Email Forensic

Stop Email Phishing Attacks with Security Protocols [DKIM, SPF & DMARC]

  • author image

    Written By Abhinav Sethi linkdin

  • calender

    Updated on August 16, 2021

  • clock

    Min Reading 9 Min

Summary: In this article, we have explained how email security protocols DKIM, SPF, and DMARC help in preventing email phishing and other email attacks. We have also shed light on email forensics and explained how it can help in handling a phishing attack. Below, we have shared a free enterprise-grade free enterprise-grade email forensics tool that can be used to combat email phishing in an organization.


Decision-makers in the IT industry are well aware of email phishing attacks that have become rampant. These include Business Email Compromise in which companies are tricked into paying fake invoices and whaling phishing in which the attackers target high-profile executives like CFOs and COOs to steal sensitive information. In fact, even technology giants like Google and Facebook aren't safe as they were duped out of over $100 million during 2013-15 in a massive fake invoice scam (BBC). 

To ward off email phishing attacks, basic security measures like firewalls and Internet security software are not enough. For better protection, you need a deeper understanding of your company's email communication. For that, you need advanced tools like professional email forensics software. These programs can help you parse and study every email that your company sends and receives so that you can identify potential email phishing attacks and limit damage even in situations when an attack has already taken place. However, before you do that, you can consider implementing email security protocols such as DMARC, SPF, and DKIM that have started to become more and more important. 

What are DKIM, SPF, and DMARC?

DKIM, SPF, and DMARC are security techniques that allow you to authenticate your emails. They also inform mail services, ISPs, and other email receivers that certain third-party entities are actually authorized to send emails on your behalf. When used together, these protocols can serve as powerful anti-spam and anti-phishing measures.

What is DKIM?

Domain Keys Identified Mail (DKIM) is an email authentication technique that allows you to verify if an email is actually sent and authorized by the sender. This is done with a DKIM signature which is an encrypted digital signature that's added to an email message. Once the receiver confirms that an email is signed with a genuine DKIM signature, it means that the contents of the email aren't tampered with. 

Schematic Layout of DKIM

Mail Transfer Agent (MTA) creates a hash value for a DKIM signature, which is kept in the listed domain. The email receiver can use the public key registered in the DNS to authenticate the signature. If the signatures obtained from the decryption of Hash Value in the header and the email are identical, the MTA can know for sure that the email isn't tampered with along the passage.

You can set up DKIM with just three steps:

  • Generate the domain key for your domain. There are many key generators that you can use for that, one of which is PuTTYgen. You can read the tutorial on that here.
  • Add the Public Key to your domain's DNS records.
  • Turn on DKIM signing to start adding DKIM signature to all emails that you send in the future. For instance, use DKIM milter which is an open-source service that's easy to deploy. 

What is SPF?

Sender Policy Framework (SPF) is another email authentication technique that can be used to check domain spoofing and prevent spammers from sending messages on behalf of your domain. It comprises three components: an authentication function, specialized headers that are placed in emails, and a policy framework.

Schematic Layout of SPF

An SPF record is a record that's added to your domain's DNS zone. It contains the IP addresses that you want to authorize for sending emails on your behalf. This can really come in handy if you use a hosted email solution like Google, Apple or Office365, or an ESP like Higher Logic.

In SPF technique, the receiver of your email can use "envelope from" address of the message to confirm that the sending IP address is authorized for delivery. If the sending email server is absent in the SPF record, the email is flagged and rejected by the email receiver.

Sample SPF DNS TXT Record

The following is an example of SPF record:

v= spf1SPF version used. 1 is the only version available now as version 2 was discontinued
Ip4IP address/range
Ip6IP address/range
Include:For external domains. Trusted external domains can be added here that may include Salesforce, Mailchimp, etc.
No other featuresOffers video editing, GIF creation, subtitles, overlay, etc.
~allOnly the domain's mail servers and those in the "a" and "include" sections are authorized to send emails for the domain

Your SPF record should look something like this:

v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a protocol that binds DKIM and SPF together. It lays down a clear policy for both and creates an address that can be used to send reports of email messages that are collected by the receivers against a certain domain. It also provides a mechanism through which we can determine if an email is rejected after the implementation of SPF protocol.

Schematic Layout of DMARC

To deploy DMARC, you have to create a DNS record for the domain you want to use in the FROM: address. You can put multiple values in the record, but you have to at least include the following two:

  • (v) directs the receiving server to implement DMARC
  • (p) tells the server what to do in case authentication fails

The 3 Pillars of Email Security Must Work in Tandem

To maintain security on all email frontiers, the three pillars of protocol-based security, i.e. SPF, DKIM, and DMARC must work together. This is because each of them serves a different purpose.SPF defines which mail servers are authorized to send emails on your behalf, DKIM adds digital signatures to your messages for authentication, and DMARC defines how SPF and DKIM work together and also offers a reporting feature.If your email system uses all three protocols, then you can rest assured that your messages are tamperproof and the risk of phishing attacks and other threats are minimized.

Mind the Challenges

SPF, DKIM, and DMARC are powerful email security protocols. However, setting them up for every domain you own can pose a challenge of its own, especially if your company controls many domains and subdomains. If you are using Gmail, then you are in luck, as the company has put down easy-to-follow instructions on domain key generation and DKIM online. You can also find information on setting up different DNS records with cPanel, in case you are using that. Once done, you can also use online tools like DKIMvalidator to verify the end-to-end functionality of your SPF and DKIM configuration.

Despite all the resources and tools that are available today, configuring the framework requires solid craftsmanship and knowledge. This is largely because the commands used by these protocols aren't widely used. Their syntax is also not exactly simple.

If you want to deploy the 3 powerful email security protocols, then the recommended sequence should be SPF, DKIM, and finally DMARC. This is because SPF is the easiest to handle. The hardest of the three, i.e. DMARC must be implemented with monitoring-only mode first.

How Does Email Forensics Help?

IT managers can take measures like security training, robust email-use policies, mock drills, etc. to mitigate email phishing attacks. They can also implement the highly recommended protocols discussed above. However, the truth is that there is no foolproof way to keep email threats at bay. If and when disaster strikes, then companies usually turn to Security Operations Center (SOC) teams for resolution.

SOC teams can take a long time to verify and address a phishing attack as there is a series of steps involved, as follows:

  • The employees forward suspected emails to the SOC team in full and original form. They need to be trained for this to prevent the addition of new risks.
  • The SOC team analyzes the attachments by uploading them to third-party examination websites. Delivery of results can take a long time.
  • The team analyzes the header of each email. It verifies sender's name, address, links, etc. in the email. Additional steps include SPF check, DKIM, check, DMARC check, etc.
  •  If phishing is suspected, the employees are directed to scan all the mailboxes for suspected emails. Without specialized tools, this step can take a long time and there is a high chance of error too.

Clearly, the conventional approach towards handling a phishing attack is time-consuming and undesirable. An advanced email forensic tool such as Stellar Email Forensic, on the other hand, can improve things for the better. For starters, it can make email examination simple and fast by laying out all the details in multiple views like header, hex, attachment, etc. The investigators can also search for suspected emails easily with advanced search functions like Boolean search and regular expression search. Since there is support for multiple file formats like PST, EDB, OST, etc., it can save both time and effort.

DMARC, SPF, and DKIM adoption rates across the globe are improving rapidly as these protocols can greatly enhance email security. However, proper implementation continues to be a challenge. So, it's up to you how you maintain email security until you succeed in that.

76% of people found this article helpful