37) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.
What is it?
SPF, DKIM, and DMARC are 3 complimentary protocols/standards that help enhance email security as follows:
SPF (Sender Policy Framework) works in conjunction with your Domain Name System (DNS) servers to help restrict who can send emails from your domain and allows you to prevent email domain spoofing. It enables your mail server to determine when a message came from the domain that it claims to be from. SPF has three major elements: a policy framework as its name implies, an authentication method, and specialised headers for use in the actual email that convey this information.
DKIM (DomainKeys Identified Mail) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised. It works by adding a digital signature to the headers of an email message using asymmetric encryption principles. That signature can be validated against a public cryptographic key in the organization’s DNS records. This also provides non-repudiation.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the first two protocols together with a consistent set of policies dictating what your mail servers will and will not accept. A DMARC record on your DNS server includes the necessary information for SPF and DKIM to work effectively.
Why should I have it?
There are a few good reasons that you would want to implement DMARC, DKIM, and SPF besides the immediate security benefits mentioned above (such as those stemming from your email being controlled and authenticated to guarantee its origin).
One is your domain’s reputation. Publishing a DMARC record protects your domain by preventing unauthenticated parties from sending mail from it. This means your domain will be more trusted and less likely to be filtered by third parties or blocked by spam filters.
DMARC also increases your visibility into your domain’s email, giving additional information on what is being sent out from your domain. This can be particularly useful as many organisations no longer use a single centralised on-premise email server, which has made getting this information more difficult.
Using these standards also helps promote their adoption which is slowly resulting in a more trustworthy email eco-system throughout the Internet.
How to implement the control
Before implementing DMARC, you should create a policy dictating exactly what controls you would need. This should be a collaborative effort that reflects your business needs and IT capabilities.
The actual implementation will vary depending on your email infrastructure. If you use on-premise or dedicated email and DNS servers you will need to follow the configuration guidance applicable to their particular DNS and Email services, which are typically part of the operating system. If you use cloud-based email and DNS services, such as Microsoft 365, you will typically find all the relevant configuration options in the management console. You can also use third party services such as OnDMARC to help.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing these technical controls to meet your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
