Simple Mail Transfer Protocol (SMTP) is the de-facto standard for sending e-mail over the Internet. ‘The advantage of SMTP is that, as the name implies, it is simple. The disadvantage is that you can perfectly impersonate another sender,’ said security specialist Jan Guldentops, who gave a presentation at Cybersec Europe’s Tech Theatre a few weeks ago.
Where SMTP falls short is where Dmarc, DKIM and SPF come into the picture. These technologies play an important role in improving the reliability and trust of e-mail communications.
SPF (Sender Policy Framework) is an e-mail authentication technology that verifies that e-mails are sent from authorized servers associated with the sender’s domain. ‘Domain owners can add SPF records to their DNS settings to specify a list of authorized servers that are authorized to send e-mails on behalf of their domain,’ Jan Guldentops explains. ‘A kind of white listing for e-mail, in other words.’
DKIM and Dmarc
DKIM (= DomainKeys Identified Mail), in turn, is a mechanism by which the recipient of an e-mail can verify that the e-mail was sent and authorized by the owner of the sending domain. This is done by adding a digital signature to the header of the e-mail. ‘It is an extension of SPF, but at many organizations and their mail servers it is not set up correctly. So this is where Microsoft will become stricter.’
Finally, Dmarc (= Domain-based Message Authentication, Reporting, and Conformance) is a protocol for applying authentication to, and reporting on, e-mails sent from a particular domain. Dmarc allows a domain owner to indicate what action to take if a received e-mail does not meet authentication requirements. “It serves for reporting,” Guldentops said.
As Microsoft becomes stricter in its use of protocols such as SPF, DKIM and Dmarc, this will affect many. ‘As a result, mails often end up in the spam filter sooner. Or sometimes even get blocked earlier.’
But are we using this?
With the support of Europe, the so-called Cyssme consortium has built up statistics on how often these security mechanisms are used. ‘We built up a list of domain names per country and started testing them structurally to see whether they have an SPF and Dmarc record and whether this is set correctly.’
Belgian figures show that 62.67 percent of Belgian domain names have an SPF record. “This puts the country at the European average of 62.65 percent, but it scores worse on average than the Netherlands and Luxembourg, where on average 70 percent of domains have an SPF record.”
And that is just the theory. ‘If we take a closer look at how well this record is set, we see that only 23 percent give strict instructions for their domain, where we are above the European average of 17 percent.’
The Dmarc protocol appears to be in worse shape. ‘Here only 26.59 percent of Belgians have set up a Dmarc record. Only a quarter of companies are therefore aware that their domain is being abused for phishing or spam, for example,’ Guldentops says. ‘Here, too, Belgium is circling the European average and scores poorly compared to Luxembourg and the Netherlands, which average at 43 percent.’
Table: Acceptance rate by security standard (selected regions and countries)

| Region/country   | Dmarc (%) | SPF (%) | Strict SPF (%) |
|------------------|-----------|---------|----------------|
| Belgium (be)     | 26.59     | 62.67   | 23.02          |
| Netherlands (nl) | 47.65     | 72.77   | 22.25          |
| Luxembourg (lu)  | 27.62     | 69.79   | 28.84          |
| Benelux          | 43.28     | 70.75   | 22.47          |
| Europe (total)   | 25.93     | 62.65   | 18.21          |
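
The kind of per-domain check the survey describes can be sketched as follows. This is an added example, not the consortium's own tooling: it runs on constructed TXT records instead of live DNS, and it assumes that "strict" means an SPF record ending in `-all`, since the article does not say how strictness was measured.

```python
# Added example. Assumption: "strict" SPF means the policy ends in "-all" (hard fail).
SPF_ALL = {"-all": "strict", "~all": "softfail", "?all": "neutral",
           "+all": "pass-all", "all": "pass-all"}

def classify_spf(txt_records):
    """Return 'none', 'invalid', 'no-all', or one of the SPF_ALL labels."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return "invalid"
    for term in spf[0].lower().split()[1:]:
        if term in SPF_ALL:  # the "all" mechanism sets the default result
            return SPF_ALL[term]
    return "no-all"  # e.g. policy delegated with redirect=, or left open

def _tags(record):
    """Split 'k=v; k=v' into a list of (key, value) pairs."""
    parts = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return [(k.strip().lower(), v.strip()) for k, v in parts]

def classify_dmarc(txt_records):
    """Return 'absent', 'invalid', or the published policy as 'p=...'."""
    recs = [t for t in map(_tags, txt_records) if t[:1] == [("v", "DMARC1")]]
    if not recs:
        return "absent"
    if len(recs) > 1:  # several DMARC records: receivers apply none of them
        return "invalid"
    policy = dict(recs[0]).get("p", "").lower()
    return f"p={policy}" if policy in ("none", "quarantine", "reject") else "invalid"

# Constructed sample: domain -> (TXT at the domain, TXT at _dmarc.<domain>)
SAMPLE = {
    "example.be": (["v=spf1 include:_spf.example.net -all"],
                   ["v=DMARC1; p=reject; rua=mailto:dmarc@example.be"]),
    "example.nl": (["v=spf1 mx ~all", "site-verification=abc"], ["v=DMARC1; p=none"]),
    "example.lu": (["v=spf1 a -all", "v=spf1 mx -all"], []),  # duplicate SPF record
    "example.eu": ([], []),
}

def adoption(sample):
    """Percentages in the shape of the table's columns."""
    spf = [classify_spf(apex) for apex, _ in sample.values()]
    dmarc = [classify_dmarc(d) for _, d in sample.values()]
    pct = lambda hits: round(100 * hits / len(sample), 2)
    return {"dmarc": pct(sum(d.startswith("p=") for d in dmarc)),
            "spf": pct(sum(s not in ("none", "invalid") for s in spf)),
            "strict_spf": pct(sum(s == "strict" for s in spf))}
```

Note that a Dmarc record with `p=none` counts as present here even though it only requests reports and asks receivers to take no action on failing mail.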