PRESS RELEASE: Gen2 Broking to join KYND’s Broker Programme to help businesses take control of cyber risk
Come fly with me, let's fly, let's fly a mail
- Deny the plane landing permissions so it never touches down at LAX?
- Let the plane land, but assign it to a special holding hangar, or make a warning announcement to the terminal that it could be fake?
- Let the plane land & taxi as normal, but just let Oceanic know that a plane arrived from Auckland claiming to be one of theirs?
- Reject emails that fail the SPF test
- Quarantine those emails: route them to an admin to inspect, or put them in your spam/junk folder, or display a warning to you that they came from somewhere suspicious
- Let all the emails through, sending a notification to the sending domain that they failed SPF tests
Why might Oceanic want spoofed planes to arrive as normal?
As a side note - setting this DMARC policy does run the risk that some real Oceanic Airline planes might be rejected from landing. For instance, if some Oceanic planes operate out of Perth, or divert via Melbourne, and this isn’t covered in the SPF statement, then a stringent DMARC policy would mean lots of Oceanic planes being denied landing, or being quarantined. As a result, Oceanic may deliberately set their DMARC policy so that airports don’t take any action when their planes fail the SPF validation. But of course, the more robust solution for Oceanic Airlines would be to update their SPF statement to say “Planes that arrive from Sydney Airport (SYD), Perth Airport (PER), or Melbourne Airport (MEL) are real Oceanic planes. Planes that arrive from any other origin are definitely not real Oceanic planes.” This would allow those diverted and alternate flights to land correctly, while minimising the risk of Oceanic Airlines flights being spoofed.
Similarly, some organisations may choose to implement laxer DMARC policies (especially if they’re using external mailing services which send emails from different servers) so that they don’t run the risk of legitimate emails being rejected. While this does maximise deliverability, it does leave these organisations open to being spoofed. The more robust solution is to properly add these servers/domains as legitimate senders in the SPF statement, and implement stronger DMARC policies - to maintain deliverability of emails while minimising the risk of being spoofed.That’s all well and good, but how do I know the cargo hasn’t been changed? From the Oceanic statements, Fiona can know if any given plane is really an Oceanic plane, and what to do if it appears it isn’t. But it won’t help her check if the plane’s cargo and passengers have been changed between Sydney and Los Angeles. Similarly, SPF (and a DMARC policy to take action if SPF checks fail) will confirm that an email is really from the address it says it’s from. But it won’t help us check that the message hasn’t been changed by an attacker at some point between the sender and the recipient. Often hackers intercept an email after it’s sent, and change the message before it’s delivered to the recipient – e.g. changing the bank details you just sent to your client! Seems we’re back to square one… unless there’s a way to seal the delivery? For the Oceanic plane landing at LAX, the ground staff at SYD could maybe use some special tape on the cargo and cabin doors. If anyone tries to change even the tiniest thing about the flight, the tape will tear, and show clearly that the plane’s contents have been tampered with since it left Sydney. And if Oceanic make their tape so unique that no one else in the world could replicate it, any tear would be irreparable & obvious to the recipient. So any would-be smuggler couldn’t get into or out of the plane without tearing the tape, and making their interference obvious to Fiona when the plane lands. Similarly, there’s a way to wrap emails, called DKIM3. When someone sends an email, their provider can place it in a digital cargo box, so that if the email contents are changed (even in the slightest), the recipient can immediately see that it’s been interfered with. With DKIM, we know that the message hasn’t changed since the sender sent it. Recipients will still need to decide what to do when they see an email with an altered message, just like Fiona will need to decide what to do with a plane with altered cargo. Again, this is where our DMARC policy comes in - based on the sender’s policy, the recipient can reject, quarantine, or just report these emails. Towards safer skies In our analogy, proving a plane’s integrity when landing at LAX requires Oceanic Airlines to use SPF to show that it’s really an Oceanic plane, and DKIM to show that its cargo & passengers haven’t changed since takeoff. A DMARC policy from Oceanic would inform Fiona at LAX of the actions they should take based on the outcome of these tests. Then Fiona can check for those proofs and follow the DMARC policy when the plane or its cargo fail the verifications. Similarly, mail security will only improve when senders set up verifications for the email they are sending into the world, and inform receivers how to treat those emails if they don’t pass verification. But if you had SPF & DKIM implemented properly, with an effective DMARC policy, your client would be able to verify if that email really was from firstname.lastname@example.org, and if anyone had changed the message. Email security the KYND way At KYND, we make these and loads of other cyber risks simple to understand, quick to monitor and easy to prevent. With a simple product that speaks your language, just enter your website name, and we do the rest. To speak to a KYND person, and see a demo of what KYND can do for your business, get in touch. As a freebie, we’ve created the KYND email analyser add-on for Gmail. You can use it to check the SPF, DKIM & DMARC status of emails you receive, and the SPF & DMARC settings of your own domain. Just add it on to your Gmail sidebar, and we’ll let you know what anti-spoofing settings are in place, and what they mean. We hope this is helpful! Tune in next time, where we’ll be giving the KYND treatment to more cyber risk essentials. Until then, safe emailing!
- Sender Policy Framework
- Domain-based Message Authentication, Reporting and Conformance
- DomainKeys Identified Mail
PRESS RELEASE: KYND named as a Global CyberTech100 company for second year running