Unfortunately, we have all seen how spam emails, despite our best efforts, end up in our inbox all the time. Spam attacks can be difficult to protect against because email is inherently an open and unregulated platform. At the same time, the fact that it is open and unregulated also gives email great power. Essentially, anyone can get an email address, and that makes it easy to get in contact with others no matter the time or place. Email is such an important means of communication, especially in the shipping industry and other businesses.
The open nature of email is one of the main reasons it is used for spam and, in some cases, for malicious purposes when criminals use it to try to defraud businesses. We regularly see emails where bank account numbers have been changed to redirect a payment to an entirely different account, or other similar schemes that try to extract money from businesses in the shipping industry. Often, criminals will try to send spam emails from addresses impersonating legitimate businesses to make them look more plausible. Therefore, it is important to know what can be done to make it harder for criminals to do this in the first place.
Secure Email Domains
If your email domain is not set up with the bare minimum security measures, it will not be protected against a spam technique known as spoofing. Spoofing is an attack where the criminal misuses the open nature of email to send an email and claim that it originates from you.
If not challenged, this claim will be accepted by the receiving email server, and without ever touching your servers, the criminal will have sent an email that is indistinguishable from a legitimate email from you. Therefore, it is important to protect your email domains against this, so that neither you nor your counterparties suffer economic or reputational damage.
Spoofing Protection Technology
In recent years, there has been an added focus on a couple of technologies that allow you to protect against spoofing of emails sent from your domains. These offer different protections, so it is important to know the differences between them. To do that, we need to dig into the two different fields on an email that describe where the email was sent from:
- The Sender field: This is the email address that sent the email; it denotes who sent the message. For example, if you are using a service on the internet that sends emails in your name, the attacker may set themselves in the Sender field.
- The From field: This field denotes who the email is from, so this is the sender of the email. In the example above, this would be your address. This is the field that most email clients will show.
SPF
To protect against spoofing of the Sender field, you should make sure to enable Sender Policy Framework (SPF) protection on your domain. Setting up SPF is usually straightforward: the SPF record needs to contain information about the servers that will act as senders of your email. These are the servers that are directly controlled by you or your email provider.
DKIM
Even with SPF in place, a criminal can still send an email where they set themselves as the Sender but your email address as the From address. This is where DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are your friends.
DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) works together with DKIM: your servers add a digital signature (DKIM) to your emails, and any email sent from you will always have such a signature (DMARC). With these protections in place, a criminal will not be able to create a valid DKIM signature in your name on their emails. Such emails will be rejected by the receiving server if you have set up the correct DMARC policy.
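As an added example (not from the original article or from Nordic IT), the Python code below audits the SPF and DMARC TXT records a domain publishes and flags settings that would leave spoofed mail unrejected. The record strings and the mailhost.example names are constructed, no DNS lookup is made, and DKIM is not checked because that requires knowing the signing selector.

```python
# Added example: audits constructed TXT strings offline; it performs no DNS lookups.

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF missing: no list of permitted sending servers is published"]
    if len(spf) > 1:
        return ["SPF invalid: more than one v=spf1 record is a permanent error"]
    terms = spf[0][1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return ["SPF delegated with redirect=: audit the target domain's record"]
        return ["SPF weak: no 'all' term, so unlisted servers get a neutral result"]
    # A bare 'all' has the implicit '+' (pass) qualifier.
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    verdicts = {"+": "SPF weak: 'all' passes every server",
                "?": "SPF weak: '?all' is neutral about unlisted servers",
                "~": "SPF soft: '~all' only soft-fails unlisted servers"}
    return [verdicts[qualifier]] if qualifier in verdicts else []  # '-all' is strict

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC missing: receivers have no policy for unauthenticated mail"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (part.partition("=") for part in recs[0].split(";"))}
    policy = tags.get("p")
    if policy == "none":
        return ["DMARC monitor-only: p=none does not reject or quarantine spoofed mail"]
    if policy == "quarantine":
        return ["DMARC partial: p=quarantine marks failing mail as suspicious, not rejected"]
    if policy != "reject":
        return ["DMARC invalid: p= tag missing or unrecognised"]
    return []

def audit_domain(apex_txt, dmarc_txt):
    """Combine both checks; an empty list means no findings."""
    return audit_spf(apex_txt) + audit_dmarc(dmarc_txt)

# Constructed sample records (not from any real domain).
WEAK = (["v=spf1 include:_spf.mailhost.example ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
STRICT = (["v=spf1 include:_spf.mailhost.example -all"],
          ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])

if __name__ == "__main__":
    for name, (apex, dmarc) in {"weak": WEAK, "strict": STRICT}.items():
        print(name, audit_domain(apex, dmarc) or "no findings")
```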
At Nordic IT, we recommend that all of our customers configure SPF, DKIM, and DMARC. It will not only block criminals from misusing your domain but will also increase the likelihood that the emails you send out are not marked as spam by the recipient. Please get in touch with us if you need our help setting up any of these technologies.