Cyber Basics: Email Anti-spoofing

This is the second in a series of posts that will aim to provide some initial guidance on the fundamentals of cyber security. During our time assisting many organisations with improving their security, the one thing that is common across all companies, regardless of size or type, is the lack of focus on Cyber Basics.

These posts will not be in any particular order, but will aim to cover what we feel are key basic elements of any cyber security strategy or improvement programme. The great thing is this guidance is applicable to any size of company or budget, no matter how small, but can equally apply to the large enterprise.

By focusing on these basics you can significantly improve your cyber maturity and help prevent over 80% of the common cyber threats active today.

Email Anti-spoofing

For quite some time now email has been the single biggest vector used in cyber-attacks, with over 95% of attacks delivered using email.

Most email attacks rely on deceiving the user, or impersonating a trusted source, in an effort to convince the target to click a malicious link, or download a malicious attachment. Once clicked or downloaded, you could be directed to a bad site that steals credentials, or malware could be installed on your device.

From here user accounts are often compromised for use in ongoing attacks, against other victims and companies.

Email anti-spoofing is an often unknown or misunderstood security control, that aims to reduce the chance of receiving emails impersonating (spoofing) a legitimate individual or company.

These techniques aims to protect your company and its brand from reputational damage and financial loss, by preventing the bad guys from impersonating your email accounts and using them maliciously.

Where this differs from the normal cyber security advice, is that instead of directly protecting your own users, anti-spoofing actually protects the people, partners and companies you do business with, by making it extremely difficult for criminals to send emails that look like they come from you.

How does it work?

To prevent spoofing of an organisations email and domains we need to use three core technology components:

• SPF – Sender Policy Framework
• DKIM – Domain Keys Identified Mail
• DMARC – Domain-based Message Authentication, Reporting and Conformance

SPF – Sender Policy Framework

Sender Policy Framework or SPF for short, is the first step on the anti-spoofing ladder. SPF has been around for some time, starting out in the early 2000’s before being published as a proposed standard in 2014.

Its role is to list the domains and IP addresses that are allowed to send email on behalf of your company domain.

SPF is quick and simple to implement using a basic DNS Text record (TXT). Once the record is published, receiving email services can check the SPF record, to ensure that sending email services are valid and authorised to send mail.

If the check passes the email is sent to the users mailbox, if it fails the receiving email service can choose to junk or reject the email.

An example SPF TXT record, that uses Microsoft Exchange online, Mailchimp bulk email services, and an on premise mail server IP address may like this:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ip4:192.0.2.1 -all

To break this down:

• include: tag used to add domains & hostnames that send your email
• ipv4: tag used to add IP version 4 addresses
• Ipv6: tag used to add IP version 6 addresses
• -all: Hard Fail – tells the receiver that servers not listed in the SPF should be rejected
• ~all: Soft Fail – tells the receiver that servers not listed in the SPF can be accepted but should be marked as suspicious.

The difficult part here is ensuring you have all your relevant mail services included. Be sure not to add to many though, as SPF has a limit of 10 lookups. Each include and IPvX entry is classed as a lookup. If you exceed 10, you impact performance and will likely receive a failure on the SPF check. Be efficient with SPF record.

DKIM – Domain Keys Identified Mail

Next up is Domain Keys Identified Mail (DKIM), which adds another layer of security, by digitally signing the outbound messages from your mail service.

You start by creating a cryptographic key pair (public and private keys) for your domain, this is typically completed on your mail service or email security product.

The private key is used to sign the message by adding a digital signature to the message header.

The public key is added to your domains DNS using TXT records. When your mail service sends a signed message, receivers of your email consult the published DNS records to verify the message against the public key.

If it matches it proves that the message originated from your domain and is valid. If it fails the receiving mail service can choose whether it junks or rejects the messages.

Unlike SPF, DKIM can also protect email that has been forwarded, as the signed message header is preserved as the email is forwarded from one company to another.

An example DKIM DNS TXT record can be constructed as follows:

v=DKIM1; k=rsa; p=<base64 encoded public key>;

DKIM is supported by most modern mail services and although this may sound difficult, it is relatively simple to setup. Services such as Microsoft 365 Exchange Online create the crypto keys and DNS TXT records for you. All you need to do is enable DKIM for each domain and add your associated DNS CNAME records which point to the TXT records.

DMARC – Domain-based Message Authentication, Reporting and Conformance

The third and final layer of anti-spoofing security is called Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC is the bow that wraps all of this together, setting and applying policy for the email domain, and generating reports based on success or failure of the verification checks.

Once the receiver has confirmed the identity and validity of the email message using SPF and DKIM, DMARC is used to inform the receiving mail service what to do in the event that the email fails any of checks.

The DMARC policy can be set to enforce three actions:

• None - tells the receiver to take no action. We recommend using this setting when first implementing and testing your anti-spoofing setup.
• Quarantine – tells the receiver to take action by sending to a quarantine, junk or spam folder, instead of delivering to their inbox.
• Reject – tells the receiver to block the message and prevent it from being delivered.

The final piece of the DMARC jigsaw is reporting. The rua value can be used in the record to set an address where you would like to send aggregated email reports. The ruf value can also be used for detailed forensic reporting.

An example DMARC DNS TXT record can be constructed as follows:

v=DMARC1; p=none; rua=mailto:companyxyz@dmarc-report.com; ruf=mailto:companyxyz@dmarc-report.com;

Once enabled these reports should then be reviewed regularly to ensure that there are no errors in your anti-spoofing setup. Any errors in the configuration may result in valid email failing to be delivered.

Reporting Services

There are a number of reporting services online that can help with the collection and analysis of DMARC reports.

Report URI is a great example of a service, that provides a free tier for the collection of up to 10,000 reports per month. This is good starting point with a range of tools available including DMARC, CSP and Certificate Transparency logging to name a few. Chargeable subscriptions are also available.

If you want more information or would like to sign up, visit here: https://report-uri.com/

NCSC Mail Check Service

For UK public sector organisations the National Cyber Security Centre (NCSC) provide the Mail Check Service, which can help you setup strong email anti-spoofing and security configurations.

You can sign-up here: https://www.mailcheck.service.ncsc.gov.uk/

Other Resources

For more resources, Dmarc.org lists a number of tools that are available to assist with the implementation and analysis of these email anti-spoofing components. The list can be found here.

Conclusion

This second post in the cyber basics series has looked into the topic of Email Anti-spoofing. It has described how to protect your organisation, partners and customers from phishing threats that aim to impersonate the company and its staff.

Don’t be overwhelmed by the details, the above SPF, DKIM and DMARC settings really are quick and easy to setup. After some initial planning and if you have all the information to hand, your technical staff should be able to deploy this in as little as 30-60 mins.

To summarise, follow these steps:

• Gather IP and domain information for the devices and services that are allowed to send email on your domains behalf (mail servers, websites, and bulk email campaign services).
• Implement SPF for your domain using DNS TXT records, using the info gathered.
• Implement DKIM for your domain, using crypto keys to sign your email and DNS TXT records to publish your public key.
• Implement a DMARC policy, starting in policy mode none. Set DMARC to send your logs to a reporting service such as Report-URI.com.
• Don’t rush into setting a protection policy. Review the logs for a few weeks to ensure there are no issues, before moving to quarantine or reject.
• If you have more than one email domain always ensure you protect all your email domains (including subdomains) not just the primary.

Email providers such as Microsoft, have detailed documentation to help with deploying these features within their services. Please do go and seek these out for more information.

Hopefully this has given you valuable insight and highlighted both the importance and benefits of enabling email anti-spoofing for your organisation.

Look out for our future posts and hopefully they can help you become more secure.