Email phishing is one of the most effective methods for hacking. Businesses can protect themselves by implementing SPF, DKIM, and DMARC. Along with GDPR, DMARC compliance is now becoming a government requirement — DHS is requiring it in the US and NHS is requiring it in the UK.
These three features should be a priority for every company that uses email. They increase email security, helps get your email to its intended destination, and prevents being blacklisted. Best of all, these are relatively easy to set up and FREE!
- make your email system more secure
- prevent your email from ending up in spam or trash
- prevent malicious spoofing of your email account
What is an SPF record?
We’d like to ask, what systems send your business email? You may use GSuite, Outlook, or some other service to send emails while at work so you might expect it to be one of those. However, there are other places that might send email using your domain. Do you have a company website? How do those emails get sent? Or how about a service like Hubspot or Salesforce? Creating an SPF Record in your DNS allows you to make a list of where emails should be expected to be sent from.
One example is Google for your work email, AWS for your website’s notifications, and Hubspot for your marketing efforts. If a server gets an email from you, it can detect what service sent it. If you have an SPF record listing those three services and an email was sent from Google, AWS, or Hubspot, everything checks out and it will send the email to the end-user. If it comes from another source, the server may put it in a spam folder or delete it entirely.
SPF is a TXT record that has a list of allowed email servers for sending email for a specific domain
What is DKIM?
Think of DKIM like an SSL certificate for your email. It is used to validate your email and detect if it is coming from a malicious source. To enable DKIM, your email service will generate one or more DNS entries that will be used to securely verify that your email was sent by a validated source . It also automatically adds a code into the email header of all of your emails. That code is like a special lock that can be unlocked by using the keys within the DNS entries that we just mentioned.
Google,Outlook, AWS, Hubspot, Salesforce and many other service all offer DKIM.
DKIM is a CNAME record that is used to securely validate email with a key stored in the email’s header.
What is DMARC?
DMARC is a way to tell email servers what to do if the SPF and/or DKIM fail to validate. Imagine a server gets an email from a source that appears to be malicious, without DMARC, the server has to determine what to do with the email and tells no one about the problem. With DMARC, the servers can email an administrator or IT professional in your company with a report of the validation failure. It can also specify what to do with emails that fail validation. You may choose to reject the email before delivery.
One possibility is that something isn’t setup correctly or is missing from your SPF or DKIM. In that case, emails that you would expect to reach their destination end up in the trash! This report will give your team the information needed to update the SPF/DKIM to make sure that your emails are validating and get where they should.
Another possibility is that someone is spoofing your email — someone is sending email as though it is sent from your company. This can be used for malicious purposes like phishing. It can also get your domain BLACKLISTED! When your domain is blacklisted, most email systems won’t deliver your email and it takes quite some time and effort to get removed from the Blacklist systems. You can test your domain on MXToolbox to see if you are on any blacklists.
DMARC is a TXT record that allows reports to be emailed to your system administrator when an SPF or DKIM check fails.
We recommend sending an email from your business email to your personal email (e.g. email@example.com) from every system that sends email with your domain. Example: Gravitate uses Google (work email), AWS SES (website notifications), and Hubspot (marketing email). We sent an email from all three of those sources to a personal @gmail.com account. Within that personal account, we viewed the email header to verify SPF, DKIM, and DMARC. Gmail works great for this!
In Gmail, open each email (from those three sources above)
- Click the ▼ next to the reply arrow
- Select “Show original”
- Verify SPF, DKIM, and DMARC have a status of ‘PASS’