Recently, I was on the wrong side of a phishing attack. Someone, apparently from Belgium, was using my email address to send phishing emails to people across the globe.
NOTE: A phishing email is an email that looks to be from a reputable source, but contains links that either install malware or attempt to steal your user name and password for a particular website.
At first, all I thought I could do was apologize. Which I did, but that didn’t really help anyone or fix the problem. Worse, the original spamming didn’t stop, it got worse.
Then, earlier this week, I called a friend who handles digital security for Fortune 100 companies and asked for help.
He told me that either my email had been hacked or someone had tricked my website into allowing them to impersonate me. More importantly, he gave me several specific things to do to minimize or eliminate this problem.
PHASE 1 – My Email Was Hacked
If my email account was hacked, the fix was easy: Change my password. I did this within seconds of getting his advice.
The problem is that if someone gains access to your email, THEY will change the password and lock you out. Because I was able to change the password, it probably meant that my email credentials were still secure.
Still, I changed my password anyway.
PHASE 2 – Dial Up Security on my Website
What was more likely was that this hacker had tricked my website into allowing him to impersonate me. What I learned was that there are techniques we can use to prevent this behavior. These are:
While this will involve team work between you and your web team, these three security features can pretty much lock out hackers from hijacking your email.
Here’s the Readers’ Digest version.
SPF. Developed in 2000, the “Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisztion can publish authorized mail servers. Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, a email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.” (DMARC Analyzer website)
What SPF does is put a flag on my website saying that emails using my domain (“LarryJordan.com”) can only come from my specific website. Someone can’t use their website to send emails pretending to be me. Even though I use a 3rd-party email service, this helps lock out unauthorized emails.
Applying this requires modifying hidden file on your web server, which is why my web master needed to get involved. The web link above explains what you need to know to create and validate an SPF record.
DMARC. This is the next step in email security. “DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.
“Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.” (Wikipedia)
Implementing DMARC requires creating a public/private key, which is stored in the TXT file on a web server. EVERY time an email is sent, the email server checks back with this TXT file to make sure that you are authorized to send this email from this domain. While this sounds like a lot of work and time, I’ve seen zero delay in sending emails.
DKIM. “DomainKeys Identified Mail (DKIM) is the most complicated email authentication protocol out there.
“What it is: DomainKeys Identified Mail (DKIM) is a protocol that allows an organization to take responsibility for transmitting a message in a way that can be verified by mailbox providers. This verification is made possible through cryptographic authentication.
“Why it matters: Email providers who validate DKIM signatures can use information about the signer as part of a program to limit spam, spoofing, and phishing, although DKIM does not tell receivers to take any specific actions. Depending on the implementation, DKIM can also ensure that the message has not been modified or tampered with in transit.
“The problem with DKIM is that because it’s more difficult to implement, fewer senders have adopted it. This spotty adoption means that the absence of a DKIM signature does not necessarily indicate the email is fraudulent. Therefore, DKIM alone is not a universally reliable way of authenticating the identity of a sender. In addition, the DKIM domain is not visible to the non-technical end user, and does nothing to prevent the spoofing of the visible “header from” domain.” (ReturnPath website)
One of the benefits to using DKIM is that any spam, attempting to impersonate me, gets sent to a specific spam folder on my system. This allows me to see who is impersonating me and, more importantly, prevent that spam from being delivered in the first place!
While it would be presumptuous to say that I’ll never have another problem with my email, so far, there’s been no recurrence of the spamming and no impact on my ability to send or receive emails.
Setting this all up required configuring my website and my email provider and the help of a web programer that understands this stuff. But, truthfully, it wasn’t hard and didn’t take a long time. Getting DMARC and DKIM working took an hour to program, then overnight to propagate to key DNS servers on the Internet.
There’s no cost for implementing any of these three security protocols and the peace of mind they provide is significant. Installing the SPF took about 30 minutes.
The web links in this article will explain what you need to do; or how to describe what needs to be done to your webmaster. From my own experience, I strongly recommend protecting your email and your reputation by implementing these protocols.
Because, frankly, sending apologies to angry people who’ve never heard of you really doesn’t do anything to solve the problem.
UPDATE – 9/8/2020
Dmytro Zaichenko, from MailTrap, contacted me about their “detailed guide on How to Implement DMARC Records explaining how DMARC records can be set up, their role in email security, and more. Also, we have a guide SPF Records Explained exploring these records thoroughly.”
I’m sharing these links in case you are interested in learning more.
NEW & Updated!
Edit smarter with Larry’s latest training, all available in our store.