• Email Security (SPF, DKIM, DMARC)
  • SPAM Filters (flags or blocks incoming emails based on reputation)
  • Email Labels (alert users that an incoming email is from an outside source)
  • Email Address/Domain/URL Blocking (based on reputation or explicit denylist)
  • Attachment Blocking (based on the extension of the attachment)
  • Attachment Sandboxing (detonating email attachments in a sandbox environment to detect malicious activity)
  • Security Awareness Training (internal phishing campaigns)

SPF

Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.

How does a basic SPF record look like?

v=spf1 ip4:127.0.0.1 include:_spf.google.com -all

  • v=spf1 -> This is the start of the SPF record
  • ip4:127.0.0.1 -> This specifies which IP (in this case version IP4 & not IP6) can send mail
  • include:_spf.google.com -> This specifies which domain can send mail
  • -all -> non-authorized emails will be rejected

Let’s look at Twitter’s SPF record using dmarcian’s SPF Surveyor tool.

DKIM

DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

DKIM Record looks like: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTQIC7vZAHHZ7WVv/5x/qH1RAgMQI+y6Xtsn73rWOgeBQjHKbmIEIlgrebyWWFCXjmzIP0NYJrGehenmPWK5bF/TRDstbM8uVQCUWpoRAHzuhIxPSYW6k/w2+HdCECF2gnGmmw1cT6nHjfCyKGsM0On0HDvxP8I5YQIIlzNigP32n1hVnQP+UuInj0wLIdOBIWkHdnFewzGK2+qjF2wmEjx+vqHDnxdUTay5DfTGaqgA9AKjgXNjLEbKlEWvy0tj7UzQRHd24a5+2x/R4Pc7PF/y6OxAwYBZnEPO0sJwio4uqL9CYZcvaHGCLOIMwQmNTPMKGC9nt3PSjujfHUBX3wIDAQA

  • v=DKIM1-> This is the version of the DKIM record. This is optional. 
  • k=rsa -> This is the key type. The default value is RSA. RSA is an encryption algorithm (cryptosystem).
  • p= -> This is the public key that will be matched to the private key, which was created during the DKIM setup process.

DMARC

DMARC, (Domain-based  Message Authentication Reporting, & Conformance) an open source standard, uses a concept called alignment to tie the result of two other open source standards, SPF (a published list of servers that are authorized to send email on behalf of a domain) and DKIM (a tamper-evident domain seal associated with a piece of email), to the content of an email. If not already deployed, putting a DMARC record into place for your domain will give you feedback that will allow you to troubleshoot your SPF and DKIM configurations if needed.

DMARC Record: v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com

  • v=DMARC1 -> Must be in all caps, and it’s not optional
  • p=quarantine -> If a check fails, then an email will be sent to the spam folder (DMARC Policy)
  • rua=mailto:postmaster@website.com -> Aggregate reports will be sent to this email address

DMARC checker: https://dmarcian.com/domain-checker/

S/MIME

S/MIME (Secure/Multipurpose internet Mail Extensions) is a widely accepted protocol for sending digitally signed and encrypted messages. 2 main ingredients for S/MIME are: 1. Digital Signatures and 2. Encryption