Email Spoofing – How SPF, DMARC and DKIM Help Detect and Prevent Attacks

Finjan Team | Blog, Cybersecurity


As email remains one of the primary communications channels for private individuals, commercial or non-commercial organizations, and government institutions, it’s little wonder that it also continues to be a medium of choice for hackers and cyber-criminals.

Two of their preferred attack methods are impersonation and fraud – both of which may be readily accomplished by spoofing the internet domains associated with legitimate email entities so that the perpetrators can send messages to their intended victims which seem to originate from the email accounts of trusted names.

This problem has escalated to the extent that the US Department of Homeland Security (DHS) has been forced to issue a directive mandating all US federal government agencies to authenticate their email so as to prevent spoofing. But it’s not only government that should be taking such precautions. In this article, we’ll be looking at how email authentication standards such as SPF, DKIM and DMARC can help detect and prevent email spoofing.

Email Spoofing – The Scale of the Problem

Of the more than 100 billion business emails sent during 2013, only 20% were actually legitimate – and 92% of all the illegitimate emails housed links to potentially malicious software or content.

Flash forward to the present, and in a 2017 Proofpoint study of email metadata from around 70 million messages, over 8.5 million fraudulent messages were found. This statistic is particularly significant as the research covered 4,989 unique .gov (US government registered) parent domains, spanning federal, state, and local agencies. Almost 10% of the fraudulent emails discovered were sent from IP addresses outside the United States.

Besides the “usual suspects” – like Russia, which accounted for 27% of malicious emails spoofing institutional identities since January 2016 – the study observed spoofed .gov emails originating from 187 different foreign countries, in the month of October alone. In fact, 12.4% of all the emails sent from .gov domains in that month originated from foreign IP addresses.

In 98.5% of email fraud cases, cyber-criminals spoofed the domain of a US government entity, effectively hijacking 3,134 different domains across 296 federal agencies and departments, plus hundreds of state and local government organizations.

Because of statistics like these, the US Department of Homeland Security issued BOD 18-01 – a directive mandating federal agencies to authenticate their email as a measure towards eliminating the ability of fraudsters to impersonate US federal agencies.

And to achieve this end, organizations and individuals are advised to implement their best combination of the email security standards that we’ll now describe.

Sender Policy Framework (SPF)

The Sender Policy Framework or SPF was one of the earliest attempts to counter email spoofing activities. Still in existence today, SPF is an open standard which specifies a method for preventing sender address forgery. Email sender forgery is typically associated with spam (unsolicited bulk mail), fraud, malware distribution, and phishing attacks.

Under the SPF protocol, senders use an SPF record published in DNS (the Domain Name System) to specify which servers are allowed to send email for a particular domain. So you can use SPF to identify your internet domain’s legitimate email sources and prevent unauthorized sources from sending illicit or fraudulent emails from your domain.

SPF is all about controlling and preventing attempted sender forgeries, rather than proactively eliminating spam. However, the method only checks the domain of the envelope sender used in the SMTP (Simple Mail Transfer Protocol) transaction, which is known as the MAIL FROM address; it says nothing about the From: header that the reader sees. Consumer-level email software doesn’t display the envelope address – and as a consequence, SPF is of most value as a lower-level warning sign for email service providers.
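To make the envelope check concrete, here is an added Python example (not from the original article) that evaluates an SPF record for the MAIL FROM domain against the connecting IP address. The DNS data is a constructed in-memory table rather than live lookups, the domain names are documentation placeholders, and only the ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (assumption: no live lookups are made).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = FAKE_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1 ") else None


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the envelope MAIL FROM domain's SPF record against the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 result names)."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to guard against loops
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # a network of the other IP version never contains the address
            if addr in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include: matches only when the referenced record yields "pass"
            if check_spf(client_ip, argument, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists and modifiers are not modelled here
    return "neutral"  # record exhausted without an "all" term
```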

Preventing Email Spoofing with DKIM – DomainKeys Identified Mail

DomainKeys Identified Mail or DKIM is an email authentication standard whose public key is published as a text (TXT) record in the Domain Name System. It allows a particular domain owner to cryptographically sign parts of a message so that a recipient can validate that they haven’t been altered in transit.

Under DKIM, public and private signing key pairs are generated so that mail servers and their messages can be authenticated. Each sending Simple Mail Transfer Protocol server must hold the correct private key and selector (the prefix of the DNS record name) so that its signatures match the public key in the DNS record, which the receiving mail server looks up and verifies.

Generally speaking, if an email recipient validates a communication sent under DKIM, the body content and specified headers (From:, To:, Subject:, etc.) have not been modified by anyone along the way.

Using the DKIM standard, an email recipient can associate a single domain or multiple domains (if multiple DKIM signatures have been placed on an email) with each signed message. So a log of “trusted” and “untrusted” emails may be built up over time and associated with given domains, IP addresses, From: identities, and other criteria.

DKIM has weaknesses of its own. For example, if DKIM signing isn’t implemented across all departments of a particular organization, unsigned mail from the remaining departments may generate some confusion. Also, as a DKIM signature may be made using any domain name (the signing domain need not match the From: address), it can be difficult to establish which domains of origin are actually trustworthy.
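The body-hash half of a DKIM verification, as an added Python example that is not from the original article: it applies the "relaxed" and "simple" body canonicalization of RFC 6376 and compares the recomputed digest with the bh= tag of the DKIM-Signature header. The message body and header are constructed, and the b= signature over the headers (which needs the public key from DNS) is not verified here.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """DKIM body canonicalization (RFC 6376 section 3.4). 'simple' only removes empty
    lines at the end; 'relaxed' also collapses whitespace runs and trims line ends."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    canon = b"\r\n".join(lines)
    while canon.endswith(b"\r\n"):
        canon = canon[:-2]
    if not canon:
        return b"\r\n" if mode == "simple" else b""
    return canon + b"\r\n"


def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace dropped)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def compute_body_hash(body, mode="relaxed", algo="sha256"):
    """Signer side: the base64 digest that goes into the bh= tag."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(dkim_header, body):
    """Verifier side: recompute bh= from the received body and compare it with the tag."""
    tags = parse_tags(dkim_header)
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = "sha256" if tags.get("a", "rsa-sha256").endswith("sha256") else "sha1"
    return compute_body_hash(body, mode, algo) == tags.get("bh")


# Constructed sample message body and the DKIM-Signature a signer would attach to it.
ORIGINAL_BODY = b"Hello,\r\n\r\nPlease  review the  attached invoice.\r\n\r\n"
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                    "h=from:to:subject; bh=" + compute_body_hash(ORIGINAL_BODY) + "; b=")
```

Under relaxed canonicalization a forwarder that re-wraps whitespace or trims trailing blank lines does not break the hash, while any change to the words of the body does.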

Preventing Email Spoofing with DMARC – Domain-based Message Authentication, Reporting, and Conformance

Domain-based Message Authentication, Reporting, and Conformance or DMARC takes a combined approach, by allowing a message sender to indicate whether their messages are protected with SPF and/or DKIM. By publishing a record in the Domain Name System (DNS), domain owners can specify what email recipients should do with any email received from their domain.

If you publish a DMARC record for your domain, email recipients should first check that the From: header domain matches the DKIM signing domain (this is known as alignment) and that the DKIM signature is valid. They should also check whether the From: header domain matches the SMTP MAIL FROM domain and whether the sender’s IP address passes SPF. If either check succeeds (or both do), the email passes the DMARC test.

A DMARC policy clearly stipulates what a message recipient should do if an email doesn’t pass aligned SPF or DKIM authentication. For example, they may be instructed to reject the message or delete it. In addition, DMARC provides for reports to be sent back to the sending domain’s owner about messages that pass and/or fail the DMARC evaluation.

DMARC is considered a strong anti-phishing protocol. Since measures are in place to ensure that the domain in the From: address of an email can’t be forged (for domains which DKIM sign their emails and publish a DMARC policy), identity spoofing becomes that much harder for the enterprising fraudster.

There is, of course, a caveat here. Since DMARC allows you to use either SPF or DKIM to verify a message, some users rely solely on SPF and don’t DKIM sign their messages. If a message created in this way is forwarded from one email provider to another, the DMARC test will fail, because the forwarding server’s IP address is not listed in the original domain’s SPF record and there is no DKIM signature to fall back on. So organizations and individuals are advised to always DKIM sign their mail if they have a DMARC policy in place.
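The alignment rules and the forwarding caveat, as an added Python example that is not from the original article. The DMARC record and the message scenarios are constructed, and the organizational-domain helper assumes the last two DNS labels instead of consulting the Public Suffix List.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Assumption: the organizational domain is the last two labels. Real receivers
    consult the Public Suffix List so that names such as example.co.uk are handled."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf, dkim_signatures):
    """spf is (result, MAIL FROM domain); dkim_signatures is a list of (result, d= domain).
    Returns (dmarc_result, disposition), where disposition is what the receiver should do."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none", "none"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim_signatures)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")  # p= is none, quarantine or reject


# Constructed policy: strict DKIM alignment, relaxed SPF alignment, reject on failure.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def forwarding_scenarios():
    """The caveat from the text: after forwarding, SPF fails because the forwarder's IP
    is not in the origin domain's record; only a surviving DKIM signature can still pass."""
    signed = evaluate_dmarc(RECORD, "example.com", ("fail", "example.com"), [("pass", "example.com")])
    spf_only = evaluate_dmarc(RECORD, "example.com", ("fail", "example.com"), [])
    return signed, spf_only
```

The spoofing case is the one the text calls out: a sender whose SPF and DKIM both pass for its own domain still fails DMARC for a From: header of example.com, because neither result aligns.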

Deploying These Standards to Prevent Email Spoofing

Depending on the software and email platforms being used, there are a number of methods for implementing SPF, DKIM, and DMARC to prevent email spoofing. Google publishes a guide for configuring SPF records to work with Google Apps – which is a good place to start for those new to the standard.

Likewise, the articles Authenticate email with DKIM (published by Google) and Enhancing Email Security: Stop Sender Fraud with SPF, DKIM, and DMARC (on give step-by-step examples on setting up DKIM and DMARC spoof protection.
