Across nations and industries, one technology has been sharing countless secrets for well over two decades. Yes, despite the rise of social media, messaging apps and project management tools, email remains the de facto number one online communication channel — but it’s also a source of much concern when it comes to security.
When you factor in the age of the technology and the incentive for hackers to attempt fraud, it’s easy to see why it continues to bother businesses and individuals alike. It’s actually more of a concern now than ever before, because the advent of multi-factor authentication, cloud storage, digital ecosystems and social logins has left many of us relying on the safety of our email addresses simply to get through the day.
Sadly, it isn’t enough to simply have a complex password and keep it protected, because email can be attacked in other ways: spoofed, faked, and used to manipulate people of all kinds. This is where email security frameworks become vitally important — they make it vastly easier to have confidence in the legitimacy of your emails.
But why is fraud such a threat? What are these frameworks, and how do they help website owners proceed safely? Can you really rely on them to protect you? Let’s take a look.
Why email fraud is such a troubling issue
We’re increasingly moving towards cashless payment, online banking, and remote working that requires extensive and in-depth digital communication (often on sensitive topics). The more we entrust to email, the more enticing it becomes to hackers, especially when the messages involve people who don’t know enough about technology to recognise when they’re being conned.
Someone who knows how to use email but has no idea that email spoofing is even possible won’t think to doubt a fraudulent message. And the yield for fraudsters is far richer than they could ever achieve through phone scams, because they can automate their fraud emails and avoid the extended phone conversations that tend to expose holes in their cover stories.
For legitimate domains, email fraud is a big worry because it makes them look bad. Even if people eventually learn that you weren’t responsible, they’ll still associate your brand with the fraud to some extent. So if you want your domain to be trusted (and people to be safe from attempts to exploit them in your name), you’ll need to secure your emails. Here’s how:
Introducing the most common email security frameworks
The two most widely used email authentication frameworks are SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Both let a receiving server check whether a message really comes from the domain it claims to come from, but they do it in different ways: SPF checks that the sending host name or IP address is on the domain’s approved list, while DKIM checks a cryptographic signature carried in the message header. Let’s look at each in more detail:
How SPF works
When you enable SPF for your domain, you publish a list of the host names and IP addresses that are allowed to send email on its behalf. That list is published as a TXT record in the domain’s DNS, alongside the records that map your domain name to your IP address.
Every mail server that receives an email claiming to come from an address on that domain will take the IP address of the server that delivered it and compare it with the list in the DNS record. If it matches, the email passes the SPF check; if it doesn’t, the receiving server knows that the email did not come from an approved source (or that your configuration has gone badly wrong somewhere, which is why the record is worth testing after you publish it).
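Here is an added example, not code from the article, of the check a receiving server performs: a cut-down SPF evaluator in Python that matches a connecting IP address against a constructed SPF TXT record. The domain names, addresses and records are constructed for the example, and the include: entry models a third-party mailing service that has been approved to send for the domain; only the ip4, include and all terms are handled (a real evaluator also implements a, mx, ip6, redirect= and the DNS lookup limit).

```python
import ipaddress

# Constructed DNS zone standing in for real TXT lookups, so the example runs offline.
# The include: entry is how a third-party mailing service is authorised to send for you.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail-vendor.example -all",
    "mail-vendor.example": "v=spf1 ip4:198.51.100.7 ~all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip sending as domain.

    Handles only ip4, include and all, which is enough to show the mechanism.
    """
    if depth > 10:
        return "permerror"                      # runaway include: chains are an error
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                           # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                         # terms without a prefix mean "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the referenced domain's policy yields "pass"
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                            # unsupported mechanism in this cut-down version
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                            # no term matched and no "all" present


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

Note that SPF is evaluated against the envelope sender (Return-Path) domain rather than the From: header the recipient sees; closing that gap is part of what DMARC adds.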
How DKIM works
When you enable DKIM, it takes a different approach: public-key cryptography. The domain has a private key, which is kept secret and used to cryptographically sign a hidden message placed in the header of each email, and a matching public key, which is added to the DNS record so that anyone can check the signature.
Every mail server that picks up an email purportedly from that domain will take the public key from the DNS record and use it to check the hidden message. If the check succeeds, the server knows that the email was produced by someone holding the domain’s private key and that the signed parts have not been changed since. If it fails, the server knows that the sender has been spoofed (or that the message was altered in transit).
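As an added example (not the article’s code), the DKIM round trip in Python: the sender signs a hash of the body and selected headers with the private key, and the receiver fetches the public key from the selector name under `_domainkey` in DNS and checks the signature, so a modified body or header no longer verifies. The domain, selector, headers and DNS entry are constructed, and the RSA key is a deliberately tiny stand-in built from two known primes so the block runs with the standard library alone; real DKIM uses 1024- to 2048-bit RSA or Ed25519 keys from a proper cryptographic library.

```python
import base64
import hashlib

# Toy RSA key pair from two known Mersenne primes, so the example needs only the standard
# library. It is far too small to be secure: real DKIM uses 1024- to 2048-bit RSA (or
# Ed25519) keys generated with a proper cryptographic library.
_P, _Q = 2**61 - 1, 2**89 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))            # private exponent, never published

# Constructed DNS entry: selector "s1" publishes the public key under _domainkey.
DNS_TXT = {"s1._domainkey.example.com": f"v=DKIM1; k=toy-rsa; n={N}; e={E}"}


def _digest(body, signed_headers):
    # Hash the body, then the listed headers (simple canonicalisation: exact bytes).
    # Only 128 bits of the digest are used so the value stays below the toy modulus.
    h = hashlib.sha256(hashlib.sha256(body.encode()).digest())   # body hash first
    for name, value in signed_headers:
        h.update(f"{name}:{value}\r\n".encode())
    return int.from_bytes(h.digest()[:16], "big")


def dkim_sign(domain, selector, signed_headers, body, private_d=D, n=N):
    # Sending side: sign with the private key and emit the DKIM-Signature header value.
    sig = pow(_digest(body, signed_headers), private_d, n)
    b = base64.b64encode(sig.to_bytes(20, "big")).decode()
    names = ":".join(name for name, _ in signed_headers)
    return f"v=1; a=toy-rsa-sha256; d={domain}; s={selector}; h={names}; b={b}"


def dkim_verify(dkim_header, headers, body):
    # Receiving side: fetch the public key named by d= and s=, recompute the digest
    # over the headers listed in h= plus the body, and compare it with the signature.
    tags = dict(t.strip().split("=", 1) for t in dkim_header.split(";"))
    record = DNS_TXT.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return False                            # no published key: cannot verify
    key = dict(t.strip().split("=", 1) for t in record.split(";"))
    signed = [(name, headers[name]) for name in tags["h"].split(":")]
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return pow(sig, int(key["e"]), int(key["n"])) == _digest(body, signed)


if __name__ == "__main__":
    headers = {"From": "billing@example.com", "Subject": "Your invoice"}
    body = "Please pay invoice 1234 by Friday.\r\n"
    sig = dkim_sign("example.com", "s1", list(headers.items()), body)
    print(dkim_verify(sig, headers, body))                          # True
    print(dkim_verify(sig, headers, body.replace("1234", "9999")))  # False: body altered
```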
What DMARC involves
DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance”, is a framework that builds on SPF and DKIM: it ties their results to the domain shown in the message’s From header, lets you set a policy for messages that fail, and provides reporting.
When you set up DMARC, you specify which of the aforementioned methods should authenticate email from your domain (possibly both), as well as what receiving servers should do with emails that don’t meet your chosen standard: deliver them anyway, quarantine them, or reject them. You can also ask receivers to send you reports, so you’ll know about attempts to impersonate your domain (in the same way that you can get notifications for changes to a WordPress site).
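An added example, not from the article, of how a receiver applies a DMARC policy: it takes the SPF and DKIM outcomes together with the domains they were checked against, requires at least one passing check whose domain aligns with the From: header domain, and otherwise applies the published p= disposition. The record, domains and report address are constructed; the organisational-domain logic is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
def org_domain(domain):
    # Organisational domain, approximated as the last two labels. Real DMARC evaluation
    # uses the Public Suffix List so that names like "example.co.uk" are handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    # Strict ("s") alignment needs an exact match; relaxed ("r") accepts any
    # subdomain of the same organisational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"),
            "adkim": tags.get("adkim", "r"), "rua": tags.get("rua")}


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, disposition) for one message.

    spf_domain is the envelope sender (Return-Path) domain SPF was checked against and
    dkim_domain the d= value of the signature that verified. DMARC passes when at least
    one of the two checks passed AND its domain aligns with the From: header domain."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    dispositions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, dispositions.get(policy["p"], "deliver")


if __name__ == "__main__":
    # Constructed DMARC record: reject failures, strict DKIM alignment, reports to a mailbox.
    rec = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"
    # Legitimate mail: SPF passed for a bounce subdomain, which relaxed alignment accepts.
    print(dmarc_evaluate(rec, "example.com", "pass", "bounce.example.com", "none", None))
    # The same mail after forwarding: SPF fails (forwarder's IP) but the DKIM signature survives.
    print(dmarc_evaluate(rec, "example.com", "fail", "forwarder.example", "pass", "example.com"))
    # Impersonation: the sender's own domain passes SPF and DKIM, but neither aligns with From:.
    print(dmarc_evaluate(rec, "example.com", "pass", "impostor.example", "pass", "impostor.example"))
```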
How to take action to keep your email safe
If you want your emails to be trustworthy, and the recipients to feel secure in accessing them, you should be sure to do everything you can to guard against fraud. At the very least, take the following three steps:
- Carefully protect your email list. Even if you ensure that every email claiming to be from your domain will be checked, it’s still dangerous for fraudsters to get hold of your address list, because plenty of people (often from older generations) won’t actually check the sender very closely if the contents clearly resemble something they recognize. Protect your email list so people will have less of a reason to target your audience (you should be doing this after GDPR anyway).
- Configure a security framework. You can use SPF, DKIM, or DMARC — but whatever you do, be sure to follow best practices for whichever system you’re using and confirm that it’s working. If you use email automation software for your marketing, be sure to set it up as a trusted source so the emails it distributes aren’t rejected as illegitimate upon delivery.
- Warn your subscribers to be careful. Having done everything you can on your side of the equation, it’s still worth reaching out to your audience (especially if it isn’t very tech-savvy) to warn them about the prospect of fraud. Let them know which types of message you’ll send them — and which you’ll never send — and invite them to contact you directly if they’re ever unsure about a message you’ve supposedly sent them.
Do all of this, and you’ll be able to proceed with a much-improved degree of certainty that your emails will be safe and your audience will be sheltered from the huge threat of email fraud.