Waiting for rain13. March 2013
Mobile email design2. April 2013
Spoofing: bad mails sent in your good name
Your customers trust in your good name and the good name of your brand. Without a second thought, they open your messages, click download buttons, or log onto a linked website using an ID and password. All well and good. But what if somebody else has exploited your good name to send out spam mails, phishing mails, viruses or trojan horses? Would you notice? And what can you do to prevent it?
How easy is it to send a spoof email in my name?
In a word, very. The Simple Mail Transfer Protocol (SMTP) used for sending emails doesn’t verify the sender’s address. So in theory, whoever sends an email can use any sender address: their own, someone else’s, or even a nonexistent one.
How can I find out whether my name’s been spoofed?
Generally, there’s no easy way to discover quickly that spoof emails have been sent out in your name. With a bit of luck you’ll hear about it when a recipient may complain to you about a bad mail. But if you’re less fortunate, you won’t discover that your name’s been spoofed until the domain has been put on numerous blacklists and you begin to have severe delivery problems.
Is there any way of identifying my organization as a legitimate sender?
There are various ways by which you can indicate that in all probability, the email is from you. One way is to use the Sender Policy Framework (SPF). With this method, the owner of a domain creates an SPF entry that specifies exactly which servers with which IP addresses are permitted to send emails in the name of the domain – and which are definitely not. Another method is to use a DomainKeys Identified Mail (DKIM) signature. The domain owner creates a public key and includes a digital signature in the header of every email sent. The recipient can compare the signature in the mail with the public key to verify that they match and the mail is trustworthy.
Why doesn’t that do the job?
Imagine an email provider receives a mail in your name. Checking the SPF and the DKIM reveals that the email probably didn’t come from you. It’s then up to the provider to decide what to do with the mail – put it in the recipient’s in-box, place it in the spam folder, or block its delivery altogether? You have no way of influencing the provider’s decision – and you’re not told that a spoof email is going around with your domain in the sender address.
What is DMARC and what can it do?
DMARC is a technical specification that was developed by a group of organizations including AOL, Gmail, Hotmail, Yahoo, Facebook and Return Path. In future, with DMARC’s help, more and more email senders and recipients will be able to decide jointly what to do with mails that appear to be fake when checked via SPF and DKIM. The new method protects both the recipient of your emails and your good name. In your DMARC entry, you can recommend how emails that fail the DMARC test should be treated: whether the receiving mail server should deliver the mail anyway, place it in the spam folder, or refuse receipt. As a sender, you benefit from different types of reports supplied by the participating organizations via email. These reports are a useful monitoring tool. They show you whether spoof emails are being sent in your name, and whether any of your outgoing emails are experiencing authentication problems. As a result, you are always in the picture, and have firm control over your sender domain.
And does it work?
DMARC is a relatively new method and still in its infancy. It hasn’t yet been implemented by all email providers. And some of those who are using it report minor technical glitches. That means that senders should take a cautious approach to implementing a DMARC policy. A comprehensive trial phase is indispensable. Otherwise there’s a risk that a technical fault could prevent many of your authentic messages from reaching their destination.
Creating a DMARC record, managing the comprehensive trial phase and regularly analysing the reports takes specialist knowledge, experience and time. However, we believe the effort is worthy. With DMARC senders can not only protect their good name but also prevent spoof emails from reaching their customers – and at the same time optimize the deliverability of their email campaigns