Virtually all activities on the Internet, including malicious ones, run through the Domain Name System (DNS). The increasing threat of recurring attacks via email emphasizes the importance of a robust DNS infrastructure and the use of specific DNS records.
In his talk with dotmagazine, Thomas Küchenthal, CTO of LEMARIT, explains the risks brand owners run with missing DNS records and why they are so important for preventing spam, spoofing, and other security risks.
dotmagazine: Thomas, can you briefly describe the function of the Domain Name System (DNS) and what impact it has on the sending of emails?
Thomas Küchenthal: In a nutshell, the DNS translates human-friendly domain names into IP addresses and thus basically indicates to web browsers which servers to contact to view a website at a domain. Similar to this, DNS also indicates to email clients which servers are authorized to send and receive email at a domain.
One thing to keep in mind is that the DNS comes from the dark ages of the Internet. There is no built-in security, as DNS uses a plain text protocol without any security measures.
dot: What does this mean for the security of digital services such as email?
Küchenthal: To increase the security of domains with respect to certain digital services, we need to consider the DNS as a secure source. The assumption is that the operator of a zone is either the resource owner or, alternatively, a trusted source.
Based on this premise, several DNS records can be published into the DNS, each serving a specific purpose. In the field of email security, we mainly distinguish between SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
dot: Speaking of trusted sources: How can domain owners fight spam and increase the authenticity of their emails?
Küchenthal: While spam basically cannot really be fought, the key is to reduce the probability that one’s own domain is misused for spam or phishing. Everyone must be aware that mechanisms such as SPF or DKIM are also used by spammers. However, these entries help with the reputation of the brand or domain name.
Domains that do not have SPF, DKIM, and DMARC set up correctly risk having their emails quarantined as spam or not reaching the recipient. They also run the risk of being imitated by spammers or cybercriminals for malicious purposes.
dot: You mentioned three potential DNS records to authenticate emails. Why do we need different record types?
Küchenthal: For this, it is worth taking a look at the technical structure of an email. The key components of an email are the actual message, including Message Header and Message Body, and the SMTP Envelope. It is especially important to distinguish between the “Mail From” in the envelope and the visible sender address in the Message Header in one’s email client, both potential targets.
The different record types are therefore used to secure different levels of an email. Each solves a somewhat different piece of the email puzzle to prevent phishing and spam.
dot: Can you provide some insight into what would be the first step to solve the puzzle?
Küchenthal: One component of a comprehensive email security strategy is an SPF record. It is used for sender reputation with the desire to protect the sender address (Mail From). The domain owner publishes an SPF record in its DNS zone and defines a list of authorized mail servers that are allowed to send emails on behalf of their domain.
If external services are used, for example for sending newsletters, their IP addresses must also be listed in the SPF record. If the sending server’s IP address matches one of the authorized entries, the email is considered legitimate, and it is more likely to be delivered to the recipient’s inbox.
However, it should be noted that the number of DNS lookups that are necessary to resolve included names is limited to 10. Due to the entry of external services such as Google or Outlook, the control over the number of lookups is with these third parties. In many cases, the lack of deliverability of emails is related to the very banal exceeding of DNS lookups.
Unfortunately, an SPF record only protects the sender address (Mail From) in the SMTP Envelope, while the visible sender in the email client can still be misused.
dot: Thus, at first glance, only partial success seems likely. How can domain owners close this gap?
Küchenthal: Correct, SPF alone does not provide end-to-end email security. The mentioned gap is closed by a DKIM record. DKIM authentication provides a method for validating a domain’s identity that is associated with a message through cryptographic authentication.
A DKIM record contains the public key that corresponds to the private key used for signing emails. This signature is unique to that specific email message and includes information about the email’s content. This protects the email against manipulation and ensures its authenticity.
Finally, DMARC virtually acts as the umbrella of these two technologies. This policy framework specifies how receiving email servers should handle messages that claim to be from that domain but fail SPF and DKIM checks.
DMARC also includes a reporting mechanism that allows domain owners to receive feedback reports from receiving email servers. These reports provide detailed information about email authentication results, including data on SPF and DKIM.
This can provide domain owners with helpful information about whether and who may be misusing the domain.
dot: Often, only the main domain of an organization is used for email. What about domains that are not used for this purpose?
Küchenthal: True, global brands usually have a large domain portfolio that spans multiple countries. Many of these domains may either have been registered for purely defensive reasons or are used for digital services other than emailing.
However, these can be particularly attractive to cybercriminals for spoofing and the like, because they may be less in focus. These domains should also be protected against possible attacks with the use of default entries. These combine SPF, DKIM, and DMARC and prevent the general sending and receiving of emails.
dot: How does LEMARIT help to keep the guard up and what impact does it have for businesses?
Küchenthal: Our mission is to provide, build, and execute digital security measures and reduce the risk of criminal attacks to your domain activities. This includes not only a comprehensive email security strategy, of course, but also several other measures that add an extra layer of security to your domains such as tailor-made DNS services, digital certificates, and other high-quality solutions.
With LEMARIT’s one-stop shopping approach, our clients actively mitigate not only domain abuse, but also product piracy and trademark infringements. In the long term, businesses can successfully prevent loss of data, financial assets, or reputation.
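Two points from the interview lend themselves to a worked check: the SPF limit of 10 DNS lookups that third-party includes can silently push a domain over, and the "default entries" that stop a defensive or non-mail domain from sending or receiving email. The following is an added example, not code from the interview or from LEMARIT; the zone data is constructed in-memory so it runs offline, and the no-mail record values are the common RFC conventions (SPF `-all`, DMARC `p=reject`, an empty wildcard DKIM key, and the RFC 7505 null MX), not LEMARIT's own defaults.

```python
import re

# Constructed sample TXT records keyed by owner name (not real DNS data).
ZONE = {
    "brand.example": "v=spf1 mx include:_spf.mailhost.example "
                     "include:news.example include:crm.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 "
                             "include:a.mailhost.example include:b.mailhost.example ~all",
    "a.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "b.mailhost.example": "v=spf1 a mx -all",
    "news.example": "v=spf1 exists:%{i}.news.example redirect=relay.news.example",
    "relay.news.example": "v=spf1 ip4:192.0.2.10 -all",
    "crm.example": "v=spf1 a mx ptr -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on lookup-consuming terms per evaluation
LOOKUP_MECHS = ("a", "mx", "ptr", "exists")  # each costs one lookup; ip4/ip6/all cost none

def count_spf_lookups(domain, zone, path=frozenset()):
    """Count DNS lookups an SPF evaluation of `domain` would consume, following
    include: and redirect= into other records in `zone`. `path` guards loops."""
    if domain in path:
        return 0  # include/redirect loop: a real evaluator would return permerror
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # strip qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        target = term[len(name) + 1:]
        if name in ("include", "redirect"):
            total += 1 + count_spf_lookups(target, zone, path | {domain})
        elif name in LOOKUP_MECHS:
            total += 1
    return total

def check_spf(domain, zone):
    """Report the lookup count and whether it stays within the limit."""
    n = count_spf_lookups(domain, zone)
    return {"lookups": n, "within_limit": n <= MAX_LOOKUPS}

def no_mail_records(domain):
    """Default entries for a domain that must never send or receive mail:
    SPF authorizes no sender, DMARC rejects failures, the wildcard DKIM
    selector publishes a revoked (empty) key, and the null MX refuses inbound."""
    return {
        f"{domain} TXT": "v=spf1 -all",
        f"_dmarc.{domain} TXT": "v=DMARC1; p=reject; adkim=s; aspf=s",
        f"*._domainkey.{domain} TXT": "v=DKIM1; p=",
        f"{domain} MX": "0 .",
    }
```

Run against the constructed zone, `brand.example` reaches 13 lookups because of what its third-party includes pull in, which is exactly the deliverability failure the interview describes.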
Thomas Küchenthal is co-founder and CTO of LEMARIT GmbH, a specialist in domain management and digital brand protection. As an IT business engineer, Thomas brings technical expertise from more than 20 years of experience. As an acknowledged DNS specialist, he is a member of the Technical Advisory Council of DENIC eG and an advocate of a secure infrastructure with technically high-quality solutions.
Day in, day out, he and his team ensure optimal protection as well as control of digital brands of multinational enterprises. In doing so, customers also benefit from a platform specially developed under his leadership: the LEMARIT.app.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.