How to Prevent Email Spoofing

 


3/3/2024 | Views: 978 | 7 Minutes, 50 Seconds | Written By John Marx | Tags: DMARC, Email, SPF

When it comes to email security, YOU are the first line of defense for your customers and YOUR business's reputation. Phishing attacks account for one-third of all security incidents in business today. Reducing the chance of your domain being used in phishing attacks takes a few DNS records and some operational discipline, and we will cover everything you need to do. We'll do our best to keep this non-technical while giving you enough technical knowledge to speak confidently about the subject.

Below, we will cover SPF, DKIM, and DMARC. Implementing the three together makes your domain much harder to spoof and, as a side effect, improves your sending reputation and email deliverability.

What is Email Spoofing?

Email spoofing occurs when an attacker forges an email's "From" address to make it appear as if it's coming from a legitimate source. Nothing in plain SMTP verifies that header; a sending server can put any address it likes in it. Spoofed emails deceive recipients into believing they are from a trusted sender, leading to credential theft, fraudulent payments and malware infections.

What is Phishing, and Why Is It So Prevalent?

Billions of emails are sent every day, and a large share of them are spam or phishing. By taking the measures below, you reduce how much of that can be sent in your domain's name.

Phishing is when malicious actors send messages designed to trick the recipient into handing over credentials, paying a fake invoice, or opening malware. Forging email headers to impersonate a sender the recipient trusts is their most effective tool, and it can be curbed by combining the technical measures below with user awareness.

Implementing SPF

SPF (Sender Policy Framework) specifies which servers, by IP address, hostname or MX record, are allowed to send email for a particular domain. Receiving servers look the record up in DNS and compare it with the IP address that connected to them. When you add an SPF record to your DNS domain, you are adding the first level of protection to prevent spammers from spoofing your domain.

As a side benefit, this is the first of several steps toward getting your email into the inbox rather than flagged as spam or bounced by your recipients' mail servers.

A downside to SPF is that it is only part of your spoofing protection. SPF is checked against the envelope sender (the Return-Path address used in the SMTP session), not the "From" address the recipient sees, so on its own it does not stop a forged From header. It also breaks when mail is forwarded, because the forwarding server is not in your record, and not every receiving server checks for an SPF record at all.

The most basic SPF record is a TXT record on your domain containing "v=spf1 mx -all" (without the quotes): only the hosts in your MX records may send, and everyone else should fail. If a third-party service sends mail for you (hosted mailboxes, a newsletter or ticketing platform), add the include: mechanism that service documents. Keep the total number of lookup-causing terms (include, a, mx, ptr, exists and redirect) at or below 10; past that limit receivers return a permanent error instead of a pass, and your record does nothing.

Technical Information: SPF is exhaustively described in RFC 7208.
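Here is an added example (not from the article) of how a receiver reads such a record: a small Python linter that parses an SPF record into its terms and flags the mistakes we see most often. The records it checks are constructed, the example.net hosts are placeholders, and it does no DNS queries, so it cannot expand nested include: records or detect a missing record; run it against the TXT value you are about to publish.

```python
"""Static checks on an SPF TXT record (added example, not the article's code).

The record is inspected as text only; no DNS lookups are made, so nested
include: records are not expanded and their lookups are not counted.
"""
import re

# Terms that cost a DNS lookup when evaluated (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# qualifier, name, optional ":" or "=" argument, optional "/cidr" suffix
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?")


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, argument) terms.

    'mx' -> ('+', 'mx', ''), '-all' -> ('-', 'all', ''),
    'include:_spf.example.net' -> ('+', 'include', '_spf.example.net'),
    'ip4:192.0.2.0/24' -> ('+', 'ip4', '192.0.2.0').
    """
    terms = []
    for token in record.split():
        m = TERM_RE.fullmatch(token)
        if m is None:
            raise ValueError(f"unparseable SPF term: {token!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return terms


def lint_spf(record: str) -> list[str]:
    """Return a list of problems; an empty list means the record looks sane."""
    problems: list[str] = []
    terms = parse_spf(record)
    if not terms or terms[0] != ("+", "v", "spf1"):
        problems.append('record must start with "v=spf1"')
    names = [name for _, name, _ in terms]

    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; receivers stop at 10 and return permerror")
    if "ptr" in names:
        problems.append('"ptr" is deprecated and slow; list the sending hosts directly')

    all_terms = [(q, n) for q, n, _ in terms if n == "all"]
    if not all_terms:
        if "redirect" not in names:
            problems.append('no "all" term: unlisted senders get a neutral result instead of a fail')
    else:
        qualifier = all_terms[0][0]
        if qualifier == "+":
            problems.append('"+all" authorises every host on the Internet to send as this domain')
        elif qualifier == "?":
            problems.append('"?all" is neutral and gives receivers nothing to act on; use "-all" or "~all"')
        if names.index("all") != len(names) - 1:
            problems.append('terms after "all" are never evaluated')
    return problems


# Constructed records for demonstration; example.net hosts are placeholders.
GOOD = "v=spf1 mx -all"
OPEN = "v=spf1 mx +all"
TOO_MANY = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all"

if __name__ == "__main__":
    for record in (GOOD, OPEN, TOO_MANY):
        print(record[:60], "->", lint_spf(record) or "OK")
```

The lookup count here is a lower bound: every include: you add pulls in that provider's own includes, which is how a record that looks short on paper ends up over the limit.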

Implementing DomainKeys Identified Mail (DKIM)

DKIM is your next step in email compliance and lets your mail server take responsibility for the email it sends. Each outbound message is digitally signed with a private key held by the mail server; the matching public key is published in DNS as a TXT record at selector._domainkey.yourDomain.com (a value of the form v=DKIM1; k=rsa; p=<public key>). Any receiver can then check that the message was not altered in transit and really came from a server holding your key. Because the signature travels with the message, DKIM keeps working when mail is forwarded, which is exactly where SPF breaks. Rotate the key periodically and remove old selectors from DNS once they are no longer in use.

Technical Information: DKIM is exhaustively described in RFC 6376.

Implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC builds upon your configuration of SPF and DKIM. This is the step most will either skip or get wrong, yet it's the most important piece of your DNS setup for reliable delivery to your recipients' inboxes. When set up, a DMARC record tells receiving servers:

  • Email Authentication: a message passes only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible "From" header
  • Email Reporting: where to send aggregate and failure reports
  • How to handle failed SPF and DKIM checks: do nothing, quarantine the message, or reject it

Technical Information: DMARC is exhaustively described in RFC 7489.

DMARC Reports & Why You Should Read Them

You'll start receiving reports once your DMARC record is published with a valid reporting address; most large receivers send one aggregate report per day as a zipped XML attachment. You need to actually read them. Each report lists the IP addresses that sent mail with your domain in the "From" header, how many messages each sent, whether SPF and DKIM passed and aligned, and what the receiver did with the failures. That tells you two things: who is trying to send on your behalf outside of your mail server, and which legitimate services (a newsletter tool, a CRM, a multifunction printer) are sending as you without being authorized. Fix the second group before you tighten the policy, or their mail will be the first thing you block.
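As an added example (not the article's own code), here is a Python script that reads one aggregate report and answers those two questions. The report embedded in it is constructed; the IP addresses are documentation ranges and example.com / bulkmail.example.net are placeholders for your domain and a third-party sender.

```python
"""Summarise a DMARC aggregate (rua) report. Added example, not from the article.

Aggregate reports are XML (RFC 7489 Appendix C), delivered as a gzip or zip
attachment. The report below is constructed for demonstration.
"""
# Anyone can email your rua address, so parse real reports with
# defusedxml.ElementTree instead of the stdlib parser used here.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_REPORT = """<feedback>
 <report_metadata>
  <org_name>receiver.example.org</org_name>
  <email>dmarc-noreply@receiver.example.org</email>
  <report_id>constructed-0001</report_id>
  <date_range><begin>1709424000</begin><end>1709510399</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>example.com</domain><adkim>s</adkim><aspf>s</aspf>
  <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
 </policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bulkmail.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>850</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""


@dataclass
class Source:
    ip: str
    count: int
    dkim: str          # aligned DKIM result as evaluated by the receiver
    spf: str           # aligned SPF result
    disposition: str   # what the receiver did: none, quarantine or reject
    spf_domain: str    # domain SPF actually authenticated; exposes unaligned third parties

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes when either aligned identifier passes.
        return self.dkim == "pass" or self.spf == "pass"


def parse_report(xml_text: str):
    root = ET.fromstring(xml_text)
    policy = {el.tag: el.text for el in root.find("policy_published")}
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        sources.append(Source(
            ip=row.findtext("source_ip"),
            count=int(row.findtext("count")),
            dkim=ev.findtext("dkim"),
            spf=ev.findtext("spf"),
            disposition=ev.findtext("disposition"),
            spf_domain=rec.findtext("auth_results/spf/domain", default=""),
        ))
    return policy, sources


def unauthenticated(sources):
    """Sources with no aligned pass, largest first."""
    return sorted((s for s in sources if not s.dmarc_pass), key=lambda s: -s.count)


def failure_rate(sources) -> float:
    total = sum(s.count for s in sources)
    return sum(s.count for s in sources if not s.dmarc_pass) / total if total else 0.0


def triage(sources, your_domain: str) -> list[str]:
    """A host that authenticated some other domain is usually a service you forgot
    to authorise; one that authenticated nothing is spoofing or a broken server."""
    notes = []
    for s in unauthenticated(sources):
        if s.spf_domain and s.spf_domain != your_domain:
            notes.append(f"{s.ip}: {s.count} msgs, SPF passed for {s.spf_domain} but not "
                         f"{your_domain}; add it to SPF/DKIM or fix alignment")
        else:
            notes.append(f"{s.ip}: {s.count} msgs, no aligned authentication; likely "
                         f"spoofing, receiver disposition={s.disposition}")
    return notes


if __name__ == "__main__":
    policy, sources = parse_report(SAMPLE_REPORT)
    print(f"published policy p={policy['p']}, failure rate {failure_rate(sources):.0%}")
    print("\n".join(triage(sources, "example.com")))
```

In the sample, 198.51.100.7 is the case the reports exist for: SPF passed, but for the provider's own domain rather than yours, so DMARC treats it as a failure and the receiver quarantined 30 legitimate messages. 203.0.113.99 authenticated nothing and accounts for most of the volume; that is the spoofing the policy is meant to stop.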

DMARC Record Setup

When you set up your DMARC record, you add a TXT record whose name starts with _dmarc (so _dmarc.yourDomain.com). The structure of a DMARC record is as follows:

  • The first step is deciding which policy you want to publish.
    • Policy Mode (p): specifies how receiving servers should handle messages that fail authentication: none (monitor only), quarantine (deliver to spam), or reject (refuse delivery).
      • The optional pct tag applies the quarantine or reject policy to only that percentage of failing mail; pct=100 is the default. When moving from none to reject, start with a low number and raise it as the reports show that your legitimate mail is passing. pct has no effect while p=none.
    • Reporting Options (rua, ruf): where to receive aggregate reports and, from the few receivers that send them, per-message failure reports.
    • Alignment (aspf, adkim): whether the domain that passed SPF (the envelope sender) and the d= domain in the DKIM signature must match the "From" header domain exactly (s, strict) or may be a subdomain of it (r, relaxed, the default).

The format will be similar to the one below:

v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@yourDomain.com; ruf=mailto:dmarc-forensic@yourDomain.com; sp=reject; aspf=s; adkim=s; fo=0;

DMARC records are hard to understand when you just look at them. Here is the breakdown of what you have above:

  • v=DMARC1; the version tag, which must come first
  • p=reject; refuse delivery of mail from yourDomain.com that fails DMARC
  • rua=mailto:dmarc-aggregate@yourDomain.com; send daily aggregate reports to this address
  • ruf=mailto:dmarc-forensic@yourDomain.com; send per-message failure reports to this address
  • sp=reject; apply the same policy to subdomains (anything.yourDomain.com)
  • aspf=s; the SPF-authenticated domain must match the "From" domain exactly
  • adkim=s; the DKIM d= domain must match the "From" domain exactly
  • fo=0; only generate a failure report when both SPF and DKIM fail (fo=1 reports if either fails)

Notes:

  • Replace 'yourDomain.com' with your actual domain name.
  • Adjust the 'p' parameter to specify your desired policy mode ('none', 'quarantine', or 'reject').
    • Gradually Enforce Strict Policies: start with 'none', analyze the DMARC reports, and only then move to 'quarantine' and finally 'reject', confirming at each step that legitimate email is not being blocked.
  • Modify the 'rua' and 'ruf' parameters to specify the email addresses where you want to receive aggregate and forensic DMARC reports, respectively. Each must be a real mailbox that someone actually reads, so you can adjust. We split them into two addresses so we can classify the reports we receive. If a reporting address is on a different domain than the one the record is for, that other domain must publish an authorization record (yourDomain.com._report._dmarc.otherDomain.com with the value v=DMARC1) or receivers will not send the reports there.
  • Optionally, adjust 'adkim' and 'aspf' to control alignment; the strict setting above breaks mail sent from subdomains unless those subdomains have their own SPF and DKIM.
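To check a record before publishing it, here is an added Python example (not code from the article) that parses a DMARC TXT value, lints the tags described above, and produces the next step of a none, quarantine, reject rollout. The domain example.com and the report addresses in it are placeholders.

```python
"""Parse, lint and stage a DMARC TXT record (added example, not the article's code).

The record lives at _dmarc.<domain>. example.com / example.net are placeholders.
"""
import re
from typing import Optional

POLICIES = ("none", "quarantine", "reject")

# Staged rollout: each step is stricter than the one before it.
ROLLOUT = [("none", 100), ("quarantine", 10), ("quarantine", 50), ("quarantine", 100),
           ("reject", 10), ("reject", 100)]


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:x@example.com;' -> ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def render_dmarc(tags: dict) -> str:
    return "; ".join(f"{k}={v}" for k, v in tags.items()) + ";"


def _report_domains(uri_list: str):
    """Yield the domain of each mailto: URI (a trailing '!10m' size limit is allowed),
    or None for a URI that is not mailto:."""
    for uri in uri_list.split(","):
        uri = uri.strip()
        if not uri.startswith("mailto:"):
            yield None
            continue
        address = uri[len("mailto:"):].split("!", 1)[0]
        yield address.rpartition("@")[2].lower()


def lint_dmarc(record: str, domain: str) -> list:
    """Return problems with the record published for `domain`; [] means it looks sane."""
    problems = []
    tags = parse_dmarc(record)
    keys = list(tags)
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append('"v=DMARC1" must be the first tag')
    p = tags.get("p")
    if p is None:
        problems.append('"p" (policy) tag is required')
    elif p not in POLICIES:
        problems.append(f"unknown policy p={p!r}; use none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"unknown subdomain policy sp={tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f'{tag} must be "r" (relaxed) or "s" (strict)')
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct={pct!r} must be an integer from 0 to 100")
    elif p == "none" and pct != "100":
        problems.append("pct has no effect while p=none")
    if "fo" in tags and not re.fullmatch(r"[01ds](:[01ds])*", tags["fo"]):
        problems.append(f"fo={tags['fo']!r} must be a colon-separated list of 0, 1, d, s")
    if "rua" not in tags:
        problems.append("no rua address: you will never see what receivers do with your mail")
    domain = domain.lower()
    for tag in ("rua", "ruf"):
        for report_domain in _report_domains(tags.get(tag, "")) if tag in tags else ():
            if report_domain is None:
                problems.append(f"{tag} entries must be mailto: URIs")
            # Approximation of the RFC 7489 7.1 organizational-domain comparison.
            elif report_domain != domain and not report_domain.endswith("." + domain):
                problems.append(f"{tag} points at {report_domain}; it must publish "
                                f'{domain}._report._dmarc.{report_domain} TXT "v=DMARC1"')
    return problems


def next_stage(record: str) -> Optional[str]:
    """Tighten the record to the next ROLLOUT stage; None once at p=reject, pct=100."""
    tags = parse_dmarc(record)
    current = (POLICIES.index(tags.get("p", "none")), int(tags.get("pct", "100")))
    for policy, pct in ROLLOUT:
        if (POLICIES.index(policy), pct) > current:
            tags["p"] = policy
            if pct == 100:
                tags.pop("pct", None)   # 100 is the default; drop the tag
            else:
                tags["pct"] = str(pct)
            return render_dmarc(tags)
    return None


# Constructed records; example.com is a placeholder for your domain.
RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; "
          "ruf=mailto:dmarc-forensic@example.com; sp=reject; aspf=s; adkim=s; fo=0;")
BAD = "v=DMARC1; p=rejct; pct=150; rua=mailto:dmarc@reports.example.net"

if __name__ == "__main__":
    print(lint_dmarc(RECORD, "example.com") or "OK")
    print(lint_dmarc(BAD, "example.com"))
    stage = "v=DMARC1; p=none; rua=mailto:dmarc@example.com;"
    while stage:
        print(stage)
        stage = next_stage(stage)
```

Advance a stage only after the aggregate reports for the current one show no legitimate source failing; the reports, not the calendar, decide when you are ready.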

Two-Factor Authentication (MFA, TFA, or 2FA)

You've now got your DNS set up according to the latest best practices, but you're not done. The next step is securing the mail server itself with two-factor authentication. Everything above proves only that a message came from your server; it does nothing if an attacker can log in to that server with a stolen or guessed password, because from then on they are sending AS YOU, with valid SPF and DKIM, and no receiver will stop it.

Education of Your Users (and yourself)

The next step is to educate and inform your users on what to look for. This should be continual education and never stop. Key items to look for are:

  • Zero Trust: Treat every unexpected message as unverified, especially one that asks for money, credentials or urgent action. Confirm the request through a channel you already trust (a phone number you have on file, not one in the email). If you are not sure, ask someone you know who understands the technology better than you.
  • Links: Hover over a link before clicking on it. If the visible text says https://google.com/ but the hover target shows https://microsoft.com/ (the link is lying about where it goes), do not click it. Anything suspicious should be reported to your mail server administrator, not clicked.
  • Attachments: PDFs, documents and spreadsheets are among the biggest carriers of phishing and malware. Do not assume your mail server's spam and malware detection is perfect. It is not!

Mail Server Protection

Inbound

Make certain your mail server software, virus definitions, and malware definitions are constantly updated. Configure your mail server to evaluate SPF, DKIM and DMARC on every incoming message and to honour the sending domain's published DMARC policy (quarantine or reject). Do not simply reject everything that fails SPF or lacks a DKIM signature: forwarded mail fails SPF, and many legitimate domains have not deployed DKIM, so a blanket rule drops real mail. Enforcing the sender's own DMARC policy protects your users from the large majority of spoofing attacks without that collateral damage.

Outbound

Monitor outbound mail: message volume, recipient counts, and sending at unusual hours. A sudden spike in outbound messages from one account is usually your first notification that someone has logged onto your mail server and is sending email under your domain. Rate-limit outbound mail per account so that a compromised mailbox cannot burn your domain's reputation before you notice.

Email Testing

To test our DNS email setup and the spamminess of our messages, we use two services.

Validate MX Record

  • Go to MX Toolbox, https://mxtoolbox.com/, and enter your domain name (without https:// or www., just yourDomain.com).
  • Press the MX Lookup button.
    • You should get all green checkboxes.
  • The same site has SPF Record Lookup and DMARC Lookup tools; run those on your domain as well, since a typo in either record silently disables it.

Test spamminess of our emails

The next level is to test your actual email configuration. We personally use a service called mail-tester.com:

  • Go to https://www.mail-tester.com/
  • You will be given an email to send for testing.
    • Note: Leave this window open!
  • Take a regular email or a newsletter and send it to this address.
  • Wait a few seconds, and go back to the window you left open. Click on the button that says "Then check your score" to see how you rate. Strive for a perfect 10 or as high as you can get.
    • Note: Even with a score of 10/10 there can be suggestions for improvement.

Conclusion

By staying proactive, rather than reactive, on security, you will be protecting your business and your customers. By keeping security awareness at the top of your and your users' minds, you will be less prone to having your computers compromised.