Given malicious email is such a big problem, it makes sense that stopping it from being received is a priority. All organisations understand and pay attention to their primary email domains with spam filters and anti-malware checks. The other side to this equation – often not as well understood - is hardening your email to prevent fraudulent actors from sending emails on behalf of your domain name. These settings can also impact whether recipients will reliably receive your mail.

What may be even less well-known is that all your domains should have this protection, including those not used for email like parked domains, legacy domains, testing domains, or any other domain that may be used for applications other than email. Without it they too can be used for fraudulent activity including impersonating your organisation.


What are the elements of this kind of email security hardening?

SPF, DKIM, and DMARC are the acronyms you might come across in email security. What do they do, and how do they work? (Already know the differences and just want to see if there are any configuration gaps on your domains? Find out here.)


Sender Policy Framework – the basics

SPF stands for Sender Policy Framework and is the most basic security method for email. With SPF, you publish a list of authorised senders who can send email on your domain.

By default, any computer connected to the internet can send to any email inbox with any sender name. This allows for identity fraud, spam, etc. The Sender Policy Framework (SPF) standard aims to prevent email identity fraud and is used as one of the factors in detecting spam messages.

When an email server receives an email message, the receiver uses SPF to determine if the computer that sent the message was allowed to do so. If the sender does not pass SPF validation, the message is likely to be rejected or flagged as spam.

A domain owner can publish their SPF policy through the Domain Name System (DNS) by adding a DNS record. This record, which must conform to the SPF standard, tells any receiving servers which sending servers are allowed.


What about DKIM?

The goal of Domain Keys Identified Mail (DKIM) is also to reduce email spam and fraud. With DKIM, the sending email service adds a cryptographic signature to the email that the receiver can use to verify the email source.  

In simplified terms, the sender signs the emails using their private (encryption) key. The sending domain also publishes their public key in the DNS of their domain. By doing so, the receivers of the email can look up that public key and use it to verify the message and, therefore verify that the sender indeed holds the corresponding private key, and so can be trusted as authorised to send email for the domain.

Like SPF, DKIM requires DNS entries be created and follows a specific standard for formulating these.  

Is DKIM better than SPF?

SPF is easier to set up than DKIM, but DKIM has other advantages:

  • DKIM proves the authenticity of the email body itself so the receiver can be sure the email was not changed in any way while in transit.
  • DKIM signatures stay intact when emails are automatically forwarded (forwarding breaks SPF).
  • DKIM is unique to the domain, so it can be used on email services that serve many domains.

SPF alone is limited to detecting a forged sender claim in the envelope (outside) of the email, which is used when the mail gets bounced. Only in combination with DMARC can it detect the forging of the visible sender inemails (spoofing), a technique often used in phishing and spam.

So DKIM and SPF are very effective when combined with DMARC, but what is DMARC?


What is DMARC, and how does it work

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication and security policy protocol. DMARC extends SPF and DKIM validation by adding a third validation known as alignment. It is intended to mitigate the weaknesses that exist in both DKIM and SPF. DMARC allows domain owners to specify a policy on how the receiver should handle email from the domain.

Alignment is a little complicated. Essentially though, the email standard allows the ‘sent from’ email addresses in emails to be set in more than one place in the email, and alignment means these need to line up with the authorised domain from either/both SPF and DKIM. On top of that, relaxed or strict versions of this policy and settings control what to do if email fails the rule – ie, do nothing (‘none’), quarantine or reject the email. Typically, you set it to ‘none’ for testing purposes and then move it to one of the other settings. Leaving it set to none is a bad idea as it does not provide any protections. You can read more about DMARC here.


How to set up SPF and DMARC to harden emails

If you are not using a domain for email, nobody else must be using it either.  

The best way to do this is to set up the SPF and DMARC as follows:

  • SPF: Add an SPF rule (-all) means all email sent on behalf of the domain will fail SPF validation
  • DKIM: Just remove any DKIM rules you have
  • DMARC: With SPF set to ‘-all’, DMARC rules will fail alignment, so you just need to make sure you have a DNS record that tells receivers to check your DMARC policy i.e. Create a DNS TXT type recordat with the following content: “v=DMARC1;p=reject;”
  • To prevent inbound email and give anyone who sends email to your domain a proper error message you can specify a null MX record.

Today, spam and malware filtering are commonly deployed by email service providers. However, additional protections like DMARC, DKIM and SPF are usually managed internally. While all three are powerful alone, they work better when deployed together.

Our recommendation is to harden email with DMARC in addition to SPF and/or DKIM. The additive nature of DMARC will give your email domains and any others that you own extra validation.

Wondering how Glasstrail can help? Glasstrail detects if you have configured DMARC and SPF correctly on all your domains. We do not check for DKIM because your DKIM settings can only be detected when receiving emails from you, while DMARC and SPF can be checked by inspecting your DNS entries.

Take a 14-day free trial of Glasstrail today and let Glasstrail spot the gaps and misconfigurations in your entire external attack surface (not just email).