spf Archives - Page 2 of 5 - LuxSci

Posts Tagged ‘spf’

Improve Email Deliverability by Setting Up SPF Records

Thursday, May 25th, 2023

Recently, Gmail changed its email acceptance policies to reject emails from sending domains without SPF or DKIM records. If they can’t be sure a message originated from an authorized server, it may end up in the spam folder. Setting up SPF records is one way to improve email deliverability, prevent spoofing, and keep your emails out of the spam folder.


What are SPF Records?

SPF stands for Sender Policy Framework. SPF allows administrators to specify exactly which servers are allowed to send emails on behalf of a domain by adding a record to the domain name settings (DNS). When an email is sent to another service provider, like Gmail, they compare the sender’s IP address to the SPF record. The email will only be delivered to the inbox if the record lists the correct server address. If the server is not listed, the email service provider assumes the message is forged and may send it to spam.

SPF records are primarily used to stop forged emails. Setting up SPF records for your sending IP addresses will prevent spammers from using your domain as their “From” sending address. For example, say your company domain is “trial.com,” and your SPF record correctly identifies your sending server’s IP address. Any messages you send will be verified as coming from your organization and will be delivered. When spammers try to use trial.com as their sending domain, the mail service provider will compare their IP address to your SPF record. When they do not match, the message will be flagged as suspicious.

However, SPF records do not prevent spammers from using other tactics to infiltrate your inbox. They could set up a similar domain like “trail.com” and set up SPF records for that domain to avoid scrutiny. SPF should be used in conjunction with other security measures like DKIM and DMARC to increase deliverability and protect your sending domains.

How to Set Up SPF Records

You must work with the domain owner or administrator to set up an SPF record. First, you need to collect all of the IP addresses that your organization uses to send email. Then, you will need access to your domain settings to add the SPF record. Whoever manages your domain name and web hosting can help you add the record. If you have further questions about how to improve your email deliverability, please don’t hesitate to reach out to the LuxSci support team.

New Feature: Custom Bounce Domains

Tuesday, July 26th, 2022

LuxSci has introduced a new feature to improve reporting for bounced transactional and marketing messages. The new “Custom Bounce Domains” feature allows administrators to set a custom domain for bounce processing that will not break DMARC.


What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It protects users from forged emails and instructs the email provider on what to do with messages that fail SPF or DKIM. Implementing DMARC is highly recommended to help stop suspicious messages from reaching inboxes.

Why Custom Bounce Domains are Needed

However, implementing SPF and DMARC records can sometimes cause issues for transactional and marketing messages. To understand why, let’s look at how DMARC verifies SPF records.

The Return-Path specifies the email address where bounced email messages should be sent if they are unable to be delivered. It is usually the same domain as the sender’s email address. However, when sending marketing or transactional emails, the Return-Path email address is often different from the sender for various tracking and reporting reasons.

If the Return-Path address does not match the domain or subdomain used in the SPF record, it can cause DMARC to fail, and the bounced messages won’t be routed according to the pre-defined rules.

How to Implement Custom Bounce Domains

Now, our customers can create custom bounce domains to prevent DMARC from failing. To set it up, log in to your account and visit the Account Settings -> Email Custom Bounce Domains. Make sure that the “Bounce Processing” settings are enabled before altering the Custom Bounce Domain setting.

Before adding the new bounce domain to your account, you must create a new CNAME (like bounces.yourdomain.com) in the domain’s DNS settings that points to the new destination. At LuxSci, the default is “returnto.luxsci.com.” Once set up, return to the settings and add the new subdomain to specify the Return-Path. After this is enabled, emails will align with SPF for DMARC since the sender’s domain and Return-Path domain match.
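The alignment test that a custom bounce domain satisfies can be shown on two constructed messages. This is an added example, not LuxSci's code: the helper names, the mailbox names and the two-label `org_domain` shortcut are assumptions (a real receiver uses the Public Suffix List), and alignment only counts toward DMARC when the SPF check for the Return-Path domain also passes.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages: same visible sender, different bounce (Return-Path) domain.
DEFAULT_BOUNCE = ("Return-Path: <bounce@returnto.luxsci.com>\n"
                  "From: News <news@yourdomain.com>\nSubject: Update\n\nHello\n")
CUSTOM_BOUNCE = ("Return-Path: <bounce@bounces.yourdomain.com>\n"
                 "From: News <news@yourdomain.com>\nSubject: Update\n\nHello\n")


def domain_of(header_value: str) -> str:
    """Return the lowercased domain of the address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower().rstrip(".")


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List in practice.
    return ".".join(domain.split(".")[-2:])


def aspf_mode(dmarc_record: str) -> str:
    """Read the aspf tag from a DMARC record; relaxed ("r") is the default."""
    tags = {}
    for part in dmarc_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("aspf", "r")


def spf_aligned(raw_message: str, dmarc_record: str) -> bool:
    """True when the Return-Path domain aligns with the From domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    bounce_dom = domain_of(msg.get("Return-Path", ""))
    if not from_dom or not bounce_dom:
        return False
    if aspf_mode(dmarc_record) == "s":  # strict: domains must be identical
        return from_dom == bounce_dom
    return org_domain(from_dom) == org_domain(bounce_dom)  # relaxed
```

Under strict alignment (`aspf=s`) a subdomain such as bounces.yourdomain.com no longer aligns with yourdomain.com, so check the published DMARC record before relying on a bounce subdomain.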

Questions? Please contact our support team for more information on enabling these settings.

How to Avoid Business Email Compromise Attacks

Tuesday, July 5th, 2022

Business email compromise (BEC) attacks are on the rise and are poised to eclipse ransomware as the biggest threat to cybersecurity. Since 2016, $43 billion has been stolen through BEC. Even more concerning, there has been a 65% increase in BEC from 2019 to 2021. This article explores what business email compromise scams are and what steps organizations can take to avoid them.


What are Business Email Compromise Attacks?

In business email compromise scams, attackers infiltrate or impersonate a legitimate corporate email account. They then send phony invoices or initiate contract payments that trick unsuspecting businesses into wiring money to criminals.

These scams rely on humans making the wrong choices. Some examples of business email compromise scams include:

  • A criminal impersonates a vendor and sends a fake invoice to the accounting department.
  • Someone who appears to be the company CEO asks an assistant to make a wire transfer to an unknown account.

Some of the tactics used include:

  • Domain name spoofing: Domain name spoofing involves changing the sender’s “From” address to match the recipient’s domain in the message envelope. Criminals can also use a legitimate domain as the “From” address and a spoofed “Reply-To” domain in the message header.
  • Display name spoofing: The attacker registers a free email account to impersonate a vendor or employee. The attacker would configure the display name to match the employee’s name and then send phishing messages from this account. This technique is effective because recipients often only look at the display name, not the email address. In fact, many email clients will only show the display name when viewing the message, making it easier to hide the sender’s real identity.
  • Lookalike domain spoofing: The attacker may register fake domain names that contain characters that look similar to those in the actual domain name. For example, replacing the lowercase “l” in luxsci.com with an uppercase “I.” The criminal will send phishing emails from this domain to trick the recipient into thinking the message is legitimate.
  • Email Account Compromise: Another common tactic is taking over legitimate email accounts that have been compromised through malware or social engineering to steal data or funds.

How to Prevent Business Email Compromise Attacks

One of the reasons that business email compromise attacks are increasing is that they are often successful. Email filters and content scanning can do little to stop sophisticated social engineering attacks. Nevertheless, there are steps that organizations can take to stop BEC scams.

SPF, DKIM, and DMARC

Implementing technical controls can help prevent BEC scams from succeeding. As discussed above, many attacks use display or domain name spoofing to impersonate company accounts or individuals.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing email authentication techniques that use DNS records to validate the sender of an email. Ensure the organization’s domain has valid SPF, DKIM, and DMARC records. Make sure the email provider analyzes all inbound email traffic using these tools.

Viewing the headers of a suspicious message is also an excellent way to detect fraudulent domains. See Gmail, Outlook, Apple Mail, and More: How to View Headers in Email to learn how to see these in the most popular email clients. This can help reveal the actual sender of someone using a spoofed domain or display name.
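The header review described above can be automated for the spoofing tactics listed earlier. This is an added example, not LuxSci's code: the directory entry, the confusable-character table, the flag names and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "luxsci.com"  # the domain used in the article's lookalike example
# Constructed directory: display name -> the only address that person sends from.
KNOWN_NAMES = {"jane doe": "jane.doe@luxsci.com"}

# Characters often swapped for one another in lookalike domains (not exhaustive).
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Fold visually similar characters so lookalike domains compare equal."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m")


def bec_flags(raw_message: str) -> list:
    """Return the spoofing indicators found in a message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    flags = []
    # Lookalike domain: differs from ours but folds to the same skeleton.
    if from_dom != OUR_DOMAIN and skeleton(from_dom) == skeleton(OUR_DOMAIN):
        flags.append("lookalike-domain")
    # Display name spoofing: a known person's name on an unexpected address.
    expected = KNOWN_NAMES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name-mismatch")
    # Replies routed to a different domain than the visible sender.
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample headers, one per tactic, plus a clean message.
CLEAN = "From: Jane Doe <jane.doe@luxsci.com>\nSubject: Q3\n\nHi\n"
FREE_ACCOUNT = "From: Jane Doe <jane.doe.ceo@freemail.example>\nSubject: Wire\n\nHi\n"
LOOKALIKE = "From: Accounts <billing@Iuxsci.com>\nSubject: Invoice\n\nHi\n"
REPLY_TO = ("From: Jane Doe <jane.doe@luxsci.com>\n"
            "Reply-To: <jane.doe@payments.example>\nSubject: Wire\n\nHi\n")

if __name__ == "__main__":
    for sample in (CLEAN, FREE_ACCOUNT, LOOKALIKE, REPLY_TO):
        print(bec_flags(sample))
```

These flags are triage signals for a reviewer or a mail filter rule; a message from a compromised legitimate account raises none of them, which is why the procedural controls below still matter.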

In addition, implementing email filtering and scanning tools can help flag suspicious links and protect against phishing attacks.

Employee Training

Helping employees recognize business email compromise scams is essential to avoiding them. All employees, not just those with access to sensitive data or financial information, should understand the tactics used by cybercriminals in BEC scams.

Employees should be aware that attackers can use the information they share online via social media against them. Birthdates, pets’ names, nicknames, and information about time off can be used to impersonate others and trick individuals.

Ensure employees use strong passwords and multifactor authentication to prevent account compromise and stop attackers from changing account credentials.

Policy and Procedures

Creating clear policies and procedures can help alleviate confusion and prevent individuals from taking action without thinking. For example, organizations should have clearly defined procedures for how and when vendors will send invoices and be paid. That way, when an unexpected email comes in from a “vendor,” employees will know what to do. It’s also essential to keep up-to-date contact information for vendors and employees. Many BEC schemes ask recipients to call a phone number with account credentials or payment information. If the number differs from the contact information on file, it’s wise to pause and call the contact through established channels to confirm the message’s accuracy before proceeding.

When policies and procedures are clearly defined and enforced, deviations become very obvious. Empowering employees with the tools they need to identify business email compromise scams will help protect your company and keep financial information secure.

High Volume Bulk Email: Key Ingredients for Good Deliverability

Tuesday, August 3rd, 2021

How do you ensure your bulk emails have good deliverability?

Deliverability is key to anyone sending bulk emails like newsletters, announcements, or triggered notifications. As a provider of secure bulk email services, we constantly advise customers on how they can avoid having legitimate messages marked as spam and ensure that they are not blacklisted. In this article, we consolidate our advice for everyone’s benefit. Some tactics for good bulk email deliverability include: ensuring you have a good mailing list, maintaining your mailing list, email message content, and reputation management techniques like SPF, DKIM, and IP anonymization.


Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.


Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures is useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.