3 email security protocols that help prevent address spoofing: How to use them

DMARC, DKIM and SPF will help cut down on malicious emails from spoofed addresses. Setting them up is easier than you think.

If you are not using the global email security standards SPF, DKIM and DMARC, you should be. They’ve been around for many years and are used and trusted by millions of people. They can only help.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) allow you to prevent malicious third parties from spoofing your email domain to others who use it. They don’t work perfectly, but when enabled they will absolutely cut down on some forms of email maliciousness.

For these protocols to work, the sender’s email domain administrator enables them in DNS using TXT records (a TXT record is a particular type of DNS record, as an A record is) or by enabling them in the email host provider’s administrative console. When enabled, receivers (actually their email servers or clients on their behalf) of emails from activated domains can check additional information to verify whether a particular email came from the email domain from which it claims to be sent.

It’s a little confusing. Sending domains enable the protocols so that receivers can verify that emails are really from the sender’s domain. Senders enable these protocols so other people can’t claim to be them. Receivers enable them so they can verify whether a particular email is from where it says it’s from. Both sides must be enabled. Enabling them can’t hurt anything, unless you decide to take the draconian step of rejecting all emails that fail any of the checks. Hint: This will cause far too many false positives, so choose to quarantine instead.

SPF works by preventing spoofing of the domain of a legitimate email’s real return address (i.e., the email address that you would be sending a reply to). This email address is known as the 5321 address, because it is defined in RFC 5321, which defines Simple Mail Transfer Protocol (SMTP). Depending on the email client, the 5321 address may not always be displayed. This is especially true of small form-factor email clients such as the ones you see on smartphones.

DKIM works by preventing spoofing of the domain of the “Display From” email address (from RFC 5322, the Internet Message Format email standard). The Display From address is almost always shown to an end-user when they preview or open an email, hence its name. The figure below shows the difference between the 5321 and 5322 email addresses.
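
The two addresses can also be read directly from a delivered message's headers. The following is an added example, not part of the original article: it takes the 5321 address from the Return-Path header (where the receiving server records it) and the 5322 address from the From header, then compares their domains. The sample message, its domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (example domains only). The receiving server
# records the RFC 5321 envelope sender in the Return-Path header; the From
# header carries the RFC 5322 "Display From" address the user sees.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank Support" <support@example.com>
To: user@example.org
Subject: Account notice

Hello.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None  # missing header, empty bounce address "<>", or malformed
    return addr.rsplit("@", 1)[1].lower()


def sender_domains(raw_message):
    """Extract the 5321 and 5322 sender domains and report whether they match."""
    msg = message_from_string(raw_message)
    d5321 = domain_of(msg.get("Return-Path"))
    d5322 = domain_of(msg.get("From"))
    return {
        "rfc5321_domain": d5321,
        "rfc5322_domain": d5322,
        # A mismatch is not proof of spoofing (bulk mail services often use
        # their own return address); it shows the two values are independent.
        "match": d5321 is not None and d5321 == d5322,
    }


if __name__ == "__main__":
    print(sender_domains(SAMPLE))
```

A mail client that shows only the From header would display support@example.com here, while the return address belongs to a different domain.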
