
Understanding DNS for Email

What is DNS?

The internet and most private networks run on TCP/IP, and every host on them is reached by an Internet Protocol (IP) address: a dotted-decimal number for IPv4 (for example 203.0.113.10) or a hexadecimal one for IPv6. IP addresses are hard to remember, so the Domain Name System (DNS) lets people use names such as acoolplacetobe.com instead. The name is the domain; a Uniform Resource Locator (URL) is the longer string that also carries the scheme and path, such as https://acoolplacetobe.com/about. The network itself still operates on IP addresses: in the background, computers look up the IP address that belongs to the name that was typed. That lookup, and the records that make it possible, are the DNS.

The domain owner controls what DNS publishes for that domain. Over the years, DNS became a place to publish information for many services. For email, it tells the world which servers are authorized to send mail for the domain, what receivers should do with mail that fails those checks, and where to find the public keys used to authenticate messages. Before going into the protection elements, it is essential to understand the main DNS records that affect systems sending and receiving email.

How do email servers use DNS?

One basic rule of sending and receiving email is knowing the hostname of the server that exchanges messages for a domain. The MX (mail exchanger) record in DNS is the standard way to identify that server, and it applies equally to on-premises mail servers and cloud services such as Microsoft 365 and Google Workspace. Other DNS records tell receivers which systems may send email for the organization (SPF), how to handle email from an unauthorized source (DMARC), and how to authenticate a message (DKIM). Let's look at each in more detail.


The Sender Policy Framework (SPF) record is the first entry that protects the organization. It is a TXT record on the domain that lists the IP addresses and hosts allowed to send mail with that domain in the envelope sender (MAIL FROM) address: the organization's own mail servers, plus any third party that sends on its behalf. CRM and marketing platforms such as MailChimp or Constant Contact are the usual examples, but so are help-desk tools and the multi-function scanners and printers that email scanned documents. If a system sends mail for your domain, it must be covered by the SPF record, usually by an include: of the vendor's own SPF record or by its IP range, and the record ends with a qualifier such as -all (fail anything else) or ~all (softfail anything else). Keep two limits in mind. SPF allows at most 10 DNS-querying mechanisms (include, a, mx), and exceeding that turns the whole record into a permanent error. And SPF checks the envelope sender, not the From: header the user sees, which is why it needs DMARC to stop spoofing of the visible address.
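The check a receiving server performs on the SPF record, as an added example that is not part of the original article. It implements the check_host evaluation of RFC 7208 for the common mechanisms (all, ip4, ip6, a, mx, include) against a constructed, in-memory zone; the domain names, addresses and records in FAKE_DNS are made up for the example, and a real checker would resolve them with a DNS library. It also shows the two failure modes the paragraph warns about: two SPF records on one name, and an include: chain that exceeds the 10-lookup limit.

```python
import ipaddress
import re

# Constructed zone data for this example (not real records). A real checker
# would resolve these with a DNS library instead of this dictionary.
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"
    ],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    # A vendor's shared record, pulled in via include:
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    # Two SPF records on one name is a permanent error (RFC 7208 section 3.2).
    ("twice.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],
    # A record that includes itself, to show the 10-lookup limit.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include and redirect count toward this
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_host(ip, domain, lookups=None):
    """Evaluate SPF for a connecting IP and a MAIL FROM domain (RFC 7208 check_host).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports the all, ip4, ip6, a, mx and include mechanisms; modifiers
    (redirect=, exp=) are ignored in this example.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include: recursion
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if re.match(r"^v=spf1(\s|$)", r, re.I)]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"

    for term in records[0].split()[1:]:
        if "=" in term:
            continue  # modifier, not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "include":
                sub = check_host(ip, target, lookups)
                if sub in ("none", "permerror"):
                    return "permerror"  # RFC 7208 section 5.2
                matched = sub == "pass"
            else:
                hosts = [target] if name == "a" else lookup(target, "MX")
                rtype = "AAAA" if addr.version == 6 else "A"
                matched = any(str(addr) in lookup(h, rtype) for h in hosts)
        else:
            return "permerror"  # unknown mechanism

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term
```

Note that the counter is shared across the include: recursion; that is what makes the limit a property of the whole record rather than of each included record on its own, and it is why a long list of vendor includes silently breaks SPF for the domain.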


The next DNS entry tells receivers what to do with email that fails those checks and where to send reports about it. The Domain-based Message Authentication, Reporting and Conformance (DMARC) record, published as a TXT record at _dmarc.<domain>, provides that information to receiving mail servers. It builds on SPF and DKIM: a message passes DMARC when either SPF or DKIM passes and the domain that passed aligns with the domain in the visible From: header. The policy portion (p=) says what to do with a failing message: "quarantine" asks the receiver to treat it as suspicious (typically the spam or junk folder), and "reject" asks the receiver to refuse it outright. The third option, "none", only monitors and does not protect your organization, although it is the right starting point while reports are collected. The rua= tag names the mailbox that receives aggregate reports (usually daily) and the ruf= tag the mailbox for failure (forensic) reports; if either mailbox is in a different domain, that domain must publish an authorization record or receivers will not send reports there. The fo= tag says when a failure report is generated, and pct= applies the policy to only a percentage of failing messages, which is useful when rolling out quarantine or reject gradually.


An SPF entry only identifies which servers may send for a domain. It is like a username when logging on to a computer: it names who is claiming to send, but it does not prove the claim. That is where DKIM comes in. DomainKeys Identified Mail (DKIM) uses a public/private key pair to authenticate the message itself. The sending server signs selected headers and a hash of the body with its private key and adds the result as a DKIM-Signature header; the header names the signing domain (d=) and a selector (s=). The receiving server looks up the public key in DNS at <selector>._domainkey.<domain> and checks the signature with it. Nothing is sent back to the originating server, and the private key never leaves the signer. The DNS record therefore carries the public key itself, not a pointer to a server. Each system that sends for you needs its own signing capability and its own selector: if mail originates from Microsoft 365, DKIM signing is enabled there and Microsoft supplies the records to publish; if MailChimp sends your marketing email, it signs with its own key, and you publish the matching key record (usually a CNAME to the vendor) under your domain. The result is one DKIM key record per sending system, all under your domain. Rotate the keys periodically, and retire a selector by publishing an empty p= value rather than deleting the record, so that old signatures fail cleanly instead of being treated as unsigned.
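The verifier side of that exchange, as an added example that is not part of the original article. It parses the DKIM-Signature header, fetches the key record at <selector>._domainkey.<domain> from a constructed in-memory zone (the placeholder key, the example.com selectors and the sample message are all made up), and checks the bh= body hash under both the simple and relaxed canonicalizations of RFC 6376. The signer-side helper computes bh= the way a real signer does but leaves b= as a placeholder, because producing the signature needs the RSA private key and a crypto library, which this stdlib-only example does not use; that final step is the one thing a full verifier adds. The l= check at the end flags a well-known weakness: a body-length limit leaves everything after the signed bytes unsigned, so an attacker can append content without breaking the signature.

```python
import base64
import hashlib
import re

# Constructed DNS TXT data (placeholder key, not a real one). A DKIM public key
# is published at <selector>._domainkey.<signing domain>.
FAKE_DNS_TXT = {
    "s2024._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8APLACEHOLDERKEY",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= means the key was revoked
}


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header and key record share the syntax)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags


def canonicalize_body(body, method):
    """RFC 6376 section 3.4: 'simple' keeps the body as is, 'relaxed' normalizes whitespace."""
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization: " + method)
    while lines and lines[-1] == "":
        lines.pop()  # drop trailing empty lines
    if not lines:
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, algorithm, method, length=None):
    canon = canonicalize_body(body, method).encode("utf-8")
    if length is not None:
        canon = canon[:length]  # l= tag: only the first `length` bytes are hashed
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canon).digest()).decode("ascii")


def build_signature_header(domain, selector, body, canon="relaxed/relaxed", length=None):
    """Signer side. Computes bh= for the body; b= is a placeholder because producing
    it requires the RSA private key, which this stdlib-only example does not use."""
    tags = ["v=1", "a=rsa-sha256", "c=" + canon, "d=" + domain, "s=" + selector,
            "h=from:to:subject:date"]
    if length is not None:
        tags.append("l=%d" % length)
    tags.append("bh=" + body_hash(body, "rsa-sha256", canon.partition("/")[2] or "simple", length))
    tags.append("b=PLACEHOLDERSIGNATURE")
    return "DKIM-Signature: " + "; ".join(tags)


def make_message(signature_header, body):
    """Assemble a minimal constructed message (headers, blank line, body)."""
    return "\r\n".join([signature_header, "From: alice@example.com", "To: bob@example.net",
                        "Subject: invoice", "Date: Mon, 1 Jan 2024 09:00:00 +0000", "", body])


def get_header(headers, name):
    unfolded = re.sub(r"\r\n([ \t])", r"\1", headers)  # join folded continuation lines
    for line in unfolded.split("\r\n"):
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def check_dkim_body(raw_message):
    """Verifier side: fetch the key record and check bh=. Returns (status, detail).
    A full verifier would then check b= over the h= headers with the key in p=."""
    headers, _, body = raw_message.partition("\r\n\r\n")
    sig = get_header(headers, "DKIM-Signature")
    if sig is None:
        return "none", "no DKIM-Signature header"
    tags = parse_tags(sig)
    if tags.get("v") != "1" or any(t not in tags for t in ("a", "b", "bh", "d", "s", "h")):
        return "permfail", "DKIM-Signature is missing a required tag"
    record = FAKE_DNS_TXT.get("%s._domainkey.%s" % (tags["s"], tags["d"].lower()))
    if record is None:
        return "permfail", "no key record at %s._domainkey.%s" % (tags["s"], tags["d"])
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        return "permfail", "key record invalid or revoked (empty p=)"
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    length = int(tags["l"]) if "l" in tags else None
    if body_hash(body, tags["a"], body_canon, length) != tags["bh"]:
        return "permfail", "bh= mismatch: body altered after signing"
    if length is not None and len(canonicalize_body(body, body_canon).encode("utf-8")) > length:
        return "bodyhash-ok", "l=%d leaves unsigned content after the signed bytes" % length
    return "bodyhash-ok", "body hash matches and key record found"
```

Relaxed canonicalization is the usual choice for the body because mail relays routinely rewrap whitespace; with simple canonicalization the same rewrap breaks the hash and the message fails DKIM through no fault of the sender.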

How does DNS protect your organization?


The SPF record is meant to stop unauthorized servers from using your domain. Combined with DMARC, it helps prevent someone from sending an email that pretends to be you or someone in the organization; on its own it only covers the envelope sender, which the recipient never sees. Spoofing of this kind is a standard part of spear phishing. With the increased scrutiny of email delivery and the rise of spam and ransomware campaigns, SPF adoption has been growing. SPF also has a deliverability benefit beyond security: receivers score mail from a domain with a correct SPF record more favourably, so legitimate corporate and marketing email is more likely to arrive. The net effect is less risk of forged email reaching other organizations in your name and better delivery of your legitimate email.

Instructions and Policy

The instructions and policies in the DMARC record give your organization a say in how receivers handle unauthorized email, plus insight into who is sending email in your name and what receivers did with it. A receiving mail service may still ignore the DMARC instructions and deliver the message to the end user; the record is a request, not an enforcement mechanism on someone else's server. Even so, publishing a record with a reporting address is the only way to monitor legitimate and illegitimate traffic using your domain. The reject policy prevents any unintended delivery; it also blocks delivery when a legitimate message fails authentication (a false positive), for example mail from a vendor you forgot to add to SPF. Quarantine lets such a message reach the junk folder or a hold queue, where an email administrator or the recipient can review it, at the cost of also letting some unauthorized mail through to that point. Neither policy is wrong; it is a choice. Reject is more appropriate if your organization has a low tolerance for unauthorized email. In practice most organizations start with none, move to quarantine once the aggregate reports show all legitimate senders passing, and then move to reject. The important part is to reach one of the two enforcing policies, so receivers know what to do with email that is not from your organization but claims to be.
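The decision a receiver makes from the DMARC record, covering both the record format described earlier and the policy choices discussed here, as an added example that is not part of the original article. It discovers the record for the From: domain (falling back to the organizational domain and its sp= subdomain policy), applies strict or relaxed identifier alignment to the SPF and DKIM results, honours pct= sampling, and checks which rua= report mailboxes a receiver will actually use, since a mailbox outside the policy domain needs an authorization record. All DNS data, domain names and the small public-suffix table are constructed for the example; a real implementation would resolve DNS and use the full Public Suffix List.

```python
# Constructed DNS TXT data (not real records). A DMARC policy is published at
# _dmarc.<domain>; a report-authorization record at <domain>._report._dmarc.<other domain>.
FAKE_DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                           "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com; fo=1"),
    "_dmarc.example.net": ("v=DMARC1; p=none; "
                           "rua=mailto:reports@example.net,mailto:example-net@dmarcvendor.example,"
                           "mailto:agg@unauthorized.example"),
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.org",
    # dmarcvendor.example agrees to receive example.net's reports:
    "example.net._report._dmarc.dmarcvendor.example": "v=DMARC1",
}

# Constructed subset of the Public Suffix List for organizational-domain derivation.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """RFC 7489 section 3.2: the public suffix plus one label (example.com for mail.example.com)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_tags(txt):
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def fetch_policy(from_domain):
    """RFC 7489 section 6.6.3: look up the exact domain, then fall back to the organizational domain."""
    org = organizational_domain(from_domain)
    for name in (from_domain.lower(), org):
        txt = FAKE_DNS_TXT.get("_dmarc." + name)
        if txt is None:
            continue
        tags = parse_tags(txt)
        if tags.get("v") != "DMARC1" or "p" not in tags:
            return None  # malformed record: treated as no policy
        policy = tags["p"]
        if name == org and from_domain.lower() != org:
            policy = tags.get("sp", policy)  # subdomain policy applies to subdomains
        return {"domain": name, "p": policy, "adkim": tags.get("adkim", "r"),
                "aspf": tags.get("aspf", "r"), "pct": int(tags.get("pct", "100")),
                "rua": tags.get("rua", ""), "ruf": tags.get("ruf", "")}
    return None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, draw=0):
    """Return (disposition, reason). spf_domain is the MAIL FROM domain, dkim_domain the d=
    of a signature that verified. `draw` (0-99) stands in for the random pct= sampling."""
    policy = fetch_policy(from_domain)
    if policy is None:
        return "none", "no DMARC record published"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned %s passed" % ("SPF" if spf_ok else "DKIM")
    if draw >= policy["pct"]:
        # Messages outside the pct= sample get the next weaker disposition (RFC 7489 section 6.6.4).
        weaker = {"reject": "quarantine", "quarantine": "none"}.get(policy["p"], "none")
        return weaker, "fail, outside pct=%d sample" % policy["pct"]
    return policy["p"], "fail, no aligned identifier passed"


def report_destinations(policy_domain, uris):
    """Mailboxes a receiver will actually send reports to: a mailbox outside the policy domain
    must be authorized by <policy_domain>._report._dmarc.<mailbox domain> (RFC 7489 section 7.1)."""
    accepted = []
    for uri in uris.split(","):
        uri = uri.strip()
        if not uri.startswith("mailto:"):
            continue
        mailbox = uri[len("mailto:"):].split("!")[0]  # strip an optional size-limit suffix
        dest = mailbox.rpartition("@")[2].lower()
        auth = FAKE_DNS_TXT.get("%s._report._dmarc.%s" % (policy_domain.lower(), dest), "")
        if organizational_domain(dest) == organizational_domain(policy_domain) or auth.startswith("v=DMARC1"):
            accepted.append(mailbox)
    return accepted
```

The strict-versus-relaxed distinction is where most deployments trip: with adkim=s, a vendor signing as mail.example.com does not align with a From: of example.com, and the message fails even though DKIM itself passed. Relaxed alignment accepts any subdomain of the organizational domain, which is what most organizations want until every sender is under control.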


Authentication is an easy element to understand. If your bank had no way to verify that you are who you claim to be, anyone could access your account. Email authentication works the same way, except that it is a background process between mail servers: the receiver checks the SPF and DKIM results and the DMARC alignment without the user seeing any of it, and it is critical to the validation process. Messages that do not authenticate are handled according to the policy and instructions discussed above.

What are those other settings?


A newer standard, Brand Indicators for Message Identification (BIMI), allows an organization to display its brand logo next to its messages in webmail and mail clients that support it, such as Gmail, Yahoo Mail and Apple Mail, if all the criteria are in place. Seeing the logo means the message passed SPF, DKIM and DMARC checks, that the domain's DMARC policy is enforcing (quarantine or reject), that a BIMI record pointing to the logo is published in DNS, and, for most mailbox providers, that the organization holds a Verified Mark Certificate from an approved certificate authority, which in turn requires a registered trademark. For organizations that can afford the certificate, BIMI gives readers a visible signal that the message is authentic and authorized; it also makes an enforcing DMARC policy a prerequisite rather than an option.

The Gmail and Yahoo Impact

Many articles cover the new screening that Google and Yahoo introduced to reduce spam. Both implemented a set of requirements for organizations sending bulk email, generally defined as more than 5,000 messages a day to their users. The requirements include a valid SPF record and DKIM signing, a DMARC record (at least p=none) with the From: domain aligned to SPF or DKIM, a reverse DNS (PTR) record for each sending IP address that matches its forward lookup, one-click unsubscribe for marketing mail, and a spam complaint rate kept below the published threshold (0.3% in Google's guidance). Mail from an IP address without a matching reverse DNS entry is not accepted. On top of that, both providers compute a spam score for each message and track the domain's reputation. If your organization sends large volumes of email routinely, review the full requirements published by both companies to keep delivery high. The person drafting the email also has a role: content and list hygiene drive the spam score, in addition to the technical requirements described here.

This step by Google and Yahoo is the first step toward greater email security. I recommend that all organizations verify that their SPF, DMARC, and DKIM records in DNS are correct. Our organization can help companies identify problems with these DNS records, and we can update the records and support the transition so that your company's email keeps flowing.

Does your company need help validating and updating its DNS records? Our team is ready to help. Order our DNS Verification service at our online store or book a meeting to discuss your needs in more detail.
