It’s no surprise to most of you that the number of global phishing exploits is growing and breaking records. The Anti-Phishing Working Group (APWG), an international nonprofit, recently released its Q1 2022 Phishing Activity Trends Report where they “observed 1,025,968 total phishing attacks. This was the worst quarter for phishing that APWG has ever observed, and the first time that the quarterly total has exceeded one million.”

With these unnerving numbers, we figure it’s a good time to remind our readers of NIST Special Publication 800-177—Trustworthy Email. NIST publications generally operate in the realm of principles and don’t always include specific controls; Trustworthy Email is an exception.

The abstract reads, “Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).”

The audience for Trustworthy Email is comprehensive and includes email administrators, information security specialists and network managers from enterprise-level organizations to federal IT systems and small-to-medium sized organizations. That’s pretty much anyone who has an internet domain.

The NIST guide “provides recommendations for deploying protocols and technologies that improve the trustworthiness of email. These recommendations reduce the risk of spoofed email being used as an attack vector and reduce the risk of email contents being disclosed to unauthorized parties.”

Many of the controls covered in the guide employ technologies beyond basic email frameworks to include the Domain Name System (DNS), Public Key Infrastructure and other foundational internet conventions.

Sending Domain Authentication

The guide reads, “The purpose of authenticating the sending domain is to guard against senders (both random and malicious actors) from spoofing another’s domain and initiating messages with bogus content, and against malicious actors from modifying message content in transit. SPF is the standardized way for a sending domain to identify and assert the authorized mail senders for a given domain. DKIM is the mechanism for asserting sending servers and eliminating the vulnerability of man-in-the-middle content modification by using digital signatures generated from the sending mail server.

DMARC was conceived to allow email senders to specify policy on how their mail should be handled, the types of security reports that receivers can send back, and the frequency those reports should be sent. Standardized handling of SPF and DKIM removes guesswork about whether a given message is authentic, benefitting receivers by allowing more certainty in quarantining and rejecting unauthorized mail. In particular, receivers compare the ‘From’ address in the message to the SPF and DKIM results, if present, and the DMARC policy in the DNS. The results are used to determine how the mail should be handled. The receiver sends reports to the domain owner about mail claiming to originate from their domain. These reports should illuminate the extent to which unauthorized users are using the domain, and the proportion of mail received that is ‘good.’”

Section 4, titled “Authenticating a Sending Domain and Individual Mail Messages,” covers SPF, DKIM, DMARC, and S/MIME digital signatures in great detail, from definition and history to configuration steps. We won’t get into the particulars here, but you can take a look in the Trustworthy Email publication.

DMARC’s original use case is that of verifying identity to fight email fraud. DMARC provides visibility of how a domain is used and prevents unauthorized senders from sending email on behalf of an organization; as a result, domain trust is built. With this trust comes email reliability—DMARC is the foundation for authoritative email delivery and often the first step taken to resolve delivery issues.

We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, we’re here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. You can get in touch with us or register for a free trial where our onboarding and support team will help you along the way.

Want to continue the conversation? Head over to the dmarcian Forum