
How to prevent sender and domain spoofing using SPF, DKIM, DMARC, and Email Impersonation Control


Article ID: 172597

Products

Email Security.cloud

Issue/Introduction

You would like to learn how to protect your users against inbound spoofed emails (aka BEC scam) and how to prevent unauthorized parties from using your own domain via authentication mechanisms such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Email Impersonation Control (EIC).

Resolution

Overview

Symantec Email Security.cloud supports several email authentication mechanisms that help prevent spoofed emails.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Email Impersonation Control (EIC) are mechanisms you can use both to stop malicious actors from spoofing your own domain and to detect inbound spoofed messages. SPF, DKIM and DMARC are open standards published as IETF RFCs (SPF: RFC 7208; DKIM: RFC 6376, with RFC 5585 as the service overview; DMARC: RFC 7489) and are deployed by publishing TXT records in the Domain Name System (DNS). EIC is a service specific to Email Security.cloud.

 

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) record is a TXT record in the domain's DNS that lists the IP addresses (directly, or by reference to other domains' lists via include:) authorized to send email on behalf of that domain. The receiving server looks up the record for the domain in the envelope sender (MAIL FROM, also seen as Return-Path) and checks whether the connecting IP is listed. The record's final term decides the result for unlisted sources: -all produces a hard fail, ~all a soft fail. Note that SPF checks the envelope sender, not the From: header that the user sees; DMARC (below) adds that check.
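The following added example (not Email Security.cloud code) shows how a receiver evaluates an SPF record for a connecting IP. The domains and TXT records in DNS_TXT are constructed sample data standing in for live DNS lookups; it covers the ip4, ip6, include and all mechanisms, the hard-fail versus soft-fail distinction, and the 10-lookup limit that turns a self-including record into a permanent error.

```python
"""Minimal SPF check_host() (RFC 7208) for the ip4, ip6, include and all mechanisms.

Added example; not Email Security.cloud code. DNS_TXT below is constructed
sample data with hypothetical domains standing in for live TXT lookups.
"""
import ipaddress

DNS_TXT = {
    # Your own domain: your mail range plus your provider's list, hard fail otherwise.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    # The provider's published list, referenced via include:.
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A domain that only soft-fails unlisted senders.
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    # A broken record that includes itself forever.
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def check_host(ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) for the
    connecting address `ip`. Returns pass, fail, softfail, neutral, none
    or permerror, as a receiver would before deciding on an action."""
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include: evaluation
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published: nothing can be concluded
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # -all => hard fail, ~all => soft fail
        if name in ("ip4", "ip6"):
            # Membership is False when the address family differs, so an IPv6
            # client never matches an ip4: mechanism and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many lookups: record is invalid
            sub = check_host(ip, arg, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # include: of a missing or broken record
            # fail, softfail or neutral inside an include: keep evaluating
        else:
            return "permerror"  # a, mx, exists, redirect= not implemented here
    return "neutral"  # record ended without an all term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"),
                       ("2001:db8:1::5", "example.com"),
                       ("203.0.113.9", "example.com"),
                       ("203.0.113.9", "softfail.example"),
                       ("203.0.113.9", "loop.example"),
                       ("203.0.113.9", "nospf.example")]:
        print(f"{ip:>14} as {domain:<26} -> {check_host(ip, domain)}")
```

The result alone is not a verdict: a gateway still has to map softfail, neutral, none and permerror to an action, which is why the ending qualifier you publish for your own domain matters.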

 

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) adds a digital signature to outbound emails. The sending server hashes the message body and a chosen set of headers and signs the result with the signing domain's private key, which is stored on the sending server; the signature, the body hash and the list of signed headers travel in a DKIM-Signature header. The recipient server fetches the matching public key from DNS (a TXT record at <selector>._domainkey.<domain>, where the selector is named by the signature's s= tag) and verifies the signature. A successful verification means the signed headers and the body have not been altered since signing and that the domain in the signature's d= tag vouches for the message. DKIM by itself does not say whether that domain matches the visible From: address; DMARC adds that check.
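The following added example (not Email Security.cloud code) implements the body-hash part of DKIM verification, which is what detects content tampering: it canonicalizes the body with the algorithm named in the signature's c= tag and compares the computed hash with the bh= tag. The message, the domain example.com and the selector sel2024 are constructed for the demo, and the b= tag is a placeholder; verifying b= over the headers additionally requires the public key from <selector>._domainkey.<domain> and is not implemented here.

```python
"""DKIM (RFC 6376) body-hash check: the tamper-evidence step of verification.

Added example; not Email Security.cloud code. The message, domain and selector
are constructed for the demo. The b= signature over the headers is a
placeholder and is not verified here (that needs the DNS-published public key).
"""
import base64
import hashlib
import re


def canonicalize_body(body, algorithm):
    """RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed) body canonicalization."""
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        # Strip trailing whitespace and collapse runs of WSP to one space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()  # ignore empty lines at the end of the body
    if not lines:
        return "" if algorithm == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"  # body always ends with CRLF


def body_hash(body, algorithm="relaxed"):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, algorithm).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(headers):
    """Return the tag=value pairs of the first DKIM-Signature header, or None."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)  # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = {}
            for part in value.split(";"):
                key, _, val = part.partition("=")
                if key.strip():
                    tags[key.strip()] = re.sub(r"\s+", "", val)  # FWS is allowed in values
            return tags
    return None


def key_record_name(tags):
    """DNS name of the TXT record holding the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(message):
    """pass if the body still matches bh=, fail if it was altered, none if unsigned."""
    headers, _, body = message.partition("\r\n\r\n")
    tags = parse_dkim_signature(headers)
    if tags is None or tags.get("v") != "1" or "bh" not in tags:
        return "none"
    canon = tags.get("c", "simple/simple").split("/")
    body_alg = canon[1] if len(canon) == 2 else "simple"  # body part defaults to simple
    return "pass" if body_hash(body, body_alg) == tags["bh"] else "fail"


# Constructed sample body with trailing whitespace and blank lines at the end.
BODY = "Please pay the attached invoice.  \r\n\r\nThanks,\t \r\nAlice\r\n\r\n\r\n"


def build_signed_message(body):
    """Signer side: emit a message whose bh= matches `body` (b= is a placeholder)."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        f" s=sel2024; h=from:to:subject; bh={body_hash(body)};\r\n"
        " b=<signature-over-headers-omitted>\r\n"
        "From: Alice <alice@example.com>\r\n"
        "To: Bob <bob@example.net>\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )


SIGNED = build_signed_message(BODY)
# A content-rewriting hop (or an attacker) breaks the body hash...
TAMPERED = SIGNED.replace("Please pay", "Please urgently pay")
# ...while trailing-whitespace changes survive relaxed canonicalization.
REWRAPPED = SIGNED.replace("invoice.  \r\n", "invoice.\r\n")
```

Relaxed canonicalization is the usual choice for outbound signing precisely because intermediate servers routinely rewrite whitespace; a signature that breaks on such benign changes causes DKIM (and therefore DMARC) failures for your own legitimate mail.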

 

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Domain-based Message Authentication, Reporting and Conformance (DMARC) lets a domain owner publish a policy (p=none, p=quarantine or p=reject, in a TXT record at _dmarc.<domain>) that tells recipients what to do when a message fails authentication. A message passes DMARC only if it passes SPF or DKIM and the authenticated domain is aligned with the domain in the From: header the user sees: for SPF the envelope sender (MAIL FROM) domain must match the From: domain (SPF alignment), and for DKIM the d= domain in the signature must match it (DKIM alignment). This alignment requirement is what stops an attacker from passing SPF or DKIM for a domain they control while displaying yours in the From: header. DMARC also provides aggregate reporting (the rua= tag) on how your domain is being used, including which sources send as your domain and which of them fail SPF and DKIM checks.
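The following added example (not Email Security.cloud code) shows the DMARC decision a receiver makes once it has SPF and DKIM results: alignment of each authenticated domain with the From: domain under the record's aspf= and adkim= modes, then the published p= (or sp= for subdomains) policy when nothing aligns. The policy record for example.com is constructed, and the organizational-domain logic is simplified to the last two labels; a real implementation consults the Public Suffix List.

```python
"""DMARC (RFC 7489) alignment and policy evaluation from SPF/DKIM results.

Added example; not Email Security.cloud code. Inputs are the SPF and DKIM results
a receiver has already computed plus the constructed TXT record it would fetch
from _dmarc.<From domain>. Organizational-domain derivation is simplified to the
last two labels; a real implementation consults the Public Suffix List.
"""


def org_domain(domain):
    """Simplified organizational domain (e.g. news.example.com -> example.com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """tag=value pairs of a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf, dkim, record):
    """from_domain: domain of the RFC5322.From header the user sees.
    spf: (result, MAIL FROM domain). dkim: list of (result, d= domain).
    Returns (dmarc_result, disposition) where disposition is what the
    published policy asks the receiver to do: none, quarantine or reject."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # no usable policy published
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")  # at least one aligned, authenticated identifier
    policy = tags["p"].lower()
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()  # subdomain policy applies to subdomains
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return ("fail", policy)


# Constructed policy for the hypothetical domain example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    cases = {
        "own bounce domain, SPF pass": ("example.com", ("pass", "bounce.example.com"), [], RECORD),
        "third-party DKIM pass, SPF fail": ("example.com", ("fail", "attacker.example"),
                                            [("pass", "mailprovider.example")], RECORD),
        "subdomain, nothing aligned": ("news.example.com", ("fail", "attacker.example"), [], RECORD),
    }
    for label, args in cases.items():
        print(f"{label:<34} -> {evaluate_dmarc(*args)}")
```

The second case is the one that matters for spoofing: the message carries a valid DKIM signature, but from a domain that is not yours, so DMARC fails and your p=reject policy applies even though DKIM itself reported pass.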

 

Email Impersonation Control (EIC)

Email Impersonation Control (EIC) guards against inbound spoofed emails that pretend to be from a person inside your organization. It combines two checks, Domain Impersonation Control and User Impersonation Control:

  • Domain Impersonation Control guards against inbound spoofed messages pretending to originate from your domain.
  • User Impersonation Control guards against inbound spoofed messages that use the First Name and Last Name of people inside your organization.

 

Preventing Others From Spoofing Your Domain

SPF Record

  • To ensure that only authorized sources can send email as your domain, add the appropriate SPF TXT record to the domain's DNS, listing every source that legitimately sends as the domain, and end it with -all so that unlisted sources receive a hard fail.

Documentation:
Implement SPF records for Email Security.cloud
http://www.openspf.org/
 

DKIM Signing

  • We recommend using the Email Security.cloud platform to sign your outbound emails with a DKIM signature:
    Navigate to ClientNet -> Services -> Outbound DKIM Signing Settings and enable DKIM for your domain.

Documentation:
Configuring DKIM signing for outbound Email Security.Cloud
http://www.dkim.org/
 

DMARC Record

  • If you wish to implement a DMARC policy for your domain, add the appropriate DMARC TXT record at _dmarc.<yourdomain> in the domain's DNS settings. Start with p=none and review the aggregate reports to confirm all legitimate senders pass with alignment before moving to quarantine or reject; otherwise your own mail may be rejected.

Documentation:
Enabling spoofed sender detection with DMARC
https://dmarc.org/

 

Preventing Inbound Spoofed Emails

SPF Record

  • To validate inbound emails against the sending domain's SPF record, you must enable SPF scanning in the Anti-Spam settings of the Email Security.cloud portal.
  • Navigate to ClientNet -> Services -> Anti-Spam, enable the "Use SPF" check box and select the desired Action to take (Recommendation: Block and Delete).
  • Note: action is taken only when the sending domain's SPF record ends in a hard fail (-all) and the check fails. A soft fail (~all) result is ignored unless the sending domain's DMARC policy instructs otherwise.

Documentation:
Implement SPF records for Email Security.cloud
Overview of AntiSpam detection settings and actions
http://www.openspf.org/
 

DMARC Record

  • To validate inbound emails against the DMARC policy of the sending domain, enable DMARC scanning in the Anti-Spam settings of the Email Security.cloud portal.
    Navigate to ClientNet -> Services -> Anti-Spam, enable the "Use DMARC" check box and select the desired Action (Recommendation: Use sender's DMARC policy, so that the disposition the domain owner published is applied).

Documentation:
Enabling spoofed sender detection with DMARC
Overview of AntiSpam detection settings and actions
https://dmarc.org/
 

Email Impersonation Control (EIC)

  • To prevent inbound emails from Domain Impersonation and User Impersonation, you can configure EIC in the Email Security.cloud portal by doing the following:
    Navigate to ClientNet -> Services -> Email Impersonation Control Settings and read the Documentation on how to enable EIC.
     
  • Documentation:
    Email Impersonation Control (EIC) Deployment

 

Testing Tools

  • The following tools are not affiliated with Email Security.cloud or Symantec, but can help you build and test your SPF, DKIM and DMARC DNS records:

https://mxtoolbox.com/NetworkTools.aspx
https://dmarcian.com/dmarc-tools/
https://dkimcore.org/tools/