Email Authentication

Domain and Email Security - Using DKIM/DMARC/SPF for email authentication is a necessity today in order to protect a domain used for email and assure deliverability.

Business Email Compromise (BEC) phishing scams, which include wire fraud transfers, IRS W-2 scams and other forms of highly targeted impersonation, are on the rise at astounding rates. Estimated costs of BEC phishing scams are at $3.1B and rising according to recent FBI data.

With these scams, savvy cyber-criminals are taking the time to harvest personal information to target carefully selected employees with a spear phishing email designed to get access to confidential business information or transfer money into an unknown account.

Email is still the main conduit for these threats we all face daily. Simply because it's difficult to tell if an email is real or fake, thousands of computers and networks are infected every day, even with anti-virus software installed. Click IT pays special attention to the safety of our customers' IT, with constant monitoring and combat tools; we work daily to thwart attacks and stop cyber-criminals in their tracks before they strike. One of the weapons in our arsenal incorporates the newest in email safety technology, called domain or email authentication, or DKIM/DMARC.

Email authentication is a necessity today in order to help protect a domain used for delivering email, as well as to assure that email recipients and senders are protected from forged (spoofed) and phishing email that might be targeting your domain. Email authentication also helps gain control over where the domain is being used, and which servers email is being sent from.

The short video below presents an overview of DMARC -- the technology of Domain-based Message Authentication, Reporting, and Conformance.

DMARC brings new features of safety to the world of email, and is aimed squarely at solving a problem that has plagued email from the very beginning:

There isn’t a reliable way to tell if an email is real or just a really good fake.

This problem gets email into all sorts of trouble: spam, phishing, the spread of viruses and malware. Email is used to perpetuate a lot of fraud simply because it's difficult to tell if a piece of email is real. On the flip side, legitimate senders have to navigate some pretty complicated anti-spam filters -- filters that are designed to block unwanted email -- just to get their emails delivered. Doing this is a big enough problem that an entire “email deliverability” industry exists to help organizations keep their email flowing into inboxes.

Internet mail hasn't changed much over the years simply because the basic question of “is it real?” hasn’t been easy to answer.

To solve this very real problem, DMARC's new features make email easy to identify. It does so by creating a link between a domain and a piece of email. All of DMARC's features are aimed at making this link possible for all email domains on the Internet, regardless of whether the domain belongs to a Fortune 500 company or an individual citizen.

The underlying technologies that associate a domain with a piece of email have been around for a long time, and people have tried their best in many different contexts to make the technologies useful. SPF -- which is a way of publishing a list of servers that are authorized to send email on behalf of a domain -- has been around since 2003. DKIM -- which is a method of adding a tamper-proof domain seal to a piece of email -- has roots going back to 2005.

Instead of relying on a single technology, DMARC brings consistency to how these existing technologies are configured so that when a piece of email is received, a simple check can be performed to see if the email really does come from the domain it says it comes from.
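The check described above, as an added example that is not part of the original page: it reads a domain's published DMARC record and decides whether one message's SPF or DKIM result is aligned with the From domain. The domains and the record are constructed, and the two-label organizational-domain rule is a simplifying assumption (real receivers consult the Public Suffix List).

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List (example.co.uk, for instance, needs three labels).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record_txt, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = list of (result, d= domain).
    Returns 'pass', or the policy (p=) the domain owner published."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    # Simplification: a record with no p= tag is treated as p=none; sp= is ignored.
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed sample data.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
# Legitimate mail sent through a third-party service: SPF passes only for the
# service's own bounce domain (not aligned), but DKIM is signed by a subdomain.
legit = evaluate(RECORD, "example.com",
                 spf=("pass", "bounces.mailer.test"),
                 dkim=[("pass", "mail.example.com")])
# Forged mail: SPF and DKIM both pass, but only for an unrelated domain,
# so neither result is aligned with the From domain.
forged = evaluate(RECORD, "example.com",
                  spf=("pass", "lookalike.test"),
                  dkim=[("pass", "lookalike.test")])
print(legit, forged)
```

A passing SPF or DKIM result on its own proves nothing about the From domain; alignment is what ties the authenticated domain to the one the recipient sees.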

The goal is to make email easy to identify, but this isn't very useful unless all of a domain’s email can be identified. If it’s easy to identify only some of a domain’s email, then people still have to go to great lengths to figure out if the remaining parts are real or if they just look real but are in fact phishing emails that end up causing a lot of grief.

To make all of a domain’s email easily identifiable, DMARC gives domain owners visibility into how their domains are being used on the Internet. This visibility comes in the form of feedback reports that are generated by organizations that process incoming mail. The reports are sent to domain owners when they ask for them. By analyzing these reports, domain owners can identify all of their sources of email, which makes it possible to deploy the underlying technologies across all legitimate email streams. Without these reports, a domain owner would have to somehow audit their organization to figure out who is sending email -- a task that is time-consuming and almost guaranteed to be incomplete. With these reports, a domain owner can get the work done quickly and accurately.
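An added example (not from the original page) of the report analysis described above: it totals a DMARC aggregate report per sending IP and lists the sources whose mail is not yet authenticating. The report is constructed sample data, trimmed to the fields the code reads, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the DMARC aggregate report XML layout.
REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"messages": n, "passing": n}}.
    A row passes DMARC when its evaluated (aligned) DKIM or SPF result is 'pass'."""
    sources = defaultdict(lambda: {"messages": 0, "passing": 0})
    # Reports come from outside parties; a production parser should be hardened
    # against hostile XML (for example with the defusedxml package).
    root = ET.fromstring(report_xml)
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        ok = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        sources[ip]["messages"] += count
        if ok:
            sources[ip]["passing"] += count
    return dict(sources)

def needs_attention(summary):
    """Sources with any failing mail: a legitimate sender not yet set up, or abuse."""
    return sorted(ip for ip, s in summary.items() if s["passing"] < s["messages"])

if __name__ == "__main__":
    for ip, stats in summarize(REPORT).items():
        print(ip, stats)
    print("review:", needs_attention(summarize(REPORT)))
```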

To tie this all together, when a domain owner is confident that they've made all of their legitimate email easy to identify, they can tell the world to block the fake stuff. Today, DMARC is used to block a lot of fake emails, which is a very good thing.

However, even though blocking fake email is great, the visibility that DMARC provides to domain owners is useful in itself. People use DMARC to see if their domains are being abused on the Internet. Organizations use DMARC to understand how they and their partners are sending email using their domains, and whether everyone is sending email correctly. Doing this turns DMARC into a compliance tool that organizations use to make sure they're doing everything they can to reduce the risk of fraud to themselves and their customers, and to reduce any liability that comes from not adhering to best practices for protecting users and assets.

Arguably the best thing that DMARC is doing for email is to change email from a "let's keep the bad stuff out" model to a "let's build on our ability to identify real email" model. Receivers of email are radically simplifying how they process email, even to the point of requiring DMARC-compliant email if you're trying to deliver a lot of email, and this is a pretty big deal to any organization that relies on email for its day-to-day business.

News, resources, additional reading can be found at