Email Authentication

Businesses large and small should implement email authentication on their domains. It lets receiving mail servers verify who and what is allowed to send mail using your domain name. Setting it up can look daunting, especially with the alphabet soup of acronyms involved, but at its core it is not complicated and almost everyone can understand it. Without email authentication, scammers can use your domain name to send emails that look like they’re from your business. To foil their efforts, make sure your email provider supports these authentication tools and that they are actually configured for your domain.

Email authentication consists of three required configurations, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), plus one optional configuration, Brand Indicators for Message Identification (BIMI).

It can take some know-how to get SPF, DKIM, and DMARC up and running so they work as intended and don’t block legitimate emails. If you’re not sure you have the expertise, have your email hosting provider set them up. If they balk – or if they don’t include those fundamental protection tools in their service agreement – consider taking your business elsewhere.

SPF (Sender Policy Framework)

SPF lets you publish, in a DNS TXT record on your domain, the IP addresses (and, via include, other senders’ SPF records) that are authorized to send email using your domain. When a receiving server gets a message whose envelope sender (the Return-Path, also called MAIL FROM) is name[at]yourbusiness.com, it checks whether the connecting server’s IP address is on that list. If it is, the message passes SPF. If it isn’t, the record’s catch-all term decides the outcome: -all is a hard fail, ~all a soft fail that most receivers treat as suspicious. Note that SPF checks the envelope sender, not the From address the recipient sees.
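As an added example (not code from the original page), the following Python evaluates an SPF record against a connecting IP the way a receiving server does. DNS lookups are replaced by a constructed table, and the domains, addresses and records in it are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains and records are
# hypothetical examples, not real zones.
DNS_TXT = {
    "yourbusiness.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers.
    Returns one of the RFC 7208 result strings: pass, fail, softfail,
    neutral, none or permerror. The a, mx, ptr and exists mechanisms and
    the redirect modifier are not modelled in this example.
    """
    record = DNS_TXT.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        matched = False

        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"           # malformed address in the record
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            if depth >= 10:                  # RFC 7208 caps DNS-querying terms at 10
                return "permerror"
            nested = check_spf(argument, client_ip, depth + 1)
            if nested in ("none", "permerror"):
                return "permerror"           # including a missing record is an error
            matched = nested == "pass"
        elif mechanism == "all":
            matched = True                   # catch-all: its qualifier is the verdict
        else:
            continue                         # unsupported mechanism: skipped here

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8:1::5", "192.0.2.1"):
        print(ip, check_spf("yourbusiness.com", ip))
```

The first-term check matters: a spoofer connecting from 192.0.2.1 reaches the -all term and gets a hard fail, while the same address against the mail host’s own record (which ends in ~all) only soft-fails, which is why the catch-all you choose changes how receivers treat forgeries.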

SPF Resources from MimeCast|DMARC Analyzer

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your outgoing mail, carried in a DKIM-Signature header. The sending server signs selected headers together with a hash of the message body using a private key; the matching public key is published in DNS under the selector and domain named in the signature (its s= and d= tags). Receiving servers fetch that key and verify the signature, which proves that the message was signed by a holder of your domain’s key and that the signed headers and body were not altered in transit.
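The part of DKIM verification that needs no key at all is the body hash: the verifier canonicalizes the received body, hashes it and compares the result with the bh= tag before it even fetches the public key. As an added example (not code from the original page), the Python below implements RFC 6376 body canonicalization in both modes, computes bh= on the signer side and re-checks it on the verifier side. The domain, selector and message bodies are constructed for the example, and the b= signature itself (which needs the private key) is left out.

```python
import base64
import hashlib
import re


def parse_tag_list(value):
    """Parse a DKIM-style 'tag=value; tag=value' list into a dict.
    Folding whitespace inside values is not significant and is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'.

    Both modes drop empty lines at the end of the body and terminate the
    result with a single CRLF. 'relaxed' additionally collapses runs of
    whitespace within a line to one space and strips trailing whitespace,
    so a body reflowed slightly in transit still hashes the same.
    """
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")   # normalise line endings
    if mode == "relaxed":
        lines = body.split("\r\n")
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines)
    body = re.sub(r"(\r\n)+$", "", body)
    return body + "\r\n"


def body_hash(body, mode="relaxed", algorithm="sha256"):
    """Compute the base64 body hash that goes into the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def build_dkim_tags(body, domain, selector, mode="relaxed"):
    """Signer side: the DKIM-Signature tags up to (but not including) the
    b= signature, which would be computed over the canonicalized headers
    and this tag list with the domain's private key."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, mode)}; b=")


def verify_body_hash(dkim_signature, body):
    """Verifier side: recompute bh= from the received body and compare.
    A mismatch means the body was modified after signing (or the header is
    forged); only after this check does a verifier fetch the public key
    from <s>._domainkey.<d> to check the b= signature."""
    tags = parse_tag_list(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    algorithm = tags["a"].split("-")[1]                   # rsa-sha256 -> sha256
    if "l" in tags:
        return False   # body length limits (l=) are not handled in this example
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


if __name__ == "__main__":
    # Constructed message body; the signer's own mail host would produce this header.
    original = "Hello,  world \n\n\n"
    header = build_dkim_tags(original, "yourbusiness.com", "mail2024")
    print(header)
    print("original verifies:", verify_body_hash(header, original))
    print("tampered verifies:", verify_body_hash(header, "Please wire $10,000 today.\r\n"))
```

With c=relaxed/relaxed the trailing blank lines and doubled spaces in the original body do not change the hash, which is why relaxed canonicalization is the usual choice for mail that passes through lists and gateways; a changed sentence still fails, because only whitespace is forgiven.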

DKIM Resources from MimeCast|DMARC Analyzer

DMARC (Domain-based Message Authentication Reporting & Conformance)

DMARC is the essential third tool for email authentication. SPF and DKIM each authenticate a domain the recipient never sees: the envelope sender for SPF and the d= domain in the signature for DKIM. DMARC requires that at least one of those authenticated domains aligns with the From address the recipient does see. DMARC plays another key role: through the p= tag of a TXT record published at _dmarc.yourdomain, it tells receiving servers what to do with a message that claims to come from your domain but, based on SPF and DKIM, fails that check. You can have them reject the message (p=reject), send it to spam (p=quarantine), or take no action (p=none). You can also set up DMARC to notify you when this happens: a rua= tag names an address that receives aggregate reports of what passed and failed. A common rollout is to start at p=none with reporting turned on, fix any legitimate senders that fail, then move to quarantine and finally reject.
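As an added example (not code from the original page), the Python below makes the DMARC decision for a single message: it checks identifier alignment between the From domain and the domains that SPF and DKIM authenticated, honours the aspf/adkim strictness and sp= subdomain tags, and returns the disposition a receiver would apply. The DMARC record and the scenarios are constructed, and the organizational-domain function is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
def org_domain(domain):
    """Organizational domain used for relaxed alignment.

    Simplification assumed for this example: the last two labels. A real
    verifier consults the Public Suffix List so that 'shop.example.co.uk'
    maps to 'example.co.uk' rather than 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact match),
    'r' = relaxed (same organizational domain)."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def parse_dmarc_record(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Decide what a receiver does with one message.

    record       the _dmarc TXT record already looked up for the From domain
    from_domain  domain of the From: header the recipient sees
    spf_result   SPF result for the envelope sender domain spf_domain
    dkim_result  result of verifying the DKIM signature whose d= is dkim_domain
    Returns 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"   # no usable policy: the domain is effectively unprotected
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"   # one aligned, passing identifier is enough
    # A subdomain in From: falls under sp= when present, otherwise p=
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed record for a hypothetical domain, not a real DNS entry.
RECORD = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@yourbusiness.com"

if __name__ == "__main__":
    # Legitimate mail: SPF passes for the bounce subdomain, DKIM signed by the org domain.
    print(dmarc_disposition(RECORD, "yourbusiness.com", "pass", "bounce.yourbusiness.com",
                            "pass", "yourbusiness.com"))
    # Spoof: the attacker's own SPF passes for attacker.example, but nothing aligns.
    print(dmarc_disposition(RECORD, "yourbusiness.com", "pass", "attacker.example",
                            "none", None))
```

The spoof case is the point of DMARC: a scammer can always publish a valid SPF record for a domain they control and pass SPF, but that passing domain is not aligned with the From address they are forging, so the message is handled under your p= policy. The third scenario in the test (SPF fails after forwarding, DKIM still passes) shows why deploying both SPF and DKIM, not just one, keeps legitimate forwarded mail deliverable.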

DMARC Resources from MimeCast|DMARC Analyzer

BIMI (Brand Indicators for Message Identification)

Brand Indicators for Message Identification, or BIMI (pronounced: Bih-mee), is an emerging email specification that lets supporting email clients display a brand-controlled logo next to your messages. BIMI builds on the work an organization has already put into deploying DMARC by bringing the brand logo into the customer’s inbox. For the logo to be displayed, the message must pass DMARC and the domain’s DMARC policy must be enforcing (quarantine or reject), which ensures that the organization’s domain has not been impersonated.

BIMI Resources from BIMI Group

What to do if your email is spoofed

If your email authentication tools are working as intended, and in particular if your DMARC record names a reporting address, you’ll receive reports showing when someone spoofs your domain. Here’s how to respond:

Report the scam.  Contact local law enforcement, the FBI’s Internet Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. Forward phishing emails to spam@uce.gov, an address used by the FTC, and to reportphishing@apwg.org, an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies.

Notify your customers.  Contact them ASAP by mail, email, or social media. (If you email them, don’t include hyperlinks. You wouldn’t want your notification message to look like another phishing attempt.) Remind customers not to share personal information through email or text. If their data was stolen, direct them to IdentityTheft.gov.

Alert your staff.  Use the experience to update your security practices and train your staff about cyber threats. Distribute the FTC’s fact sheet on email authentication. Show this video from the FTC at your next staff meeting for tips on how to respond if your email is spoofed. And here’s another video from the FTC that takes a deeper dive into the technology behind email authentication.