Analysis of 1.3M Emails Unveils Hidden Threats Missed by Other Email Security Solutions
Analysis of 1.3M Emails Unveils Hidden Threats Missed by Other Email Security Solutions
Domain Spoofing Control – The Trustifi Way

Domain Spoofing Control – The Trustifi Way

Email domain spoofing aims to impersonate someone or an organization intending to steal information, falsify documentation, or distribute counterfeit goods.

While DMARC is an effective tool for mitigating email spoofing attacks, managing it can be challenging, and it often requires using third-party services to implement it correctly. Despite the difficulties, it is crucial to prioritize email security protection solutions to help prevent cyber-attacks and protect your organization’s reputation. Domain Spoofing Control from Trustifi, a global email in cloud-based advanced email security, continues to drive innovation into the market by addressing domain spoofing attacks by delivering an additional layer of protection.

The Domain Spoofing Control portal also extends visibility into the origin of the messages, including traffic being sent between ecosystem partners, supply chains, and corporate subsidiaries. Often, these domains are seen as a way to penetrate larger organizations. Enabling Domain Spoofing Control protects the organization with far more graduality than DMARC, SPF, and DKIM.

This article will discuss the challenges of email domain authentication and how Trustifi’s groundbreaking Domain Spoofing Control module is essential to organizations protecting their external and internal email-sending domains.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol for email authentication, policy, and reporting.” Along with two other domain protection layers:

  • SPF: Approved list of sending IP addresses associated with an email sender service (Blue Ocean, MailChimp)
  • DKIM: Applies a digital signature to outgoing messages.

DMARC links them to the author’s domain name (“From:”), publishing policies for how recipients should handle authentication failures and providing receivers with a way to report back to senders. By doing so, DMARC aims to enhance and monitor protection against fraudulent emails to prevent unauthorized use of the domain.

Even with this proven strategy, domain spoofing attacks contribute to the risk of business email compromise (BEC) and email account compromise(EAC).

The Imperfection of DMARC, DKIM, and SPF

Preventing email spoofing is a challenging task primarily because of organizations concerned with blocking legitimate messages, the overhead of addressing lookalike domain attacks, and DNS spoofing.

Deploying DMARC involves a service engagement that requires significant collaboration among internal and external teams to avoid any genuine emails from being blocked. However, managing DMARC policies and ensuring their accuracy can be time intensive and prone to errors, which may unintentionally prevent legitimate corporate, supply chain, or customer emails from reaching their intended recipients.

Can a Hacker Bypass DMARC, SPF, and DKIM?

Indirectly, yes.

A domain may still be susceptible to spoofing attacks even after setting up a DMARC policy with p=reject and an SPF declaration of fail-hard. This vulnerability can involve an attacker redirecting their mailbox address toward the victim’s mailbox and including the fake address in their list of allowed sender addresses. They can now email from a fraudulent domain to the email address.

  • If DKIM doesn’t sign all components of an email and only grants authorization to certain parts, then ill-intentioned individuals can forward the email by appending header fields.
  • If the SPF record is improperly configured or the sending IP address changes, this will cause delays in email sending and receiving.

To add to the complexity of this attack vector, if the hacker implements a redirection rule, it will redirect the email to the victim’s email address. Here, as the spoofed domain email address:

  • Will be added to the attacker’s allow-list
  • This attack method will overwrite the quarantine decision typically set as DMARC failed.
  • The email becomes forwarded to the victim’s mailbox with the attacker’s DMARC as a “pass.”

In certain instances, the middleman server for redirection may not consider the hard-fail of SPF or DMARC fail and thus maintain the envelope domain. The SPF declaration of the faked domain could sanction the IP address of the second section, resulting in an SPF and DMARC clearance when reaching the recipient’s server, strengthening the false impression.

Protecting the Internal Domains – A Must Have

Internal domains are as vulnerable as external ones regarding domain spoofing. When hackers manage to compromise internal domains, they can easily send malicious emails within the organization where security measures may not be strong enough. It is worth noting that sending inbox-to-inbox emails internally often bypasses cloud-based email security layers.

Basic Internal Domain Protection Settings

  • Enabling SPF: SPF is used to prevent external and internal spoofing attacks. However, including all IP addresses allowed to send emails on your network is necessary for complete protection. This can be challenging if your company has a large and complex network, as it may include servers, printers, web applications, and third-party applications.
  • Enabling Exchange Server Receive connectors: These control incoming SMTP communication from external messaging servers, services in the local or remote Exchange servers, and email clients that use SMTP. These connectors are automatically created when Exchange Mailbox Server is set up.

Exchange Servers are programmed to accept emails from unidentified users. This loophole leaves the system susceptible to exploitation by nefarious employees. Regrettably, it is not feasible to completely block anonymous email addresses since this may result in missing crucial correspondence from external sources.

Why Trustifi Domain Spoofing Control is a Critical Augmentation?

Trustifi has introduced a new “Domain Spoofing Control” feature, which provides complete visibility and scoring of all sources that send emails from your internal and external domains based on DMARC, DKIM, and SPF reporting and effectiveness.

The users can manually sign the domains or enable the Domain Spoofing Control portal to sign the source domains automatically.

This advanced security setting helps organizations implement an anti-spoofing domain control policy by addressing spoofing while reducing false positives from legitimate senders and domains.

This feature allows you to leverage an allow-list-only approach, which blocks all emails unless you sign and approve them. With this feature, you can effectively control and prevent email spoofing, a common tactic cybercriminals use to send fraudulent emails that appear to come from a trusted source.

Trustifi’s Domain Spoofing Control ensures that only allowed sources can send emails from your domains, enhancing your organization’s email security and reducing the risk of email-based cyber attacks.

In addition, Trustifi scores the domain and presents a “strength graph” that visually represents information about the domain and how strong the source for the authentication results of the SPF, DKIM, and DMARC statuses are of different email servers (internal systems, services, applications, etc.) that are sending on behalf of this domain. The admin can access the “Actions” dropdown menu and view the sources to get the specific domain source signatures.

The Trustifi domain spoofing protection module supports both internal and external domains.

Visibility, Validate, and Sign

Validating whether the domain is authenticated or spoofed is critical to any email security or email fraud solution. Trustifi’s Domain Spoofing Control module extended greater visibility into rogue domains and the risk to the organization.

Similar to NGFW solutions, this portal grants the ability for SecOps and email security teams visibility before adding the sending source to the allowlist.

Organizations have a manual review and sign or a fully automated workflow option. Most organizations will choose the manual validation and sign process, similar to adding extended ACLs on an NGFW or IPS adaptive control.

What level of authentication did the failure occur? Some sending domains could pass DKIM and SPF. However, they could have failed DMARC.

The effectiveness of the “Domain Spoofing Control” mechanism depends on the proprietary signature comparison, which may identify genuine emails as potential threats if their origin is unfamiliar or recently added to the system, for instance, via a new mail flow or MTA.

If you received an email flagged as an unverified source but are confident the source is legitimate, you can simply sign this new source as fair to avoid having it quarantined in the future.

With this groundbreaking capability, you can sign the domain with a click and allow quarantined emails to flow. The email security team can access the sources tab within the management console to determine if they should validate or block messages from the spoofed domain.

Other solutions in the market require extensive time and resources to research, validate, and augment their security controls. Trustifi expedites this change with a single “click” inside their admin console.

Why Trustifi?

Trustifi is a cyber security firm featuring solutions delivered on software as a service platform. Trustifi leads the market with the easiest-to-use and deploys email security products, providing both inbound and outbound email security from a single vendor.

As a global cybersecurity provider of both inbound and outbound email protection, Trustifi currently supports customers from countries including the USA, Canada, Brazil, the Dominican Republic, the UK, the Netherlands, India, the UAE, China, and Japan, Cyprus, the Philippines, and more. The company has also developed “One-Click Compliance” capabilities that cater to world security regulations, including PDPO for Hong Kong, POPI for South Africa, GDPR for Europe, and LGPD for Brazil.

Hadas Ifraimov
Hadas Ifraimov
Security Researcher

Hadas Ifraimov is a Cyber Security Researcher at Trustifi. With 9 years of experience in the cybersecurity field. She is passionate about developing innovative solutions to protect users from phishing, malware, and other email threats. She holds a degree in Information Systems and is committed to staying up-to-date with the latest developments in cybersecurity through continuous learning and professional development.

Related Posts