Over 90% of network-related attacks involve email in some fashion. This means that every step to harden email services should be taken by your organization. The rise of communication tools such as Slack, Microsoft Teams, and Discord has allowed teams to converse less formally, but email is still used for the formal side of any organization. Email is critical for communicating with stakeholders, staff, users, and external parties. Thus, these systems need to be set up correctly and securely.
Organizations that are just starting out often do not have security on their mind, not because they do not value it but rather because the resources are not available or are frankly too expensive. A recent survey from Valimail, a leading email security firm based in California, stated that only 17% of internet domains have a DMARC policy. Wow! This means that 83% of domains do not have an enforcement policy enabled to prevent fake or malicious messages. I have a heart for small businesses that are operating with little consulting or experience with security. I would hate to see the little mom-and-pop shop on the corner attacked through a simple incorrect email setup, or even worse, a malicious actor sending bad emails to their customers. This post will hopefully help those who need a little extra reminder or help with setting up email security. Several free solutions and techniques can be used to secure the sending and receiving of messages.
Why does secure email matter for any organization?
Secure email is crucial to any organization because it reduces risk, prevents future lawsuits and lost customers, and frankly makes life easier by not having to deal with future incidents. The CIA triad is a major player in this conversation. For those who do not know, the CIA triad is confidentiality, integrity, and availability. Read more about it here!
CIA Triad. Credit: F5
Email should be secured because it is the public-facing contact between the business and the public. Thus, integrity is desired to ensure that messages are legitimate and truthful. Email messages can contain sensitive information and should require higher security steps.
What are SPF, DMARC, & DKIM?
SPF, DMARC, & DKIM should be your best friends if you are ready to nail down email security. These are the basic building blocks to secure email infrastructure and ensure message integrity! More importantly, they are free!
- What is SPF?
- SPF, or Sender Policy Framework, is an authentication method used to prevent malicious actors from sending emails on your domain’s behalf and to validate the legitimacy of the message. An SPF record is a TXT record that holds the FQDNs or IPs that are allowed to send on behalf of the domain. It is published on the domain itself, ‘yourdomain.com’. For more info on SPF records, read here!
- What is DMARC?
- DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an authentication method that builds on SPF and DKIM: it tells receiving mail servers what to do with messages that fail those checks and where to send reports, which prevents malicious actors from spoofing the domain and validates the legitimacy of the message. DMARC records are also TXT records but, unlike SPF, they are published on a subdomain, ‘_dmarc.yourdomain.com’. For more info on DMARC records, read here!
With and Without DMARC enabled on ‘yourdomain.com’. Credit: dmarcian.com
- What is DKIM?
- DKIM, or DomainKeys Identified Mail, is another authentication method used to validate the legitimacy of the message sent. The DKIM record is a TXT record that houses the public key used to check the authenticity of the message’s signature when it is received. To learn more about DKIM, read here!
DKIM Process. Credit: dmarcian.com
With the combination of SPF, DMARC, and DKIM any domain can be protected. These tools allow both the sender and the receiver to know that the message was sent from the domain with permission. The next task is how to implement these security measures.
Implementation of SPF
First, organizations need to check whether any existing records are in place. This can be done with a DNS lookup tool such as DNSChecker.org or any similar tool. Begin by typing ‘yourdomain.com’ into the search field and select TXT. For this example, we are going to use ‘substack.com’, the host of this blog! Substack has authorized Google, Mailgun, and Zendesk to send mail on its behalf.
Screenshot from dnschecker.org for ‘substack.com’
Each email provider publishes its record in its documentation. The record may need to be updated based on the services currently in use, and whenever a new service is added the SPF record must be updated so that mail flows properly and messages are not rejected. SPF is a great start to protecting email messages; next we will discuss DMARC. Listed below are the default SPF records for Google Workspace and Microsoft Office 365.
- Google Workspace SPF record (only sending email from Google Workspace): Type: TXT, Host: @, Value:
v=spf1 include:_spf.google.com ~all
- Microsoft Office 365 SPF record (only sending email from O365): Type: TXT, Host: @, Value:
v=spf1 include:spf.protection.outlook.com -all
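As an added example that is not part of the original post, here is a small Python linter for SPF TXT records such as the two above: it checks the v=spf1 prefix, the qualifier on the all mechanism (a ‘+all’ authorizes the whole internet), and the number of DNS-lookup terms against the limit of 10 that RFC 7208 imposes. The records it is run on are the two above plus constructed ones; no DNS is queried.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism name, optional ':value' or '/cidr' argument
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:/](.*))?", re.IGNORECASE)


def lint_spf(record: str) -> list:
    """Return a list of problems found in an SPF TXT record (empty list means it looks sound)."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.com or exp=...
            name = term.split("=", 1)[0].lower()
            if name in LOOKUP_TERMS:
                lookups += 1
            has_redirect = has_redirect or name == "redirect"
            continue
        m = TERM_RE.fullmatch(term)
        if not m:
            problems.append(f"unparseable term: {term!r}")
            continue
        qualifier, mech = m.group(1) or "+", m.group(2).lower()
        if mech == "all":
            all_qualifier = qualifier
            break  # receivers never evaluate anything after 'all'
        if mech in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None and not has_redirect:
        problems.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_qualifier == "?":
        problems.append("'?all' is neutral and gives receivers no usable signal")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (receivers return permerror)")
    return problems
```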
Once the SPF record has been created or typed out, it needs to be published to the internet. This is done with the DNS (name server) provider. For most smaller companies this is managed through the domain host, which can be GoDaddy, Wix, Bluehost, Cloudflare, etc.
The record will need to be validated to ensure that it is working correctly. I have listed a few SPF record checking services.
Implementation of DKIM
DKIM is important to sign emails and validate the authenticity of the message. Each vendor has different instructions for its service. Below, I have listed the links for Google Workspace and Office 365.
Implementation of DMARC
Again, organizations need to check whether any existing records are in place. This can be done with a DNS lookup tool such as DNSChecker.org or any similar tool. Begin by typing ‘_dmarc.yourdomain.com’ into the search field and select TXT to see DMARC records. For this example, we are going to use ‘substack.com’, the host of this blog! Substack has published a DMARC record that rejects unauthorized emails 100% of the time, sends reports, rejects unauthorized mail from subdomains, and uses relaxed SPF alignment.
Screenshot from dnschecker.org for ‘_dmarc.substack.com’
The DMARC record is where the policy, reporting addresses, alignment settings, and more are defined! There are three policies with DMARC: p=none, p=quarantine, and p=reject. None tells the receiving mail system to monitor the email traffic and send reports but take no action, quarantine sends unauthorized emails to the spam folder, and reject ensures that unauthorized email does not get delivered at all.
The ideal configuration for DMARC is ‘p=reject’. However, reaching the full reject policy can take some time. For organizations that are just starting DMARC enrollment, the policy to use is ‘p=none’. This allows for monitoring of emails and outputs a list of senders; it is recommended to keep ‘p=none’ for two to three weeks to gather data. Once this list has been created and added to the SPF record, it is safe to move to ‘p=quarantine’. This is a good alternative if the desired outcome is for unauthorized emails to be delivered but routed to the spam or junk folder. The most secure option is to set the policy to ‘p=reject’; this method rejects unauthorized emails before they reach the inbox. For a deep dive into DMARC, read about it here!
- Default None Policy
v=DMARC1; p=none; rua=mailto:dmarcreportemail@yourdomain.com; ruf=mailto:dmarcreportemail@yourdomain.com; fo=1; pct=100
DMARC Tags
DMARC has various tags that can be used to give a receiving mail server further instructions. The ‘p’ tag defines the policy used (none, quarantine, reject). The ‘pct’ tag is the percentage of mail from the domain to which the policy is applied. A few tags concern reporting: ‘rua’ and ‘ruf’ define the addresses for aggregate and forensic reports respectively, and both should be configured (some of the free services only accept RUA reports). The ‘aspf’ tag is the alignment mode for SPF; the options are relaxed ‘r’ or strict ‘s’. The ‘adkim’ tag is optional and defines the alignment mode for DKIM; the options are relaxed ‘r’ or strict ‘s’. The ‘sp’ tag is the subdomain policy that helps protect subdomains; the options are none, quarantine, and reject. For more information on DMARC tags, read here.
DMARC Reporting
DMARC reporting is helpful because it sends critical information about the outgoing email infrastructure. When these reports or logs are monitored, they show unauthorized senders and what trends are happening within your environment. DMARC reports can be sent to a standard mailbox or to a service that analyzes the data and provides good insights.
DMARC Reporting Vendors
As I mentioned, here is a list of vendors that accept DMARC reports, analyze them, and provide insight into what is happening within the environment.
DMARC Publishing & Validation
Once the record has been created, it needs to be published to the internet. This is done with the DNS (name server) provider. For most smaller companies this is managed through the domain host, which can be GoDaddy, Wix, Bluehost, Cloudflare, etc.
After the record is published it needs to be validated to ensure it is working correctly. I’ve listed a few free tools below to validate the record. Once it says the record is valid, you are good to go!
My perfect DMARC Record
This is my perfect, most secure DMARC record! Unauthorized emails for the top-level domain and subdomains will be rejected. The email reports will be sent to the listed email addresses. The DKIM & SPF alignment is strict and the policy is applied to 100% of mail.
v=DMARC1; p=reject; sp=reject; rua=mailto:emailservicehere@yourdomain.com; ruf=mailto:emailservicehere@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100
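As an added example that is not part of the original post, here is a Python parser for DMARC records that also applies the aspf/adkim alignment modes and the sp subdomain policy from the DMARC Tags section to a message, and rejects a record where the ‘;’ between two tags was forgotten. STRICT_RECORD mirrors the record above with a placeholder reporting address, RELAXED_RECORD is a constructed quarantine record, and org_domain is a two-label approximation rather than a Public Suffix List lookup.

```python
import re

# Constructed sample records: the post's strict record (placeholder address) and a relaxed one.
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:reports@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100"
RELAXED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; pct=100"

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; raise ValueError if it is malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (missing '='): {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        value = re.sub(r"\s*,\s*", ",", value)  # whitespace around list commas is allowed
        if " " in value:  # e.g. 'p=none rua=mailto:...' where the ';' was forgotten
            raise ValueError(f"tag {name!r} runs into the next tag; missing ';' in {part!r}")
        tags[name.lower()] = value
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must begin with v=DMARC1 and carry a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags

def org_domain(fqdn: str) -> str:
    """Approximate the organizational domain as the last two labels (receivers use the Public Suffix List)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(record: str, from_domain: str, spf_domain: str = None, dkim_domain: str = None) -> tuple:
    """Evaluate one message: spf_domain is the MAIL FROM domain that passed SPF, dkim_domain the d= of a
    valid DKIM signature (None when that check failed). Returns (result, policy the receiver should apply)."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail from a subdomain falls under sp= when present, otherwise under p=
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return "fail", (tags.get("sp", tags["p"]) if is_subdomain else tags["p"])
```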
About Garrett Ohrenberg
Garrett Ohrenberg is a seasoned IT Security Professional with over 5 years of experience in network security, identity and access management (IAM), endpoint protection, and cloud operations. Known for his technical expertise and creative problem-solving, Garrett specializes in designing secure, scalable systems that enhance organizational efficiency and resilience.
With a strong foundation in cybersecurity and information technology, Garrett is also skilled in system integrations, virtualization, and OSINT, making him a versatile asset in tackling complex infrastructure challenges. His passion for securing assets and improving systems is matched only by his commitment to lifelong learning and staying ahead of the curve in emerging technologies.
Outside of IT, Garrett is a talented photographer and videographer with expertise in sports, branding, music, editorial, and architectural content creation. Based in Nashville and Kansas City, he thrives on capturing meaningful stories for people and brands, blending his technical and creative talents to deliver exceptional results.
When he’s not securing systems or behind the lens, Garrett enjoys traveling, lifting, and fostering community connections. He’s driven by a passion for growth, innovation, and leaving a positive impact in both his professional and personal endeavors.

