of that domain.

  • A domain administrator publishes the rules for which mail servers are allowed to send email from that domain. This rule set is referred to as an SPF record and is published as part of the overall DNS records of the domain.
  • When an incoming email is received by an inbound mail server, it looks up the domain’s rules in DNS. Then the inbound server compares the mail sender’s IP address with the approved IP addresses set out in the SPF record.
  • The receiving mail server then uses the rules defined in the SPF record of the sending domain to decide whether to accept, reject or otherwise flag the email message.
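As an added illustration of the three steps above (example code written for this page, not code from the original post or from any SPF library), here is a small Python SPF evaluator. It works against a constructed in-memory table of TXT records instead of real DNS, so it runs offline; the domains and address ranges in TXT_RECORDS are invented. It covers the ip4, ip6, include and all mechanisms and the redirect modifier, and deliberately leaves out a, mx, ptr and exists.

```python
import ipaddress

# Constructed DNS TXT table standing in for real lookups. The domains and
# addresses are invented for this example (documentation address ranges).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, depth=0):
    """Evaluate `domain`'s SPF record for a connection from `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror'.  Supports ip4, ip6, include, all and redirect=; a/mx/ptr/exists
    are omitted to keep the example short and are reported as permerror.
    """
    if depth > 10:                      # runaway include/redirect chains
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"                 # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                # an address of the other IP version never matches a network
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the included domain's record yields 'pass'
            matched = spf_check(sender_ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"          # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return spf_check(sender_ip, redirect, depth + 1)
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "203.0.113.5"):
        print(ip, "->", spf_check(ip, "example.com"))
```

The include term is where most real-world SPF surprises come from: a third-party sender's record is evaluated as a whole, and only a `pass` from it counts, so a `~all` inside the included record does not soften the outer `-all`.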

Why use SPF ?

  • SPF may not be perfect, but using it is much safer than not using it. Setting up SPF does not stop your emails from being sent, and it improves your chances of delivery.
  • Using an SPF record provides ISPs with an extra confidence signal that increases the likelihood that your communications will arrive in the inbox.
  • The SPF framework can also help mitigate the backscatter of bounce and error warnings that occurs when spammers seek to misuse the domain.

Limitations

SPF is a valuable email security tool. Nevertheless, it has certain limitations that you need to be conscious of.

  • SPF does not verify the “From” header, which most clients show as the real source of the communication. The “header from” is not checked by SPF; instead the “envelope from” is used to evaluate the domain being received.
  • SPF breaks when an email is forwarded. At that point the forwarder becomes the message’s current sender, and the SPF test at the new destination may fail.
  • SPF documentation is lacking, making it more difficult to manage.

Click here to get insight about another email security tool, DKIM.


What is DKIM? All you need to know about DKIM

DomainKeys Identified Mail (DKIM) is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. It is a type of email authentication that allows an individual or organization to assert accountability for a message in a manner that the receiver can validate.

DKIM uses a “public-key cryptography” approach to verify that an email message has been sent from an authorized mail server, to detect forgery and prevent harmful email delivery such as spam.

DKIM Signature – A DKIM signature is an email message header. The header includes values that enable a receiving mail server to verify the email message by looking up the sender’s DKIM public key and using it to check the signature.

How does it work?

DKIM operates by applying a digital signature to an email message as a header. The receiver can then check this signature against the public cryptographic key stored in the DNS records of the sending organization.

  • A cryptographic key pair is generated by the domain owner, who publishes the public key.
  • The public key is formatted as a TXT record in the overall DNS records of the domain.
  • When a message is sent by an outbound mail server, the application produces the DKIM signature and adds it to the message header.
  • Inbound mail servers then look up the DKIM public key, use it to verify the signature of the message, and compare the result against a freshly computed hash of the message.
  • If the values match, the message is proven authentic and unchanged in transit, and therefore not forged or altered.
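To make the "freshly computed hash" step concrete, here is an added Python example (written for this page, not code from the original post or from any DKIM library) that performs the hashing half of DKIM with the standard library only: relaxed canonicalization of the body and headers, the body hash that goes into the bh= tag, the exact byte string that the signer's private key signs, and the receiver-side check that the body hash still matches. The RSA signing and verification step needs a cryptography library and is left out, so the b= tag stays empty. The message, domain and selector are constructed values; the parser assumes one unfolded header per line.

```python
import base64
import hashlib
import re

# Constructed message with CRLF line endings as seen on the wire; the addresses
# and text are invented for this example.
RAW_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject:   Quarterly   report\r\n"
    "\r\n"
    "Please find the numbers attached. \r\n"
    "\r\n"
    "\r\n"
)

SIGNED_HEADERS = ("from", "to", "subject")   # the h= list: only these are covered


def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376 3.4.4): strip trailing whitespace
    on each line, collapse whitespace runs to one space, drop trailing empty
    lines, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", re.sub(r"[ \t]+$", "", line))
             for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase the name,
    unfold, collapse whitespace, trim, and put no space around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def split_message(raw):
    """Split into (name, value) headers and the body.  Assumption: headers are
    unfolded, one per line, to keep the parser short."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = [tuple(line.split(":", 1)) for line in head.split("\r\n")]
    return headers, body


def body_hash(body):
    """The bh= tag: base64(sha256(canonicalised body))."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def build_dkim_header(raw, domain="example.com", selector="s1"):
    """Signer side: the DKIM-Signature value with every tag except b= filled in.
    b= would be the RSA-SHA256 signature over signed_data(); domain and selector
    are example values."""
    _, body = split_message(raw)
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")


def signed_data(raw, dkim_header):
    """The bytes the private key actually signs: the canonicalised h= headers in
    order, then the DKIM-Signature header itself with b= emptied and no final CRLF."""
    headers, _ = split_message(raw)
    out = ""
    for wanted in SIGNED_HEADERS:
        for name, value in headers:
            if name.lower() == wanted:
                out += relaxed_header(name, value)
                break
    without_sig = re.sub(r"\bb=[^;]*", "b=", dkim_header)
    return out + relaxed_header("DKIM-Signature", without_sig).rstrip("\r\n")


def verify_body_hash(raw, dkim_header):
    """Receiver side: recompute bh= from the body as received and compare it with
    the value the signer put in the header (the first half of DKIM verification)."""
    tags = dict(t.strip().split("=", 1) for t in dkim_header.split(";") if "=" in t)
    _, body = split_message(raw)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    header = build_dkim_header(RAW_MESSAGE)
    print(header)
    print("intact:", verify_body_hash(RAW_MESSAGE, header))
    print("tampered:", verify_body_hash(RAW_MESSAGE.replace("numbers", "figures"), header))
```

Note what relaxed canonicalization buys: a relay that trims trailing spaces or adds a blank line at the end of the body leaves the hash unchanged, while any change to the words breaks it. Only headers named in h= are covered by the signature, so a header not listed there can be changed in transit without DKIM noticing.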

How is it related to SPF?

DKIM and SPF are both protocols that cover different aspects of email authentication, and they address complementary issues.

  • SPF requires senders to specify which IP addresses are allowed to send mail for a particular domain.
  • DKIM provides a digital signature and a public key to ensure that an email message has not been forged or altered.

Advantages

  • Bypass spam filters.
  • Avoid getting phished.
  • Improve Reputation.

Click here to get insight about SPF.


Mistakes while Implementing DMARC

DMARC, or Domain-based Message Authentication, Reporting & Conformance, protects corporate trusted domains from email spoofing attacks. Due to the rapid expansion of email fraud, and the fact that domain spoofing attacks make up a large percentage of these attacks, it is no surprise that many organizations are looking to implement DMARC authentication to validate emails sent on their behalf. Following are 5 common mistakes to avoid when deploying DMARC.

Not accounting for all valid mail sources, like third-party senders

Many organizations use many senders, including third parties, to send emails on their behalf. It may be difficult to locate all valid senders, especially given that different departments within the organization use different third-party email senders. Furthermore, if not all legitimate senders are identified and allowed to send emails on behalf of the company, essential messages may be blocked, possibly damaging the enterprise. Organizations should ensure that members from all related areas are informed and involved.

Not setting up inactive domains

Organizations apply DMARC to their active domains. Nevertheless, many organizations also have inactive domains and do not enforce DMARC for them. Not setting up DMARC for inactive domains is a common error. You may not be sending emails from your parked domains, but someone might be exploiting them. Since these domains send no mail, it is easy to protect them. Do not miss these domains in the DMARC implementation plan.

Letting subdomains inherit the rule of the top-level domain

Usually the company targets the DMARC implementation at the top-level domain and avoids configuring specific policies for each of its subdomains. The DMARC policy applied to the top-level domain trickles down to the subdomains automatically. This may cause legitimate email to be inadvertently blocked unless all subdomains are handled separately.

More than 10 lookups in your SPF record

A common mistake when deploying DMARC is to have more than 10 DNS lookups in your SPF record. SPF keeps the load on the receiving side down by allowing at most 10 lookups per evaluation. If your record requires more than 10, the sources reached after the 10th lookup may not be accepted as legitimate SPF sources, so the number of lookups has to be brought down.
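The budget is easy to blow because it is spent recursively: every include pulls in another record whose own a, mx, ptr, exists and include terms count too. The following added Python example (written for this page, not from the original post or from any SPF tool) walks a constructed set of records the way a receiver evaluates them and adds up the DNS-querying terms; all domains in SPF_TXT are invented, and the count is the worst case, i.e. no mechanism matches before the last one.

```python
# Constructed SPF records standing in for DNS TXT lookups; every domain here is
# invented for the example.
SPF_TXT = {
    "example.com": "v=spf1 mx include:_spf.mailer-one.test include:_spf.mailer-two.test -all",
    "_spf.mailer-one.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer-one-b.test ~all",
    "_spf.mailer-one-b.test": "v=spf1 a a:relay.mailer-one.test mx ~all",
    "_spf.mailer-two.test": ("v=spf1 include:_spf.mailer-two-a.test "
                             "include:_spf.mailer-two-b.test exists:%{i}.chk.mailer-two.test -all"),
    "_spf.mailer-two-a.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.mailer-two-b.test": "v=spf1 ptr mx -all",
}

# Terms that cost a DNS query during evaluation; ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def count_spf_lookups(domain, depth=0):
    """Count the DNS-querying terms reached while evaluating `domain`'s record,
    descending into include: and redirect= targets.  Returns (count, trail),
    where trail lists each counted term with the record it came from."""
    if depth > MAX_LOOKUPS:                 # a receiver would have given up by now
        return 0, []
    count, trail = 0, []
    for term in SPF_TXT.get(domain, "").split()[1:]:   # skip v=spf1
        bare = term.lstrip("+-~?")                     # drop the qualifier
        name, _, arg = bare.replace("=", ":", 1).partition(":")
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        trail.append(f"{domain}: {term}")
        if name in ("include", "redirect"):            # these pull in another record
            sub_count, sub_trail = count_spf_lookups(arg, depth + 1)
            count += sub_count
            trail += sub_trail
    return count, trail


def spf_within_limit(domain):
    """True when the record stays inside the 10-lookup budget."""
    return count_spf_lookups(domain)[0] <= MAX_LOOKUPS


if __name__ == "__main__":
    total, trail = count_spf_lookups("example.com")
    print("\n".join(trail))
    print(f"{total} lookups, within limit: {spf_within_limit('example.com')}")
```

The trail is the useful output: it shows which vendor's record is burning the budget, which is what you need when deciding which include to replace with ip4/ip6 ranges or to drop.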

Not using DKIM signature

DKIM is one of the two authentication methods that make messages DMARC compliant. DMARC Analyzer advises signing outgoing emails with a DKIM signature from your direct mail sources. Using DKIM will not only make your emails DMARC compliant, but will also help with delivery problems.

Not working on your alignment

An important aspect of DMARC is to ensure that the message’s real source is the domain in the “From” header. Senders are tested using DKIM and SPF. Alignment ensures that the “From” domain matches the domain that actually sent the message. We often see businesses change their policy while not yet fully aligned with DKIM and SPF. This is a common error. Before modifying the DMARC policy, please make sure your DKIM and SPF are fully aligned.

Using wrong syntax or content of DMARC

Although guidelines are available for setting up DMARC records, they can be vague at times. Inaccurate formatting and/or text and incorrect policy values are common.
A couple of important items to consider:

  • Use the right policy values
  • Check for typos
  • Missing characters or extra characters
  • If you have multiple reporting addresses separated with a comma, don’t include a space after the comma, and ensure the second address starts with mailto:
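A small pre-publish check catches most of these mistakes before they reach DNS. The following added Python example (written for this page, not code from the original post or from any DMARC product) parses a DMARC TXT record and reports the problems listed above: the record must start with v=DMARC1, p= must be present and spelled correctly, every rua/ruf address must be a mailto: URI, and, following the post's rule, there must be no space after the comma between addresses. The sample records in the test are constructed.

```python
import re

VALID_POLICIES = ("none", "quarantine", "reject")
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def validate_dmarc(record):
    """Return a list of problems found in a DMARC TXT record (empty means OK)."""
    problems, tags = [], []
    for part in record.split(";"):
        if not part.strip():
            continue                                # a trailing ';' is fine
        if "=" not in part:
            problems.append(f"tag without '=': {part.strip()!r}")
            continue
        name, value = part.split("=", 1)
        tags.append((name.strip(), value.strip(), part))
    names = [name for name, _, _ in tags]

    # v=DMARC1 must be the first tag, and a p= policy is mandatory
    if not tags or tags[0][0] != "v" or tags[0][1] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in names:
        problems.append("missing p= policy tag")

    for name, value, raw in tags:
        if name in ("p", "sp") and value not in VALID_POLICIES:
            problems.append(f"{name}= must be one of {VALID_POLICIES}, got {value!r}")
        elif name in ("rua", "ruf"):
            if ", " in raw:                         # the post's rule: no space after the comma
                problems.append(f"{name}=: no space after the comma between addresses")
            for uri in value.split(","):
                if not MAILTO.fullmatch(uri.strip()):
                    problems.append(f"{name}=: each address must be a mailto: URI, got {uri.strip()!r}")
        elif name in ("adkim", "aspf") and value not in ("r", "s"):
            problems.append(f"{name}= must be r or s, got {value!r}")
        elif name == "pct" and not (value.isdigit() and int(value) <= 100):
            problems.append(f"pct= must be 0-100, got {value!r}")
    return problems


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=rejct; rua=mailto:a@example.com, b@example.com"):
        print(rec, "->", validate_dmarc(rec) or "OK")
```

Run it on the exact string you are about to paste into the DNS console; the point is to catch a misspelled policy value or a missing mailto: before a receiver silently treats the record as invalid.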

Use our DMARCPlus service and get started.


DMARC Alignment – All You Need To Know

DMARC checks whether the address in the “From” header is the real origin of the message or not. DKIM and SPF on their own do not check the From header.

Alignment ensures that the domains checked by SPF and DKIM match the domain in the From header, either exactly or, in a relaxed configuration, at the organizational domain level.

Difference between Header from Domain and Mail from Domain

  • Header From domain: the domain portion of the email address that is most frequently visible to end users in the “From” field of an email client.
  • Mail From domain: the domain used by the SPF authorization check. It is the domain part of the email address commonly found in the message header “Return-Path”, also commonly known as the bounce address.

SPF Alignment

SPF alignment for DMARC: Sender Policy Framework (SPF) alignment ensures that the following two domains of your email match:

  • the Mail From (MFrom) address
  • the Header From address

There are two types of SPF alignment

Relaxed alignment: with relaxed alignment, only the root domain of the MFrom address must match the root domain of the Header From address. Relaxed alignment lets you use a sub-domain and still meet the criteria of domain alignment.

Strict alignment: with strict alignment, the domain of the MFrom address must be an exact match for the Header From domain.

DKIM Alignment

DKIM alignment for DMARC: DKIM alignment is when the signing domain in the DKIM signature of your email matches the Header From domain.

There are two types of DKIM alignment

Relaxed alignment: this method of alignment allows the DKIM domain to match the parent (organizational) domain of the Header From. Relaxed alignment lets you use a sub-domain and still meet the criteria for domain alignment.

Strict alignment: this method of alignment requires an exact match of the DKIM domain with the Header “From” domain.
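The four alignment variants above, and the way DMARC combines them with the SPF and DKIM results to reach one of the monitor/quarantine/reject outcomes, fit in a few lines. The following is an added Python example written for this page (not code from the original post or from any DMARC product). It assumes the SPF and DKIM results have already been computed, and it simplifies the organizational domain to the last two labels; a real implementation uses the Public Suffix List, which is noted in the code. All addresses are constructed.

```python
def org_domain(domain):
    """Organizational (root) domain, simplified here to the last two labels.
    Assumption: a real implementation consults the Public Suffix List so that
    names such as example.co.uk resolve to the right organization."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """'s' (strict): the domains must match exactly.
    'r' (relaxed): the organizational domains must match, so a sub-domain aligns."""
    a = auth_domain.lower().rstrip(".")
    h = header_from_domain.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_evaluate(header_from, spf_result, mail_from_domain,
                   dkim_result, dkim_signing_domain,
                   aspf="r", adkim="r", policy="none"):
    """DMARC passes when at least one identifier both authenticates ('pass')
    and aligns with the Header From domain.  Returns (dmarc_result, disposition):
    the disposition is 'none' on pass and the published policy on fail."""
    header_from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_signing_domain, header_from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


if __name__ == "__main__":
    # Constructed cases: SPF passes via a bounce sub-domain, with relaxed vs strict aspf.
    print(dmarc_evaluate("alice@example.com", "pass", "bounce.example.com", "fail", "",
                         aspf="r", policy="reject"))
    print(dmarc_evaluate("alice@example.com", "pass", "bounce.example.com", "fail", "",
                         aspf="s", policy="reject"))
```

The second printed case is the one the "Not working on your alignment" mistake is about: SPF itself passes, but under strict alignment the bounce sub-domain no longer counts, so a domain that switches to p=reject without noticing starts rejecting its own mail.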

Make anti-phishing solutions ride shotgun in your company’s modus operandi

What is DMARC? How is DMARC Deployment done?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It controls what happens when an email fails the authentication tests. The policy is published on the domain owner’s side.

DMARC needs some preliminary work before you implement it, including, of course, corporate consent, because it affects the entire company.

  1. Identify all your company domains

    The first phase of your DMARC implementation project is to analyze all the domains your organization owns. Identify all domains that send email on your behalf, both active and parked (inactive) domains. Don’t ignore your own inactive domains.

  2. Attach all domains known to your dashboard

    The next step is to add to your account all the domains that you found in the previous step. Also, don’t forget to add your inactive domains.

  3. Create DMARC record

    The next step is to generate a DMARC record for your domains. Your DMARC record is the core of a DMARC implementation. The DMARC record is a TXT record published under the parent domain.

  4. Publish the DMARC record created in your DNS

    The next step is to publish the DMARC record generated in the previous step in your DNS. It is essential that the DMARC record is published in the DNS. You can do this yourself or ask your DNS provider to put the appropriate DMARC record in place.

  5. Analyze the data of your DMARC

    Analyzing the data is the most important part. Once DMARC is implemented, the data needs to be reviewed before applying a policy. It may take some time before your account’s DMARC details appear. These reports give you insight into your email channel(s); use this data to better understand your mail sources.

Implementing DMARC on the mail server domains of your company should be the first move to defend your corporation from phishing attacks this year. DMARC+ offers a simple installation interface with deployment assistance for an easy DMARC journey.