SPF, DKIM and DMARC are essential components in order to ensure the protection of your company’s email environment.
Among other things, they help protect from the imitation (or spoofing) of domains, and therefore protect your customers and providers from phishing, spear-phishing or business email compromise (BEC) attacks that would impersonate your company.
If these three elements are set up correctly, they will authenticate and ensure the legitimacy of an email and its sender.
But in detail, what are SPF, DKIM and DMARC, and, importantly, how can you set them up?
In order to answer this and help you protect your company, Mantra’s IT Security teams have prepared this article.
It can be hard to track all these acronyms. No worries though, here’s a quick recap:
To summarize, the SPF, DKIM and DMARC trifecta protects your domain name and its use in emails: this prevents hackers from using your domain (and your company’s reputation) to communicate with other parties.
In 2021, 2 out of 3 Fortune 500 companies didn’t have their DMARC setup. What risk does this pose and why should you set up SPF, DMARC and DKIM?
Protecting your company’s domain name with SPF, DKIM and DMARC therefore means contributing to protect your customers, suppliers and other companies from cyberattacks that would seek to capitalize on the credibility and reputation of your company.
SPF is linked to the sender on the email’s envelope and DKIM to a domain declared during signing. These aren’t necessarily the same as the sender shown in the email’s from field.
The DMARC checks that the from field shown (visible by the reader) is the same as for the SPF or DKIM policies.
It would therefore be possible to create a malicious.com domain that would have SPF and DKIM and to send an email specifying a different from domain like example.io
Without DMARC, this mail would be valid because the SPF and DKIM tests (the envelope sender is malicious.com) would check the policies of that domain.
Only DMARC would notice that example.io is a different than the domain of the SPF and DKIM policies and therefore that something is off.
Without SPF, DKIM and DMARC, it’s therefore easy to spoof an email from a trusted company.
For example:
You want to check whether or not SPF, DKIM and DMARC are set up on your domain? There are quite a few tools out there but MxToolbox is a good one: you can look up, for a domain name, whether or not SPF, DKIM and DMARC have been set up (https://mxtoolbox.com/)
And if they haven’t? Here’s a guide.
Name: @ or leave blank
TTL: 3600 or leave the default value
Value/answer/destination: enter v=spf1 include: _spf.google.com ~all (Beware, this will only work if Google is your email provider. If not, check with your email provider which value to input)
Then save and wait for it to take effect (this can take a few days).
DMARC is a rule that tells your email provider what to do if SPF and DKIM have not been authenticated. There are 3 options: none, quarantine or reject.
Name: _dmarc
Value: (this is an example that you can reuse by replacing example@ex.com by an address that exists and belongs to you) v=DMARC1; p=quarantine; rua=mailto:exemple@ex.com; ruf=mailto:exemple@ex.com; fo=sw where
Once DMARC is set up, it will provide instructions to mail servers on how to deal with emails that pass (or fail) SPF/DKIM tests.
In order to be delivered, your emails therefore need to pass SPF and DKIM tests.
This works well, and is enough, for simple mailboxes like your Outlook or Gmail company mailboxes.
However, you may be using services (like Mailchimp, ticketing tools, customer service tools…) that send emails using your domain. You don’t want these emails to be blocked if they don’t have an SPF and DKIM signature!
Will SPF, DKIM and DMARC prevent phishing? No, of course not.
It will still be possible to trick users by using look-alike addresses. But it does prevent hackers from usurping the identity and reputation of a legitimate business.
SPF, DKIM and DMARC are therefore an important building block of a more cybersafe world.
However, users can still be fooled by near domains (customer-amazon.com, Linkedln.com - the second i is in fact a lower-case L - or service-dashlane.com for example) which present a serious threat as they are difficult to detect.
Indeed, it is easy to set up credible near domains while on the other hand unprepared users receive so many emails that they do not pay enough attention to these details.
What are the differences between the ISO 2007 and SOC2 standards? And which one is right for your company?
Why does a simple phishing email threaten an entire company? How do hackers move on from a low-level account to significant privileges, and, eventually, deploy a ransomware?