Friday, March 25, 2016

SPF, DKIM and DMARC in Prevention of Email Spoofing


Email Spoofing is common nowadays. Cyber criminals often send emails to victims spoofing the emails by forging some other email addresses, and sometimes forging email addresses of someone well-known to us. They often do this for Phishing or spreading malware. SPF or Sender Policy Framework, DKIM or DomainKeys Identified Mail and DMARC or Domain-based Message Authentication, Reporting and Conformance are three technologies using which we can detect as well as prevent Email Spoofing.


Let's understand how they actually help us in detecting and preventing Email Spoofing.


What is SPF or Sender Policy Framework ?






SMTP or Simple Mail Transfer Protocol was first developed in 1982 and at that time it had very few security features. Though at that time there was not much concerns, later it became a major security concern. And, we needed mechanism to counter the security concerns. SPF or Sender Policy Framework is an extension to SMTP which is developed to counter the security concerns of Email Spoofing.


When an email is sent from one email address to another, the mail server corresponding to the sender's email address or the source mail server first resolves the IP address of the mail server corresponding to the receiver's email address or the receiving mail server.


This is done through MX or Mail Exchanger records of the DNS. When the sending mail server makes a DNS query for the IP address of the receiving mail server, corresponding MX records containing the IP address of the receiving mail server is fetched from the DNS Servers.


In SPF, a reverse MX record is published in the DNS Servers by the mail servers. As a result, whenever a receiving mail server gets an email from a sender, it checks the SPF records with the DNS Servers and verifies whether the sender of the email is an authorized person to send email from the corresponding domain.


In SPF, the domain owners publish a list of IP addresses or subnets that are authorized to send emails on their behalf. So, if the SPF records corresponding to the received emails do not match with authorized email addresses, the receiving mail server can detect that the received email is a spoofed one and takes proper steps.


What is DKIM or DomainKeys Identified Mail ?






DKIM or DomainKeys Identified Mail is another technology using which one can detect Email Spoofing. Unlike SPF, DKIM uses digital signatures to detect spoofed emails.


In this technology, the sender of the email signs the email with digital signature using his private key and that signature is added to the message header. And, the public key is published in the DNS Server.


So, when a recipient receives an email, the corresponding public key of the sender is fetched from the DNS Server and the digital signature is verified. If the verification is not successful, that would mean the email is a spoofed one.


What is DMARC or Domain-based Message Authentication, Reporting and Conformance ?


DMARC or Domain-based Message Authentication, Reporting and Conformance is another technology using which the recipient can detect as well as prevent Email Spoofing.


In DMARC, both SPF and DKIM is used in conjunction to detect and prevent email spoofing.


On receiving an email, first the SPF record of the domain is verified to see whether the actual sender is authorized to send emails from the domain. And then, using DKIM the digital signature contained in the header of the message is verified with the public key of the sender received from DNS Server.


If both the verification is successful, that would mean the sender of the email is an authorized person to send the email. If either or both the SPF and DKIM verification fails, that would mean the email is a spoofed one.



How to enable SPF, DKIM and DMARC ?


SPF, DKIM and DMARC can be enabled by the domain owners easily. One needs to follow instructions as given by the domain-host/webhost provider.



No comments:

Post a Comment