Web Gateways,
Redefined.

Designed for Distributed. Built for the Cloud.
Delivered as a Service.

Blog

Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work.

Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them. They are:

  • Domain-based Message Authentication, Reporting and Conformance (DMARC)
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)

Let’s talk about the differences among the three standards.

SPF is an entry into your DNS servers that show the servers that are allowed to send emails in your domain. This means you have to know who your domain admins are and make sure that list of folks is kept updated.

DKIM is used to ensure the content of your emails is trusted. So, when your email servers send a message, it isn’t tampered with. You use private/public key signing tools to do this. You add another DNS entry with your public DKIM signed key to verify this process.

DMARC ties SPF and DKIM together into a consistent set of policies, and also sets up an email address that can collect reports. One critical issue is that all domains that your company owns must be protected with a DMARC policy. If your company operates a lot of domains or subdomains, this can get tedious very quickly. And you have to make sure that every subdomain is protected with the right DNS entries too.

Now you can see why you need all three: each one solves a different piece of the spam/phishing prevention puzzle. And it is a puzzle. For those that want a more detailed explanation of how the three protocols work as email is being created and consumed, check that link. And here is another explanation of the strengths and weaknesses of each protocol to give you more perspective.

Adoption varies widely on all three protocols. Google reports on its usage for 2016 Gmail users:

  • 87 percent of all received emails were signed according to DKIM
  • 95 percent of received emails came from servers using SPF
  • 85 percent of received emails were protected by both standards (SPF & DKIM)

That initially sounds pretty positive, but that is just who is using Gmail and GSuite. According to this survey of actual public DNS records, DMARC is still not well implemented by two thirds of the Fortune 500. What is worse, less than five percent of businesses quarantine or reject any messages, which was part of the whole point of using these advanced email protocols. The good news is that DMARC usage is slowly but steadily on the rise.

So, if you want to get on this email protection train, here are some practical steps to take. First is this post that suggests the right order to implement the three protocols and how to make sure that you have done it correctly before moving on to the next step. That is useful for those of you that want to do this on your own.

If you are using Google for your email, they have some instructions about DKIM here and about how to generate your domain key here. If you are using cPanel to manage your domain, here are some suggestions on how to configure the various DNS records. Once you think you are done, you can use this tool to validate that the appropriate DKIM keys are happening in your email headers.

Finally, if you need professional help, there are email authentication vendors who specialize in implementing these protocols, such as Valimail. They can walk you through the process and ensure that your mail servers are set up properly.

I ended up working with the Valimail folks, and I found out that I was doing a few dumb things with how my emails and domains were set up, even though I supposedly know what I am doing (generally) and have worked with email authentication for decades. This just goes to show you that this is an area where you never stop learning, and need to be careful so you don’t end up blowing up your entire email infrastructure in the process of trying to protect it better.

 

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.