Posted by Aruorihwo on March 3, 2020 at 10:55 am
Wouldn’t it be just awful if, after going through the trouble of securing your server and website, everything came to naught because someone opened an email they weren’t supposed to, or clicked an email link that opens a backdoor into your network?
Here are some measures you can put in place to ensure that your email configuration is not easily susceptible to attacks.
Enable SPF
SPF stands for Sender Policy Framework. It lets a receiving mail server check that a message really comes from a host the sending domain has authorized. The domain owner publishes a TXT record in DNS listing the servers (by IP address, or by reference to other records) that are allowed to send mail for that domain. Note that SPF checks the domain of the envelope sender (the SMTP MAIL FROM, which shows up as Return-Path) and the HELO name, not the From address the user sees in their mail client.
For example, when an SPF-enabled server receives a message from user@xyz.com, it looks up the TXT record for xyz.com, reads the SPF policy and compares the IP address of the connecting server against it. If the server is listed, SPF passes and the mail goes through; if it is not, the record's terminal "all" mechanism decides the result: "-all" is a hard fail, "~all" a soft fail, and "?all" or "+all" give no protection at all. Keep the record within the limit of 10 DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect), otherwise it evaluates to a permanent error and protects nothing.
For SPF to be highly effective, it has to be enabled in both directions. Check SPF on incoming mail so that messages coming into the organization are validated, and publish an SPF record for your own domain so that your organization can't be impersonated by someone sending from a server not listed in it; a published SPF record also makes your mail more trustworthy to other receivers and improves deliverability.
Point to note: SPF lets receivers detect envelope-sender spoofing. On its own it does not protect the visible From header (that needs DMARC), and it breaks on forwarded mail because the connecting IP changes, which is why DKIM is needed alongside it.
Enable DKIM
DKIM stands for DomainKeys Identified Mail and complements SPF. The sending domain generates a key pair: the public key is published in DNS (as a TXT record at selector._domainkey.yourdomain), and the mail server uses the private key to sign selected headers and a hash of the body of every outgoing message, placing the result in a DKIM-Signature header. The message is signed, not encrypted, so anyone can still read it, but a receiver can fetch the public key and verify that the signed headers and the body have not been altered since they left a server holding the private key. Forging a signature without that key is infeasible, so the signing domain takes responsibility for every message carrying its DKIM signature.
Enabling DKIM makes your email much more trustworthy, protects the integrity of the signed parts of the message, survives forwarding (unlike SPF, it does not depend on the connecting IP) and reduces the chances of your mail being blacklisted. Keep the private key off internet-facing hosts where possible and rotate selectors periodically, so a leaked key does not keep signing mail forever.
Point to note: Enabling DKIM makes your email trustworthy and tamper-evident.
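To make the "signature over headers and a body hash" concrete, here is an added example (not code from the original post) that implements the two RFC 6376 canonicalization modes and computes the bh= body hash a DKIM signer puts in the DKIM-Signature header, then shows a verifier recomputing it over a received body. The actual RSA signature over the canonicalized headers needs a crypto library and is left out; the sample message is constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and
    make sure the body ends with exactly one CRLF (an empty body becomes CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces and tabs
    to one space, strip trailing whitespace on each line, drop trailing empty lines.
    Assumes CRLF line endings, as on the wire."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canonicalize_header_relaxed(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase the field name, unfold
    continuation lines, collapse whitespace, strip the ends. This is the form
    of every header named in the h= tag that goes into the signature."""
    value = re.sub(r"\r\n([ \t])", r"\1", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= tag of a DKIM-Signature: base64(SHA-256(canonicalized body))."""
    canonical = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def verify_body_hash(body: bytes, bh: str, canon: str = "relaxed") -> bool:
    """First step of verification: recompute bh= over the body as received and compare.
    A mismatch means the body was modified in transit, so the signature is void."""
    return hmac.compare_digest(body_hash(body, canon), bh)


if __name__ == "__main__":
    # Constructed sample message body (not a real capture).
    original = b"Hi,\r\n\r\nPlease pay invoice 42 to account 1234.\r\n\r\n\r\n"
    bh = body_hash(original)
    print("bh=", bh)
    # A relay adding trailing blank lines does not break the hash...
    print(verify_body_hash(original + b"\r\n\r\n", bh))   # True
    # ...but an attacker changing the account number does.
    print(verify_body_hash(original.replace(b"1234", b"9999"), bh))   # False
    print(canonicalize_header_relaxed("From", " Alice\r\n  <alice@xyz.com> "), end="")
```

The relaxed mode exists precisely because mail relays rewrap and re-space headers and bodies in transit; a signer that used simple canonicalization everywhere would see its signatures broken by perfectly honest intermediaries, which is why most deployments sign with relaxed/relaxed.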
Enable DMARC
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC builds on SPF and DKIM, so both should already be in place before you use it. It adds two things they lack: alignment, meaning the domain that passed SPF or DKIM must match the domain in the visible From header, and reporting, meaning receivers send aggregate (rua) and optionally failure (ruf) reports that give you visibility into who is sending mail as your domain.
If neither SPF nor DKIM passes with an aligned domain, the DMARC policy tells the receiver what to do with the message: p=none (monitor only), p=quarantine (deliver to spam) or p=reject. Start at p=none, read the reports until every legitimate sender passes, then move to quarantine and finally reject. Combining all three creates a trustworthy environment.
Without DMARC, each receiver decides for itself how to treat an SPF or DKIM failure, so the same spoofed message may be rejected by one provider and delivered by another. DMARC publishes your policy in a DNS TXT record at _dmarc.yourdomain (not inside the email), so every receiver applies the same instruction and reports back to you.
Point to note: Using DMARC enables you to utilize SPF and DKIM to the fullest.
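The SPF evaluation and DMARC alignment logic described in the three sections above, as an added example that is not part of the original post. The DNS records for xyz.com, its bounce subdomain, a mail host it includes and an attacker's domain are constructed sample data; the lookup is injected so everything runs offline, and the organizational-domain check is simplified to the last two labels (real verifiers use the Public Suffix List).

```python
import ipaddress

# Constructed sample DNS data for the xyz.com example (not real records).
SPF_RECORDS = {
    "xyz.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "bounce.xyz.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
DMARC_XYZ = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@xyz.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip, lookup=None):
    """Evaluate one SPF record against the IP that connected to us.

    Handles ip4, ip6, all and include (resolved through the injectable
    lookup(domain) -> record-or-None). Mechanisms that need live DNS
    (a, mx, ptr, exists, redirect=) return permerror here; a real evaluator
    resolves them and enforces the 10-lookup limit."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if lookup is None:
                return "temperror"
            sub = lookup(arg)
            if sub is None:
                return "permerror"             # included domain has no SPF record
            if evaluate_spf(sub, client_ip, lookup) == "pass":
                return QUALIFIERS[qualifier]   # only a pass inside the include matches
        else:
            return "permerror"
    return "neutral"   # nothing matched and there is no terminal "all"


def parse_dmarc(record):
    """'tag=value; tag=value' -> dict, with the DMARC defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification: last two labels. Real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(header_from_domain) == organizational_domain(authenticated_domain)


def dmarc_disposition(dmarc_record, header_from_domain, spf_result, mail_from_domain, dkim_pass_domains):
    """'pass' if an aligned SPF or DKIM identifier passed; otherwise the policy
    to apply ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none"
    spf_ok = spf_result == "pass" and aligned(header_from_domain, mail_from_domain, tags["aspf"])
    dkim_ok = any(aligned(header_from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else tags["p"]


def check_message(client_ip, mail_from_domain, header_from_domain, dkim_pass_domains):
    """One inbound message: SPF on the MAIL FROM domain, then DMARC for the From header domain."""
    spf = evaluate_spf(SPF_RECORDS.get(mail_from_domain, ""), client_ip, SPF_RECORDS.get)
    return spf, dmarc_disposition(DMARC_XYZ, header_from_domain, spf, mail_from_domain, dkim_pass_domains)


if __name__ == "__main__":
    print(check_message("203.0.113.7", "bounce.xyz.com", "xyz.com", []))                   # ('pass', 'pass')
    print(check_message("192.0.2.9", "attacker.example", "xyz.com", ["attacker.example"]))  # ('pass', 'reject')
    print(check_message("192.0.2.9", "xyz.com", "xyz.com", []))                            # ('fail', 'reject')
```

The second case is the one SPF alone gets wrong: the attacker's own domain passes SPF and even carries a valid DKIM signature, but neither identifier is aligned with the xyz.com From header, so DMARC rejects it.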
Set up a Spam Filter
Around half of all emails sent are considered spam, although the share has been falling as botnet defenses have improved. The value of a good spam filter cannot be overemphasized. You can use either a dedicated spam appliance or a cloud-based filtering service.
Whichever one you decide to go with, ensure you do the following:
- Enable DNS-based blackhole lists (DNSBLs), so connections from IP addresses known to send spam are rejected at SMTP time
- Block senders whose IP address has no reverse DNS, or whose reverse DNS name does not resolve back to the same address (forward-confirmed reverse DNS)
- Add filters that block or quarantine dangerous attachment types: executables, scripts, macro-enabled Office documents, and archives or disk images that hide them
- Enable content analysis (rule-based or statistical scoring of headers and body)
- Enable rate control, so a single client cannot flood you with connections or messages
Failing to set up a proper spam filter will lead to people’s inboxes being impossible to use and most of the emails processed by your organization being garbage.
Point to note: Setting up a spam filter blocks spam before the user sees it.
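The first three checks in the list above, written out as an added example (not code from the original post): building and interpreting a DNSBL query, forward-confirmed reverse DNS, and a dangerous-attachment test. The DNSBL zone name is an assumption (any zone is queried the same way), and the DNS answers are a constructed table so the example runs offline; swap in the default socket-based lookups to query real DNS.

```python
import ipaddress
import socket

DNSBL_ZONE = "zen.spamhaus.org"   # assumption: any DNSBL zone is queried the same way
DANGEROUS_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf",
                      ".hta", ".jar", ".ps1", ".lnk", ".iso", ".img", ".docm", ".xlsm", ".pptm")


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the octets (IPv4) or hex nibbles (IPv6) and append the zone name."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        reversed_part = ".".join(reversed(str(ip).split(".")))
    else:
        reversed_part = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def dnsbl_listed(client_ip, lookup=socket.gethostbyname, zone=DNSBL_ZONE):
    """Return the 127.0.0.x listing code, or None if not listed. NXDOMAIN arrives as
    socket.gaierror (an OSError). Answers in 127.255.x.x mean the zone refused the
    query (typically from an open resolver), so they are not treated as a listing."""
    try:
        answer = lookup(dnsbl_query_name(client_ip, zone))
    except OSError:
        return None
    return answer if answer.startswith("127.0.0.") else None


def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]


def _addrs(hostname):
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def forward_confirmed_rdns(client_ip, ptr_lookup=_ptr, addr_lookup=_addrs):
    """FCrDNS: the PTR name of the client must resolve back to the client's address."""
    try:
        return client_ip in addr_lookup(ptr_lookup(client_ip))
    except OSError:
        return False


def dangerous_attachment(filename: str) -> bool:
    """Judge by the final extension, after stripping the trailing spaces and dots
    attackers use to disguise names like 'invoice.pdf.exe' or 'setup.exe .'."""
    return filename.lower().rstrip(" .").endswith(DANGEROUS_SUFFIXES)


def table_resolver(table):
    """Turn a dict into a lookup function; unknown names raise OSError like NXDOMAIN."""
    def lookup(name):
        if name not in table:
            raise OSError(f"NXDOMAIN {name}")
        return table[name]
    return lookup


def gate_message(client_ip, attachments, lookup, ptr_lookup, addr_lookup):
    """Apply the three checks; an empty list means accept, otherwise the reject reasons."""
    reasons = []
    code = dnsbl_listed(client_ip, lookup)
    if code:
        reasons.append(f"{client_ip} listed in {DNSBL_ZONE} ({code})")
    if not forward_confirmed_rdns(client_ip, ptr_lookup, addr_lookup):
        reasons.append(f"{client_ip} has no forward-confirmed reverse DNS")
    reasons += [f"dangerous attachment {name}" for name in attachments if dangerous_attachment(name)]
    return reasons


# Constructed sample DNS data (not real lookups): 192.0.2.66 is a listed bot with no
# reverse DNS, 203.0.113.5 is a clean mail server whose PTR resolves back to it.
SAMPLE_DNSBL = table_resolver({"66.2.0.192.zen.spamhaus.org": "127.0.0.4"})
SAMPLE_PTR = table_resolver({"203.0.113.5": "mail.xyz.com"})
SAMPLE_ADDRS = table_resolver({"mail.xyz.com": {"203.0.113.5"}})

if __name__ == "__main__":
    print(gate_message("203.0.113.5", ["report.pdf"], SAMPLE_DNSBL, SAMPLE_PTR, SAMPLE_ADDRS))       # []
    print(gate_message("192.0.2.66", ["invoice.pdf.exe"], SAMPLE_DNSBL, SAMPLE_PTR, SAMPLE_ADDRS))   # 3 reasons
```

Run the DNSBL and reverse-DNS checks at connection time, before the message body is transferred, so rejected clients cost you almost nothing; the attachment check necessarily runs after DATA.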
Set a Throttling Policy
If a user’s email credentials are compromised in a phishing scam, a throttling (rate-limiting) policy helps ensure the scammers can’t send the volume of mail that would ruin your reputation and get your server blacklisted.
In order to set up a throttling policy, you need an idea of how many emails your users legitimately send per day and build the limits around that, with an exception process for genuinely high-volume senders such as newsletter systems. When setting up the policy you need to consider:
- Number of recipients per sender per day
- Number of emails per sender per hour
- Number of recipients per email
By setting limits on the three counts above, you ensure that even if an account is compromised, the attacker gets only a handful of messages out before being stopped, and the damage to your reputation stays small and short-lived. Alert on limit hits as well: a normal user who suddenly trips the hourly cap is often the earliest sign of a compromise.
Point to note: Throttling limits the damage a hijacked account can do and protects you from blacklisting.
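The three limits above as a working per-sender throttle, added here as an example and not taken from the original post. The default numbers and the "stolen credentials blast a 50-recipient message every 10 seconds" scenario are constructed; the point of the simulation is to see how many messages actually escape before the policy holds.

```python
from collections import defaultdict, deque

HOUR = 3600
DAY = 86400


class ThrottlePolicy:
    """Per-sender limits for the three counts the text lists. The default
    numbers are constructed placeholders; derive yours from real daily volume."""

    def __init__(self, messages_per_hour=100, recipients_per_day=1000, recipients_per_message=50):
        self.messages_per_hour = messages_per_hour
        self.recipients_per_day = recipients_per_day
        self.recipients_per_message = recipients_per_message
        self.history = defaultdict(deque)   # sender -> deque of (send_time, recipient_count)

    def check(self, sender, recipients, now):
        """Return (allowed, reason). The send is recorded only when allowed, so a
        blocked burst does not lock the user out for longer than the policy says."""
        count = len(set(r.lower() for r in recipients))
        if count > self.recipients_per_message:
            return False, f"{count} recipients in one message, limit {self.recipients_per_message}"
        history = self.history[sender]
        while history and now - history[0][0] >= DAY:      # forget sends older than a day
            history.popleft()
        last_hour = sum(1 for sent_at, _ in history if now - sent_at < HOUR)
        if last_hour >= self.messages_per_hour:
            return False, f"{sender} already sent {last_hour} messages in the last hour"
        today = sum(n for _, n in history)
        if today + count > self.recipients_per_day:
            return False, f"{sender} would reach {today + count} recipients today, limit {self.recipients_per_day}"
        history.append((now, count))
        return True, None


def simulate_compromise(policy, sender="alice@xyz.com"):
    """Constructed scenario: stolen credentials used to blast a 50-recipient message
    every 10 seconds. Returns how many messages get out before the policy bites."""
    delivered = 0
    for i in range(1000):
        allowed, _ = policy.check(sender, [f"victim{i}-{k}@example.net" for k in range(50)], 10.0 * i)
        delivered += allowed
    return delivered


if __name__ == "__main__":
    print(simulate_compromise(ThrottlePolicy()))   # 20: the daily recipient cap stops the rest
```

With the defaults, the daily recipient cap (1000) is what stops the attacker, after 20 messages; the hourly message cap never triggers because each message already carries the maximum 50 recipients. Tune whichever limit your own traffic makes tightest.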
Implement Local Email Domain Restriction
To block phishing emails that arrive from other systems on the internet claiming to be from your domain, restrict mail bearing your domain to your own email system. Any message from the internet that claims to be from you is then rejected.
However, when implementing this restriction, there are some factors you have to consider. There are most likely going to be legitimate emails coming from your domain but not from your system. They might be from:
- A remailer service: mail goes from your user to a third-party remailer on the internet and then back into your organization
- Cloud services set to send as domain users
- Web application forms that trigger emails sent from an internet web server with a domain email address
Depending on the mail service you use, you may be able to allowlist those specific hosts (by IP address or network) while still blocking the rest of the internet; if you publish SPF, the same hosts belong in your SPF record. If this restriction isn’t in place, phishing emails from addresses claiming to be yours can reach your users and lead them to reveal sensitive information such as passwords.
Point to note: Restricting local email domain prevents sender domain forgery.
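The restriction and its three exceptions as a decision function for an inbound SMTP transaction, added here as an example (not code from the original post). The internal networks and the allowlisted remailer, cloud-service and web-server addresses are constructed sample data; both the envelope sender and the visible From header are checked, because phishing mail usually forges the header while using a throwaway envelope.

```python
import ipaddress
from email.utils import parseaddr

LOCAL_DOMAIN = "xyz.com"           # the page's example domain
# Constructed data: the only places mail "from xyz.com" may legitimately enter from.
INTERNAL_NETS = ["10.0.0.0/8", "203.0.113.0/24"]
ALLOWED_EXTERNAL = {               # one entry per exception the text lists
    "remailer service": "198.51.100.0/24",
    "cloud service sending as domain users": "192.0.2.10/32",
    "web application server": "2001:db8:1::/48",
}


def domain_of(address: str) -> str:
    """'CEO <ceo@xyz.com>' -> 'xyz.com'; an empty (bounce) sender -> ''."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")


def claims_local_domain(address: str) -> bool:
    """True for our domain and any subdomain of it."""
    domain = domain_of(address)
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def sender_domain_gate(client_ip: str, mail_from: str, header_from: str):
    """Decide one inbound transaction: (accept, reason)."""
    if not (claims_local_domain(mail_from) or claims_local_domain(header_from)):
        return True, "not our domain; SPF, DKIM and DMARC checks apply instead"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in INTERNAL_NETS):
        return True, "internal mail system"
    for name, net in ALLOWED_EXTERNAL.items():
        if ip in ipaddress.ip_network(net):
            return True, f"allowlisted: {name}"
    return False, f"{client_ip} claims {LOCAL_DOMAIN} but is not an allowed source"


if __name__ == "__main__":
    print(sender_domain_gate("10.1.2.3", "alice@xyz.com", "alice@xyz.com"))
    print(sender_domain_gate("198.51.100.20", "alice@xyz.com", "alice@xyz.com"))
    print(sender_domain_gate("192.0.2.99", "bounce@attacker.example", "CEO <ceo@xyz.com>"))
```

Note the last case: the envelope sender is the attacker's own domain (so SPF for it may well pass), and only checking the From header catches the impersonation of the CEO.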
Secure Your DNS Records with DNSSEC
Most of the measures above depend on DNS records (the SPF policy, the DKIM public keys, the DMARC policy and your MX records), so it goes without saying that protecting those records is crucial. DNS spoofing (a.k.a. DNS cache poisoning) is an attack in which a forged DNS answer is planted in a resolver's cache so that traffic is redirected to a fraudulent destination that resembles the intended one.
For example, you type xyz.com into your browser and your computer performs a DNS lookup for it. The resolver's cache entry for xyz.com has been poisoned, so the attacker's IP address is returned, and a fake page from the attacker's server is loaded in your browser. You enter your credentials, which are then stored in the attacker's database. The same trick against a domain's MX or SPF records redirects its mail or makes a spoofed sender look legitimate.
DNSSEC lets a validating resolver detect this. The zone owner signs its records with a private key and publishes the corresponding public key in DNS; a chain of trust runs from the root zone down to your domain, and the resolver verifies the signature on every answer. A forged or altered record fails validation and is discarded. DNSSEC provides authenticity and integrity, not confidentiality, and it only protects clients whose resolver actually validates.
Point to note: DNSSEC lets resolvers reject forged DNS answers, so an attacker cannot substitute their own records for yours. It does not by itself stop changes made with stolen registrar or DNS-provider credentials, so protect those accounts with strong authentication as well.
Encrypt Sensitive Email
The surest way to ensure privacy for email is to encrypt the message itself between sender and recipient, end to end. The two parties exchange public keys for encryption while keeping their private keys for decryption, so only the holder of the matching private key can read the message.
Unlike most of the other measures, this one requires configuration on both the sender's and the recipient's side. Most email clients support certificate-based encryption (S/MIME), and OpenPGP is available through plugins, but for either to work both parties have to trust each other's certificates or keys. Be aware that the message headers, including the subject line and the sender and recipient addresses, are not encrypted. It is advisable to encrypt only messages that absolutely warrant strict privacy, as encryption reduces ease of use and prevents server-side scanning of the content for malware.
Point to note: End-to-end email encryption protects the confidentiality of the message body and attachments, both in transit and on the mail servers that store them; TLS between servers protects only each hop.
Effective Staff Training
No matter how much effort you put to secure your email server, it all comes down to the people using the system being adequately trained to ensure these measures are well implemented.
Regular training should be done to educate staff on some of the basic email security concepts, such as:
- How to identify and avoid phishing scams
- What social engineering is and how to know what information is okay to give out.
- How to avoid malicious links
- Ways to transfer files other than emails
This training should be repeated regularly and can be part of the onboarding process. Failure to educate staff on the importance of email security would eventually make the other measures useless, because all it takes is carelessness on the part of one staff member to open a backdoor into the organization’s network.
Continual Configuration Testing
The last step is to put a process in place to regularly assess your system against your organization’s policy: check that the SPF, DKIM and DMARC records still say what you intend, that throttling and filtering are still active, and that nothing has silently changed. Running regular configuration tests lets security holes be discovered and fixed before they are exploited.
Point to note: For all the other measures to have an impact on security, they have to be regularly tested.
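An added example of the kind of configuration test this step calls for (not code from the original post): an audit of a domain's published SPF and DMARC records that flags the weak settings discussed earlier in this post, such as "+all", more than 10 DNS-lookup mechanisms, p=none or a missing report address. The records are passed in as strings (fetch them with your DNS tooling of choice), and the sample records are constructed.

```python
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def audit_spf(record: str):
    """Return (severity, code, detail) findings for a published SPF record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "NO_SPF", "record missing or does not start with v=spf1")]
    lookups = 0
    terminal = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        mech = body.split(":", 1)[0].split("/", 1)[0].lower()   # strip ':domain' and '/cidr'
        if mech.startswith("redirect=") or mech in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "ptr":
            findings.append(("medium", "PTR_MECHANISM", "ptr is deprecated, slow and unreliable"))
        if mech == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(("high", "TOO_MANY_LOOKUPS", f"{lookups} DNS-lookup terms, limit is 10 (permerror)"))
    if terminal == "+":
        findings.append(("high", "PLUS_ALL", "+all lets any host on the internet pass SPF"))
    elif terminal == "?":
        findings.append(("high", "NEUTRAL_ALL", "?all gives no protection"))
    elif terminal == "~":
        findings.append(("low", "SOFTFAIL_ALL", "~all is acceptable under DMARC enforcement, otherwise prefer -all"))
    elif terminal is None:
        findings.append(("medium", "NO_ALL", "no terminal all mechanism; unlisted hosts get neutral"))
    return findings


def audit_dmarc(record: str):
    """Return (severity, code, detail) findings for a published DMARC record."""
    findings = []
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [("high", "NO_DMARC", "record missing or does not start with v=DMARC1")]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append(("medium", "P_NONE", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", "BAD_POLICY", f"unknown policy p={policy}"))
    if "rua" not in tags:
        findings.append(("low", "NO_RUA", "no aggregate-report address, so you get no visibility"))
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append(("low", "PARTIAL_PCT", f"policy applies to only {pct}% of failing mail"))
    if tags.get("sp") == "none" and policy != "none":
        findings.append(("medium", "SP_NONE", "subdomains are exempt from the policy"))
    return findings


def audit_domain(spf_record: str, dmarc_record: str):
    """Both audits as a sorted list of codes, easy to diff against the previous run."""
    return sorted(code for _, code, _ in audit_spf(spf_record) + audit_dmarc(dmarc_record))


if __name__ == "__main__":
    # Constructed sample records: one good pair, one weak pair.
    print(audit_domain("v=spf1 ip4:203.0.113.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc-reports@xyz.com"))   # []
    print(audit_domain("v=spf1 ?all", "v=DMARC1; p=none"))   # ['NEUTRAL_ALL', 'NO_RUA', 'P_NONE']
```

Run it from a scheduled job and alert when the list of codes changes; a record that was fine last week and suddenly reports PLUS_ALL or NO_DMARC is either a mistake by whoever edited DNS or a sign that the DNS account itself was compromised.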
In conclusion, various other measures can be implemented to restrict unwanted access to your email server, but using these 10 measures would go a long way to ensuring that your server is adequately secured.