Australian Signals Directorate: Defence Against Email Attacks
Defence against email attackers.
Adversaries commonly conduct social engineering attacks against organisations using fake emails, for example by modifying the sender's address or other parts of an email header so that the email appears to have originated from a different source. Adversaries favour this method because it increases the likelihood of compromising systems: they know that users are more likely to open a malicious attachment from yourorganisation.com.au than from hacker.net.
Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration. Using DMARC with DomainKeys Identified Mail (DKIM) to sign emails provides further safety against fake emails.
SPF and DMARC records are publicly visible indicators of good cyber hygiene. Anyone can query a DNS server and see whether an organisation has SPF and/or DMARC protection. DKIM signatures are attached to outgoing emails, so their presence (or lack thereof) is also visible to any external party you email.
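The public DNS check described above, as an added example that is not part of the ASD publication: it parses SPF and DMARC TXT records and grades how strongly a domain's policy is enforced. The records and the `weak-org.example` / `strong-org.example` domains are constructed for illustration, and `lookup_txt` stands in for a live DNS query.

```python
# Constructed sample TXT records, shaped like what a DNS query of the
# organisation's domain and its _dmarc subdomain would return.
# The domains are placeholders (RFC 2606 reserved TLD), not real organisations.
SAMPLE_DNS = {
    "weak-org.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak-org.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-org.example"],
    "strong-org.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strong-org.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong-org.example"],
    "no-records.example": [],
}


def lookup_txt(name, records=SAMPLE_DNS):
    """Stand-in for a DNS TXT lookup; replace with a real resolver for live checks."""
    return records.get(name, [])


def check_spf(domain, records=SAMPLE_DNS):
    """Return 'missing', 'invalid', 'hard fail', 'soft fail' or 'permissive'."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permanent error
    last = spf[0].split()[-1].lower()  # the trailing "all" mechanism decides unlisted senders
    if last == "-all":
        return "hard fail"
    if last == "~all":
        return "soft fail"
    return "permissive"  # "+all", "?all", or no "all" mechanism at all


def check_dmarc(domain, records=SAMPLE_DNS):
    """Return the DMARC policy tag: 'missing', 'none', 'quarantine' or 'reject'."""
    txt = [r for r in lookup_txt("_dmarc." + domain, records) if r.lower().startswith("v=dmarc1")]
    if not txt:
        return "missing"
    # DMARC records are ';'-separated tag=value pairs; "p" is the policy for the domain.
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    return tags.get("p", "none").strip().lower()


def assess(domain, records=SAMPLE_DNS):
    """Summarise a domain's posture; 'protected' means spoofed mail is actually acted on."""
    spf, dmarc = check_spf(domain, records), check_dmarc(domain, records)
    # p=none only reports; SPF without a fail qualifier authorises nothing.
    protected = spf in ("hard fail", "soft fail") and dmarc in ("quarantine", "reject")
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "protected": protected}


if __name__ == "__main__":
    for d in ("weak-org.example", "strong-org.example", "no-records.example"):
        print(assess(d))
```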
This publication provides information on how SPF, DKIM and DMARC work, as well as advice for security practitioners and information technology managers within organisations on how they should configure their systems to prevent their domains from being used as the source of fake emails.