Author Fred Luo
Email spoofing is one of the common techniques used in phishing attacks. Using a variety of tricks, attackers make users believe an email comes from a legitimate party. To combat email spoofing, a few mechanisms have been invented, namely DMARC, DKIM and SPF. However, the terms are often confused with one another. In this blog, we will cover how email spoofing works and explain SPF, DKIM and DMARC. Here is an outline:
- How does the email system work?
- Email spoofing
- Prevent/detect email spoofing
- The caveats of SPF/DKIM/DMARC
Let us start with an understanding of how the email system works.
1. Email system behind the scenes
When you send out an email, the email system takes a few more steps than you would see in your email client. Here is an example of the set of SMTP actions that happen when you send an email.
- HELO: the sending host identifies itself to the receiving server.
- MAIL FROM: initiates the transfer of the mail and identifies the envelope sender.
- RCPT TO: identifies the recipients, one recipient per command.
- DATA: everything after DATA is treated as message content until the terminator, including the headers, the body and any attachments. Within it:
  - From: the "header From" address, which is what appears in the header section of most mail clients.
  - Reply-To: another header field, indicating where replies are sent.
  - Subject: the subject of the email.
  - The rest is the body, attachments, etc.
2. Email spoofing
As permitted by SMTP, you can actually:
- specify whatever you want in the MAIL FROM or From address
- leave either the MAIL FROM or the From address null
- specify a display name with no address in the From field (e.g. Bob Smith <>)
- format a From address like this: From: Bob Smith <bob.smith@example.com> <hacker@hacker.com> for a message that is really from hacker@hacker.com. Some clients will show it as Bob Smith <bob.smith@example.com>
This sounds crazy, right? These are intentional design choices in SMTP, but they are sadly abused by attackers for malicious purposes, namely email spoofing. In general, there are three types of email spoofing.
- Envelope MAIL FROM spoofing: the MAIL FROM address is declared in a way that is meant to look legitimate.
- Header From spoofing: the attacker declares the header From address so that it looks legitimate, since that is what most clients show anyway.
- Display name spoofing: the attacker controls the display name to make it look legitimate, for example Bob Smith <hacker@hacker.com>. Here the display name "Bob Smith" looks legitimate, while both MAIL FROM and From are under the attacker's control. Most of the time, when you reply to such an email, the address is truncated and the client only shows the name. If you did not notice it the first time, it will be hard to catch later.
Typically, when attackers spoof a real email address, they use one of the following options:
- use the actual email address, such as "bob.smith@example.com", to pass the filter
- use a misspelled address: "bob.smith@examp1e.com" (notice the digit 1 in place of the letter l)
- use a completely different domain: "bob.smith@gmail.com"
- use any odd email address: "bob23@randomdomain.com"
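To make the envelope/header distinction from sections 1 and 2 concrete, here is an added example (not code from the original post) that splits a constructed SMTP transcript into its envelope (MAIL FROM, RCPT TO) and header (From, Reply-To) parts and then flags the spoofing patterns listed above: a From field carrying two addresses, a display name with no address, an envelope domain that differs from the header domain, a trusted display name on a foreign domain, a lookalike domain, and a diverted Reply-To. The transcript, the domains and the `trusted_domain` value are all constructed for illustration.

```python
"""Added example (not from the original post): split a constructed SMTP
transcript into envelope and header parts and flag the spoofing patterns
described above. Sample data and the trusted_domain value are constructed."""
import re
from dataclasses import dataclass, field

# Constructed transcript: the envelope says hacker.example while the header
# From field carries two addresses, the first of which impersonates example.com.
SAMPLE_SESSION = """HELO mail.hacker.example
MAIL FROM:<bounce@hacker.example>
RCPT TO:<alice@victim.example>
DATA
From: Bob Smith <bob.smith@example.com> <hacker@hacker.example>
Reply-To: hacker@hacker.example
To: alice@victim.example
Subject: Urgent invoice

Please pay the attached invoice today.
.
"""

ADDR_RE = re.compile(r"<([^<>]*)>")  # every angle-bracketed address, in order
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


@dataclass
class Message:
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_session(text):
    """Parse the client side of an SMTP transaction: envelope, headers, body."""
    msg = Message()
    lines = text.splitlines()
    i = 0
    while i < len(lines) and lines[i].strip().upper() != "DATA":
        line, upper = lines[i], lines[i].upper()
        if upper.startswith(("HELO ", "EHLO ")):
            msg.helo = line.split(" ", 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            msg.mail_from = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            msg.rcpt_to.append(line.split(":", 1)[1].strip().strip("<>"))
        i += 1
    i += 1  # skip the DATA line
    while i < len(lines) and lines[i] != "":  # headers end at the first blank line
        name, _, value = lines[i].partition(":")
        msg.headers[name.strip().lower()] = value.strip()
        i += 1
    body = []
    for line in lines[i + 1:]:  # body ends at the lone "." terminator
        if line == ".":
            break
        body.append(line)
    msg.body = "\n".join(body)
    return msg


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def split_from(value):
    """Return (display name, [addresses]) for a From or Reply-To header value."""
    addrs = ADDR_RE.findall(value)
    if addrs:
        return value[:value.index("<")].strip().strip('"'), addrs
    return "", ([value.strip()] if "@" in value else [])


def spoofing_indicators(msg, trusted_domain="example.com"):
    """Return short codes for the spoofing patterns found in a parsed message.

    trusted_domain (constructed) is the domain the display name is expected to
    belong to; in practice it comes from your address book or a VIP list."""
    found = []
    name, addrs = split_from(msg.headers.get("from", ""))
    shown_domain = domain_of(addrs[0]) if addrs else ""  # what most clients display
    envelope_domain = domain_of(msg.mail_from)
    _, reply_addrs = split_from(msg.headers.get("reply-to", ""))
    if len(addrs) > 1:
        found.append("multi-address-from")        # From: Bob <a@x> <b@y>
    if addrs and addrs[0] == "":
        found.append("from-without-address")      # From: Bob Smith <>
    if envelope_domain and shown_domain and envelope_domain != shown_domain:
        found.append("envelope-header-mismatch")  # MAIL FROM vs header From
    if name and shown_domain and shown_domain != trusted_domain:
        found.append("display-name-spoof")        # trusted name, foreign domain
    if shown_domain != trusted_domain and shown_domain.translate(CONFUSABLES) == trusted_domain:
        found.append("lookalike-domain")          # examp1e.com for example.com
    if reply_addrs and domain_of(reply_addrs[0]) != shown_domain:
        found.append("reply-to-mismatch")         # replies diverted elsewhere
    return found
```

Running `spoofing_indicators(parse_session(SAMPLE_SESSION))` yields `multi-address-from`, `envelope-header-mismatch` and `reply-to-mismatch`: the two-address From trick is visible to a parser even when a client only shows the first address, and the envelope domain never matches what the user sees. The confusables table is deliberately tiny; a production filter would use a proper homoglyph list and compare against the organisation's real domains.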
3. Prevent/detect email spoofing
There are a few mechanisms in place for the security team to prevent email spoofing.
3.1 Sender Policy Framework (SPF)
SPF is a DNS record the domain owner publishes that lists the servers from which the domain sends email. When a receiving server gets a message claiming that domain, it checks the list of legitimate sources; if the server the message comes from is not on the list, it knows the message is not legitimate. An SPF record looks something like this:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
SPF is useful to protect against MAIL FROM spoofing, which is good for your company and your domain brand as well. However, it only concerns the MAIL FROM address, and does not protect against header From or display name spoofing.
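The following added example (not code from the original post) shows how a receiver evaluates a record like the one above. It is a minimal SPF evaluator over a constructed in-memory DNS table; it supports the `ip4`, `ip6`, `include` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers, which is enough to see the left-to-right matching and how `include:` pulls in another domain's policy. The domains and IP addresses are made up, and real SPF also has `a`, `mx`, `exists`, `redirect=` and a ten-lookup limit, none of which are implemented here.

```python
"""Added example (not from the original post): a minimal SPF evaluator over a
constructed in-memory DNS table. Supports ip4, ip6, include and all with the
+, -, ~ and ? qualifiers. Real SPF also has a, mx, exists, redirect= and a
10-lookup limit, which are omitted here."""
import ipaddress

# Constructed TXT records (assumption: these domains and addresses are made up).
# example.com mirrors the shape of the record shown above: includes plus ~all.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for client_ip sending MAIL FROM <...@domain>.

    Result names follow RFC 7208: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                        # guard against include: loops
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # mechanisms are evaluated left to right
        qualifier = "+"                   # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an address of the other IP version never matches a network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced policy returns pass;
            # a missing or broken referenced policy is a permanent error
            inner = check_spf(arg, client_ip, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"            # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]  # first match decides the result
    return "neutral"                      # nothing matched and no "all" term
```

Two things worth noticing when you run it: the record ending in `~all` gives `softfail` rather than `fail` for an unlisted IP, and most receivers accept a softfail and merely mark it, so a sender that wants hard enforcement publishes `-all`. And the domain being checked is the MAIL FROM domain, which is why a passing SPF result says nothing about the header From address the user actually sees.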
3.2 DomainKeys Identified Mail (DKIM)
DKIM is a key-pair signing mechanism for mail message headers. When you send mail, you attach a signature to the message that was created with your private key; the receiver verifies it against the public key published in DNS for your domain. DKIM adds authenticity to a message and guards against the headers being tampered with by downstream mail servers.
DKIM is a signature that adds a layer of authenticity. However, if an email does not carry a DKIM signature, that does not mean it is malicious.
3.3 Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC's conformance check ("alignment") verifies that the header From domain is "aligned" with the other authenticated domains on the message, via either DKIM or SPF. If either DKIM or SPF alignment passes, DMARC evaluates as a "PASS".
- SPF alignment: the domain in the header From and the envelope MAIL FROM must be the same (or sub-domains of the same parent domain in "relaxed" mode), and the message must pass SPF.
- DKIM alignment: DMARC requires a valid signature whose d= tag domain aligns with the domain in the header From field.
However:
- DMARC alignment is only enforced when your policy (p=) is set to "reject" or "quarantine".
- Lots of receiving mail servers still do not evaluate DMARC, evaluate it only for reporting, or evaluate it but do not report.
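The alignment rules and the policy caveat above can be written down as a short evaluator. This is an added example, not code from the original post: it takes the raw headers (to find the header From domain and the `d=` tags of the DKIM-Signature headers), the SPF result with its MAIL FROM domain, and the domain's DMARC record, and returns the DMARC result together with the disposition the record asks for. Two assumptions are built in: the DKIM signatures are taken as already verified cryptographically (the example does not implement RSA verification), and the "organisational domain" used for relaxed alignment is simplified to the last two labels, whereas real receivers consult the Public Suffix List. The header sample and the DMARC records are constructed.

```python
"""Added example (not from the original post): DMARC alignment evaluation.
Assumptions: DKIM signatures were verified elsewhere, and the organisational
domain is the last two labels (real code uses the Public Suffix List)."""
import re

ADDR_RE = re.compile(r"<([^<>]*)>")

# Constructed headers: the message carries two DKIM signatures, one from a
# third-party mailer and one from the owner's own mail host.
RAW_HEADERS = """From: Bob Smith <bob.smith@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example; s=sel1; bh=placeholder; b=placeholder
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=2024; bh=placeholder; b=placeholder
Subject: Quarterly report
"""


def parse_tags(value):
    """Parse 'k=v; k=v' tag lists as used by DMARC records and DKIM-Signature."""
    tags = {}
    for part in value.split(";"):
        k, sep, v = part.partition("=")
        if sep:
            tags[k.strip().lower()] = v.strip()
    return tags


def header_from_domain(raw_headers):
    """Domain of the first address in the header From field."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "from":
            addrs = ADDR_RE.findall(value) or [value.strip()]
            return addrs[0].rsplit("@", 1)[-1].lower()
    return ""


def signing_domains(raw_headers):
    """d= of every DKIM-Signature header (signature verification assumed done)."""
    out = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            d = parse_tags(value).get("d")
            if d:
                out.append(d.lower())
    return out


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) allows the same parent domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate_dmarc(raw_headers, spf_result, mail_from_domain, dmarc_record):
    """Return (dmarc_result, disposition) for one message.

    spf_result is the SPF outcome for mail_from_domain ("pass", "fail", ...)."""
    tags = parse_tags(dmarc_record)
    from_domain = header_from_domain(raw_headers)
    spf_aligned = spf_result == "pass" and aligned(
        mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(aligned(d, from_domain, tags.get("adkim", "r"))
                       for d in signing_domains(raw_headers))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # A failing message is only quarantined or rejected when p= asks for it;
    # with p=none the failure is merely reported.
    return "fail", tags.get("p", "none")
```

With the constructed headers, a relaxed policy passes on the `mail.example.com` signature even though the envelope domain is unrelated, a strict `adkim=s` policy fails because the signing sub-domain is not an exact match, and the same failure under `p=none` produces no disposition at all, which is the first "however" bullet above in code.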
4. The caveats of SPF/DKIM/DMARC
As you can see, SPF is useful against envelope MAIL FROM spoofing, and DMARC + SPF + DKIM can help against header From spoofing. However, they do not address display name spoofing or other email spoofing issues, such as a compromised email account being used. More advanced email behaviour rules are needed to prevent or detect these other forms of email spoofing. Moreover, it is up to senders to configure their SPF; whether a sender configures it or not is not under your control. Therefore, we cannot rely on SPF/DKIM/DMARC alone to detect phishing. They are important signals, but they are not enough.