Email Basics: Securing email with DNS

Do you ever wonder how that email address you type in actually gets delivered? Understanding the basics of email delivery will enhance your understanding of how phishing and spam attacks work. This is a bit technical, but worth understanding as an end-user. For all you technical folks out there this may also be a good refresher!

Domain Name System (DNS) – The glue that holds it all together

Computers only understand 1s and 0s, while humans need words, or at least something easy to read and remember. The Domain Name System (DNS) is what makes that happen for us. It is basically a large address book that keeps track of what name goes where on the Internet. When you type in a website address, DNS translates it behind the scenes into the IP address your computer needs to connect to on the Internet. A gross simplification, but now you know why you need an IP address assigned to your computer!

When you are looking up a website you are using what is usually called an Alias record, or “A record” in DNS speak. There are a lot of record types in use by the DNS system and now we are going to talk specifically about the ones related to email delivery.

How do spammers know I’m using Microsoft 365?

The most important DNS record involved in sending email is the eMaileXchanger record, or MX record. This tells your computer what server (or servers!) are responsible for taking email for the domain you are sending to. Basically the “address” you are trying to mail your letter to. Think of the part before the “@” in the address as the PERSON in the house, and the part after as the address of the house.

You can easily look up the MX record for any domain via tools on your local computer and various websites. This is EXACTLY how the spammers know you are using Microsoft 365 to host your email. Once they know that, it is quite easy to send spam and phishing emails asking for your Microsoft password, asking you to log in to a OneDrive site to get a file, or other Microsoft-specific phishing emails.

How do I know my email is actually from who it says?

There are a number of DNS records that work together to validate that email messages are from who they say they are from. When sending a mailed letter you can simply write whatever return address you want on it. It is also that easy for spammers to do the same with email. So how do we keep this from happening?

There are three DNS records that work together to help validate email senders. You need all three properly configured for the best results, so make sure your technology provider has done this for you.

SPF Record

The first record we need to configure is the Sender Policy Framework, or SPF record. It defines what mail servers are allowed to SEND email for your domain. It is very important to keep this record updated with all the places your organization may send email from, specifically when using 3rd party platforms like MailChimp or Salesforce.

DKIM Record

The next record you need configured is the DKIM (DomainKeys Identified Email) record for your outgoing (sending) email servers. The function of this is to validate that the sending server is actually who it says it is. This is typically done by your email hosting provider and you simply have to point your DKIM record to theirs.

DMARC Record

The final record in the setup is the DMARC (Domain-based Message Authentication Reporting and Conformance) record. This is where the rubber meets the road, so to speak. The settings in this record tell receiving email servers what they should look at when receiving email from your organization. There are three levels to this. The first is reporting only, and does not affect actual mail flow. The second instructs receiving servers to send emails that do not seem legitimate to Junk or quarantine folders. The final option is to reject the emails outright.
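To see how the SPF and DMARC settings described above look inside the records themselves, here is an added example (not part of the original post) that checks one SPF record and reports which of the three DMARC levels a record requests. The records, the example.org domain and the function names are constructed for illustration, and nothing is looked up over the network.

```python
import re

# Constructed sample TXT records for the placeholder domain example.org.
SAMPLES = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.newsletter.example -all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
}
# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """'-all' -> 'all', 'include:x' -> 'include', 'ip4:192.0.2.0/24' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def spf_findings(record):
    """Return a list of problems found in a single SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    names = [term_name(t) for t in terms[1:]]
    # Counts this record's own terms only; nested includes add further lookups.
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms")
    all_terms = [t for t in terms[1:] if term_name(t) == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("no 'all' term, so unlisted senders are not addressed")
    elif all_terms:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{qualifier}all' does not restrict unlisted senders")
    return findings

def dmarc_level(record):
    """Map the p= tag to the three levels described above."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    levels = {"none": "report-only", "quarantine": "quarantine", "reject": "reject"}
    return levels.get(tags.get("p", "").lower(), "invalid")

if __name__ == "__main__":
    print("SPF findings:", spf_findings(SAMPLES["spf"]) or "none")
    print("DMARC level:", dmarc_level(SAMPLES["dmarc"]))
```

A record that adds a new third-party sender needs another include term, which is why the lookup count is worth checking each time the SPF record is updated.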

Securing email has been a monumental task and is still not something that is 100% effective. Setting up and understanding the DNS tools available to your organization for securing email is a must! There are a number of online tools that can help you check whether your email domain’s records have been set up as described in this post. A good technology partner can be invaluable in getting all of this set up properly. This is not necessarily something you want to try on your own... unless you are good with email stopping entirely!