Spam and Email
What’s to talk about?
Some of the large email providers like Yahoo and Google recently made news by announcing new email authentication requirements for bulk commercial senders. The announcements throw around technical terms like SPF, DKIM, and DMARC. You may be wondering what these things are. Wonder no more.
Throughout this discussion, I’ll sometimes be using the analogy of physical mail to simplify. As with any simplification, it means it won’t be completely accurate, but it should at least be easy to follow. Consider your mail server as a post office. Each email account is a PO Box. There’s a slot in the front door that accepts mail from anyone, but only to that post office’s boxes. Other post offices can send goblins with mail they’ve processed that is destined for that post office, and if you’re trying to send mail to another post office, yours will send a goblin with that mail to the right post office. This is how the Internet email system worked from the beginning until the late Aughts.
SPF
One of the big problems discovered early on was that since the server accepts email from anyone, unwanted advertisements (“spam”) became common, quickly. Believe it or not, the first recorded unsolicited advertising email was sent in 1978. By the end of the 1990s, rogue goblins were delivering boxes and boxes of ads to every post office they could find, addressed to every possible variation of email address. SPF was one of the first widely adopted attempts to slow this down. SPF (Sender Policy Framework) lets an organization publish, in a DNS TXT record for its domain, the list of servers allowed to send email with its return address. To use the analogy, only authorized goblins from your post office can deliver mail with your return address on it. One caveat worth knowing: the “return address” SPF checks is the envelope sender (the bounce address the sending server announces), not the From line you see in your mail client. The two are usually the same, but they don’t have to be.
There are a number of issues with how this works in practice, and it shouldn’t come as a surprise that this didn’t solve spam forever. SPF breaks when mail is forwarded, because the forwarding server isn’t on your list. It says nothing about the From line a recipient actually reads. And many organizations don’t publish a record at all, which leaves receivers with no way to tell whether a message claiming to come from that organization is legitimate. The list is also only as specific as the addresses on it: if you use Google as your mail provider, your SPF record authorizes Google’s sending servers, and those same servers are shared with every other Google customer, so SPF by itself cannot tell your mail apart from anyone else’s mail leaving those servers with your return address on it. This led directly to…
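To make the SPF mechanics concrete, here is a small evaluator, added as an example for this post rather than taken from any mail server’s code. The domains, addresses and records in its DNS_TXT table are constructed stand-ins (reserved example names), and it implements only the ip4, ip6, include and all mechanisms. It also shows the shared-provider weakness described above: two unrelated customers both include the same provider, so the same provider IP passes SPF for either of them.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These are reserved example
# names and addresses, not real domains or real SPF records.
DNS_TXT = {
    "acme.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.provider.test -all",
    "rival.test": "v=spf1 include:_spf.provider.test ~all",
    "_spf.provider.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # "nospf.test" deliberately publishes nothing
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate domain's SPF record for mail arriving from sender_ip.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists, ptr
    and the redirect= modifier are reported as permerror here.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, sender_ip, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no explicit 'all'


def demo():
    """The same provider IP passes for two unrelated customers: SPF sees only the IP."""
    return {
        "acme from own server": check_spf("acme.test", "203.0.113.7"),
        "acme via provider": check_spf("acme.test", "198.51.100.9"),
        "rival via provider": check_spf("rival.test", "198.51.100.9"),
        "acme via provider v6": check_spf("acme.test", "2001:db8:1::1"),
        "acme from stranger": check_spf("acme.test", "192.0.2.1"),
        "rival from stranger": check_spf("rival.test", "192.0.2.1"),
        "domain with no record": check_spf("nospf.test", "192.0.2.1"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-24s %s" % (label, result))
```

Note the difference between the two customers’ closing mechanism: acme.test uses -all, so an unlisted server is a hard fail, while rival.test uses ~all, which only asks receivers to treat the mail with suspicion. A domain with no record at all comes back as none, which most receivers treat as “no opinion”.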
DKIM
DKIM stands for DomainKeys Identified Mail. There’s a bit to unpack here, but before we start I need to very, very briefly discuss cryptography, and specifically public and private keys. To keep it as simple as possible, keys come in pairs: a private key that is kept secret, and a public key, derived from it, that can be handed to anyone. The private key is used to sign a message, and anyone holding the public key can check that signature. (Keeping a message secret is the other direction, encrypting with the public key so that only the private key can decrypt it, and that isn’t what DKIM does.) The important part for this discussion is that only someone with the private key can produce a valid signature, and checking it with the public key confirms both that the message came from the key holder and that nothing covered by the signature has changed since it was signed.
With that completely clear, DKIM works by publishing the public key in a known place (a DNS TXT record named after a “selector”, like selector._domainkey.yourdomain) and then having your mail server sign each outgoing email with the private key. The signature travels in a DKIM-Signature header and covers a hash of the message body plus a chosen set of headers, From and Subject among them. When the email arrives at its destination, the receiving server looks up the public key the signature names and verifies the signature, which confirms both that the message was signed by someone holding the private key (and presumably therefore authentic) and that nothing covered by the signature was changed in transit.
This generally works well when properly configured, especially together with SPF’s list of allowed servers, and because the signature rides inside the message it survives forwarding in a way SPF does not. The catch is that it can be complicated to keep correct, and if third parties send email on your behalf (mailing lists, websites, invoicing tools, and the like) each of them needs to sign with a key published under your domain, which can be complicated or, for some senders, impossible to arrange. Mailing lists in particular often rewrite the subject or add a footer, which breaks the signature.
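The sign-and-verify round trip described in the DKIM section, as an added example written for this post (not code from any mail software). It implements the “relaxed” canonicalization rules from RFC 6376, computes the body hash (bh=) and signs the covered headers. Everything else is an assumption for illustration: the key is a toy RSA pair built from two Mersenne primes so the block runs on the standard library alone (real DKIM keys are 1024- or 2048-bit RSA or Ed25519 and this one offers no actual security), the DNS_DKIM table stands in for the DNS lookup, and the sample message is constructed.

```python
import base64
import hashlib
import re

# Toy RSA key from two Mersenne primes so this runs on the standard library
# alone. Real DKIM keys are 1024- or 2048-bit RSA (or Ed25519); this pair is
# far too small to be secure and is here only to show sign-versus-verify.
_P, _Q = 2**107 - 1, 2**127 - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# Constructed stand-in for the DNS TXT record at <selector>._domainkey.<domain>.
# A real record carries the key as base64 DER in a p= tag; we keep the integers.
DNS_DKIM = {"s1._domainkey.example.test": {"v": "DKIM1", "k": "rsa", "n": RSA_N, "e": RSA_E}}


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization: trim line-end WSP, collapse WSP
    runs to one space, drop trailing empty lines, CRLF line endings."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def relaxed_header(name, value):
    """RFC 6376 relaxed header canonicalization: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value


def body_hash(body):
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def _hash_int(data, n):
    # Reduce the digest into the toy modulus; real RSA-SHA256 uses PKCS#1 v1.5 padding.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_message(headers, body, domain="example.test", selector="s1"):
    """Return the DKIM-Signature header value for (headers, body).
    headers is a list of (name, value) pairs; all of them are covered (h=)."""
    tags = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=" % (
        domain, selector, ":".join(n for n, _ in headers), body_hash(body))
    data = "".join(relaxed_header(n, v) + "\r\n" for n, v in headers)
    data += relaxed_header("DKIM-Signature", tags)  # with b= empty, no trailing CRLF
    sig = pow(_hash_int(data.encode(), RSA_N), RSA_D, RSA_N)
    return tags + base64.b64encode(sig.to_bytes((RSA_N.bit_length() + 7) // 8, "big")).decode()


def verify_message(headers, body, dkim_sig):
    """Verify as a receiving server would. Returns (ok, reason)."""
    tags = dict(t.strip().split("=", 1) for t in dkim_sig.split(";") if t.strip())
    key = DNS_DKIM.get("%s._domainkey.%s" % (tags["s"], tags["d"]))
    if key is None:
        return False, "no key published"
    if tags["bh"] != body_hash(body):
        return False, "body hash mismatch"
    present = {n.lower(): v for n, v in headers}
    data = ""
    for name in tags["h"].split(":"):
        if name.lower() not in present:
            return False, "signed header %s missing" % name
        data += relaxed_header(name, present[name.lower()]) + "\r\n"
    # The signature header itself is covered too, with the b= value blanked.
    data += relaxed_header("DKIM-Signature", re.sub(r"(;\s*b=)[^;]*$", r"\1", dkim_sig))
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(sig, key["e"], key["n"]) != _hash_int(data.encode(), key["n"]):
        return False, "signature invalid"
    return True, "pass"


# Constructed sample message.
HEADERS = [("From", "Alice <alice@example.test>"), ("To", "bob@other.test"), ("Subject", "Invoice  #42")]
BODY = "Please pay the attached invoice.   \n\n\n"


def demo():
    sig = sign_message(HEADERS, BODY)
    return {
        "intact": verify_message(HEADERS, BODY, sig),
        "body changed": verify_message(HEADERS, BODY.replace("attached", "revised"), sig),
        "from changed": verify_message([("From", "Alice <alice@evil.test>")] + HEADERS[1:], BODY, sig),
        "whitespace only": verify_message(HEADERS, "Please  pay the attached invoice.\n", sig),
    }
```

The last case is the reason “relaxed” canonicalization exists: a server along the way that reflows whitespace or strips trailing blank lines does not invalidate the signature, while changing a word in the body or the From header does. A mailing list that appends a footer changes the body hash, which is the breakage mentioned above.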
DMARC
This brings us to the big one, Domain-based Message Authentication, Reporting and Conformance, or DMARC. If you’re still following along, this is very simple to describe. DMARC sets overall rules for what to do with email claiming to be from your organization based on the results of SPF and DKIM. It adds one essential ingredient, alignment: the domain in the From line that people actually see has to match the domain SPF checked (the return address) or the domain named in the DKIM signature. Without that requirement, a spammer could pass SPF for a domain they own while putting your name on the From line. The policy itself is a DNS TXT record at _dmarc.yourdomain, and its main setting, p=, tells receivers to do nothing, quarantine (usually the spam folder), or reject outright when a message fails.
As easy as it is to describe, it’s easy to get wrong, and if you get it wrong you risk having reputable mail servers rejecting all of your authentic email. DMARC passes when either SPF or DKIM passes for an aligned domain, so every place that legitimately sends mail as you (your own server, your newsletter tool, your invoicing system) needs at least one of the two working, and ideally both. As part of the process, receivers send aggregate reports, usually once a day, to the address you name in your DMARC record (the rua= tag), summarizing which messages claiming to be from you passed or failed and what was done with them. These XML reports are dense, but reviewing them is how you find the legitimate senders you forgot about. DMARC has its own test mode for exactly this purpose: a policy of p=none asks receivers to report but take no action, so you can fix your senders before moving to p=quarantine and then p=reject. By combining SPF and DKIM and requiring that the domain they authenticate matches the From address, DMARC allows very high levels of confidence that an email claiming to be from you actually came from you.
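Here is the DMARC decision, alignment included, as an added example for this post (it is not code from any mail provider). It takes the SPF and DKIM outcomes a receiver has already computed and combines them with a published policy. The DNS_DMARC table and every domain in it are constructed; the organizational-domain logic is simplified to “last two labels”, where a real implementation uses the Public Suffix List, and the pct= tag is ignored. It goes a little beyond the text by also showing the subdomain policy (sp=) and strict versus relaxed alignment.

```python
# Constructed stand-in for the DNS TXT records at _dmarc.<domain>.
DNS_DMARC = {
    "_dmarc.acme.test": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@acme.test",
    "_dmarc.monitor.test": "v=DMARC1; p=none; rua=mailto:reports@monitor.test",
}


def parse_dmarc(record):
    """Parse a DMARC record into a tag dict; None if it is not a usable record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    implementation consults the Public Suffix List so co.uk and friends work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_policy(from_domain):
    """Look up _dmarc.<from_domain>; fall back to the organizational domain,
    where the sp= tag (subdomain policy) applies if present."""
    policy = parse_dmarc(DNS_DMARC.get("_dmarc." + from_domain.lower(), ""))
    if policy:
        return policy, policy["p"]
    org = org_domain(from_domain)
    if org != from_domain.lower():
        policy = parse_dmarc(DNS_DMARC.get("_dmarc." + org, ""))
        if policy:
            return policy, policy.get("sp", policy["p"])
    return None, None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with alignment and the published policy.
    spf_domain is the envelope-sender domain SPF was checked against;
    dkim_domain is the d= tag of a signature that verified."""
    policy, disposition_on_fail = find_policy(from_domain)
    verdict = {"result": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    if policy is None:
        return verdict
    verdict["spf_aligned"] = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    verdict["dkim_aligned"] = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if verdict["spf_aligned"] or verdict["dkim_aligned"]:
        verdict["result"] = "pass"
    else:
        verdict["result"] = "fail"
        verdict["disposition"] = disposition_on_fail
    return verdict


def demo():
    return {
        "direct from acme": evaluate_dmarc("acme.test", "pass", "acme.test", "pass", "acme.test"),
        # SPF and DKIM both pass, but for domains the attacker controls, not for the From line
        "spoof via shared provider": evaluate_dmarc("acme.test", "pass", "attacker.test", "pass", "provider.test"),
        # forwarding breaks SPF, the DKIM signature still carries the day
        "forwarded": evaluate_dmarc("acme.test", "fail", "acme.test", "pass", "acme.test"),
        "subdomain, nothing set up": evaluate_dmarc("news.acme.test", "none", None, "none", None),
        "subdomain, strict dkim": evaluate_dmarc("news.acme.test", "fail", "news.acme.test", "pass", "acme.test"),
        "monitoring only": evaluate_dmarc("monitor.test", "fail", "monitor.test", "fail", "monitor.test"),
        "no policy published": evaluate_dmarc("nodmarc.test", "pass", "nodmarc.test", "none", None),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-28s %s -> %s" % (label, verdict["result"], verdict["disposition"]))
```

The “spoof via shared provider” case is the one that matters: SPF and DKIM both pass, yet DMARC rejects, because neither passing domain is acme.test. The “monitoring only” case shows what p=none looks like from the receiver’s side: the message fails, nothing is done to it, and the failure simply shows up in the aggregate report.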
Summary, and so what?
When done correctly from top to bottom (DMARC builds on SPF and DKIM), these three systems can assure you and your customers that when an email claims to be from you, it actually is. As of February 2024, several of the larger email providers require bulk senders to have all three in place or risk having their mail rejected, and they ask every sender, large or small, to have at least SPF or DKIM set up. The good news is that if you’re reading this blog to learn what SPF is, you’re probably not a big enough player to be hit by the bulk-sender rules… today.
On the other hand, with a little bit of knowledge and experience, it’s not difficult at all to have all three systems working, and working well. In addition to future-proofing for when email providers start requiring it of everyone, having these safeguards in place goes a long way to reducing the reputational risk of spoofed emails.
Do you need help with your small business’s IT? Please fill out our contact form and let us know! Homestead IT Support can provide:
• Networking consultation
• Planning and scoping of your business IT needs
• Hardware acquisition, installation, and maintenance
• Printers, scanners, faxes, and imaging needs
• Troubleshooting
• Getting technology to work for you
Thank you for reading this blog. If you have any technology questions you’d like to see addressed, please help me write next month’s blog by asking them! Feel free to reach out to me at it@homesteadbookkeeping.com.