The current COVID-19 climate has resulted in an ever-changing environment that is providing less certainty as to what tomorrow will hold. The introduction of lockdown restrictions has affected our daily routines. Thanks to the existence of cloud-based systems and the ability to access information using an internet connection, many of us have been able to adapt and continue working in a remote environment. This increase in remote working has resulted in many users working on less secure networks as they connect through their own home or public networks, which do not necessarily provide the same level of cyber security as office systems. This has resulted in the necessary addition of various security controls.
Invented in 1965, email has become one of the most critical business tools as far as communication is concerned. With this increased reliance on email, however, comes an increased threat of cyber-attack. One of the common threats is email spoofing: an email is sent with a forged sender address, disguising the true source of the message in order to mislead the recipient, often as the first step of a larger cyber-attack. Another common threat is email phishing: the impersonation of a legitimate organisation, by email or text message, to steal sensitive information, usually through a link that takes the user to a page asking them to enter their login details.
While the risk of email phishing and spoofing cannot be avoided entirely (since it depends on the user’s ability to recognise such messages), the impact of successful spoofing and phishing attacks can be mitigated by setting up controls in your Domain Name System (DNS). DNS is the internet system that maps alphabetic names to numeric IP addresses, much as a phonebook maps a person’s name to a phone number. Three DNS records are relevant to email authentication: the Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). It is critical for email administrators to ensure that these three verification tools are activated in order to prevent impersonation and phishing attempts. Your domain administrator can confirm whether these records are in place; alternatively, you can have a domain health scan conducted. Should these records not be implemented, your domain administrator can activate them by following a series of steps.
SPF is the oldest of the three records, having first been published in 2000. It is an email authentication protocol that lets domain owners publish an approved list of email senders by adding an SPF record to their DNS. The recipient server cross-checks incoming email against this list of approved senders. SPF was designed to be used in conjunction with the Simple Mail Transfer Protocol (SMTP), the basic protocol used to send email, which includes no authentication mechanism of its own. Adding an SPF record is important because it reduces the number of valid emails that bounce or are flagged as spam. Businesses especially need to implement SPF and DMARC records to improve deliverability and, more importantly, to protect against cyber criminals. An SPF- and DMARC-protected domain is less attractive to phishers and spammers, as it is harder to hack or impersonate.
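To show what the recipient server's cross-check actually does, here is an added example (not code from the article) of a minimal SPF evaluator over constructed TXT records: the domain names, addresses and records in `FAKE_TXT` are invented stand-ins for DNS lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; these are not any real domain's records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-including record
}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, txt=FAKE_TXT, _lookups=None):
    """Evaluate the SPF record of `domain` for a connecting `sender_ip`.
    Returns pass/fail/softfail/neutral/none/permerror. Only ip4, ip6, include
    and all are implemented; a, mx, ptr and exists are left out for brevity."""
    if _lookups is None:
        _lookups = [0]
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers such as redirect= and exp= are not handled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # membership is False when the IP version differs from the network's
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS lookups (also stops include loops)
            sub = check_spf(arg, sender_ip, txt, _lookups)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        else:
            return "permerror"  # unknown or unsupported mechanism
    return "neutral"  # no mechanism matched and no 'all' term present
```

A `-all` record tells receivers to fail mail from any address not listed, which is what makes a forged sender address detectable; `~all` only asks them to treat it with suspicion.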
DKIM is the second oldest of the three records, having first been published in 2004. It is an email security standard designed to make sure messages are not altered in transit between the sender’s and recipient’s servers, and it uses public-key cryptography to do this. The recipient’s server uses the public key published in DNS to verify the source of the message and that the body of the message has not changed during transit. DKIM filters email, rejecting suspicious senders and only allowing legitimate email through to your inbox. If the email sender does not match the list of approved senders, the email is marked as spam or rejected.
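The integrity half of DKIM, as an added example that is not part of the article: the sender computes a hash of the canonicalized body (the `bh=` tag) and the recipient recomputes it, so any change to the body in transit shows up as a mismatch. The message, domain and selector below are constructed; verifying the `b=` signature itself would additionally need the public key from DNS and is not shown.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace to one
    space, strip trailing whitespace per line, drop trailing empty lines, CRLF endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def body_hash(body):
    """The bh= value a signer computes and a verifier recomputes (sha256, base64)."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_tags(header_value):
    """Split a DKIM-Signature tag list ('k=v; k=v') into a dict, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_signature, body):
    """Check that the bh= in a DKIM-Signature header matches the body actually received."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if not tags.get("a", "").endswith("sha256") or body_canon != "relaxed":
        return False  # only sha256 algorithms with relaxed body canonicalization handled here
    return tags.get("bh") == body_hash(body)

# Constructed message: the sending server computes bh= over the body it sent.
BODY = "Hello team,\r\n\r\nPlease   review the attached  invoice.\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
             " h=from:to:subject; bh=" + body_hash(BODY) + "; b=<signature omitted>")
```

Relaxed canonicalization tolerates whitespace changes introduced by intermediate mail servers, but any change to the words of the body still breaks the hash.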
DMARC is the most recent of the three records, having only been published in 2012 to further combat email abuse. The DMARC record builds on the DKIM and SPF records and adds an important reporting function, further preventing spammers from using your domain to send email without your permission (i.e. spoofing). It is set to reject mail that does not match the SPF and DKIM records, ensuring that these fraudulent emails are blocked before they reach your inbox. In addition, its reporting function gives you visibility into who is sending email on behalf of your domain, so that only legitimate email is received.
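How a receiving server combines the SPF and DKIM outcomes with the published DMARC policy, as an added example that is not from the article. The record in `POLICY` and the domains in the comments are constructed, and `org_domain` is a simplification (real verifiers use the Public Suffix List); `p=` is the domain owner's instruction for mail that fails, and the `rua=` address is where the aggregate reports described above are sent.

```python
def parse_dmarc(txt):
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organisational domain. Simplified to the last two labels; real verifiers consult
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(dmarc_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action). spf_domain is the MAIL FROM domain SPF was checked
    against; dkim_domain is the d= of a DKIM signature that verified. action is what the
    receiving server should do with a failing message according to the p= tag."""
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return (None, "no-policy")  # no usable DMARC record: message is not subject to DMARC
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return (True, "none")  # at least one aligned, authenticated identifier: deliver
    return (False, tags["p"])  # none/quarantine/reject as published by the domain owner

# Constructed policy for the example domain: strict DKIM alignment, relaxed SPF alignment.
POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
```

The alignment check is what stops a spoofed message from passing merely because SPF passed for the attacker's own envelope domain: the authenticated domain must match the From: domain the user sees.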
There are several other standards that provide sender authentication, such as OpenPGP, S/MIME and DomainKeys/DKIM. SPF and DMARC protect against phishing by default. Although SPF serves as a useful control against phishing attacks, it is not a full solution to cyber-attacks, as it has some limitations to its functionality, such as:
1) It does not include any encryption or content verification
2) It does not guarantee the actual ownership of the sender
3) It can only verify the domain of the sender, i.e. whether the email is from lifestyle.com, as opposed to SteveJoe@lifestyle.com
Considering the limitations of SPF, it is of great value to use SPF together with DKIM, which lets the recipient’s mail server verify that the message has not been altered in transit, and DMARC, which is set to reject mail that does not match the SPF and DKIM records.
There is no single standard that will resolve the issues associated with fraudulent behaviour or unsolicited emails; several standards must co-exist. Implementing these DNS records, along with other standards and ongoing prevention measures such as keeping software and systems fully up to date, backing up data, installing firewalls, controlling access to systems and employee awareness training, is essential to minimising cyber risks.
With 70% of global emails being malicious and 76% of organisations having reported being victims of phishing attacks, these records are key controls that cyber underwriters look for. They can also mitigate business risks that are not always covered by insurance policies, for example where a user enters their banking credentials after clicking a suspicious link, resulting in unauthorised access to the user’s bank account and the subsequent theft of funds. It is crucial that organisations and individuals consider implementing these tools to add verification and trust to their email services, while improving email deliverability.