Stopping Fraud: Eliminating Email Forgery

Part of our series on Security for Medium Businesses.


I’ll be straight with you: today’s article strays into tech. The recommendations are easy to implement and usually worth your time and money. If the acronyms start piling up and your eyes glaze over, just send this whole article to your MSP and tell them to do it for you. For most businesses it should take a smart IT person a couple of hours, and a great MSP should already have done it for you. Either way, it’s easy to check their work; see the instructions below.


The Problem


Just like checks and credit cards, email was designed in a more trusting time. In the early internet, universities ran the email systems and there was no need to verify that a mail server was authorized to send you a message. If your email provider got an email claiming to be from president@usa.gov, steve.jobs@apple.com, or god_himself@heaven.com, they’d happily pass it on to you, regardless of whether the sender had anything to do with those domains or even whether the domain existed. It was a simpler time.


But now it’s not, our motto notwithstanding. It costs about $2.50 per month and 30 minutes to stand up a new email server that can send out millions of fraud and spam attempts over email every hour. Trust is not what it used to be.


Smart people have built and bolted on systems that block a lot of the junk, but email is fundamentally a naïve and trusting design. Attempts to rebuild messaging with security have their own downsides and nothing has replaced email’s popularity.


How DKIM Helps

The best bolt-on is DKIM and, together with its trusty sidekick SPF and its assistant DMARC, it would mean far less spam and forgery if everybody adopted it. Luckily, you don’t have to wait for anyone else to get solid value out of it yourself.


[Image: 1960s Batman, Robin, and Alfred answering the phone in a secret datacenter, labelled appropriately]
Figure 1: Our heroes, DKIM, SPF, and DMARC blocking an attempt to impersonate your Office Manager to a customer.

When you set them up, other mail servers can tell which messages claiming to come from your domain were actually sent or signed by your systems, and can discard the forgeries. This doesn’t stop jerks who break into your email and send as you from your own account; I cover ways to address that in the previous post on Payments Interception (see the Account Compromise path for more).


This reduces the fraud against you, your customers, and your vendors from people impersonating someone at your company.


Extra Benefits


There’s a hidden benefit to setting up DKIM: your emails will be much less likely to go to spam. Modern email providers assign a big trust bonus to DKIM. A valid signature proves the message was sent by someone holding a key published under your domain and wasn’t altered in transit, so the receiver can attach a reputation to your domain instead of worrying about tomfoolery posing as it. (Note: this only goes so far. If you’re an actual spammer, people will report you and DKIM won’t save you; it just makes the bad reputation stick to your domain.)


The Solution


Overview

DKIM, SPF, and DMARC work together, and each does a different job; you set up SPF and DKIM first, then add DMARC on top. SPF is a DNS record listing the servers allowed to send mail for your domain; a receiver checks the connecting server’s IP address against that list. DKIM publishes a public key in DNS, and your mail server signs every outgoing message with the matching private key; a receiver fetches the key and checks the signature, which proves the message came from a holder of your domain’s key and wasn’t altered in transit. DMARC is a third DNS record that ties those two checks to the From address people actually see and tells receivers what to do (nothing, quarantine, or reject) when a message fails both. A message that passes SPF or DKIM for a domain matching its From address is treated as authorized by your domain; anything else gets whatever your DMARC policy says.


Configuring DKIM, SPF, and DMARC starts with your email provider: they supply ninety percent of the plumbing and tech. If they don’t offer support, consider finding a new email provider—their decision probably indicates a broader disregard for your security.

DKIM instructions are available for the most popular email systems. I’ve included a few here:


· Google Workspace

· Microsoft 365

· DKIM

· Siteground

· A2 (and cpanel)

· Dreamhost


A note on DMARC: unless your MSP convinces you otherwise, use p=reject and leave off the “rua=mailto:email@domain.com” part. p=reject tells receivers to refuse any mail claiming to be from your domain that fails both SPF and DKIM, which is exactly what you want for forgeries, so before you turn it on, list every service that sends mail as your domain (invoicing, CRM, newsletter tool, the office scanner) and make sure each one is in your SPF record or signs with DKIM for your domain, or its mail gets rejected too. The rua tag is an address where receivers send aggregate reports; they are useful for spotting senders you forgot, but they arrive as XML attachments that nobody reads without a tool, which is why it’s fine to skip.
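To make the Overview above concrete, here is an added example (not code from the original post) of how a receiving mail server combines the three checks into one verdict, including why the p=reject policy matters. Every record, IP address, selector and message in it is constructed; example.com, attacker.example and newsletter.example are placeholder domains and the IPs come from documentation ranges. The RSA check on the DKIM signature is assumed to have already been done (it needs the public key from DNS and a crypto library); what the example shows is the alignment and policy logic that decides what happens next.

```python
"""Added example (not from the original post) of how a receiving mail server
combines SPF, DKIM and DMARC into one verdict. Every record, IP address and
message here is constructed; example.com, attacker.example and
newsletter.example are placeholders. The RSA check on the DKIM signature is
assumed to have been done already; this shows the alignment and policy logic.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM-Signature header, DMARC TXT) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(spf_record, sender_ip):
    """Minimal SPF: walks ip4:/ip6: mechanisms and the final 'all'.
    include:, a and mx need DNS lookups and are deliberately left out."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER[qual]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
    return "neutral"  # RFC 7208 default when nothing matched and there is no 'all'


def org_domain(domain):
    """Organizational domain. Real verifiers consult the Public Suffix List;
    this assumes a plain two-label suffix, which holds for the placeholders here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed) accepts the same organizational domain, e.g. mail.example.com
    for a From: of example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(dmarc_record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """DMARC passes if SPF *or* DKIM passed AND that identifier aligns with
    the From: domain the reader sees. Otherwise apply the p= policy."""
    tags = parse_tags(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags.get("p", "none"), "deliver")


# Constructed DNS records for the placeholder domain example.com
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"


def evaluate_message(sender_ip, mail_from_domain, from_domain,
                     dkim_signature_header, dkim_verified):
    """What a receiver runs: SPF on the connecting IP and MAIL FROM domain,
    d= pulled from the DKIM-Signature header, then the From: domain's DMARC policy."""
    spf_result = spf_check(SPF_RECORD, sender_ip)
    dkim_domain = parse_tags(dkim_signature_header).get("d") if dkim_signature_header else None
    dkim_result = "pass" if (dkim_verified and dkim_domain) else "none"
    return dmarc_evaluate(DMARC_RECORD, from_domain, spf_result,
                          mail_from_domain, dkim_result, dkim_domain)


SIGNED_BY_US = "v=1; a=rsa-sha256; d=example.com; s=sel1; bh=<body-hash>; b=<signature>"
SIGNED_BY_ATTACKER = "v=1; a=rsa-sha256; d=attacker.example; s=x; bh=<body-hash>; b=<signature>"

# 1. Real mail from the company's own server, signed with its own key.
LEGIT = evaluate_message("203.0.113.25", "mail.example.com", "example.com", SIGNED_BY_US, True)
# 2. Forgery from an unrelated server, no signature at all.
FORGED = evaluate_message("198.51.100.7", "example.com", "example.com", None, False)
# 3. Forgery carrying a perfectly valid DKIM signature for the attacker's OWN
#    domain: DKIM passes, but d= does not align with From:, so DMARC still fails.
FORGED_SIGNED = evaluate_message("198.51.100.7", "attacker.example", "example.com", SIGNED_BY_ATTACKER, True)
# 4. A newsletter service not listed in SPF but set up to sign as example.com:
#    SPF fails, the aligned DKIM signature passes, the message is delivered.
THIRD_PARTY = evaluate_message("198.51.100.7", "bounce.newsletter.example", "example.com", SIGNED_BY_US, True)

if __name__ == "__main__":
    for name, verdict in [("legit", LEGIT), ("forged", FORGED),
                          ("forged + attacker DKIM", FORGED_SIGNED), ("third party", THIRD_PARTY)]:
        print(f"{name:24s} dmarc={verdict[0]:4s} action={verdict[1]}")
```

Case 3 is the one people get wrong: a DKIM signature on its own proves nothing about your domain, because anyone can sign with a key for a domain they own. DMARC only counts a pass when the signing domain (or the SPF-checked domain) lines up with the From address, which is why the From header is what it protects. Case 4 shows why p=reject needs an inventory of your senders first: the newsletter tool survives only because it signs with your domain's key.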


Check Your Work


You can easily check whether SPF and DKIM are set up correctly. From your organizational email address, write a boring email to the address on this page. A couple minutes later, hit “view results.” If you’ve waited long enough and the service has gotten your email, you’ll see results like the following screenshots.


Almost everything it shows is only useful for people doing deep technical voodoo. All you care about are the results, which I’ve highlighted in yellow boxes. You want every check to say “pass” and ideally a negative SpamAssassin score. If you get anything else, go back to the instructions or give your MSP some grief.


Note: This website scores indicators of spam differently from other major mail providers, so don’t put too much stock in the numbers. Lower is better, but getting all “pass” is the most important.


To test DMARC, you can use one of many equivalent online tools. You should get a lot of green. Here are the two most important settings:



If these are green and people can still get your emails, it’s working.
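If you would rather check the records yourself than trust a web tool, here is an added example (not from the original post) that lints the three DNS records for the mistakes that usually show up: too many SPF lookups, an open “+all”, an empty or test-mode DKIM key, and a DMARC policy weaker than p=reject. It works on record text you have already fetched; the records in it are constructed for the placeholder domain example.com, and the DKIM key is truncated placeholder text.

```python
"""Added example (not from the original post): lint the three DNS records
once you have fetched them. Records below are constructed for the
placeholder domain example.com; the DKIM key is truncated placeholder text.
Fetch real ones with:
    dig +short TXT example.com
    dig +short TXT <selector>._domainkey.example.com
    dig +short TXT _dmarc.example.com
"""


def tags_of(record):
    """'k=v; k=v' -> dict; DKIM and DMARC records share this shape."""
    out = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def lint_spf(record):
    """Problems with an SPF record; an empty list means it looks right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with 'v=spf1'"]
    problems = []
    # include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup;
    # RFC 7208 caps them at 10, after which receivers return permerror.
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").lower().split(":")[0].split("/")[0] in ("a", "mx", "ptr", "include", "exists")
        or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms, limit is 10 (RFC 7208); receivers return permerror")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("'+all' lets every server on the internet send as you")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("no '-all' or '~all' at the end; unlisted senders get 'neutral', which is not a fail")
    if len(record) > 255:
        problems.append("over 255 characters; DNS needs it split into several quoted strings")
    return problems


def lint_dkim(record):
    """Problems with the TXT record at <selector>._domainkey.<domain>."""
    t = tags_of(record)
    problems = []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be 'DKIM1' when present")
    if not t.get("p"):
        problems.append("p= is empty: an empty key means revoked and every signature fails")
    if t.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={t['k']}")
    if "y" in t.get("t", "").split(":"):
        problems.append("t=y is test mode; remove it once your checks pass")
    return problems


def lint_dmarc(record):
    """Problems with the TXT record at _dmarc.<domain>."""
    t = tags_of(record)
    if t.get("v") != "DMARC1":
        return ["DMARC record must start with 'v=DMARC1'"]
    problems = []
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif p != "reject":
        problems.append(f"p={p}: forgeries are still delivered (none) or only junk-foldered (quarantine)")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct}: the policy only applies to that share of failing mail")
    return problems


def check_records(spf, dkim, dmarc):
    """All three lints; every list empty means the records pass this check."""
    return {"spf": lint_spf(spf), "dkim": lint_dkim(dkim), "dmarc": lint_dmarc(dmarc)}


# Constructed records: one healthy set, one with the usual mistakes.
GOOD = check_records(
    "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    "v=DMARC1; p=reject; adkim=s; aspf=s",
)
WEAK = check_records(
    "v=spf1 a mx include:a.example include:b.example include:c.example include:d.example "
    "include:e.example include:f.example include:g.example include:h.example include:i.example +all",
    "v=DKIM1; k=rsa; t=y; p=",
    "v=DMARC1; p=none; pct=50",
)

if __name__ == "__main__":
    for label, result in (("good", GOOD), ("weak", WEAK)):
        for kind, problems in result.items():
            print(f"{label} {kind}: {'ok' if not problems else problems}")
```

The SPF lookup count is the check web tools most often gloss over: every include: your providers chain behind the scenes counts against the same limit of ten, and once you pass it receivers treat the whole record as an error, which silently turns your SPF off.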


Lessons


DKIM, DMARC, and SPF are easy to set up and can meaningfully prevent impersonation at your company, which reduces your fraud risk. If you’re feeling technical, you can do it yourself; otherwise go light up your MSP.
