Step 8: Prevent Spam and Identity Misuse

From Security for Everyone, edition e1.0.0. Updated October 9, 2023.

We spent a lot of time thinking about work email and enabling your employees to be secure; now we need to think about the stuff around the edges of that. What about the people on the other end of the email message?

At the end of the day, email is just a digital way we communicate with customers, suppliers, and others. When a supplier comes by to drop off some goods and hands you an invoice, you instantly know and trust that they are who they are. They might be wearing the supplier uniform, driving a supplier branded vehicle, they might even be the same person from the supplier you have worked with for ages. You can trust who they are, what they are doing, and more importantly that the invoice they have handed you is real.

When applied in a digital sense, it is tricky, as you need to rely on cues you find in the email or elsewhere online. Most of the time this cue is the sender's email address. Sadly, this can be easily spoofed, or faked, because nothing in plain email checks that the address shown is really where the message came from. It is like a stranger coming into your business, with a handwritten and fake supplier name badge, asking to pick up that payment you missed last month.

You need to think about this as if you and your business were spoofed. What if someone could send an email from your domain? Not only would this be a bad look, but the possibilities could be endless. Someone could impersonate you to your customers, future customers, employees, suppliers, or anyone. Even something as innocuous as sending a very obvious scam email could cause people to raise concern that your work email domain is not safe. That can have a domino effect on your email's reputation, your ability to send emails without problems, and even the indirect impact of people not trusting your business.

The solution to this is a one-time configuration setup on your mail domain (so long as you don’t change mail providers or domains). The solution also includes a lot of acronyms, so bear with me.

  1. It starts with setting up Sender Policy Framework (SPF). This is a setting that tells receiving mail servers which servers are allowed to send mail for your email domain. For example, if you use Google Workspace for your mail, only Google Workspace's servers should be sending email for your domain. If someone tries to send an email from your domain through a different mail provider or server, the receiving server can see that the sending server is not on your list and treat the message as suspicious: sending it to the spam folder, or covering it from top to bottom with warnings saying "this email sender might be spoofing their domain."

    The configuration relies on a specific value being stored in a text field (called a TXT record) in your domain's DNS (Domain Name System) records. It might look something like this:

    v=spf1 include:_spf.google.com ~all

    It is like pinning a note to your work email that says, "Here is where we send our mail from." Reading the example above: `include:_spf.google.com` says "anything Google lists as its mail servers may send for me," and `~all` says "treat anything else as suspect" (a so-called soft fail; `-all` would say "reject anything else" outright). It looks a bit technical, but don't get overwhelmed. You will set it up once, then enjoy the benefits of security without having to worry much about it again. Your email provider can usually give you the exact line of text you need, so search their support pages for "SPF" and you should be sorted.

    As the reader of Part II, you are a small business. As you grow, though, or as you use more online email marketing, you might have to change the SPF setting. For example, if you use a mail marketing platform to email your customers, you will need to add that platform's servers to your SPF record so they have permission to email on behalf of your domain; otherwise their messages will be the ones landing in spam. It is just something good to keep in mind as you grow, or start getting into email-focused work.

  2. Next, you can set up what is called DomainKeys Identified Mail (DKIM). The theme here is to set up multiple security controls, so if one fails, you are still safe. Using SPF and DKIM together is like that. SPF is not foolproof: it only checks which server handed over the message, so it breaks when mail is legitimately forwarded, and it says nothing about whether the message itself was altered. DKIM takes it one step further by digitally signing all outgoing emails. The public key that lets recipients check those signatures is published in a DNS TXT record, much like SPF.

    Remember back in grade school, when you would come home with bad grades and you had to have your report card signed by your parents? And when you tried to hand in a forged signed report card to your teacher, they laughed and made you go to the principal’s office? (No, just me?) Well, it is the same thing. Except the teacher is a recipient’s mailbox, and the report card is an email message, the teacher’s laugh is a “DKIM failure response” because the signature is not legitimate, and the principal’s office is a spam or quarantine folder where all emails go to die.

    The good thing is that setting up DKIM with the large email providers can be quite easy. Although larger businesses might manage their own signing keys, as an early small business you can get by with simply using the DKIM setup your large email provider gives you. As with SPF, this is done by adding a TXT record to your domain's DNS so receiving servers can check that a signature is real.

There is a third acronym out there called DMARC (or Domain-based Message Authentication, Reporting, and Conformance), an email authentication protocol that tells receiving servers how to handle emails that fail, or do not line up with, your SPF and DKIM checks, and that sends you reports about who is sending mail in your name. Without it, receivers have no instruction from you and fall back on their own judgement. Setting up DMARC can be quite technical, and will become more important as your business grows. For now, SPF and DKIM together make it much harder for others to impersonate you or your work domain.
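To see how a receiving server actually uses the three records described above, here is an added walk-through in Python. It is example code written for this page, not code from the book or from any mail provider. Everything in it is constructed: the domains example.com, example-mail.net and strict.example, the IP ranges, the DKIM selector name `mail`, the placeholder public key, and the "fake DNS" table that stands in for real lookups so it runs offline. It evaluates SPF the way a receiver would (including the `include:` chain and the `~all` / `-all` qualifiers), finds the DKIM key record, reads the DMARC policy, and combines them into a verdict. SPF terms that need live DNS (`a`, `mx`, `exists`, `redirect=`) are reported as unsupported here rather than guessed.

```python
"""Offline walk-through of SPF, DKIM-record and DMARC lookups (added example)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. None of these are real records;
# the domains, IP ranges, selector and key are documentation placeholders.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example-mail.net ~all"],
    "_spf.example-mail.net": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "strict.example": ["v=spf1 ip4:198.51.100.10 -all"],  # SPF only: no DKIM, no DMARC
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query."""
    return FAKE_DNS_TXT.get(name.lower(), [])


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting server's IP.

    Returns the result a receiver would act on: pass, fail, softfail, neutral,
    none (no record) or permerror (unusable record).
    """
    if depth > 10:            # SPF caps include chains; runaway recursion is an error
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:     # exactly one SPF record is allowed per domain
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"       # a term with no qualifier means "pass if it matches"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # An IPv4 address is never "in" an ip6 network (and vice versa)
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # Borrow the included domain's list; only a "pass" there counts as a match
            matched = check_spf(argument, sender_ip, depth + 1) == "pass"
        else:
            # a, mx, exists, redirect= need live DNS; not supported in this offline example
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"          # record ran out without any term matching


def dkim_public_key(domain, selector):
    """Return the DKIM key record published at selector._domainkey.domain, if any."""
    for record in lookup_txt(f"{selector}._domainkey.{domain}"):
        tags = parse_tags(record)
        if tags.get("v", "DKIM1").upper() == "DKIM1" and "p" in tags:
            return tags
    return None


def dmarc_policy(domain):
    """Return the domain's DMARC 'p=' policy (none/quarantine/reject) or None if absent."""
    for record in lookup_txt(f"_dmarc.{domain}"):
        if record.upper().startswith("V=DMARC1"):
            return parse_tags(record).get("p", "none").lower()
    return None


def receiver_verdict(from_domain, sender_ip, dkim_signing_domain=None):
    """What a receiving server does with a message claiming to be from from_domain.

    dkim_signing_domain is the d= domain of a DKIM signature that verified, if any.
    """
    spf = check_spf(from_domain, sender_ip)
    dkim_ok = dkim_signing_domain is not None and dkim_signing_domain.lower() == from_domain.lower()
    if spf == "pass" or dkim_ok:
        return "accept"
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "flag"         # no instruction from the domain owner: receiver's own heuristics apply
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy, "quarantine")


if __name__ == "__main__":
    cases = [("example.com", "203.0.113.5", None),            # sent from the provider's own range
             ("example.com", "192.0.2.9", None),              # spoofer on some other server
             ("example.com", "192.0.2.9", "example.com"),     # forwarded, but DKIM signature held up
             ("strict.example", "192.0.2.9", None)]           # hard SPF fail, no DMARC to consult
    for who, ip, dkim in cases:
        print(f"{who} from {ip}: SPF={check_spf(who, ip)} -> {receiver_verdict(who, ip, dkim)}")
```

The third case is the one that shows why the book recommends both records: the message fails SPF because it came through a forwarder's IP, but the DKIM signature still verifies against the key in DNS, so it is accepted. The fourth case shows what "no DMARC" means in practice: the receiver is left to its own heuristics, which is the flagging behaviour described in the next paragraph.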

One last thing you can do for SPF and DKIM is to set rules on how your own mailboxes handle incoming mail that fails these checks, preventing spoofed messages from reaching you or your employees. Most large mail providers at least flag failures with a bunch of warnings by default (big yellow and red ones too, so they are hard to miss). If this isn't the default setting, sending those failures straight to spam is the best setting to have.

Don't worry, messages from domains that have no SPF or DKIM records at all will still be received; you just won't really be protected if someone spoofs those domains, and there is not much you can do about that. That is exactly why we have multiple other controls, like alerts when phishing is reported, or uncommon attachments and links turned off, to protect us instead.

More on SPF and DKIM:

If you want to take the next step into DMARC, these two guides are a great place to start:
