In this blog we discuss email spoofing: what it is and how an organization can prevent this attack.
Email spoofing is a common technique that fraudsters use for social engineering, phishing, or spreading malware. In this technique, the fraudster sends an email that appears to come from someone else by forging the sender's email address. A spoofed sender address makes the email look legitimate and increases the likelihood of someone opening the email or its attachments.
As per a survey conducted by Forbes magazine, fraudsters send around 1.3 billion spoofed emails every single day. This is possible because email delivery is based on the SMTP protocol, which carries the message but does not verify the sender's email address.
Here are some powerful tools/records that can help you fight email spoofing.
Email spoofing protection
Add SPF (Sender Policy Framework) Record:
SPF is used for email verification and authentication and helps deal with email spoofing. An SPF record contains the list of allowed IP addresses/hostnames that can send email using your domain. If the sending IP address/hostname doesn't match the record, the receiving email provider can block the message.
SPF Record Syntax: once defined, an SPF record might look something like this:
v=spf1 ip4:xx.xx.xx.xx ip6:xxxx:xxxx::xxxx include:thirdpartydomain.com ~all
- where v: defines the version of the SPF record.
- ip4, ip6: define the IPv4/IPv6 addresses that are authorized to send email on your behalf
- include: defines a third-party organization (domain) whose SPF record is also authorized to send email on your behalf
- ~all: if an email comes from any other source, the email is marked as a soft fail
Add DKIM (DomainKeys Identified Mail) record:
DKIM is based on public-key cryptography: it validates the email and ensures that the message has not been modified in transit. It is a signature-based tool for efficient email domain authentication. DKIM relies on a TXT record in the email domain's DNS. When we send a mail, a signature is added to the email header and verified on the receiver's server side against the public key published in that DNS record.
DKIM Record Syntax:
"v=DKIM1\; k=rsa\; p=jkdhfrjijjdsojfiwjddjivkjkfjvjskjskjdkdck nlsl"
- where v: defines the DKIM protocol version
- p: defines your base64-encoded public key
- k: defines the key type (algorithm) used to verify the DKIM signature (mostly rsa)
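As an added example (not from the original post), this Python script demonstrates the two stdlib-checkable parts of DKIM verification: parsing the DNS TXT record (including the escaped "\;" form shown above) to obtain the public key, and recomputing the body hash (the bh= tag of the DKIM-Signature header) to detect a modified message body. The RSA signature in the b= tag, which needs a crypto library, is left as a placeholder. The DNS table, selector, domain and key bytes are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed DNS table standing in for the <selector>._domainkey.<domain> TXT lookup.
# The p= value is a placeholder byte string, not a real RSA public key.
FAKE_DNS_TXT = {
    "mail._domainkey.example.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder-public-key").decode(),
}


def parse_tags(record):
    """Parse a DKIM tag=value list ('v=DKIM1; k=rsa; p=...') into a dict.

    Accepts the escaped form some DNS panels show ("v=DKIM1\\; k=rsa\\; ...").
    """
    tags = {}
    for part in record.strip().strip('"').replace("\\;", ";").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: CRLF line ends, drop trailing empty lines."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    text = re.sub(r"(\r\n)+\Z", "", text)
    return text + "\r\n"  # an empty body canonicalizes to a single CRLF


def relaxed_body_canon(body):
    """RFC 6376 'relaxed' body canonicalization: additionally strip trailing
    whitespace on each line and collapse runs of whitespace to one space."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t"))
             for line in body.replace("\r\n", "\n").split("\n")]
    text = re.sub(r"(\r\n)+\Z", "", "\r\n".join(lines))
    return text + "\r\n" if text else ""


def body_hash(body, canon="relaxed", algo="sha256"):
    """bh= value: base64 of the hash over the canonicalized body."""
    canonical = relaxed_body_canon(body) if canon == "relaxed" else simple_body_canon(body)
    return base64.b64encode(hashlib.new(algo, canonical.encode("utf-8")).digest()).decode()


def build_signature_header(body, domain="example.com", selector="mail"):
    """Signer side: a DKIM-Signature value with a genuine bh= but a placeholder b=.

    The b= tag is the RSA signature over the selected headers and needs a crypto
    library; it is deliberately left out of this stdlib-only example.
    """
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s={s}; h=from:to:subject; "
            "bh={bh}; b=PLACEHOLDER").format(d=domain, s=selector, bh=body_hash(body))


def check_body_hash(signature_header, body):
    """Verifier side: recompute bh= from the received body and compare with the header."""
    tags = parse_tags(signature_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # "c=relaxed" alone means relaxed/simple
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return body_hash(body, body_canon, algo) == tags.get("bh")


def fetch_public_key(signature_header, dns=FAKE_DNS_TXT):
    """Verifier side: resolve s._domainkey.d, parse the record and return the raw key bytes."""
    tags = parse_tags(signature_header)
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}".lower())
    if record is None:
        return None
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or key.get("k", "rsa") != "rsa" or not key.get("p"):
        return None  # unknown version, unsupported key type, or revoked key (empty p=)
    return base64.b64decode("".join(key["p"].split()))  # DNS may split p= across strings
```

With relaxed canonicalization, whitespace-only changes introduced by mail relays (trailing spaces, LF versus CRLF) do not break the body hash, while any change to the words does. In a full verifier the returned key bytes would be loaded as an RSA public key and used to check b= over the canonicalized headers listed in h=.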
Add DMARC (Domain-based Message Authentication, Reporting, and Conformance) record:
This is one of the more advanced methods of email authentication. DMARC lets the receiver know whether the received email has been verified against the SPF and DKIM records. It also lets the domain owner specify what action to take against spoofed email claiming to come from their domain.
|SPF|DKIM|DMARC result|
|---|---|---|
|If fail ✗|If fail ✗|Then fail ✗|
|If fail ✗|If pass ✓|Then fail ✗|
|If pass ✓|If pass ✓|Then pass ✓|
DMARC keeps a domain secure by running a step-by-step process. When a sender sends an email, SPF is verified via the DNS record; then the DKIM signature is verified against the DNS record; finally, if the records do not match, an action is taken against the mail depending on the DMARC policy. We can define the DMARC policy as:
v=DMARC1; p=none; rua=mailto:[email protected]
- where v: defines the version of the DMARC record
- rua: defines the addresses to which aggregate feedback reports are sent
- p: defines the policy; its valid values are:
- p=none: no action
- p=reject: reject all emails that fail the DMARC check
- p=quarantine: emails that fail end up in the receiver's junk (spam) folder
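As an added example (not from the original post), this Python script shows the receiver-side DMARC decision for one message: look up the _dmarc TXT record, check whether the SPF and DKIM results are aligned with the From: header domain, and apply the p= policy. It follows RFC 7489, where an aligned pass from either SPF or DKIM is sufficient; the alignment step is what stops a sender who passes SPF and DKIM for their own domain from spoofing yours. The DNS table, domains and report address are constructed for the example, and the adkim=/aspf= tags (alignment mode, relaxed or strict) are honoured when present although the post's record does not use them.

```python
# Constructed DNS table standing in for the _dmarc.<domain> TXT lookup; example.com
# and bulk-sender.example are illustrative names, not real infrastructure.
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
}


def parse_tags(record):
    """Parse a DMARC tag=value list ('v=DMARC1; p=none; rua=...') into a dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def lookup_dmarc(domain, dns=FAKE_DNS_TXT):
    """Return the parsed DMARC policy for domain, or None if it publishes none."""
    record = dns.get(f"_dmarc.{domain.lower()}")
    if record is None:
        return None
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # malformed record: treated as if no policy were published
    return tags


def organizational_domain(domain):
    """Crude fallback: last two labels. Production code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: does the SPF/DKIM domain match the RFC5322.From domain?

    mode is the adkim=/aspf= value: "s" (strict, exact match) or "r" (relaxed,
    same organizational domain), with relaxed as the RFC 7489 default.
    """
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS_TXT):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d= tag of
    the verified signature. DMARC passes when at least one of the two both passed and
    is aligned with the From: domain; otherwise the p= policy decides the disposition.
    """
    policy = lookup_dmarc(from_domain, dns)
    if policy is None:
        return ("none", "none")  # no policy to enforce: deliver as usual
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])  # none = deliver, quarantine = spam folder, reject = bounce


if __name__ == "__main__":
    # Classic spoof: the sender's own domain passes SPF and DKIM, but neither aligns with From:
    print(evaluate_dmarc("example.com", "pass", "bulk-sender.example", "pass", "bulk-sender.example"))
```

The last case is the one to watch when reviewing reports: a message can pass both SPF and DKIM and still fail DMARC because the passing identifiers belong to another domain. With p=none such failures are only reported to the rua= address, which is why a rollout usually starts at none to find legitimate senders that are not yet aligned, then moves to quarantine and finally reject.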
A spoofed mail is hard for a person to detect because it looks legitimate. To safeguard your domain and organization from email spoofing attacks, implement SPF, DKIM and DMARC records for your email domain, and follow this blog for email security best practices.