How DKIM, DMARC and SPF can help against phishing


The number of companies falling victim to phishing is still increasing rapidly. Phishers, but also spammers and malware senders often forge the sender's e-mail address. This way, it seems as if they are sending an e-mail from the tax authorities or their own company. We explain why DKIM, DMARC and SPF are effective ways to combat phishing.

Phishing is 'fishing' for people's personal details. Victims receive a message which appears to come from a bona fide organisation. They then often provide information via a fake site that cyber criminals then misuse. Well-known forms of phishing are CEO fraud and corona phishing.

Phishing can take place via WhatsApp, social media and SMS, but e-mail phishing is by far the most common. With the classic and outdated SMTP protocol, it is easy to forge a sender's address ("spoofing" in technical jargon): a layman will not notice that the address is not genuine. The DKIM, DMARC and SPF e-mail standards are more robust weapons against phishing, as they make it difficult for cybercriminals to pretend to be a trustworthy organisation. Receiving mail servers must then check whether the sender is really who they claim to be.

What is SPF?
SPF, which stands for Sender Policy Framework, is a protocol with which the receiving mail server checks whether the server that actually sent the message is allowed to send on behalf of the named sender domain. To do this, the receiving mail server looks up the SPF record in the DNS of that domain. Is the sending mail server not listed in the record? Then the mail usually ends up in the spam box.

On paper, this is a neat system, but in practice a company runs into a few major drawbacks. For example, if mail is relayed through a mailing list or forwarder that does not belong to the domain, it will not pass the SPF check. And a typo in the record can cause all outgoing mail to be blocked or, on the contrary, give spammers a free pass.

What is DKIM?
DKIM, or DomainKeys Identified Mail, is a method for authenticating e-mail messages. With it, the recipient can determine whether the e-mail actually comes from the sender's domain and whether the content of the message has been manipulated by a third party in transit.

How does DKIM work? The sending e-mail server calculates a cryptographic signature over the message using a private key. The receiving party looks up the corresponding public key in the DNS and uses it to verify the signature. Since malicious parties do not have the private key, they cannot send e-mails that carry a valid DKIM signature for the domain. As a result, such forged mails (in principle) end up in the spam box.

What is DMARC?
DMARC is the abbreviation of Domain-based Message Authentication, Reporting and Conformance. It is not a new technique, but a way of building on SPF and DKIM. With DMARC you, as the sending party, publish a policy in the DNS that tells receivers what should happen to e-mails for which it cannot be established that they come from the stated sender domain. For example, you can specify that a mail must go to the spam box if SPF fails or the DKIM signature does not verify.

A handy feature of DMARC is its reporting. Is someone abusing your domain? If so, you will immediately receive a report about it, which allows you to keep a finger on the pulse of your e-mail domain.
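To make the checks described in the SPF and DMARC sections concrete, here is an added example (not from the original article) that plays the role of the receiving mail server: it evaluates a simplified SPF record against the connecting IP address and then applies the DMARC policy, accepting the mail only if SPF or DKIM passes for the domain in the From: header. All domains, IP addresses and DNS records are constructed stand-ins, and the DKIM signature verification itself is assumed to have been done elsewhere; a real implementation performs live DNS lookups and supports the remaining SPF mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; all domains and addresses are hypothetical.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "sloppy.example": "v=spf1 +all",  # the 'free pass' misconfiguration from the SPF section
}

def check_spf(domain, client_ip, depth=0):
    """Simplified SPF evaluation: ip4 and include mechanisms with +,-,~,? qualifiers."""
    if depth > 10:                      # SPF limits include recursion; treat overflow as permerror
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                   # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                    # a, mx, ptr, exists and ip6 are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term present

def dmarc_disposition(from_domain, envelope_domain, client_ip, dkim_pass, dkim_domain):
    """Apply the DMARC policy of the From: domain: accept if SPF or DKIM passes *and* is aligned."""
    raw = DNS_TXT.get("_dmarc." + from_domain, "")
    policy = dict(kv.strip().split("=", 1) for kv in raw.split(";") if "=" in kv)
    if policy.get("v") != "DMARC1":
        return "none", "no DMARC policy published"
    spf_aligned = check_spf(envelope_domain, client_ip) == "pass" and envelope_domain == from_domain
    dkim_aligned = dkim_pass and dkim_domain == from_domain   # DKIM result assumed verified elsewhere
    if spf_aligned or dkim_aligned:
        return "accept", "DMARC pass"
    return policy.get("p", "none"), "DMARC fail"
```

Note how a message relayed through a mailing list (a different envelope domain) fails SPF alignment yet is still accepted when its DKIM signature for the From: domain survives, which is why the two mechanisms complement each other under DMARC.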

How SPF, DKIM and DMARC help against phishing
SPF, DKIM and DMARC prevent malicious parties from spoofing your domain and assuming your e-mail identity. This prevents others from falling victim to phishing (or spam) sent in the name of your company.

Indirectly, it can also prevent employees of your own organisation from responding to phishing attempts, because malicious e-mails are more likely to end up in the spam box thanks to these three e-mail protocols. Organisations whose identities are hijacked for phishing should have set up SPF, DKIM and DMARC themselves. Unfortunately, this is not a matter of course: a recent study by the Forum Standaardisatie showed that half of the more than 500 government domains studied were vulnerable to spoofing.

How can you prevent e-mail phishing as a company?
In our article Phishing: meaning, examples and tips for SMEs, we provide tips on preventing phishing. For example, make employees aware of the dangers and teach them never to just click on links. There are also a number of things you can do on the e-mail side: install good spam filters, secure your mail servers and have external e-mails labelled automatically.

The Extra Secure Internet service in the KPN ONE SME total package offers extra protection against phishing, among other things. Small and medium-sized enterprises are thus assured of greater security.