Google and Yahoo New Email Requirements – Part 2

Key Components of Email Protection: SPF, DKIM and DMARC

Written by: Scott Bernstein | Senior Consultant, CIO Landing

I know this looks technical, more geek acronyms. But these are the widespread terms used when discussing and configuring email settings. Without a basic understanding, your email could be misconfigured.

The Google and Yahoo requirements center around the DMARC setting. But DMARC settings rely on SPF and DKIM settings, so you cannot ignore any of them. All three settings are used by email providers and Internet Service Providers (ISP) to authenticate emails, to verify the sender is who the email says it is from.

The Basics of SFP, DKIM, and DMARC

SPF: Sender Policy Framework – This is an email validation process used to detect and block email spoofing. It allows the receiving email server to verify the domain name of the sender (the part after the @ sign in the email address) is coming from an IP address that is authorized to send such emails. This should be in place now, irrespective of the Google/Yahoo changes.  The purpose of SPF is to reduce the amount of email spoofing and phishing.

DKIM: DomainKeys Identified Mail – provides a method for validating a domain name through digital verification that it is associated with the email. The identity is independent of other email identities, such as the sender’s From: field to keep them separate.

The purpose of DKIM is to prove:

• The content of an email has not been tampered with
• The headers in the email (the FROM part) have not been changed or added to
• The sender of the email either owns the DKIM domain or is allowed to send

DMARC: Domain-Based Message Authentication Reporting and Conformance – this is an added authentication method that uses both SPF and DKIM to verify whether or not an email was sent by the owner of the “Friendly-From” domain that the user sees. DMARC is reliant on SPF and DKIM. DMARC checks for a DKIM pass and an SPF pass before authorizing an email, meaning there is a second level of verification that the email is authentic. DMARC tells the world how to handle unauthorized emails sent via your domain by generating reports as your email moves to its destination.  The purpose of DMARC is to verify inbound emails are in alignment with SPF and DKIM settings to enhance protection against spoofing.

SPF is a list of servers and services that are authorized to send email via your domain.

DKIM attempts to verify if email is legitimate.

DMARC suggests what to do with email that is not legitimate, using SPF and DKIM.

Why is DMARC Important?

This DMARC alignment is meant to further protect against phishing. THIS IS WHY GOOGLE AND YAHOO ARE IMPLEMENTING THESE CHANGES TO DMARC SETTINGS. Technically it is not needed as long as SPF and DKIM are in place. In a recent report, Internet services firm Cloudflare found that 89% of messages blocked as spam had correct SPF, DKIM, or DMARC information, underscoring that the technologies are part of the equation but not the entire solution, says Oren Falkowitz, field CSO at Cloudflare. CIO Landing and all security experts will tell you, the best way to protect yourself from cybercrimes is LAYERS of PROTECTION. DMARC adds another layer in the background to protect your emails.

Why hasn’t this been done before? It’s not like email spam, spoofing and phishing are new issues. There are several reasons:

• It is not easy or well understood how to setup DMARC
• It relies on two other settings, SPF and DKIM, which are also tricky to setup
• SPF and DKIM provided some protection but were not coordinated

So why the big To Do about this in the first place? Gmail and Yahoo have a huge email base who too often are getting compromised by spoofing and phishing emails. They are starting with bulk emailers as the bad guys typically go for mass attempts to see who they can fool into clicking on something.

Our third and final blog on this issue will tell you what you need to do. It will not be the technical “How To” as that is our job. It will describe what you need to do with your IT firm and email provider and spam filtering service. This is not something you want to undertake on your own.