protection that works

Stopping Fraud: Eliminating Email Forgery

Part of our series on Security for Medium Businesses.


I’ll be straight with you: today’s article strays into tech. Today’s recommendations are easy to build and usually worth your time and money. If the acronyms start piling up and your eyes glaze over, just send this whole article over to your MSP and tell them to do it for you. For most businesses, it should take a smart IT person a couple of hours, and a great MSP should already have done it for you. Either way, it’s easy to check their work; see the instructions below.


The Problem


Just like checks and credit cards, email was designed in a more trusting time, a time before secrets. In the early internet, universities ran email systems and there was no need to verify that an email server was authorized to send you a message. If your email provider got an email claiming to be from [email protected], [email protected], or [email protected], they’d happily pass it on to you, regardless of whether the sender was associated with any of those domains or even if the domain existed. It was a simpler time.


But now it’s not, our motto notwithstanding. It costs about $2.50 per month and 30 minutes to stand up a new email server that can send out millions of fraud and spam attempts over email every hour. Trust is not what it used to be.


Smart people have built and bolted on systems that block a lot of the junk, but email is fundamentally a naïve and trusting design. We have since built alternatives with strong security, but none have not come close to replacing email’s popularity. Despite the warts, email will be with us for a long time.


The Solution

The best bolt-on is DKIM and, together with its trusty sidekick SPF and its assistant DMARC, it promises a future with way less spam and forgery if everybody did it. Luckily, you don’t have to wait for anyone else to get solid value out of it for yourself.


1960s Batman, Robin, and Alfred answering the phone in a secret datacenter, labelled appropriately
Figure 1: Our heroes, DKIM, SPF, and DMARC blocking an attempt to impersonate your Office Manager to a customer.

Together, they protect your company from impersonation attempts via email forgery. This doesn’t prevent jerks from breaking into your email and pretending to be you. I cover ways to address that in the last post on Payments Interception —see the Account Compromise path for more.


This reduces the fraud against you, your customers, and your vendors from people impersonating someone at your company.


Extra Benefits


There’s a hidden benefit to setting up DKIM: your emails will be much less likely to go to spam. Modern email providers assign a huge trust bonus to DKIM. If it’s up, it means that they can easily verify that email from that domain is legitimate, which means they don’t have to worry as much about the possibility of tomfoolery posing as your domain.


Note: this only goes so far. If you actually spam people, they will report it, your messages will start landing in junk folders, and DKIM won’t save you.


The Solution


Overview

DKIM, SPF, and DMARC work together; you set up SPF and then layer DMARC and DKIM on top for extra kick. They work by providing a mathematical attestation in a public place (your DNS record), then cryptographically signing each email against that attestation. If the signature and the attestation match, then the email is legitimate.


Configuring DKIM, SPF, and DMARC starts with your email provider: they supply ninety percent of the plumbing and tech. If they don’t offer support, consider finding a new email provider—their decision probably indicates a broader disregard for your security.


The same applies to MSPs. If your MSP manages your emails system and hasn't yet set up DKIM for you, that may indicate that they don't prioritize or understand security.


Instructions are available for the most popular email systems. I’ve included a few here:


· Google Workspace

· Microsoft 365

· DKIM

· Siteground

· A2 (and cpanel)

· Dreamhost


A note on DMARC: Use p=reject and leave off the “rua=mailto:[email protected]” part. Some MSPs may also request tweaks to these settings to support their ability to protect you.


Check Your Work


You can easily check whether SPF, DMARC, and DKIM are set up correctly. There are many sites that can help; I’ve included instructions for the easiest ones. You only need to check DKIM and DMARC because DKIM will also check SPF.


Checking DKIM


First, visit https://dkimvalidator.com/.


From your company email, write a boring email to the address on this page. A couple minutes later, hit “view results.” If you have waited long enough and the service has gotten your email, you’ll see results like the following screenshots. Almost everything it shows is only useful for people doing deep technical voodoo. All you care about are the results, which I’ve highlighted in yellow boxes. You want all results to be “pass” and a negative SpamAssassin score. If you get anything else, go back to the instructions or give your MSP some grief.


Note: This website scores indicators of spam differently from other major mail providers, so don’t put too much stock in the numbers. Negative is all you really want.


Checking DMARC

There are many online tools that all work about the same; this one works well. You tell it your domain (the part after @ in your email address), and it checks things for you. Here are the two most important settings:



If these are green and people can get still get your emails, it’s working.


Next Steps


DKIM, DMARC, and SPF are easy to set up and can meaningfully prevent impersonation at your company, which reduces your fraud risk. If you’re feeling technical, you can do it yourself; otherwise go light up your MSP.

Subscribe for more:

  • RSS
  • LinkedIn
  • Twitter
  • YouTube