You’ve probably received hundreds of spam emails. Most of them go to your junk folder but a handful slip through to your inbox. You find an email that has a colleague’s address, but clearly, it isn’t a message from your colleague. How does this happen?
Your colleague was the victim of a spoofing attack where a cybercriminal fabricated an email header and content to trick you into thinking the email came from a friend. The hope was that you would click on the link in the email, and either hand over credentials the cybercriminal could use to break into your accounts, or deploy malware that would infect your computer. This is called “phishing,” a crime that accounted for 241,342 complaints reported to the Internet Crime Complaint Center (IC3) in 2020.
The last thing anyone wants to hear from a colleague or client is, “Why are you sending me spam?” Spoofing happens frequently, and cybercriminals are so sophisticated that it's nearly impossible to avoid it completely. Fortunately, there are some measures you can take to make it harder to spoof your email address in a way that will fool people.
Hushmail and DMARC
Publishing a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record tells receiving email servers how to handle emails coming from your domain if they don’t appear to be from you. It works the other way around too. If you have a Hushmail account, we automatically check DMARC for all the mail you receive, and send any emails that don’t authenticate to your junk folder.
If you use one of our shared domains, such as @hushmail.com or @therapysecure.com, your account already comes with a published DMARC record so receiving servers can verify that your emails are actually from you and not someone spoofing your account.
If you’re using your own domain, keep reading to find out how you can publish a DMARC record to protect your account from the damage caused by spoofing.
It’s important to understand that DMARC doesn’t prevent spoofing, but lessens the damage considerably by allowing people to identify spoofing attempts.
When you publish a DMARC record, you’re telling email servers how to handle emails sent from your account. The inbound server will check for the following:
- The DKIM signature validates. DomainKeys Identified Mail (DKIM) uses a cryptographic key and digital signature to verify that an email message was not faked.
- The message comes from an IP address that is allowed by the sending domain’s SPF records. SPF (Sender Policy Framework) records allow senders to define which IP addresses are allowed to send mail for that particular domain.
- The headers in the message show proper domain alignment. This means that the domains specified in the SPF and DKIM records match the visible “from” header of an email.
Depending on how everything checks out, the inbound server will respond according to the preferred treatment specified in the DMARC record: accept, reject, or quarantine the email message in a junk folder.
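The three checks above, combined into one decision, as an added example (not Hushmail's code). It assumes SPF and DKIM verification already happened upstream and are passed in as results, approximates the organizational domain as the last two labels instead of using the Public Suffix List, and uses a constructed record and domains.

```python
# Added example: how a receiving server turns SPF, DKIM and alignment
# results into a DMARC disposition. All domains below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    tags = parse_dmarc(record)
    # A check only counts if it passed AND its domain aligns with the visible From.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "accept"
    # p=none requests monitoring only, so the message is still delivered.
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed sample record: quarantine failures, strict DKIM alignment.
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:reports@example.com"
```

A message that passes SPF for some other domain still fails DMARC here, because the passing domain does not align with the visible “from” header.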
How to set up DMARC if you’re using your own domain
If you’re using your own domain with your Hushmail account, it’s a good idea to publish a DMARC record so receiving email servers can verify that your emails are authentic and flag those that aren’t.
The DMARC record relies on SPF and DKIM records that you’ve set for your domain.
You can read about how to set these records in our blog post “Clients not getting your emails? It's time to create an SPF record” and help article “Setting DKIM and DMARC for your domain.”
Setting up DKIM and DMARC can be tricky. Feel free to send an encrypted email to email@example.com with a request for help.
What to do with your daily DMARC report
Once you publish a DMARC record, you’ll receive daily aggregate reports in your inbox that contain statistical data about every email you send. If you don’t know what you’re looking for, you might delete your DMARC report thinking it’s spam. Here’s an example of what an aggregate report looks like:
The information in a DMARC report can help you determine who’s sending email on your behalf, if a sender is allowed to send email on your behalf, and if the messages are authenticated correctly. The information includes the dates messages were sent, the IP addresses of the senders, and the results of the DKIM and SPF authentication checks – among other things.
To the untrained eye, it can be difficult to read the reports. Using a DMARC report analyzer tool is the best way to fully understand the status of your emails.
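What an analyzer does with the report, as an added example (not Hushmail's tooling): it reads the aggregate XML and totals, per sending IP address, how many messages passed or failed DMARC. The sample report is constructed in the RFC 7489 aggregate layout with documentation IP addresses and domains.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample report (RFC 7489 aggregate format, trimmed to the fields used).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1609459200</begin><end>1609545600</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    # Reports come from third parties; for real mailboxes use a hardened
    # XML parser such as defusedxml instead of the standard library one.
    root = ET.fromstring(xml_text)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "day": datetime.fromtimestamp(begin, tz=timezone.utc).date().isoformat(),
        "policy": root.findtext("policy_published/p"),
        "sources": defaultdict(lambda: {"pass": 0, "fail": 0}),
    }
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        count = int(rec.findtext("row/count"))
        # DMARC passes when either aligned check (DKIM or SPF) passed.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        summary["sources"][rec.findtext("row/source_ip")]["pass" if ok else "fail"] += count
    return summary

def failing_sources(summary):
    """Source IPs that sent mail as your domain without passing DMARC."""
    return sorted(ip for ip, c in summary["sources"].items() if c["fail"])
```

A failing source is either a spoofer or one of your own services that still needs SPF or DKIM set up, so check each one before tightening your policy.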
Need a secure email account that’s protected with DMARC?
When you sign up for a Hushmail for Healthcare account, we’ll automatically check your incoming email DMARC records and send spoofed emails to your junk folder. If you’re using a shared domain, then your account already has a DMARC record that receiving email servers can check to ensure that your emails are authentic.
However, if you’re using your own domain, be sure to publish a DMARC record to prevent the damage that can be caused by a successful spoofing attempt.