Hornetsecurity offers secure protection against spyware and malware in email authentication through standardized sender reputation procedures.Emails are still regarded as the most commonly used medium for the transmission of electronic messages. They are inexpensive, with unlimited distribution and offer the possibility of sending and receiving texts and file attachments in real time. Yet precisely these characteristics make email communication so vulnerable. Cyber criminals are constantly expanding their range of threats and developing new strategies to overcome security mechanisms. The authorization of permitted domains using a corresponding SPF record in the DNS zone is therefore no longer sufficient to successfully protect incoming email traffic from phishing and spam. For this reason, Hornetsecurity’s email service has been expanded including further important sender reputation procedures in the fight against widespread attack patterns. In addition to SPF, procedures such as DKIM and DMARC are implemented against spam, spoofing, phishing and malware attacks as well as targeted CEO fraud attacks. Hornetsecurity has thus been applying the current recommendation for email security from the Federal Office for Information Security (BSI) and the Federal Association for IT Security (TeleTrusT) and thus offers a high security standard in email communication.
Secure from attacks with SPF, DKIM and DMARCThe SPF, DKIM and DMARC authentification procedures operate interconnected as a secure instrument to prevent from attacks on a company’s email communication. In the following, the used standards for sender and recipient reputation are presented and their functionalities are explained.
Sender-Policy-Framework (SPF) [RFC 7208]SPF is a method by which unauthorized sender addresses of domains can be recognized and the delivery of their mails can be prevented. Authorized servers that are allowed to send emails in the name of a domain are entered in the so-called SPF record of the DNS zone. When an email is dispatched, the receiving server takes the sender domain from the envelope sender of an email and uses a DNS query to check whether the domain is registered in the SPF record. If the domain is not registered, the server is not authorized to send emails in the name of the domain. Emails from unauthorized servers, for example, can be classified as spam. Due to insufficient cryptographic security mechanisms that could ensure the senders authenticity, SPF should not be used as spam or phishing prevention. Despite successful SPF authentication, the sender ID of the envelope sender can be changed in the Body-From field, making it easy to manipulate the sender address.
Domain-Keys-Identified-Mail (DKIM) [RFC 6376]For a more comprehensive email protection, SPF can be usefully supplemented with DKIM. The main intention is to prevent spoofers from accessing sensitive data. As a special feature for email authentification, DKIM adds a digital signature with cryptographic encryption (SHA-256) to the email header. This signature operates as a kind of fingerprint and must have the same hash value in the checksum as calculated before sending. Any change to the data, no matter how small, would change the hash value and indicate an intervention in the message during transport. To decrypt the signature, a key pair is needed which consists of a public key and a private key and is required for successful authorization of the sending server. The public key is entered as a TXT record in the DNS zone analog to the SPF entry. The secret key remains exclusively on the server that is authorized to send emails.
Domain-based Message-Authentification, Reporting and Conformance (DMARC) [RFC 7489]A constant verification of the authenticity of emails cannot be guaranteed by SPF and DKIM on its own. This gap is closed by the DMARC test procedure, which complements the SPF and DKIM methods in their combined appearance to form a safe test procedure for sender reputation. DMARC ensures that the envelope sender address matches the body form address. This verification is important because traditional email programs only display the body-from information of an email and the actual sender information remains hidden. DMARC also establishes certain guidelines for the SPF and DKIM procedures, which are stored in the TXT record of a DNS zone in form of requirements. These guidelines determine the instructions for the further handling of received emails. Thus for SPF the verification must be positive and the envelope sender address of the domain must match the address stored in the SPF record. For DKIM it is required that the signature is valid and that the domain matches the body-from address of the mail.
DMARC offers the option to send reports in the versions of “Aggregated Reports” and “Failure Reports” (The reports may only be transmitted in compliance with the Federal Data Protection Act in the context of the detection and limitation of spam and phishing as well as for the protection of telecommunications systems and in accordance with the principle of proportionality. An authentication and verification system must be used to avoid misuse. ) The reports can help the domain administrator to keep track of his own email traffic and to check the DNS entries for syntactical correctness. Furthermore, the results can be used to support other systems. For example, the ZIP file of an undisputedly identified sender can be delivered without further effort, while for unidentified senders it is quarantined or rejected. This way, Hornetsecurity supports its own product Content Filter for fast and secure delivery of attachments in emails.*The reports may only be transmitted in compliance with the Federal Data Protection Act in the context of the detection and limitation of spam and phishing as well as for the protection of telecommunications systems and in compliance with the principle of proportionality. An authentication and verification system must be used to avoid misuse.