How to prevent email spoofing and protect your customers
Protect your domain against spoofing, because Microsoft and Google don't do it automatically
An unsuspecting customer or employee receives a phishing email that seems to come from your company. He or she clicks on with confidence, passes on sensitive information and perhaps even shares bank details.
The hacker is to blame, but you as a company also bear responsibility. On the one hand, it is a company's task to make its employees aware of the dangers of phishing. On the other hand, you can help to limit the danger of spoofing as a phishing method to be used against your customers: mimicking email addresses, or spoofing, becomes impossible if you take the right precautions.
Spoofing as an attack technique used to be a very big problem. Attackers could disguise their malicious emails as coming from a trusted organisation without too much effort. Today, this is a little more complex, although the risk has all but disappeared. Organisations of every size have the tools to make spoofing impossible, but these tools are all too often forgotten. How do hackers abuse the mail protocol, and what responsibility do you bear to protect your domain?
Envelope and sender
An e-mail sent via SMTP (Simple Mail Transfer Protocol - the standard protocol behind email) does not contain any authentication mechanism by default. A classic mail is contained in a so-called envelope with two parameters: ‘MAIL FROM’ and ‘RCPT TO’. The MAIL FROM parameter specifies for the receiving mail server where the message comes from and especially where that server should bounce error messages to. The human recipient does not get to see this information.
Inside the envelope is the actual email. This again contains parameters, such as the ‘From’ and ‘Reply-to’ fields. The information contained therein is visible in the mail client at the top of the message to an unsuspecting recipient.
Without any form of security, a criminal can let his creativity loose on the MAIL FROM and From fields – they can put in what they want. Both the mail client and the recipient will get to see a message that seems to come from a reliable party, but actually originates from a clearly malicious address such as firstname.lastname@example.org. Today, there are various security techniques to prevent such abuse.
First layer of control: SPF
The first layer of security is called SPF, short for Sender Policy Framework. SPF authentication injects a healthy suspicion into the receiving mail server with respect to the MAIL FROM field on the envelope. The server looks at the content (e.g. email@example.com) and then wonders whether the sender's IP address is authorised to send from the specified domain (@bank.com). The mail server then relies on the DNS information that belongs to the domain. Of course, this only works if this information is available in the DNS records. If the hacker sends via an IP address that belongs to firstname.lastname@example.org but claims in the MAIL FROM field that the sender is email@example.com, the mail server will recognise this.
Modern mail server solutions such as Microsoft Exchange or Microsoft 365 automatically use SPF authentication for incoming mails but it is up to the domain owner to provide the list of legitimate IP addresses so that authentication is possible.
If you have your own domain, this will not happen automatically even if you use Microsoft 365 or Google Workspace. If you create an SPF record within your domain that contains the authentic IP addresses for outgoing email, cybercriminals will no longer be able to spoof your organisation via the MAIL FROM field. The registrar of your domain can help you adjust your DNS records.
Half protected is half unsafe
The attentive reader will notice that SPF only solves a small part of the problem. With SPF, an attacker can still fill in his own domain in the MAIL FROM field so that the SPF check does not set off any alarm bells. The MAIL FROM then contains firstname.lastname@example.org, and the SPF-check sees no problem because the 'secure' field was filled in correctly.
The hacker can use his own mail address or a previously cracked mailbox, without raising suspicion with the final recipient. After all, the recipient will not see the information on the envelope. Our cybercriminal still has free rein to modify the visible From field with a reliable address such as email@example.com. That is enough to deceive a potential victim.
Better protection with DMARC
Fortunately, there is also a solution for this: DMARC, short for Domain-based Message Authentication, Reporting and Conformance, continues where SPF stops. A mail server verifies the From sender via a DMARC record with the DNS information.
Again, this verification happens automatically at the recipient’s end, provided that the correct DNS data is available. Too many organisations forget to provide a DMARC record, which gives hackers free rein to falsely present a mail address from their domain as the sender. Fine for those who want to send a realistic phishing mail, less fine for those who are fooled because they thought they were dealing with your organisation.
Do not forget about DKIM
DMARC has a brother in DKIM: DomainKeys Identified Mail. DKIM uses encryption and a digital signature with a private and public key to verify whether a mail is legitimate. Again, the whole verification process happens in the background and again it is up to companies to protect their domain name against spoofing with the protocol. This is done by adding a CNAME record with DKIM values to the DNS data of your domain. Both Microsoft and Google make it easy to generate the key for a domain through their security portal.
Attackers are not picky. They try to use spoofed mails from known and trusted organisations for their phishing campaigns. If the organisation in question has its SPF, DKIM and DMARC records in order, the recipient's mail server will recognise them as malicious and they will not arrive. However, if a criminal finds an organisation that has not done its homework, the attack can begin.
Your logo as a reward
If you want to go a step further in protecting your domain against abuse, ‘Brand Indicators for Message Identification’ or BIMI has recently been introduced. BIMI builds on DMARC and ensures that authentic e-mails are provided with the sender's logo. Organisations that have their SPF and DMARC records up-to-date and embrace BIMI will see a small logo appear next to their messages. That logo cannot be stolen by a spoofer and thus creates more trust in messages coming from your company.
Every company with some brand awareness has a responsibility here. For recipients, the security of e-mails today is optimally configured to counteract spoofing, but the protection only works if companies themselves do their bit. SPF, DKIM and DMARC help to protect recipients, while BIMI also offers a visible advantage to legitimate senders thanks to the addition of the logo. The introduction of BIMI is an excellent time to take a look at the situation in your organisation.
At the end of the day, spoofing will unfortunately continue to exist as long as not all companies take the right measures. Making your own contribution is important, but it won't make spoofing disappear from the face of the earth. So don't forget to make your employees aware of the technique, alongside other forms of phishing. They may mistakenly think that their mail client will keep them completely safe, but as you read above, all too often that is not the entire truth.