Mail Spoofing: How to keep emails secure and prevent fraud
Emails have been part of our daily lives for decades, but few realize how easy it is for malicious actors to forge sender information when your organization has not put the right security measures in place. In this blog post, I will explain what spoofing is, explore how it is possible, and provide information to help protect your organization from this form of fraud.
What is mail spoofing?
Mail spoofing is the falsification of sender information in an email message to make the recipient believe that the email originates from a source other than the actual sender. For example, someone with fraudulent intentions may send emails posing as invoices@my-organization.org to customers, asking for money, without the sender actually having access to this email address.
How is mail spoofing possible?
Without the right security measures, individuals can easily pretend to send emails via your domain because there is no way to verify the authenticity of these emails. Mail spoofing is possible due to the way the email protocol is set up. The sender information in an email is simply set by whoever sends the message, so it can be manipulated, and email recipients rely on DNS to verify whether that sender information is genuine. When an email is received, the DNS records of the sending domain are consulted to determine whether the sender is authorized to send emails on behalf of that domain. If these rules in DNS are not set up or are configured incorrectly, the emails may be treated as trusted even though they are not.
Email authentication via DNS
To address this issue and ensure that emails are properly validated, SPF and DKIM can be used:
- Sender Policy Framework (SPF): This technique uses a domain’s DNS records to specify which email servers are authorized to send emails on behalf of that domain. Email recipients check the SPF record in DNS to verify whether the sending server is legitimate. If there is no SPF record, or if the sending server does not match the record, the email may be deemed suspicious.
- DomainKeys Identified Mail (DKIM): This technique uses digital signatures to validate emails. The sending server signs each message with a private key; the public part of the DKIM key is stored in DNS. When an email is received, the signature on the mail is verified with the public key stored in DNS to ensure that the email has not been altered since it was sent. If the signature does not verify against that key, the email cannot be validated.
It is advisable to set up SPF and DKIM for all tools used to send emails via your domain, such as an accounting tool sending emails to employees from an address like officemanager@my-organization.org. Use SPF to specify which email servers are authorized to send emails on behalf of that domain, and use DKIM to validate that the email has not been altered since it was sent.
The SPF records and DKIM records are often found in the settings of the respective tools, or you may need to contact customer service for this information. You can set up the records in the DNS of your domain. For example, an SPF record can look like this:
v=spf1 include:_spf.google.com ~all
And a DKIM record can look like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJ
What to do with emails that do not pass verification?
Once SPF and DKIM are set up, it is wise to establish a DMARC record. DMARC stands for Domain-based Message Authentication, Reporting & Conformance and enables you to determine what should happen to emails that do not pass SPF and/or DKIM verification.
DMARC has three policy options that instruct receiving mail servers on what to do with an email that fails SPF and/or DKIM verification:
- Quarantine: Emails that fail verification are placed in the spam folder or marked as suspicious, but they are still delivered.
- Reject: Emails that fail verification are completely refused and not delivered.
- None: Nothing specific is done with emails that fail verification, but a report is sent to the defined email address in the DMARC rule. This option could be ideal when setting up DMARC without specific actions in mind.
You can also set up a DMARC record in the DNS of your domain. A DMARC record can look like this:
v=DMARC1; p=none; ruf=mailto:person@my-organization.org;
For ‘p’, you choose the policy option, in this case ‘none’. For ‘ruf’, you enter the email address where the reports should be sent. In these reports, you can see which emails do not pass verification and what actions have been taken.
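To show what the receiving side actually does with the SPF record from the previous section and the DMARC record above, here is an added example (not code from the original post): a small SPF evaluator that resolves include: mechanisms and applies the qualifier on the matching term, plus a DMARC policy lookup. DNS is replaced by a constructed lookup table, so the _spf.google.com entry and the IP ranges are made-up stand-ins, not the real records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (a real check would query DNS).
# The _spf.google.com entry is invented for this example, not Google's real record.
DNS_TXT = {
    "my-organization.org": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"],
    "_dmarc.my-organization.org": [
        "v=DMARC1; p=none; ruf=mailto:person@my-organization.org;"
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it has none."""
    for txt in DNS_TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the domain's SPF record, left to right.
    The first matching mechanism decides; its qualifier gives the result."""
    record = spf_record(domain)
    if record is None or depth > 10:  # RFC 7208 limits include: nesting
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include: matches only if the referenced domain returns "pass"
            matched = check_spf(mech[len("include:"):], sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False  # other mechanisms (a, mx, ...) not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def dmarc_policy(domain):
    """Return the p= policy from _dmarc.<domain>, or None if DMARC is absent."""
    for txt in DNS_TXT.get("_dmarc." + domain, []):
        if txt.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p")
    return None
```

With the record above, a message from 192.0.2.5 gets "softfail" (the ~all catch-all), and because the DMARC policy is "none" the receiver would still deliver it; changing the record to "-all" and the policy to "reject" is what makes the spoofed message get refused.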
Is my organization vulnerable to mail spoofing?
It is wise to check if your organization is vulnerable to mail spoofing. Fortunately, this can be done easily with a free tool like mxtoolbox.com. Enter your domain name, and if you see a red cross or yellow exclamation mark next to DMARC, you know you are vulnerable to mail spoofing.
Conclusion
In this blog post, we have discussed what mail spoofing is and how it is possible. We have also looked at security measures that can be taken to protect your organization from this type of fraud, such as using SPF and DKIM. Additionally, we emphasized the importance of a DMARC record to determine the actions to be taken with emails that do not pass verification. Finally, we explored how to check if your organization is vulnerable to mail spoofing.