
Email Security

SPF

Sender Policy Framework is an email authentication method designed to detect forged sender addresses during the delivery of an email. SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email (the address used when the mail gets bounced). Only in combination with DMARC can it be used to detect forging of the visible sender in emails (email spoofing), a technique often used in phishing and email spam.

SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.

Pages:
* How to setup SPF

Tools:
* MXToolbox - SPF Record Check - Lookup SPF Records

Source:
* https://en.wikipedia.org/wiki/Sender_Policy_Framework
* https://datatracker.ietf.org/doc/rfc7208/

DKIM

DomainKeys Identified Mail is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.

It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than the message's authors and recipients.

Pages:
* How to setup DKIM

Tools:
* MXToolbox - DKIM Record Lookup

Source:
* https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
* https://www.rfc-editor.org/info/rfc6376

DMARC

Domain-based Message Authentication, Reporting and Conformance is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

DMARC brings SPF and DKIM together: the DMARC record states the policy a receiver should apply to mail that fails the SPF and DKIM checks. If the published policy is "reject", the receiving mail server will reject any email that fails those checks.

You can also tell the receiving mail server to report any failures via email. When implementing DMARC it is common practice to have receiving servers report but not reject for a month or so, so that you learn what mail is actually flowing out under your domain and do not break anything important.

Pages:
* How to setup DMARC

Tools:
* MXToolbox - DMARC Check Tool - Check DMARC Records for Errors

Source:
* https://en.wikipedia.org/wiki/DMARC
* https://datatracker.ietf.org/doc/html/rfc7489

TLS-RPT

TLS Reporting (TLS-RPT) is a standard for reporting email delivery issues that occur when an email isn’t encrypted with TLS. It complements the MTA-STS protocol, which is used to guarantee that any email sent to your domain gets TLS encrypted.

TLS encryption ensures that every email sent to you gets delivered securely. However, an attacker might attempt an SMTP downgrade, a type of attack where the email gets sent to you without being encrypted, allowing them to read or tamper with the contents. MTA-STS combats this by making it necessary for all emails to be encrypted before being sent to you. If an attacker tries to perform an SMTP downgrade, the email will not be sent at all.

TLS-RPT makes it possible for you, the domain owner, to receive reports on every email that doesn’t get encrypted and fails to be sent to you. You can then identify the source of the problem and fix your delivery issues.

  1. Draft and publish the policy on a public, secured web server
  2. Enable SMTP TLS-RPT via a TXT record
  3. Signal MTA-STS support via a TXT record
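The DMARC "report but don't reject" mode described above and the two TXT records from steps 2 and 3 all use the same `tag=value;` syntax. As an added example (not code from the page's sources), here is a small Python checker that parses such records and flags the usual mistakes; the example.com records and mailbox names are constructed for illustration.

```python
# Constructed sample records for example.com (not from any real domain).
SAMPLES = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_smtp._tls.example.com": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
    "_mta-sts.example.com": "v=STSv1; id=20220101000000Z",
}

def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> dict:
    """Say whether a DMARC record only monitors (p=none) or enforces, and what is missing."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1 tag")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will be sent")
    mode = "monitor" if policy == "none" else "enforce"
    return {"mode": mode, "policy": policy, "problems": problems}

def check_tlsrpt(record: str) -> list:
    """A TLS-RPT record needs v=TLSRPTv1 and a mailto: or https: reporting URI."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "TLSRPTv1":
        problems.append("missing v=TLSRPTv1 tag")
    if not tags.get("rua", "").startswith(("mailto:", "https:")):
        problems.append("rua= must be a mailto: or https: URI")
    return problems

def check_mta_sts(record: str) -> list:
    """The MTA-STS TXT record only signals support; it needs v=STSv1 and an id=."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "STSv1":
        problems.append("missing v=STSv1 tag")
    if not tags.get("id"):
        problems.append("missing id= (change it whenever the policy file changes)")
    return problems
```

Run the three check functions over the values in SAMPLES: the DMARC sample comes back in "monitor" mode, which is the safe starting point described above, and the other two report no problems.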

O365 only recently started supporting TLS-RPT and MTA-STS; enable with caution.

Source:
* https://knowledge.ondmarc.redsift.com/en/articles/6061362-setup-mta-sts-and-tls-rpt
* https://www.rfc-editor.org/rfc/rfc8460.txt

BIMI

BIMI: Adds your logo to your emails in the inbox so that subscribers can quickly identify your messages and trust that you sent them.

BIMI stands for Brand Indicators for Message Identification. Developed by the Authindicators Working Group, it’s a standard that attaches your brand’s logo to your authenticated email messages. With this simple, visual verification, recipients can recognize and trust the messages you send.

Note that BIMI is not supported on Microsoft Office 365 as of this writing (2022). Microsoft still prefers that you register your business at Bing.