Secrets behind DMARC, DKIM & SPF and how they support BIMI and what is MTA-STS for?

DKIM Dmark and SPF oh my 1 Secure IT
Secrets behind DMARC, DKIM & SPF and how they support BIMI and what is MTA-STS for? 1 Demand ITS

Communication has always been the most crucial thing in building the foundation of trust in your business. In business, one of the most common forms of communication is through email. However, without the proper checks and balances in place, your organization is at genuine risk of losing professional trust. If you communicate by email, you NEED to make it secure. Otherwise, you run the risk of spoofed emails reaching your contacts, harming your reputation.

The most common attack vector for cybercriminals is through email compromise, and this can come in the form of an account takeover or a spoofed message. 

While we advise everyone to have regular cybersecurity training to detect spoofing and phishing emails, not everyone can tell the difference, so attackers take advantage of that.

  1. The attacker creates a fake account at your domain, i.e., [email protected]
  2. They send thousands of emails worldwide, including your contacts, asking for login credentials, credit card, health information or offering a link to a malicious document or application.
  3. The resulting loss of data and money breaks your customer’s trust in you and lowers the reputation of your domain with email servers around the world. 
  4. Legitimate emails you send are more now less likely to reach people’s inboxes, impacting your ability to communicate. 

The truth is without SPF, DKIM and DMARC, and you may never even know if this attack occurred. Then, suddenly, you start getting non-delivery reports (NDR) or messages from upset people. Meanwhile, your messages have been tagged as spam for weeks or months, never reaching their recipient.

Frequently asked questions about email security

What is SPF?

Sender Policy Framework (SPF) is one of the oldest and most widely used email security standards in use today. The premise is simple, only allow messages from the listed servers to send emails.

What is DKIM?

Domain Keys Identified Mail (DKIM) creates a digital signature, allowing the sender mail system to sign the message. The recipient’s mail server then checks that signature to know if it came from an authorized source and is unaltered.

What is DMARC?

Domain-based message authentication, reporting and conformance (DMARC) is an authentication method for email systems that helps to protect your organization from spoofing, phishing and other cybercrime activities by combining SFP and DKIM with a security policy.

What is MTA-STS?

Mail Transport Agent-Strict Transport Security (MTA-STS) is a security protocol designed to mitigate man-in-the-middle attacks (MITM) and ensure messages remain encrypted during transmission.

What is BIMI?

Brand Indicator for Message Identification (BIMI) helps you boost email credibility, boost engagement rates, and improve email deliverability and open rates. BIMI requires a valid DMARC policy and a registered trademark.

SPF, the first step in securing your email.

We start with SPF, the oldest and most widely used email security standard today. When an email server sees a message from your domain, it will check the SFP record to see if the server is an authorized source. If the DNS or IP address matches, it can be sent to the inbox. If it doesn’t, then it should be deleted or marked as spam. 

v=spf1 include:spf.protection.outlook.com include:autotask.net -all

a sample SPF record

The SPF record lists that outlook.com (aka Microsoft) and auttask.net are authorized to send emails on behalf of my domain.

The ‘-all’ will tell the server to fail any email that does not match; if it had ‘~all’, that would say to it tag the message but does not mean it won’t be delivered. The reality is, it was up to the receiving email server on how it interprets ~all vs -all, that was until DMARC came along.

DKIM, let’s own our messages.

Email is popular because of how easy it is to use and communicate, you don’t have to know much about the recipient other than an email address, and you can send a message. But, unfortunately, that ease of use also is why it’s prone to cybersecurity risks. 

Emails servers have little protection from Cybercriminals who can intercept emails, spoof them or even have their content altered. 

DKIM protects you against this form of attack by digitally signing every email you send. This signature can be read and is then provided more trust by the receiving server.

If a cybercriminal attempted to modify a message before delivery, the DKIM signature would preventing the receiving server from decrypting and delivering the message. 

Should they try to send a spoofed message from your domain, it would lack the DKIM signature and fail to authenticate, providing a warning to the receiving server to question the message’s legitimacy.

Since DKIM now exists, it dramatically reduces the chance of your emails ending up in the junk mail folder, especially with an email marketing campaign because it’s from a verified source in the eyes of your contact’s mail system.

DMARC – building on SPF and DKIM putting you in control.

The reality is, SPF and DKIM alone cannot protect your email; if you recall, earlier, I mentioned some things were left up to the receiving server on how to deal with messages. Therefore, DMARC introduces a set of rules you define on how the receiving email server should treat your messages.

The DMARC system also provides for monitoring threats in real-time should malicious sources attempt to spoof your domain.

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:1:d:s;

a sample DMARC record

When setting up DMARC, you should initially have it configured with p=none and a reporting server; the receiving mail servers will ignore DMARC but report if the message ‘is aligned’ with DKIM and SPF or not.

p=none – do nothing, but report if it passes or fails

p=quarantine – tag the message as spam, but allow delivery

p=reject – reject the message and prevent delivery

rua = Where to send aggregate reports; these are received and used to identify what sending sources are and if they are in or out of alignment.

ruf = This is to send forensic reports; since this can compromise privacy, most servers ignore this setting.

How DKIM, DMARC, SPF work together
How SPF, DKIM and DMARK work in your email flow

MTA-STS, let’s enforce encryption

Years ago, the internet was a different place; emails were in plain text, telnet was standard, and most people had little to no concept of cybersecurity. 

It was easy to intercept and read messages sent between systems; you might have heard today discussing end-to-end encryption. MTA-STS helps ensure your email communications are end-to-end encrypted.

With adequately configured MTA-STS records, we ensure that communication between Simple Mail Transfer Protocols (SMTP) servers always uses Transport Layer Security (TLS). This added layer of security prevents man-in-the-middle attacks (MITM) by providing a policy file hosted on HTTPS secured servers. 

MTA-STS requires a mail server with SMTP over TLS1.2 or, later, an HTTPS secure web server. Your domain MX server uses a TLS certificate issued by a trusted root certificate authority that is not expired and matches your domain name.

BIMI, letting the world trust your brand.

BIMI is an exciting new technology that expands on DMARC and provides brand recognition in all your email communications. It allows supporting mail servers to display your brand’s logo inside the email application showing trust for your domain.

BIMI before and after image as represented in a generic message
let, without BIMI, right, with BIMI, notice the HBO and YELP logo’s in the email client

There are a few things to know about BIMI. 

  1. BIMI requires DMARC with p=reject 
  2. BIMI requires a special certificate hosted online
  3. BIMI needs a trademarked logo

To trademark a logo in Canada, you can go to the IC.GC.CA, from there, apply for and register a trademark. Although there are online services that can do this, the typical cost appears to be 700-1200.00CAD for one logo. 

The requirements put it out of the realm of most small businesses, but if you’re looking to establish trust in your emails, then it might be worth pursuing.

Conclusion

The truth is the technical jargon is far more complicated than it really is; set up SPF, your email provider will tell you what to use for DKIM, create your DMARC record with p=none and start monitoring your emails. Once this is complete, and your legitimate emails pass DKIM and SPF change it to p=reject.

Setting up DMARK, DKIM and SPF should only take about an hour, then monitor it for a month, adjusting for any marketing services you may have forgotten.

If you have any questions about implementing the technologies mentioned in this article, feel free to reach out to set up a meeting with Robert Picard at Demand ITS, and we would be more than happy to review how we can help you accomplish your goals.