Boosting Email Deliverability with DMARC, DKIM, and SPF

by Jul 24, 2024Cybersecurity Corner, Small Business Bulletin0 comments

Have you ever sent an email, but the recipient never responded? Were you certain your email was received? In both corporate and personal settings emails are common methods of communication. Email deliverability is an important feature of digital communication that ensures emails reach their intended recipients’ inboxes. High deliverability rates are critical for businesses to communicate successfully with their customers, partners, and stakeholders. However, achieving peak email deliverability can be difficult due to typical challenges including spam, spoofing, and phishing. These criminal behaviors not only hurt the sender’s reputation but also lower the likelihood that legitimate emails will be delivered successfully.

Emails flying through a digital arena

Understanding Email Authentication Protocols

SPF (Sender Policy Framework)

Definition and Purpose

SPF is an email authentication technique that detects and prevents email spoofing. It allows domain owners to choose which mail servers can send emails on their behalf.

How does SPF work?

When an email is sent, the receiving mail server checks the sender’s domain’s DNS for an SPF record. If the email is sent from a legitimate server, it will pass the SPF check. If not, it fails, and the receiving server may reject or flag the email as spam.

Importance of Having SPF Records

SPF helps to prevent unauthorized users from sending emails from your domain, lowering the risk of phishing and spoofing attacks. It is an important step in maintaining the integrity of your email exchanges. Having SPF Records is important for several reasons:

  • Prevent Email Spoofing: By verifying the sender’s IP address, SPF helps prevent attackers from sending emails that appear to come from your domain.
  • Improves Domain Reputation: Implementing SPF demonstrates to email services and blacklist sites that your domain is secure, which helps maintain a good domain reputation.
  • Improves Email Deliverability: Emails from domains with properly configured SPF records are less likely to be marked as spam, improving overall deliverability.

DKIM (DomainKeys Identified Mail)

Definition and Purpose

DKIM is an email authentication method that enables the sender to associate a domain name with an email message by adding a digital signature. This signature is linked to the domain, confirming that the email was not altered during transit.

How does DKIM work?

DKIM adds a signature to the email header that is created with the sender’s private key. To validate the signature, the receiving server utilizes the sender’s public key as published in the DNS. If the signature is legitimate, it confirms that the email was sent from the domain and was not tampered with.

Benefits of Implementing DKIM

Implementing DKIM adds another degree of protection, confirming the validity of your emails. It promotes confidence among email recipients and ISPs, increasing the likelihood of effective email delivery. Here are some added benefits, very similar to that of SPF:

  • Prevents Email Tampering: Ensures that the email content remains unchanged during transit.
  • Enhances Email Deliverability: Emails with valid DKIM signatures are less likely to be marked as spam.
  • Improves Domain Reputation: Inform email providers that your domain is secure and trustworthy.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Definition and Purpose

DMARC is an email authentication technique that detects and prevents email spoofing through the use of SPF and DKIM. It allows domain owners to designate how unauthenticated emails should be treated and includes a reporting method for tracking email authentication.

How DMARC Integrates SPF and DKIM

Secure Email

DMARC analyzes both SPF and DKIM information to confirm that emails are valid. If an email passes SPF or DKIM and matches the domain in the “From” header, it passes DMARC. If not, DMARC directs the receiving server to treat the email in accordance with the domain owner’s policy.

Setting Up DMARC Policies

DMARC policies can be set to none (monitoring only), quarantine (mark questionable emails as spam), or reject (block suspicious emails). This enables domain owners to gradually adopt DMARC and alter policy based on the findings from reports. Simplified outline:

  1. Create DMARC Report: Publish a DMARC record in your DNS specifying your policy (none, quarantine, or reject) and the email address for receiving reports. 
  2. Monitor Reports: Regularly review DMARC reports to identify and address issues.
  3. Adjust Policies: Based on the reports, adjust your DMARC policies to improve email security and deliverability

Why are DMARC, DKIM, and SPF Crucial for Email Deliverability?

  • Preventing Email Spoofing and Phishing Attacks: DMARC, DKIM, and SPF can help enterprises limit the risk of email spoofing and phishing assaults. These protocols ensure that only legitimate emails reach their intended recipients.
  • Building Trust with Email Recipients: When recipients perceive that emails are properly authenticated, they gain faith in the sender’s domain. This trust increases engagement rates and the likelihood of emails being opened and acted on.
  • Improving Inbox Placement Rates: Emails passing DMARC, DKIM, and SPF checks are more likely to reach the inbox than the spam bin. This increases email deliverability and ensures that your communications reach their intended recipients.

The Importance of Monitoring DMARC Reports

What are DMARC Reports?

DMARC reports include detailed information about the authentication outcomes of your emails. They include information about whether emails passed or failed SPF and DKIM tests, as well as insights into potential spoofing attempts.

How to Access and Read DMARC Reports

DMARC reports are usually sent in XML format to the email address specified in the DMARC record. Tools and services are available to help parse and interpret these reports, making it easier to understand the data.

Benefits of Monitoring DMARC Reports Regularly

Regular monitoring of DMARC reports helps identify and address issues promptly. It ensures compliance with your email authentication policies and helps maintain the effectiveness of your email security measures.

  • Identifying and Addressing Issues: DMARC reports identify any anomalies or failures in email authentication, allowing you to take appropriate action. This proactive strategy contributes to a high level of email deliverability and security.
  • Ensuring Compliance and Effectiveness of Email Authentication Policies: Regularly examining DMARC reports can help you confirm that your email authentication policies are working properly. This contributes to maintaining a secure email environment and boosting overall deliverability.

Real World Case 

Computer Security

APT43/ Kimsuky Group

An article published by Forbes on May 8, 2024, focused on a joint cybersecurity warning issued by the Federal Bureau of Investigation, the National Security Agency, and the U.S. Department of State. The threat was found to be a North Korean hacking group that goes by the name APT43 or the Kimsuky Group. The group used email authentication bypass to impersonate journalists, researchers, and other academics as part of coordinated spear-phishing campaigns intended to “provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts.” The joint security advisory advised all those responsible for their email domain, or where an email is served, whether in a personal or organizational capacity, to update their Domain-based Message Authentication, Reporting, and Conformance (DMARC) security policy immediately. Kimsuky’s principal aim appears to be to compromise expert targets such as policy analysts to obtain data that will provide significant geopolitical insights. 

The function of DMARC is something that most email users are unaware of but is essential to the safety and security of their email communications. Google just adopted new email authentication rules, which will result in non-authenticated emails from bulk senders to Gmail addresses being returned unopened. They took this action to limit the amount of spam and malicious emails, which reduces the possibility of hazardous content being delivered to Gmail users. 

Although spear phishing attacks do not trigger Gmail bulk sender limitations, the Kimsuky attackers are bypassing the same authentication measures that Google requires bulk senders to securely configure. Kimsuky takes advantage of the fact that many DMARC policies have been left blank or tagged with no action to be taken if an email fails the tests. Kimsuky will generate bogus usernames while using authentic domain names to impersonate people from think tanks and higher education institutions. These emails are sent from a hacker-controlled email address and domain, rather than the legitimate organizations. This is possible because the DMARC policy (or lack of DMARC policy) is insufficient to protect the domain from being used in an impersonation attack.

As per the FBI and NSA, to help lower the risk of becoming an unwitting accessory in these attacks, individuals and organizations should update their DMARC security policy. To accomplish this, make sure that your DMARC policy, which can be changed in your email domain’s DNS settings, is one of two configurations: “v=DMARC1; p=quarantine,” which instructs the email server to quarantine emails that fail DMARC testing as spam, or “v=DMARC1; p=reject,” which instructs the server to reject or block the email. This configuration step is required for any custom business domains. If you are using a personal account with Gmail, Hotmail, or others, this configuration step has already been handled by them.

Conclusion

Implementing and maintaining DMARC, DKIM, and SPF is crucial for better email delivery. These strategies help to reduce spoofing and phishing efforts, raise recipient confidence, and increase inbox placement rates. Monitoring DMARC reports regularly ensures that your email authentication procedures are effective and helps to maintain a secure and reliable email communication route. Organizations may safeguard their email reputation and guarantee that communications reach their intended recipients by prioritizing email authentication.

If you or your organization are receiving reports from your recipients that your messages are landing in their spam mail, it’s likely a DMARC misconfiguration. If you’re not sure how to get this fixed, you can reach out to a cybersecurity company like Managed Nerds to securely configure your email server.

Author’s Note

If you’ve read this article in its entirety and still don’t fully understand everything that you’ve read, that’s okay. I’ve included some helpful links below so you can take the initiative to do your own research to improve your understanding and protect yourself and your organization. I didn’t fully understand these terms before doing my research for the article either, but now I have a better grasp of them. I’m sure you could do it too.

References

Amy. (2024, August 14). How to read a DMARC report—and actually understand it! MailerCheck. https://www.mailercheck.com/articles/how-to-read-a-dmarc-report-and-actually-understand-it

Bahirat, T. (n.d.). What Is DKIM and How Can It Boost Your Email Security? https://learn.g2.com/dkim

EasyDMARC. (2024, September 18). Understanding and Analyzing DMARC Reports. EasyDMARC. https://easydmarc.com/blog/understanding-dmarc-reports

What Is DKIM? – How It Works, Definition & More | Proofpoint US. (2024, January 12). Proofpoint. https://www.proofpoint.com/us/threat-reference/dkim

What Is SPF? – Sender Policy Framework Defined | Proofpoint US. (2024, February 26). Proofpoint. https://www.proofpoint.com/us/threat-reference/spf

Winder, D. (2024, May 10). FBI Issues Advisory As Hackers Strike: Email Admins Do This 1 Thing Now. Forbes. https://www.forbes.com/sites/daveywinder/2024/05/08/new-fbi-warning-as-hackers-strike-email-users-must-do-this-1-things-strike-email-users-must-do-this-1-thing

0 Comments

Submit a Comment