Let us talk about e-mail and, in particular, about the reliability of ordinary e-mail: a service that allows billions of messages to be exchanged around the world every day. We focus on three security techniques: SPF, DKIM and DMARC.
Acknowledgements
A chat with friend and colleague Arianna Crepaldi gave rise to the desire to publish an article written some time ago on the correct configuration of e-mail systems. Together with her and her colleague Gianluca Bilato, we had observed the frequent misconfiguration of e-mail services. It is therefore only right to clarify a few key concepts, without which one cannot understand the risks one is running. I thank Arianna for prompting me to write this short article.
Introduction
E-mail is one of the most widely used communication tools in both personal and professional environments. However, its popularity has also made it a major target for cyber attacks, including spoofing, phishing and other digital frauds. To counter such threats, authentication protocols and mechanisms such as SPF, DKIM and DMARC have been developed. In this document, the purposes and functioning of these systems are explained in a simple manner, as well as the risks arising from their failure or misconfiguration. Before we begin, it is good to clarify a key concept: what is spoofing in e-mail.
What is Spoofing in E-mails
E-mail spoofing is a fraudulent technique by which an attacker sends e-mails making it appear that they come from a legitimate address, when in fact they were sent from an unauthorised source. This allows attackers to deceive recipients, facilitating the spread of malware, the theft of sensitive data or the launch of phishing campaigns. Preventing spoofing is therefore crucial for IT security. One means of countering this fraudulent technique is to use systems such as SPF, DKIM and DMARC.
What is the Sender Policy Framework (SPF) System
SPF, which stands for Sender Policy Framework, is an e-mail authentication protocol that allows the owner of a domain to specify which servers are authorised to send e-mails on behalf of that domain. The purpose is to prevent unauthorised senders from sending messages that appear to come from a legitimate domain.
The way it works is quite simple: the domain owner publishes, via a TXT record in the DNS, a list of authorised servers. When a server receives an e-mail, it checks the sender domain’s SPF record to see whether the IP address of the sending server is among those authorised. It is important to point out, however, that SPF does not protect the content of the e-mail, nor does it prevent the ‘From:’ address displayed to the user from being altered; it is nonetheless a first, fundamental filter against spoofing.
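The check described above, as an added example that is not part of the original article: a small SPF evaluator that parses a record and decides whether a sending IP address is authorised. The DNS lookups are replaced by an embedded table of constructed records (the domains and addresses are hypothetical documentation values), so it runs offline. The domain it evaluates is that of the envelope sender (SMTP MAIL FROM), which is what SPF authenticates and why the displayed ‘From:’ header can still differ.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The domains and addresses
# are hypothetical (documentation ranges); a real check would query DNS.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefixes and the SPF result they yield when a mechanism matches.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, resolver=TXT_RECORDS):
    """Return the SPF record published for domain, or None if it has none."""
    record = resolver.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, resolver=TXT_RECORDS, depth=0):
    """Evaluate whether sender_ip may send mail for domain.

    domain is the domain of the envelope sender (SMTP MAIL FROM), which is
    what SPF actually authenticates. Supports the ip4, ip6, include and all
    mechanisms with the +, -, ~ and ? qualifiers; a, mx, exists and redirect
    are skipped in this example.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; runaway includes are a permerror
        return "permerror"
    record = lookup_spf(domain, resolver)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # an IPv4 address never matches an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            # include matches only if the referenced domain's record yields "pass"
            # (a missing record would be a permerror in RFC 7208; treated as no match here)
            matched = check_spf(sender_ip, arg, resolver, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.7", "example.com"), ("2001:db8:1::5", "example.com")]:
        print(f"{ip:>16} for {dom}: {check_spf(ip, dom)}")
```

Note that a record ending in `~all` (softfail) only marks unlisted senders as suspicious; `-all` is what lets a receiver reject them outright.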
What the DomainKeys Identified Mail (DKIM) system is
DKIM, or DomainKeys Identified Mail, is an authentication system that uses public key cryptography to digitally sign e-mail messages. It essentially guarantees that the content of the e-mail has not been altered during transit and that it actually comes from the declared domain. Its operation is based on a digital signature that is affixed to the message by the sender’s server, using a private key. The recipient, using a public key published in the DNS of the sender’s domain, can verify the authenticity of the signature and the integrity of the message. In addition to counteracting spoofing, DKIM protects against message manipulation and helps enhance the domain’s reputation.
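The integrity guarantee described above, as an added example that is not part of the original article: DKIM records a hash of the canonicalized message body in the `bh=` tag of the DKIM-Signature header, and a verifier recomputes it to detect any change in transit. This code implements the ‘relaxed’ body canonicalization and the `bh=` check with the Python standard library; the message body, the `d=`/`s=` values and the `b=` placeholder are constructed, and the RSA signature over the headers (the `b=` tag, checked with the public key published in DNS) is outside the scope of this snippet.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4):
    collapse runs of spaces/tabs to one space, drop trailing whitespace on
    each line, drop empty lines at the end, and end a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, canonicalization="relaxed"):
    """Compute the bh= value: base64(SHA-256(canonicalized body))."""
    if canonicalization == "relaxed":
        canon = canonicalize_body_relaxed(body)
    elif canonicalization == "simple":
        # 'simple' only removes empty lines at the end and ensures a final CRLF
        canon = body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"
    else:
        raise ValueError("unknown canonicalization: " + canonicalization)
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 padding '=' stays in the value
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature, body):
    """Return True if the bh= tag matches the body as received. False means the
    body was altered (or the signature does not use SHA-256). This is the
    integrity half of DKIM; the b= signature over the selected headers still
    has to be verified with the public key at <s>._domainkey.<d> in DNS."""
    tags = parse_dkim_tags(dkim_signature)
    if not tags.get("a", "").lower().endswith("sha256"):
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_canon) == tags.get("bh")


# Constructed message body and a DKIM-Signature header built for it; d=, s=
# and b= are placeholders (producing a real b= needs the signer's private key).
ORIGINAL_BODY = "Dear customer,\r\n\r\nYour invoice is attached.  \r\n\r\n"
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date;\r\n"
    f" bh={body_hash(ORIGINAL_BODY)};\r\n"
    " b=PLACEHOLDER"
)
# A modification in transit: the hash no longer matches.
TAMPERED_BODY = ORIGINAL_BODY.replace("invoice is attached", "new bank details are attached")

if __name__ == "__main__":
    print("original body:", verify_body_hash(SIGNATURE_HEADER, ORIGINAL_BODY))  # True
    print("tampered body:", verify_body_hash(SIGNATURE_HEADER, TAMPERED_BODY))  # False
```

The relaxed canonicalization is what makes DKIM survive harmless rewriting by intermediate mail servers (trailing spaces, extra blank lines at the end) while still catching any change to the words themselves.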
What is the Domain-based Message Authentication, Reporting & Conformance (DMARC) system
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is a protocol that integrates and enhances SPF and DKIM, offering a unified approach to e-mail authentication. It provides domain owners with a way to tell recipient servers how to handle messages that fail SPF and/or DKIM checks.

The operation of DMARC is slightly more complex: through a DNS record, the sender domain specifies the policy (in the ‘p’ tag) to be applied (e.g. quarantine, reject or none, i.e. no action) and requests reports on unauthorised sending attempts. DMARC requires the domain in the ‘From:’ field to match the domain authenticated by SPF and/or DKIM (alignment). This enables DMARC to effectively block fraudulent e-mails, improving security and allowing domains to receive feedback on suspicious activity.
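The alignment rule and policy lookup described above, as an added example that is not part of the original article: given the SPF and DKIM outcomes, the domains they authenticated and the header ‘From:’ domain, the code decides whether DMARC passes and which disposition the published policy requests. The DMARC record, the domains and the reduced public-suffix table are constructed; a real implementation loads the full Public Suffix List and fetches the record from DNS. It also shows the case the text hints at: SPF can pass for the sending domain while the ‘From:’ shows a different domain, and only the alignment check catches it.

```python
# Constructed subset of the Public Suffix List, enough for the hypothetical
# domains used below; a real implementation loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DMARC record for the hypothetical domain example.com.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def organizational_domain(domain):
    """Reduce a domain to its registrable (organizational) domain, e.g.
    news.example.com -> example.com, as used by 'relaxed' alignment."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_aligned(from_domain, authenticated_domain, mode):
    """Alignment test: strict (s) needs an exact match, relaxed (r) the same
    organizational domain. An identifier that was not authenticated never aligns."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM with alignment against the header From: domain and
    return (dmarc_result, disposition requested by the sender's policy).

    spf_domain is the envelope sender (MAIL FROM) domain that SPF checked;
    dkim_domain is the d= tag of a DKIM signature that verified (None if none did).
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "none")  # no usable policy: the receiver applies its own rules
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")  # one aligned, passing identifier is enough
    policy = tags.get("p", "none")
    # sp= overrides p= for mail whose From: is a subdomain of the domain that
    # published the record (pct= sampling is not modelled here)
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


if __name__ == "__main__":
    # SPF passes for the sending domain, but that is not the domain shown in From:
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "third-party.example", "none", None))
    # DKIM verifies for a subdomain, but adkim=s demands an exact match
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "fail", "example.com", "pass", "mail.example.com"))
```

When rolling DMARC out, the usual path is to start with `p=none` and read the `rua=` aggregate reports, which reveal every legitimate sender that is not yet aligned, before moving to `quarantine` and finally `reject`.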
What happens if these systems are not configured correctly
Without proper configuration of SPF, DKIM and DMARC, the e-mail domain is extremely vulnerable to several types of attacks, including:
- Direct spoofing: an attacker can send e-mails by falsifying the sender’s address, making the recipient believe they come from a trusted source.
- Advanced phishing: e-mails may contain malicious links or fraudulent requests, exploiting the trust the recipient places in the sender’s domain.
- Spreading malware: apparently legitimate e-mails can carry dangerous attachments, facilitating infections and data theft.
Without SPF, the receiving servers cannot distinguish between authorised and unauthorised senders. Without DKIM, it is possible to change the content of e-mails without the recipient noticing. Without DMARC, there is no clear policy on how to handle suspicious messages, and domain owners do not receive reports of abuse. In other words, the non-implementation of these protocols is tantamount to leaving the door open to attackers.
Conclusions
The correct configuration of SPF, DKIM and DMARC is an essential best practice for any organisation that wants to protect its digital reputation and the security of its communications. The adoption of these tools drastically reduces the risk of attacks and reinforces the trust of recipients in received e-mails.