Anti-spoofing controls – stopping the email impostors

By Euan Henderson

Cyber Security Apprentice

Three controls that should be configured are:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) records

NCSC recommends the following:

All domains should have SPF and DMARC records in place, regardless of whether the domain is used for email.

Whilst a DMARC policy of ‘none’ is useful when setting up your anti-spoofing controls, it should be changed to either ‘quarantine’ or ‘reject’ as soon as you are confident that DKIM and SPF are working correctly, in order to hinder spoofed emails.

DKIM should be configured on the domains from which emails are sent, because it is a stronger authentication mechanism than SPF. It helps recipients validate the legitimacy of emails that have passed through an email relay on their way.

A number of open source or commercial tools can be used to help understand DMARC reports for an organization's domains.

NCSC recommends that DMARC is applied gradually, iterating the DMARC configuration over two or more steps.
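
The recommendations above can be checked mechanically. The following is an added example, not part of the NCSC guidance or the original post: it audits TXT records against those points (SPF present, DMARC present, policy moved beyond ‘none’, rollout complete). The domains and record values are constructed sample data, and the function names are hypothetical.

```python
# Added example: audits constructed DNS TXT data against the recommendations above.

def parse_dmarc(txt):
    """Return the DMARC tag/value pairs, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, txt_lookup):
    """txt_lookup maps a DNS name to its TXT strings, as a resolver would return them."""
    findings = []
    spf = [t for t in txt_lookup.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records")  # receivers treat this as an error
    records = txt_lookup.get("_dmarc." + domain, [])
    dmarc = [d for d in map(parse_dmarc, records) if d is not None]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy == "none":
            findings.append("DMARC policy is 'none' (monitoring only)")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC record has no valid p= tag")
        elif dmarc[0].get("pct", "100") != "100":
            # pct below 100 is an intermediate step of a gradual rollout
            findings.append("DMARC policy applies to only %s%% of mail" % dmarc[0]["pct"])
    return findings

# Constructed sample data; the domains and record values are illustrative.
SAMPLE = {
    "example.org": ["v=spf1 include:_spf.example.net -all", "some-verification=abc"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    "parked.example": [],  # domain not used for email, nothing published
    "example.com": ["v=spf1 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for name in ("example.org", "parked.example", "example.com"):
        print(name, audit_domain(name, SAMPLE) or "meets the recommendations above")
```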

This blog is based on an original publication by NCSC.

For more information on how to configure DMARC and DKIM for email, use the link provided to the NCSC website for the guide they have assembled.