Spoofing: Bad emails in a good name
Your customers rely on your good name and the good name of your brand. Without hesitation, they open your messages, click on download buttons or log in to linked websites with their login details. But what happens if someone else misuses your good name to send spam, phishing emails, viruses, and Trojans? Would you notice? And what can you do about it?

An email in my name — is it that easy?
Yes, it's that easy. The Simple Mail Transfer Protocol (SMTP), which is used to send email, does not itself verify the sender address. In principle, any sender address can be used when sending an email: your own address, someone else's address, or an address that doesn't exist at all.
How can I find out if fake emails are being sent in my name?
It is often relatively difficult for senders to quickly find out about fake emails in their name. With a bit of luck, there might be a recipient who complains to you about a malicious email. With bad luck, you may only notice the misuse of your sender domain when this domain is already on numerous blacklists and you are struggling with massive deliverability problems.
Is there a way to identify my organization as a legitimate sender?
There are various ways to signal that you are highly likely to be the legitimate sender of an email. One option is the Sender Policy Framework (SPF). Here, the owner of a domain publishes a so-called SPF record in DNS, which states exactly which servers, identified by their IP addresses, may send emails in the name of that domain, and which may not. A second option is a DKIM signature. In this process, the owner of a domain publishes a public key in DNS and signs each outgoing email with the corresponding private key; the signature is carried in the email header. The recipient verifies the signature against the published public key and can tell whether the two match or not.
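To make the SPF side of this concrete, here is an added example (not code from the original article) of how a receiving server evaluates an SPF record against the connecting IP. It replaces DNS with an in-memory table so it runs offline; the domain names, IP addresses and records in `FAKE_DNS` are constructed, and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled.

```python
"""SPF evaluation over a constructed, in-memory DNS table.

Added example, not the article's own code. Real SPF checkers fetch TXT records
via DNS; here a dict stands in for DNS so the example runs offline. Domains,
addresses and records below are constructed. Mechanisms modelled: ip4, ip6,
include and all (a, mx, exists and macros are out of scope).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for `sender_ip` sending as `domain`.

    Possible results: 'pass', 'fail', 'softfail', 'neutral', 'none'
    (no record) or 'permerror' (record unusable).
    """
    if depth > 10:
        # Recursion guard for include: chains (RFC 7208 limits DNS lookups).
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]     # 'all' matches every address
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                # 'in' is False when address families differ, so an IPv6
                # sender never matches an ip4 network and vice versa.
                if ip in ipaddress.ip_network(value, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include: matches only if the included record yields 'pass'.
            if check_spf(value, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"               # mechanism not modelled here
    return "neutral"                         # no mechanism matched, no 'all'


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_spf("example.com", ip))
```

Note the difference between `-all` and `~all`: with a hard fail the receiver is told the message is unauthorized, with a soft fail it is only told to treat it with suspicion. Which of the two a receiver acts on, and how, is exactly the decision the article describes next.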
Why isn't that enough?
Imagine an email provider receiving an email that claims to come from you. It checks SPF and DKIM and determines that the email is most likely not from you. Now it's up to the email provider to decide how to handle this email: put it in the recipient's inbox, send it to the spam folder, or not deliver it at all? Whatever the provider chooses, you can't influence that decision, and you won't learn anything about the existence of the fake email that carries your domain as the sender.
What is DMARC and what can DMARC do?
DMARC is a technical specification developed by a group of companies and organizations, including AOL, Gmail, Hotmail, Yahoo, Facebook, and ReturnPath. Thanks to DMARC, more and more email senders and email recipients decide together what to do with potentially fake messages; the check is based on SPF and DKIM. This protects not only the recipients of your emails, but also your good name. In the DMARC record, you can state what should happen with messages that fail the DMARC check: should the receiving mail server deliver the email anyway, put it in the spam folder, or simply reject it? As a sender, you can also have various types of reports sent to you by participating organizations, simply by email. These reports are a valuable monitoring tool: they let you check exactly whether fake emails are being sent in your name, and also whether there are problems with authenticating the emails you send yourself. This allows you to keep an overview of, and control over, your sender domain at all times.
And that works?
DMARC is a relatively new process that is still in its infancy. Not all email providers have implemented DMARC yet. And even with providers that already use DMARC, minor technical difficulties sometimes occur. Senders should therefore proceed carefully with their own DMARC policy. A thorough test phase is highly recommended; otherwise, a technical glitch could mean that the majority of your own authentic communication simply is not delivered.
Preparing the DMARC record, the thorough test phase and the regular, expert evaluation of the reports all require knowledge, experience and time. Overall, however, we are of the opinion that the effort pays off. Thanks to DMARC, senders can better protect their good names and their recipients from the damage caused by fraudulent emails, and at the same time improve the deliverability of their email campaigns.