Edward Touw

What have you done to protect your clients from phishing attacks?

Written by Edward Touw on

Google is winning the war on email spam and phishing emails, the company stated on its security blog. According to the search giant, the increased usage of DKIM and SPF has made it easier to tell malicious and legitimate senders apart. 91.4% of all non-spam emails received by Gmail were authenticated with either DKIM, SPF or both.

This does mean, however, that companies that have not yet authenticated their emails run an even higher risk than before of being spoofed. What have you done to help win the war on spam and to protect your clients from phishing attacks?

91.4% of all non-spam emails received by Gmail were authenticated with DKIM, SPF or both

70% of all emails sent are spam

A recent study conducted by IT Security Company Lab found that 70% of all emails sent worldwide are spam. To protect their users from these messages, most email providers are now very strict about which emails they let through.

Only senders that are trusted can deliver high volumes of email to the various mailbox providers without having their messages blocked at the gate. This is why a good sending reputation is so important if you want to deliver bulk mail.

Without authenticating your emails, though, someone else can borrow your reputation: they send mail that claims to come from your domain and use it to scam your clients (ruining all the goodwill you so carefully built up). Sending under a forged identity is called spoofing; using it to trick recipients into handing over credentials or money is phishing, and it could happen to your domain.

SPF, DKIM and SenderID

Phishing

Depending on how strict your mailbox provider is, you may have received emails from a bank stating that your account will be closed unless you take action immediately. In such a case, phishers posed as the bank and were probably trying to rob you of your life savings.

From: ACNE Bank <clients@acne-bank.com>
To: your.name@company.com
Subject: Please update your security settings. Important!

Dear valued customer, 

Because of recent security attacks on our bank, we need you to update your 
validation settings for your bank account. 

Please do so within 3 days to prevent account termination. 

We promise that we are really the ACNE Bank, we are not trying to steal 
your money. Pinky swear!

CLICK HERE TO UPDATE YOUR SETTINGS IMMEDIATELY

Regards, 
ACNE Bank    

The chances are, though, that you have never even seen an email like this arrive, because banks tend to set up their authentication data.

While the email above claims to be from ACNE Bank (even the From field shows an @acne-bank.com address), it is immediately clear to your email provider that it isn't.

Within an instant, the authentication data tells the receiving server that:

  • The IP address the email was sent from does not belong to ACNE Bank
  • Nor is that IP address authorised to send email on ACNE Bank's behalf
  • The email was therefore not sent by clients@acne-bank.com
  • The email does not carry a valid digital signature from ACNE Bank

Unfortunately, authentication data doesn't magically appear out of nowhere. If you want to prevent your company from being spoofed by phishers, you'll have to take the precautions yourself.


Setting up your authentication data

In its blog post, Google mentions DKIM and SPF. These aren't the only forms of authentication you can use to prove your identity, though. Below you'll find an overview of the various forms of authentication data and how to set them up.

DKIM

DKIM is a method for associating a domain name with an email: your mail server adds a digital signature to each outgoing message, computed with a private key, and publishes the matching public key in a DNS TXT record under your domain. A mailbox provider looks that key up and verifies the signature, which tells it the message really was sent by you and was not altered on the way. Please note that Gmail requires a DKIM key that is at least 1024 bits long.
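The public key a receiver verifies against is the base64 blob in the p= tag of the DKIM TXT record, which holds an RSA SubjectPublicKeyInfo in DER encoding. The following is an added example (not code from the original post or from Copernica) that parses such a record, decodes the key far enough to read the RSA modulus, and flags keys shorter than the 1024-bit minimum the text mentions. The record names under acne-bank.example and the moduli are constructed placeholders (not real RSA keys; only their bit length matters), and a real check would fetch the TXT record at selector._domainkey.domain instead of the inline table.

```python
"""Check a published DKIM public-key record and the RSA key length it carries.

Added example, not code from the original post or from Copernica. The DNS
entries and key moduli below are constructed placeholders (the moduli are
not real RSA keys; only their bit length matters here).
"""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoder, used only to build the constructed sample records ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return der(0x02, b)


def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key, the format DKIM's p= tag carries."""
    alg = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")
    key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + key))


# --- minimal DER reader for the check itself ---
def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(spki):
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, pos = read_tlv(body)          # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bits, _ = read_tlv(body, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = read_tlv(bits, 1)     # skip the unused-bits octet
    _, n_bytes, _ = read_tlv(rsa_key)     # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # whitespace inside p= is allowed
    return tags


def check_dkim_record(txt, min_bits=1024):
    """Return (ok, reason) for a DKIM TXT record found at <selector>._domainkey.<domain>."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unknown version"
    if tags.get("k", "rsa") != "rsa":
        return False, "unsupported key type " + tags["k"]
    if "p" not in tags:
        return False, "missing p= tag"
    if tags["p"] == "":
        return False, "key revoked (empty p=)"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except Exception as exc:
        return False, f"undecodable key: {exc}"
    if bits < min_bits:
        return False, f"{bits}-bit key is below the {min_bits}-bit minimum"
    return True, f"{bits}-bit RSA key"


def sample_record(bits):
    # Constructed modulus with the top bit set, so bit_length equals the nominal size.
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << (bits - 1)) | 1)).decode()


# Constructed stand-in for the TXT records a receiver would query.
DNS_TXT = {
    "mail._domainkey.acne-bank.example": sample_record(2048),
    "old._domainkey.acne-bank.example": sample_record(512),
    "gone._domainkey.acne-bank.example": "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for name, record in DNS_TXT.items():
        print(name, check_dkim_record(record))
```

The same reader is all a receiver needs to reject a record before attempting signature verification; an empty p= is the documented way to revoke a selector, so it is reported as revoked rather than as a parse error.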

Learn to set up DKIM

SPF

Whenever an email is sent, it carries two sender addresses:

  • The address in the From field (the one the recipient sees, and where replies go unless a Reply-To is set)
  • The envelope address, also called the Return-Path or MAIL FROM address (the address bounces are sent to)

In some cases, when using an ESP like Copernica for example, the envelope domain may differ from the domain in the From field. An SPF record is a DNS TXT record on the envelope domain that tells mailbox providers which IP addresses and hosts are allowed to send emails with that domain as envelope sender; mail arriving from anywhere else fails the check.

If you use the standard envelope domain provided by Copernica (which most users do), your SPF is already set up correctly. If you use a custom envelope domain, however, you'll need to configure SPF yourself.
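To make the check concrete, here is an added example (not code from the original post or from Copernica) of the evaluation a mailbox provider runs for the envelope domain: it walks the SPF record's mechanisms from left to right, follows include: into another domain's record (which is how an ESP's sending range gets authorised for a customer's envelope domain), and honours the 10-lookup limit. The domains, IP addresses and records in the DNS table are constructed for illustration.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed DNS table.

Added example, not code from the original post or from Copernica. All
domains, addresses and records below are constructed for illustration.
"""
import ipaddress

# Constructed zone data standing in for live DNS. TXT holds the SPF records;
# A and MX records back the "a" and "mx" mechanisms.
DNS = {
    "acne-bank.example": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/26 include:esp.example -all"],
        "MX": ["mail.acne-bank.example"],
    },
    "mail.acne-bank.example": {"A": ["203.0.113.25"]},
    "esp.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all"],
    },
    "unprotected.example": {"TXT": ["just some unrelated text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 is a permerror


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """The domain's SPF record, or None if it publishes none (or more than one)."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def ip_in(ip, spec, host_prefix):
    """True if ip lies in spec, which is a single address or a CIDR block."""
    if "/" not in spec:
        spec = f"{spec}/{host_prefix}"
    return ip in ipaddress.ip_network(spec, strict=False)


def check_host(ip, domain, lookups=None):
    """Evaluate SPF for sending address `ip` and envelope (MAIL FROM) `domain`.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms are
    tried left to right; the first one that matches decides, via its qualifier.
    Not implemented: redirect=/exp= modifiers, ptr, exists, /prefix on a and mx.
    """
    lookups = [0] if lookups is None else lookups  # counter shared across includes
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4" and ip.version == 4:
            matched = ip_in(ip, arg, 32)
        elif name == "ip6" and ip.version == 6:
            matched = ip_in(ip, arg, 128)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            elif name == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for host in lookup(target, "MX") for a in lookup(host, "A"))
            else:
                # include: matches only when the included record yields "pass";
                # its own softfail, fail or neutral do not match here.
                matched = check_host(str(ip), target, lookups) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term present


if __name__ == "__main__":
    for sender in ("203.0.113.25", "198.51.100.7", "198.51.100.200"):
        print(sender, check_host(sender, "acne-bank.example"))
```

Note that the include: of esp.example ends in ~all, but that softfail never leaks into acne-bank.example's result: the outer record's own -all turns any unmatched sender into a hard fail, which is what you want once you are sure every legitimate source is listed.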

Learn to set up SPF

Sender ID

Whenever an email provider receives an email, it can do a DNS lookup to see whether the sending IP address is allowed to send for the domain in the From address. Sender ID is Microsoft's variant of SPF: a record starting with spf2.0/pra lists, in SPF syntax, the IP addresses allowed to send email whose From (or Sender) header carries your domain, rather than the envelope domain that SPF checks. Few mailbox providers still evaluate Sender ID; today the From domain is protected through DMARC instead.

Learn to set up Sender ID

DMARC

DMARC is a newer method that builds on SPF and DKIM. Publishing a DMARC record in DNS tells receiving parties that your domain uses SPF and DKIM, and that a message should only pass if the domain that passed SPF or DKIM matches the domain in the From field (so a phisher cannot pass SPF with his own envelope domain while displaying yours). The record also tells email providers what to do with emails that don't pass these checks (monitor only, quarantine or reject) and where to send reports about them.
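The decision a receiver makes from a DMARC record is small enough to write out. The following is an added example (not code from the original post, from Copernica or from Google's documentation) that parses a record, applies the alignment rule between the authenticated domain and the From domain, falls back to the organisational domain's record with its sp= policy for subdomains, and returns the disposition. It takes the SPF and DKIM results as inputs. The records, domains and the tiny public-suffix table are constructed stand-ins; the pct= and reporting tags are parsed but not acted on.

```python
"""DMARC (RFC 7489) policy decision for one received message.

Added example, not code from the original post or from Copernica. Records,
domains and the public-suffix table are constructed for illustration.
"""

# Constructed: the TXT records that would be published at _dmarc.<domain>
DMARC_RECORDS = {
    "acne-bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@acne-bank.example",
    "monitoring.example": "v=DMARC1; p=none; sp=quarantine; pct=100",
}

# Constructed stand-in for the Public Suffix List used to find organisational domains.
PUBLIC_SUFFIXES = {"example", "co.example"}


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a usable DMARC record
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """The registrable domain: one label below the longest public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def find_policy(from_domain):
    """Return (policy, applies_to_subdomain): the From domain's own record,
    else its organisational domain's record (RFC 7489 section 6.6.3)."""
    if from_domain in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[from_domain]), False
    org = organizational_domain(from_domain)
    if org != from_domain and org in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[org]), True
    return None, False


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for;
    dkim_domain is the d= of a signature that verified, or None if there is none.
    """
    policy, is_subdomain = find_policy(from_domain)
    if policy is None:
        return "none", "accept"  # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "accept"
    requested = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(requested, "accept")


if __name__ == "__main__":
    # A phisher's server: SPF passes for his own envelope domain, no DKIM from the bank.
    print(dmarc_disposition("acne-bank.example", "pass", "phish.example", "none", None))
    # The bank's ESP: foreign envelope domain, but a DKIM signature with d=acne-bank.example.
    print(dmarc_disposition("acne-bank.example", "pass", "esp.example", "pass", "acne-bank.example"))
```

The second case is the everyday ESP situation: SPF passes but does not align because the envelope domain belongs to the ESP, so the aligned DKIM signature is what carries the message through a p=reject policy. Without that signature the bank's own newsletters would be rejected alongside the phishing.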

Learn to create a DMARC record (Documentation by Google)

Authentication data is more important now than ever

Since email authentication first took off in 2004, more and more companies have been setting up their authentication data correctly. According to Google's blog, 91.4% of non-spam emails sent to Gmail users come from authenticated senders.

And while this is a good thing, you have to realise that it leaves Nigerian princes and other spammers with a smaller pool of company names they can hijack.

So if you're not setting up your authentication data correctly, you have a higher chance than ever of being a victim of spoofing. If you haven't done so already, set up your authentication data now.