Understanding SPF DKIM DMARC and Good Domain Hygiene

Understanding SPF, DKIM and DMARC, and how to implement good domain hygiene, is a complex and specialist IT subject. Getting it wrong guarantees your emails will go to other people’s spam folders or, at worst, be rejected altogether.

With the rise of social media and e-commerce, hackers, spammers, phishers and spoofers have a tremendous financial incentive to compromise email accounts in order to steal passwords, bank account details, credit card numbers and much more. Safeguarding your own email system is down to you, so seek professional help to implement best practice and do not assume that email providers such as Microsoft or Google will either do this for you or tell you that it even needs to be done in the first place!

LEGITIMACY OF EMAILS

Criminals have found email hacking and spoofing a proven way to exploit our trust in well-known brands. For example, simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many of us! Computer users can’t tell a real message from a fake one, which is dangerous. All email providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users (spam). We all remain largely unaware of the continuous electronic crime occurring until it affects us personally or someone close by. Simply opening the wrong email can potentially lead to disaster… and all of us are only a click away!

WHO IS BEING TARGETED?

Criminals are specifically targeting generic email addresses such as accounts@..., info@..., sales@... and enquiries@... The people controlling these email addresses need to be singled out for specialist awareness training, and two-factor authentication on these accounts should also be considered.

CONSEQUENCES

Email is the easiest way for criminals to trick us and infiltrate our systems. Hacking into your email account or spoofing your email address enables criminals to contact the people you deal with as though they were you. They send emails pretending to be you, so their emails (your emails) are taken at face value by everyone who receives them. Circulated emails could contain viruses or dangerous links which can cause tremendous damage and ultimately get you blacklisted. Commonly, hackers write to your bank and your customers asking for money transfers into a new bank account (their account). Their sent emails and the subsequent replies are cleverly hidden from your inbox, so you don’t even know the fraud is occurring! The first time you hear of a problem is from your bank.

ADDRESSING THE ISSUES

Brands are harmed and reputations are lost if your email is hacked. Why? Because, unknowingly (via the hacker), you start sending spam and viruses to your client database. It is not a good look and may carry legal implications, as well as potentially getting you blacklisted. However, there are plenty of ways we can all address these issues. A good starting point is a verified and secure email system, which helps protect people and companies from painful and costly abuse.

If you are NOT already using a top-tier professional email provider, then we strongly recommend reading our document ‘Professional Email System’, which explains this in more detail (available on request). The vast majority of Computer-Clinic’s customers understand the importance of a professional email system and are currently using Google or Microsoft as their secure email provider.

INTERNATIONAL RESPONSE

The world is trying to put a stop to all this malicious activity. To combat the growing threat, all email providers, internet service providers and general internet users have got together to agree on new security frameworks, authentication mechanisms and email policies. These are called SPF, DKIM and DMARC respectively and represent the modern-day standards in email security and delivery.

For businesses, in order to comply with these security measures, you need to make some changes to your domain’s DNS zone records. N.B. This has nothing to do with your computer, email address or email program/software. It is purely at the ‘backend’ and relates to your domain.

SELF CHECKS & AWARENESS

Using https://toolbox.googleapps.com/apps/checkmx/ (if you are a Google or Google Apps for Work user) or https://www.unlocktheinbox.com/ (for everyone else), you can immediately analyse your domain and automatically find vulnerabilities in your email setup and configuration.

These show the specific areas of your domain that don’t comply with modern-day security requirements and so affect the trustworthiness of all the emails you send out.

To be honest, 95% of us will fail the tests, which means that over time you will start to notice more frequent email issues.

E.g. people not receiving your emails, or your emails ending up in spam folders instead of inboxes.

As the email systems of the world steadily impose and tighten the SPF, DKIM and DMARC email policies (clamping down and blocking or filtering out non-compliant emails), any email system that doesn’t meet the criteria and standards will soon find that its emails are not getting through. This means you will lose money if, for example, the quotations you send via email don’t even make it to your customer’s inbox… and this is already happening on a daily basis, right now!

ACTION REQUIRED

The ‘fix’ is complex. We will need to log in to your domain host (the company you pay for your domain name) and add some specific information there, which your email provider will generate for you. Your domain host might actually be your website company or your internet provider, so you/we would need to contact them and guide them through the changes.

Engaging us (Computer-Clinic) to carry out all the work is billed at 1 hour, which reflects the cost for us to fix the domain, document all settings and give the necessary advice on the entire matter. The required domain zone-level changes take effect over a 24-hour period, with billable time capped at 1 hour. At the end of the process, your domain will fully comply with MX, TXT, SPF, DKIM and DMARC, which means that going forward your email systems will be as secure as possible and your sent emails will be considered ‘trustworthy’. The chances of your emails ending up in other people’s spam folders or even being rejected are eliminated.
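To make the self-check and the zone-record changes above less abstract, here is a small added example (illustrative code, not Computer-Clinic’s tooling and not what the linked checker sites run) that performs the kind of checks those sites report on. It reads the TXT records a domain publishes and flags the usual weaknesses: no SPF record or a permissive ‘all’ qualifier, too many SPF lookup terms, a missing or monitor-only DMARC policy, and a missing DKIM key. The zone it checks is a constructed sample embedded in the script so it runs offline; the domain name, record values, DKIM public key and the selector name ‘google’ are all assumptions for illustration, as are the helper function names.

```python
"""Added example: a zone-record self-check for SPF, DKIM and DMARC.

Illustrative code only (not Computer-Clinic's tooling). It inspects the TXT
records a domain publishes and reports the weaknesses self-check sites flag.
"""
import re

# Constructed sample zone: DNS name -> list of TXT record strings.
# Names, values and the DKIM public key are made-up placeholders.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
    "google._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    ],
}

# SPF mechanisms that each cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def find_spf(txt_records):
    """Return the domain's SPF record, or None unless there is exactly one."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_findings(record):
    """Flag a missing record, a permissive 'all' qualifier and too many lookups."""
    if record is None:
        return ["SPF: no single record published; receivers cannot verify your sending servers"]
    findings = []
    terms = record.split()[1:]  # drop the 'v=spf1' version tag
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are neither passed nor failed")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # default qualifier is '+'
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, so spoofed mail is not marked as failing")
        elif qualifier == "~":
            findings.append("SPF: '~all' is a softfail; move to '-all' once every sender is listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10, so the record fails with permerror")
    return findings


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt_records):
    """Flag a missing DMARC record, a monitor-only policy or no reporting address."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>; receivers have no policy to apply to failing mail"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag, so the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you will receive no aggregate reports")
    return findings


def dkim_findings(zone, domain, selectors):
    """Check that each DKIM selector your provider signs with publishes a key."""
    findings = []
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        keys = [r for r in zone.get(name, []) if r.upper().startswith("V=DKIM1")]
        if not keys:
            findings.append(f"DKIM: no key at {name}; mail signed with selector '{selector}' cannot be verified")
        elif not parse_tags(keys[0]).get("p"):
            findings.append(f"DKIM: empty 'p' tag at {name}, which means the key has been revoked")
    return findings


def check_domain(zone, domain, dkim_selectors=("google",)):
    """Run all three checks for one domain; an empty list means no findings."""
    findings = spf_findings(find_spf(zone.get(domain, [])))
    findings += dmarc_findings(zone.get(f"_dmarc.{domain}", []))
    findings += dkim_findings(zone, domain, dkim_selectors)
    return findings


if __name__ == "__main__":
    for finding in check_domain(SAMPLE_ZONE, "example.com"):
        print(finding)
```

Run as-is, the script reports two findings for the sample zone: the SPF record ends in ‘~all’ (softfail rather than a hard ‘-all’) and the DMARC policy is ‘p=none’ (monitoring only). To check a live domain you would replace the sample dictionary with the TXT records returned by a DNS lookup; the checks themselves do not change.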

ADDITIONAL MEASURES

There are many more areas where you can improve the security of your emails and completely eliminate email problems. For maximum security, compliance and general peace of mind, there are several additional improvements listed below. A good idea would be to tick off as many boxes as possible.

From experience, item 7 is the key to nipping problems in the bud before they occur:

  1. Use a verified and secure email provider which helps protect users and your brand from painful and costly abuse.  See our document ‘Professional Email System’ for more info.

  2. Ensure your domain’s zone records are updated and comply correctly (detailed above).

  3. Have two separate Super Administrator Accounts for your email system.

  4. Ensure your Super Administrator accounts use two-factor authentication.

  5. Use a legal disclaimer within your email signature (see Computer-Clinic’s as an example).

  6. Have professional anti-virus software on all computers, laptops, macs, phones and tablets.

  7. Training and user awareness – you and your team need training, as you are the first line of defence and your antivirus should be considered the last. You need to know how to spot and avoid ‘unsafe’ emails, and what to do if you are caught out by opening an email which contains a dubious attachment or an unknown, risky link!

SUMMARY & NEXT STEPS

Computer-Clinic is a professional IT company offering up-to-date support, advice and training for any type of business and its associated computer hardware. We are fully qualified to assist in the area of email security. We provide all the required documentation and will guarantee your systems have the maximum security possible, along with your users’ ability to proactively prevent electronic crime.

In this day and age, using any device that is connected to the internet gives rise to potential security pitfalls. However, with the right training, security and systems in place, all the aforementioned issues are avoidable. After reading this document, please feel free to get in touch to have all your questions answered and your vulnerabilities minimised.
