Introduction

Phishing is a type of cyber-attack where the attacker tries to deceive individuals or organizations into revealing sensitive information, such as usernames, passwords, credit card details, or other personal data. Phishing attacks are typically carried out via fraudulent emails, messages, or websites that impersonate legitimate sources, making the victims believe they are interacting with a trusted entity.

How a typical phishing attack works:

  • Bait: The attacker crafts a message or email designed to appear as if it’s coming from a well-known and trustworthy source, such as a bank, social media platform, government agency, or a reputable company. The message may claim that there’s an urgent issue, a security concern, or an enticing offer to entice the recipient to take action.

  • Deceptive Content: Phishing messages often use urgent or alarming language to create a sense of urgency, fear, or excitement, encouraging the victim to act hastily without critically evaluating the request.

  • Fake Links: The email or message contains links that direct the recipient to a fake website that looks nearly identical to the genuine site. These websites are designed to steal login credentials or other personal information when users enter their data, unknowingly handing it over to the attacker.

  • Data Collection: If the victim falls for the trap and enters their sensitive information on the fake website, the attacker gains access to the information and can potentially use it for malicious purposes, such as unauthorized access to accounts or identity theft.

  • Social Engineering: Phishing attacks often employ social engineering tactics to manipulate the victim emotionally or psychologically, increasing the chances of a successful attack.

To avoid falling victim to phishing attacks, it’s essential to remain vigilant and to educate users to follow best practices such as the following:

  • Be cautious of unsolicited emails, especially those with urgent requests for personal information.
  • Double-check the sender’s email address and verify its legitimacy, paying attention to small discrepancies in domain names.
  • Avoid clicking on links in emails or messages unless you are certain of their authenticity. Instead, manually enter the URL into your web browser.
  • Use multi-factor authentication (MFA) wherever possible to add an extra layer of security to your accounts.
  • Keep your software and security tools up to date to protect against known phishing threats.
  • Educate yourself and your users about phishing techniques and the importance of staying alert to potential attacks.

By being cautious and informed, you can reduce the risk of falling victim to phishing attacks and protect your personal and sensitive information from being compromised.

As email sysadmins, we need to protect the server against growing spam and phishing attacks by combining multiple email authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

So, let’s talk about them here.

DKIM

What is DKIM

DKIM stands for DomainKeys Identified Mail, and it is an email authentication method used to verify the legitimacy of email messages. It helps prevent email spoofing and phishing by allowing the receiver to check that an email’s content and domain identity have not been tampered with during transit.

How DKIM works:

  • Digital Signature: When an email is sent from a domain that has DKIM enabled, the sending server adds a digital signature to the email header. This signature is generated using a private cryptographic key that is unique to the sending domain.

  • Public Key Retrieval: The receiving email server can retrieve the public key associated with the sending domain from the domain’s DNS (Domain Name System) records. These records contain the necessary information to verify the signature.

  • Signature Verification: Upon receiving the email, the receiving server uses the public key to verify the authenticity of the digital signature. It recalculates the signature based on the email’s content and compares it to the one in the email header.

  • Results: If the recalculated signature matches the one in the email header, it means the email has not been altered during transit, and the domain can be verified as the sender. If the signatures do not match or the DKIM check fails, the email’s legitimacy may be questioned, and it might be flagged as potentially fraudulent.

DKIM is one of several methods used for email authentication. When combined with other authentication methods like SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), it enhances email security and helps prevent email abuse. By implementing DKIM and other email authentication measures, domain owners can protect their brand reputation, reduce the likelihood of emails being marked as spam, and give recipients greater confidence in the emails they receive.
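The first thing a receiving server checks before it even touches the public key is whether the body hash in the DKIM-Signature header (the bh= tag) still matches the body that arrived. The following is an added example, not code from this page: it implements the RFC 6376 "simple" and "relaxed" body canonicalizations and the bh= comparison with the standard library only; the message, selector and header are constructed, example.com is a reserved domain, and the b= signature value is a placeholder.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376 section 3.4.3): normalise line
    endings to CRLF, strip trailing empty lines, keep exactly one CRLF at the end."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed': collapse runs of spaces/tabs in each line and strip trailing
    whitespace, then apply the 'simple' rules."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    return canonicalize_body_simple(b"\r\n".join(lines))


def body_hash(body: bytes, canon: str = "simple") -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canon_body = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Split the tag=value list of a DKIM-Signature header; folding whitespace is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """First step of DKIM verification: does the bh= tag match the body that arrived?
    A mismatch means the body was altered in transit (or the header was forged),
    so the signature check can be skipped and the message treated as failing DKIM."""
    tags = parse_dkim_signature(dkim_header)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, body_canon)


# Constructed sample (example.com is a reserved domain); bh= is computed here so the
# example is self-contained, and the real signature b= is only a placeholder.
SAMPLE_BODY = b"Your invoice for May is ready.\r\n\r\nRegards,\r\nBilling\r\n\r\n\r\n"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n"
               " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n b=PLACEHOLDER")
```

Note that trailing blank lines added by an intermediate MTA do not break the hash, but a single changed word in the body does, which is exactly the tamper evidence DKIM is meant to give.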

SPF

What is SPF (Sender Policy Framework)

SPF stands for Sender Policy Framework, and it is an email authentication method used to prevent email spoofing and unauthorized use of a domain’s identity. SPF allows domain owners to define a policy that specifies which mail servers are authorized to send emails on behalf of their domain. This helps receiving email servers verify the authenticity of incoming emails and reduce the likelihood of spam and phishing attempts.

Here’s how SPF works:

  • SPF Record Creation: The domain owner publishes an SPF record in their DNS (Domain Name System) settings. The SPF record contains information about the mail servers authorized to send emails on behalf of the domain.

  • Email Sending: When an email is sent from a domain with an SPF record, the receiving email server checks the SPF record of the sending domain during the email delivery process.

  • SPF Record Check: The receiving server extracts the sender’s domain from the email header and looks up the SPF record of that domain in the DNS.

  • SPF Policy Check: The SPF record lists the mail servers (IP addresses) that are allowed to send emails on behalf of the domain. The receiving server compares the IP address of the server that sent the email with the authorized servers listed in the SPF record.

  • SPF Result: Based on the comparison, the receiving server determines whether the email is from an authorized source or not. If the email originates from an authorized server (a match is found in the SPF record), the email is considered legitimate. Otherwise, if there is no match or the email comes from an unauthorized server, it may be marked as suspicious or treated as spam.

SPF is effective in combating email spoofing and forgery since it allows email receivers to validate the authenticity of the sender’s domain. However, SPF alone does not handle issues like email forwarding or multiple legitimate email sources for a domain. To address these challenges and enhance email authentication, organizations often implement SPF in combination with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). This combination is known as DMARC alignment and provides a more robust email authentication mechanism.
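The policy check described above, as an added example that is not part of the original page: a small RFC 7208 evaluator that matches the connecting IP against ip4, ip6, include and all terms, honours the +, -, ~ and ? qualifiers, and enforces the 10-lookup limit that turns an over-long include chain into a permerror. The DNS data is a constructed dictionary standing in for real TXT lookups, the domains and addresses are reserved documentation values, and the a, mx, ptr and exists mechanisms are deliberately not modelled.

```python
import ipaddress

# Constructed DNS TXT data standing in for the real DNS lookups a verifier performs.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(domain: str, client_ip: str, dns=None, lookups=None) -> str:
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.
    Handles ip4, ip6, include and all; a/mx/ptr/exists are not modelled here."""
    dns = FAKE_DNS_TXT if dns is None else dns
    lookups = [0] if lookups is None else lookups  # counter shared across nested includes
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if ip.version == int(mech[2]) and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, client_ip, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "none":  # RFC 7208 section 5.2: a missing included record is a permerror
                return "permerror"
            if inner in ("permerror", "temperror"):
                return inner
        else:
            return "permerror"  # unsupported or malformed term
    return "neutral"  # record without an "all" term makes no explicit statement
```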

DMARC

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication and reporting protocol designed to combat email phishing and spoofing. DMARC builds upon two other authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to provide a more comprehensive approach to email security.

The main objectives of DMARC are:

  • Authentication: DMARC allows email domain owners to publish policies specifying which authentication methods (SPF or DKIM) they use for their emails. This helps email receivers verify the legitimacy of incoming emails by checking if the email’s source aligns with the domain’s published policies.

  • Reporting: DMARC provides a mechanism for email receivers to send reports back to domain owners about the disposition of emails that failed DMARC checks. These reports include information about whether an email was delivered, quarantined, or rejected due to DMARC authentication failures. These reports help domain owners monitor and analyze potential abuse of their domains.

How DMARC works in conjunction with SPF and DKIM:

  • SPF: SPF checks if the IP address of the sending server is authorized to send emails on behalf of a domain. It helps prevent email spoofing by specifying which servers are allowed to send emails for a domain.

  • DKIM: DKIM adds a digital signature to the email header, verifying that the email’s content and domain identity have not been altered during transit. This ensures the authenticity and integrity of the email.

  • DMARC: DMARC policy records are published in a domain’s DNS settings. These records specify what action an email receiver should take if an incoming email fails both SPF and DKIM checks. The DMARC policy can be set to “none” (monitoring mode), “quarantine” (send suspicious emails to the recipient’s spam folder), or “reject” (block emails that fail DMARC checks).

When an email is received, the email server checks the SPF and DKIM alignment against the DMARC policy of the sending domain. If both SPF and DKIM fail, the receiving server follows the action specified in the DMARC policy. This alignment between SPF, DKIM, and DMARC is called DMARC alignment and enhances email security by providing a more robust authentication mechanism.
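The decision described in the last paragraph, as an added example that is not code from this page: given a parsed DMARC record, the RFC5322.From domain, and the SPF and DKIM results with the domains they authenticated, it applies the adkim/aspf alignment modes and returns the action the policy asks for (p=, or sp= for a subdomain). The record is constructed for the reserved domain example.com, and the organizational-domain helper is simplified to the last two labels where a real verifier would consult the Public Suffix List.

```python
# Constructed DMARC record for the reserved domain example.com (not a real record).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split the tag=value list of a _dmarc TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption). Real
    verifiers use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record: str, policy_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str, dkim_result: str, dkim_domain: str):
    """Return (dmarc_result, action). DMARC passes if SPF or DKIM passed *and* the
    identifier it authenticated aligns with the From: domain; otherwise the published
    policy (p=, or sp= when From: is a subdomain of the policy domain) gives the action."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        return "fail", tags["sp"]
    return "fail", tags.get("p", "none")
```

The third test case below is the one that matters most for phishing: an SPF pass for some unrelated sending domain does nothing for a spoofed From: header, because the pass is not aligned.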

DMARC is widely adopted by organizations to protect their domains, reduce phishing attempts, and ensure that legitimate emails from their domains are delivered securely. It also helps improve the overall email ecosystem by providing valuable feedback to domain owners about the use of their domains in phishing campaigns.