For many companies, their web domains have become key parts of their business’ brand and identity. However, some companies have not taken the necessary steps to ensure that their emails cannot be impersonated by others. This may not be thought of as being a possible risk, but criminals around the world are doing this every single day.
For Example
To better understand how this can happen, and how easy it may be to do, here is a story example of a simple technology: A letter being sent through the U.S. Postal Service.
ACME Corp. sends out all invoices to their clients each month via mail. They have the ACME Return address in the corner of the envelope and the client’s invoice on the inside.
Now, a hacker named Coyote decides he wants to use ACME’s good name and scam the clients. He produces a fake invoice that looks like ACME’s—except the “remit to” address is a P.O. Box Coyote setup.
A client named Roadrunner receives the fake invoice and sees the return address it came from as ACME, just as it has always been. Roadrunner opens the envelope, sees the invoice and pays it without thinking. ACME has no idea that someone else is sending out these letters on their behalf, and ACME’s clients will lose trust in them if they cannot solve it.
ACME wants to prevent this from happening, so the company contacts its post office and asks to put a record on their company account that says the postal service shall not deliver any mail from ACME unless it originates from that one local post office. This is a simple solution that will greatly reduce the chances of ACME being impersonated.
Tools You Can Use
Sender Policy Framework (SPF) is a similar tool that you can add to your public domain records that specifies which email servers are approved to send out email on your company’s behalf. There is no cost to implement SPF; it is simply additional records that are entered onto the DNS Public records of your domain. This address record is then verified by most E-mail Gateways to ensure the sender is who they say they are.
There are a number of tools out there that can easily validate if a domain’s records are setup correctly. My favorite is MXToolbox (https://mxtoolbox.com/spf.aspx). This allows people to check their own domains for valid SPF Records.
If you check your own domain and the results show a failure, please share this article with your IT professionals to start a conversation about better securing your domain and protecting your company’s identity.
For more details, see this introduction to SPF.
