Securing your emails

Email has been one of the most important communication tools on the internet for decades now. It's used by billions of people every day. That makes it a popular attack surface for hackers. In this post, we'll teach you some of the essential steps to protect your email identity on the internet.

SPF

SPF is a DNS record that lets a domain owner specify which servers are allowed to send email on the domain's behalf. This makes it much harder to spoof the domain. SPF is published as a TXT record in your DNS. It looks like this:

v=spf1 include:spf.example.email ~all

The v=spf1 part indicates that this is an SPF record; a record is only valid when it starts with this tag. The include:spf.example.email part authorizes a third-party provider to send email on behalf of our domain, by pulling in that provider's own SPF record. The ~all part at the end is a soft fail: any sender that matched nothing before it should be treated as suspicious rather than rejected outright.

Who checks SPF

SPF is checked by the receiving mail server. When an email arrives, the receiving server looks up the SPF record of the sending domain and compares the IP address the email came from against the IP addresses and domains authorized in that record. If the sender is not authorized, the receiving server will, depending on its configuration, either mark the email as spam or reject it entirely.
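As an added example (not code from the original post), here is a small SPF evaluator in Python that does what the receiving server does: it fetches the sending domain's record, walks the mechanisms in order and returns pass, softfail, fail, neutral, none or permerror, then maps that result to a delivery decision. The DNS data is a constructed in-memory table rather than live lookups, the domains and addresses are made up, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real check would query the resolver.
# The domains and addresses below are made up for this example.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.example.email ~all",
    "spf.example.email": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# What a typical receiving server does with each result (site policy, not a standard).
DISPOSITIONS = {
    "pass": "deliver", "neutral": "deliver", "none": "deliver",
    "softfail": "mark as spam", "fail": "reject", "permerror": "reject",
}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it has no v=spf1 TXT record."""
    record = dns.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return None
    return record


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record, the way a receiving server does.

    Returns pass, fail, softfail, neutral, none or permerror. Only the ip4, ip6,
    include and all mechanisms are implemented; a, mx, exists and macros would
    need more DNS queries and are reported as permerror here.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:  # an IPv4 sender never matches an ip6 network, and vice versa
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record evaluates to pass
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and there is no all mechanism


def receiver_decision(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT):
    """Combine the SPF result with the receiver's disposition table."""
    result = check_spf(sender_ip, mail_from_domain, dns)
    return result, DISPOSITIONS[result]
```

With the constructed table, a message from 192.0.2.1 claiming example.com ends at the ~all term and is marked as spam, while the same address claiming spf.example.email hits -all and is rejected; a domain with no record at all yields none, which is exactly the gap the next section describes.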

What could happen if you don't have SPF

A domain without SPF is vulnerable to spoofing attacks. This means that someone else can send emails using your domain. This is a common technique used by spammers: they send emails that appear to come from your domain to trick people into giving up personal information such as passwords or credit card details.

DKIM

DKIM is a DNS record that publishes the public key a domain uses to sign its outgoing emails, so that recipients can detect tampering in transit. DKIM is a TXT record that is added to your DNS. It looks like this:

v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEF

Just like the SPF record, the first part (v=DKIM1) indicates that this is a DKIM record. The p= part is the public key used to verify the signature of the email. The sending server signs selected headers and the body with the matching private key; the receiving server fetches the public key from the DNS record and verifies that signature. If the signature verifies, the email is considered valid and not tampered with.
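As an added example (not code from the original post), the Python below walks through both halves of that flow: the sending side canonicalizes the signed headers, hashes the body and signs with the private key; the receiving side reads the selector and domain from the DKIM-Signature header, looks up the public key in DNS and checks both the body hash and the signature. To stay runnable on the standard library alone, the RSA key is a toy built from two published primes and the p= tag holds "n.e" in decimal instead of the real base64 DER encoding; both are assumptions of this example, not DKIM as deployed, and the DNS table, domain, selector and message are constructed.

```python
import base64
import hashlib
import re

# Toy RSA key built from two published Mersenne primes so the example is deterministic
# and needs only the standard library. Real DKIM keys are randomly generated 1024- or
# 2048-bit RSA (or Ed25519) keys; a key made from public primes offers no security.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the sending server
KEY_BYTES = (N.bit_length() + 7) // 8

# Constructed DNS data. A real p= tag carries a base64 DER public key; this toy
# publishes "n.e" in decimal under the same tag to avoid an ASN.1 parser.
FAKE_DNS_TXT = {
    "sel1._domainkey.example.com": f"v=DKIM1; k=rsa; p={N}.{E}",
}


def rsa_sign(digest):
    """Textbook RSA over a SHA-256 digest (no PKCS#1 padding; illustration only)."""
    m = int.from_bytes(digest, "big") % N
    return pow(m, D, N).to_bytes(KEY_BYTES, "big")


def rsa_verify(digest, signature, n, e):
    m = int.from_bytes(digest, "big") % n
    return pow(int.from_bytes(signature, "big"), e, n) == m


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, collapse whitespace."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip()


def body_hash(body):
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def without_b_value(sig_value):
    """Return the DKIM-Signature value with the b= tag emptied, as it was when signed."""
    parts = sig_value.split(";")
    return ";".join(" b=" if p.partition("=")[0].strip() == "b" else p for p in parts)


def signed_data(headers, names, sig_value):
    """Digest of the canonical headers plus the DKIM-Signature header with b= empty."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [relaxed_header(n, lower[n]) for n in names]
    lines.append(relaxed_header("DKIM-Signature", without_b_value(sig_value)))
    return hashlib.sha256("\r\n".join(lines).encode()).digest()


def dkim_sign(headers, body, domain="example.com", selector="sel1"):
    """Sending side: produce the DKIM-Signature header value."""
    names = ["from", "to", "subject"]
    tags = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={':'.join(names)}; bh={body_hash(body)}; b=")
    signature = rsa_sign(signed_data(headers, names, tags))
    return tags + base64.b64encode(signature).decode()


def dkim_verify(headers, body, dns=FAKE_DNS_TXT):
    """Receiving side: fetch the public key from DNS and check body and signature."""
    lower = {k.lower(): v for k, v in headers.items()}
    sig_value = lower.get("dkim-signature")
    if sig_value is None:
        return False  # unsigned message: nothing to verify
    tags = parse_tags(sig_value)
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None or not record.startswith("v=DKIM1"):
        return False  # no key published for this selector
    if tags["bh"] != body_hash(body):
        return False  # body changed in transit
    n_str, e_str = parse_tags(record)["p"].split(".")
    digest = signed_data(headers, tags["h"].split(":"), sig_value)
    return rsa_verify(digest, base64.b64decode(tags["b"]), int(n_str), int(e_str))


# Constructed sample message.
SAMPLE_HEADERS = {"From": "alice@example.com", "To": "bob@example.net", "Subject": "Invoice"}
SAMPLE_BODY = "Hi Bob, the invoice is at https://billing.example.com/inv/42\r\n"
```

Signing the sample message and verifying it unchanged succeeds; swapping the link in the body fails on the bh= check before any signature math runs, and changing a signed header such as Subject fails on the signature itself. Note what DKIM does not cover: headers left out of the h= list can be altered without detection, which is why From is always included.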

What could happen if you don't have DKIM

Without DKIM it is possible for malicious actors to tamper with your emails. They could potentially intercept and modify your emails. They could replace links in your emails with phishing links that try to steal personal information from recipients.

DMARC

DMARC is the third and final DNS record that we'll be discussing in this post. DMARC is a TXT record and looks something like this:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Just like the SPF and DKIM records, the first part (v=DMARC1) indicates that this is a DMARC record. The p= part is the policy that tells the receiving server what to do with emails that fail both the SPF and DKIM checks. In this case we reject the email entirely. The rua= part is the email address that receives aggregate reports about emails that failed these checks. You can use these reports to monitor the health of your email and detect spoofing attempts.

What happens if you don't have DMARC

Without DMARC, malicious actors can still send emails that fail the SPF and DKIM checks, that is, emails that appear to come from your domain but do not. In most cases the receiving email server should mark these emails as spam. However, with no policy published by you, the receiving server may decide not to reject the email, and it will end up in the recipient's inbox.

By adding a DMARC record with p=reject, we tell the receiving server to reject emails that fail the SPF and DKIM checks, so they never reach the recipient's inbox.
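As an added example (not from the original post), the Python below shows how a receiving server combines the SPF and DKIM results with the From: domain and the published DMARC policy, and why a domain without DMARC can still be impersonated even when it has SPF: the impersonator's own envelope domain may pass SPF, but it is not aligned with the From: header, and without a policy the receiver has nothing telling it to reject. The DNS table, domains and messages are constructed, the policy handling covers p=, sp=, adkim= and aspf= only, and the organizational-domain logic is simplified to the last two labels (an assumption; real receivers consult the Public Suffix List).

```python
# Constructed DNS data; a live check queries the TXT record at _dmarc.<From: domain>.
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; sp=quarantine; rua=mailto:reports@monitor.example",
}

# What the receiver does for a DMARC fail under each requested policy.
POLICY_DISPOSITION = {"none": "deliver", "quarantine": "mark as spam", "reject": "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, applying the defaults for alignment modes."""
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example; real implementations consult the Public Suffix List.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def find_policy(from_domain, dns):
    """Look up the From: domain's record, falling back to the org domain's sp= policy."""
    policy = parse_dmarc(dns.get(f"_dmarc.{from_domain.lower()}"))
    if policy is not None:
        return policy
    policy = parse_dmarc(dns.get(f"_dmarc.{org_domain(from_domain)}"))
    if policy is not None:
        policy["p"] = policy.get("sp", policy["p"])  # subdomain policy applies
    return policy


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS_TXT):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope MAIL FROM domain that SPF evaluated;
    dkim_domain is the d= tag of a DKIM signature that verified (None if none did).
    """
    policy = find_policy(from_domain, dns)
    if policy is None:
        return "none", "deliver"  # no DMARC: the receiver is on its own
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", POLICY_DISPOSITION[policy["p"]]


def summarize(messages, dns=FAKE_DNS_TXT):
    """Count results per From: domain, roughly what an rua= aggregate report conveys."""
    counts = {}
    for m in messages:
        result, disposition = evaluate_dmarc(*m, dns=dns)
        key = (m[0], result, disposition)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed traffic: a legitimate message, a spoof whose own envelope domain passes
# SPF but is not aligned, and the same spoof against a domain with no DMARC at all.
SAMPLE_MESSAGES = [
    ("example.com", "pass", "example.com", "pass", "example.com"),
    ("example.com", "pass", "attacker.example", "none", None),
    ("unprotected.example", "pass", "attacker.example", "none", None),
]
```

Running the three sample messages shows the difference a record makes: the legitimate message passes, the spoof against example.com fails and is rejected because p=reject, and the spoof against unprotected.example yields a DMARC result of none and is delivered, since the receiver has no policy to act on. The summary counts are the kind of data the rua= reports deliver to you, and a steady stream of fail/reject rows for senders you do not recognize is the signal that someone is trying to spoof your domain.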

Dries Augustyns, Founder & Technical Lead at Plunk