It’s been known for years that you should take steps to protect your email, but it’s hard to know where to start. Fortunately, recent developments mean there are three easy steps you can take that will help keep your inbox spam-free and keep you from receiving emails that claim to come from other people but aren’t actually from them. This guide explains exactly what DKIM, DMARC, and SPF are and how they work in combination to help prevent your email from being spoofed by spammers or hackers.
## DomainKeys Identified Mail (DKIM)
With DKIM, a cryptographic signature is added to messages in an effort to prevent spoofing. If you use Gmail, Yahoo! Mail, or Microsoft Outlook, you can generate DKIM keys for your domain through your webmail portal’s settings. If your organization uses Office 365 or Google Apps (G Suite), SPF and DMARC will be handled by default. Here are instructions on how to set up DKIM for popular email services. If you want to create your own DKIM key with any service provider, follow these steps:
1. Download OpenDKIM onto a server that is allowed to send outbound mail on port 587. In our example, we use our own server running Apache.
2. In addition, install exim4 or postfix. These two programs allow us to send mail from one account into another automatically if we have multiple accounts with different email providers such as AOL, Hotmail, etc.
3. Send an empty message to your Gmail address. This will be used to verify our domain and create DKIM keys.
4. You will receive an automated response asking you to confirm that you really want to set up DKIM for your domain. To enable verification, simply click the "Verify me now" button provided there.
5. Once verified, Google Cloud will generate a public/private key pair which is unique for each user of your domain. Use them when creating DKIM TXT records in DNS.
6. After setting up the SPF record, go ahead and add a TXT DNS entry containing your public key.
7. Domain validation completes once you enter all required information. It can take several hours before changes are reflected online.

If our solution doesn’t meet your needs, check out another guide showing how to set up Gmail SMTP relay. Using Gmail SMTP relay may not work for everyone, but at least try testing it once if troubleshooting seems to fail. If everything else fails, set up a Gmail forwarding rule instead; while doing so, make sure that the "messages are forwarded as an attachment" option is checked and the "leave the format unchanged" box is unchecked.

## Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC is a free and open email security protocol that authenticates whether or not an email is actually coming from where it claims to be. To do so, DMARC relies on two things: SPF (see below) and DKIM (see above). An easy way to think about DMARC is as a secret handshake between your domain and any email service provider trying to deliver messages on your behalf. After DMARC has verified legitimacy, it reports back on any failures and what actions, if any, need to be taken. This protects you against fraudulent message delivery while giving you insight into whether or not there are problems with how mail is being handled. If you’re still confused, read How to Enable Domain-based Message Authentication, Reporting & Conformance (DMARC) for more info. The gist of it all? Ensure anyone sending emails on your behalf passes muster with both SPF and DKIM. Then set up DMARC to report any failures to you.
## Sender Policy Framework (SPF)
An SPF record is a type of DNS record that allows you to specify which servers are allowed to send email on behalf of your domain. If an email doesn’t pass SPF checks, it can be considered spam or junk mail. Setting up an SPF record ensures that only authorized servers are allowed to send emails for your domain. It’s one way you can help prevent spoofing and phishing attacks by making sure your users know who they’re actually communicating with. You should have at least two SPF records so you don’t lock yourself out of your own email server. The first record should point to your primary/default server, while a second record should include other legitimate sending domains.
## How Leapfrog Market can help you to implement security
DKIM, DMARC, and SPF are DNS records that help identify legitimate emails. They’re relatively simple to set up for personal email addresses but can be more challenging with corporate accounts. If you’re an administrator at a company or agency with multiple email accounts, it may be time to consider security options for your domain, too. You can work with Leapfrog Market’s team of experts to help you decide how best to secure your organisation’s emails. And even if you have no immediate plans to send outbound emails—maybe not ever—it never hurts to put these measures in place on your servers just in case.