A Potential (but Preventable) Risk

Feature

If you use email, you want to prevent spoofing.

Imagine getting a call from a customer asking why you sent them an invoice for $10,000 and you have no idea what they are talking about. Even worse, imagine a customer paying an invoice that looks exactly like it’s from you, but it’s not. While these may sound like opening scenes from a new crime thriller, one of these scenarios is more likely than you think, and the culprit might be something as seemingly innocent as your email domain.

Component manufacturers (CMs) face plenty of risks on a daily basis, but one risk you’re probably not thinking about has nothing to do with manufacturing building components, contract negotiation, or insurance requirements: It’s email spoofing.

Before we get into how you can protect yourself, let’s talk about what spoofing is and why you should care. If your domain is vulnerable to spoofing, it means that someone else can pretend to be you. Then, as illustrated in the scenarios above, a bad actor could send out invoices using your email address hoping to collect payments in their own bank accounts.

If you are like most companies in the component industry, you have to be concerned that your email domain is at risk of being spoofed. A quick review of numerous industry email domains, for both vendors and manufacturers, showed a nearly 100 percent failure rate. That means that most of us are exposed to spoofing risk. But don’t feel bad (or yell at your IT staff). Reports show that even though roughly one-third of Fortune 500 companies protect their email, only six percent have fully implemented the protocols.

What is DMARC/DKIM/SPF?

If you are not your company’s dedicated IT person or contractor, now would be a good time to hand this article off to your expert. If you ARE the expert, keep reading.

Now for the good news: Protecting yourself is relatively easy. One way to prevent this vulnerability is by deploying Domain-based Message Authentication, Reporting and Conformance, or DMARC, for your email domain. DMARC uses two existing technologies to verify that the sender of an email is authorized. The first is Sender Policy Framework (SPF), which verifies that the server sending the email is one the domain owner has listed in DNS. The second is DomainKeys Identified Mail (DKIM), which adds a cryptographic signature that the receiver checks against a public key published in the sending domain’s DNS, proving the message was authorized by that domain and was not altered in transit. DMARC then takes the domains authenticated by SPF and DKIM and checks that at least one of them aligns with the domain in the email’s visible “From” address. DMARC also specifies how a receiving email server should handle a message that fails this check: the receiver can reject it, send it to spam (quarantine it), or deliver it as normal.

An additional benefit is that DMARC helps valid messages reach their intended recipients. Most spam filters rate servers with DMARC enabled as less of a threat, and avoid sending their emails to the junk folder.

How can you deploy DMARC?

DMARC is free and it can be relatively easy to set up. If you are using SPF, and over 80 percent of businesses are, you have already done the heavy lifting! Keep in mind that these steps are highly dependent on your environment, but the following is an example of how quickly you can have DMARC up and running.

1) Identify valid sources for your email:

  • If you are using a hosted email solution, like Office365, this is simple.

2) Set up SPF:

  • Add the SPF TXT record to your DNS server using the sources identified in step 1.

3) Set up DKIM:

  • Generate a signing key pair: a private key that stays on your mail server and a public key that you publish in DNS.
  • Publish the DKIM public key in your DNS server. Hosted services such as Office365 typically have you add a CNAME record that points to the key record they host for you.
  • Set your email server to sign outgoing messages with the private key.

4) Set up DMARC:

  • Create the DMARC TXT record. This record names the domain to be protected, the policy to apply to failed messages (p=none, p=quarantine or p=reject), and an address where receivers can send reports.
  • Add that DMARC TXT record to your DNS server at the _dmarc subdomain of your domain.
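To show what the record from step 4 does once it is published, and how the alignment check described in the DMARC overview above works, here is a small evaluator written for this article (example code, not from the authors or any product). It assumes a constructed record at _dmarc.example.com and approximates the "organizational domain" as the last two DNS labels; real receivers use the Public Suffix List.

```python
# Added example: a minimal DMARC evaluator. A receiver compares the domains
# that passed SPF and DKIM with the visible "From" domain and, if neither
# aligns, applies the disposition the domain owner published in the p= tag.
# Assumptions: record_txt is the TXT value at _dmarc.<domain>; the
# organizational domain is approximated as the last two labels (real
# receivers use the Public Suffix List).

def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; None if invalid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed (default), s = strict
    tags.setdefault("aspf", "r")   # SPF alignment, same meaning
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_domain, dkim_domains, record_txt):
    """Return 'pass' or the published disposition: none, quarantine, reject."""
    rec = parse_dmarc_record(record_txt)
    if rec is None:
        return "none"  # no valid record, so the receiver has no policy to apply
    spf_ok = aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = any(aligned(d, from_domain, rec["adkim"]) for d in dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else rec["p"]

# Constructed sample: a policy a manufacturer might publish at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=s"

if __name__ == "__main__":
    # Legitimate mail: SPF passes for a subdomain; relaxed alignment accepts it.
    print(evaluate("example.com", "mail.example.com", [], RECORD))  # pass
    # Spoofed invoice: SPF passes only for the attacker's own domain, no DKIM.
    print(evaluate("example.com", "attacker.invalid", [], RECORD))  # reject
```

Note that with adkim=s a signature from a subdomain does not align, so a DKIM-only sender must sign with the exact From domain.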

Why should you set up DMARC?

DMARC won’t protect you or your users from falling victim to a cybercriminal phishing for information. You’ll need to continue to educate your employees about trusted links and the potential for malware in emails and email attachments. But on a larger scale, DMARC can play a part in protecting the industry as a whole. In a scenario where a bad actor spoofs a well-known vendor and sends an email to a large list of component manufacturers, many people could fall prey. However, if the same vendor had DMARC enabled, most receiving servers would delete that message before a user ever saw it.

Taking steps to shield your email domain has many benefits. Not only can it help protect your customers and your company, it discourages cybercriminals who are less likely to go after a company with a DMARC record. Put simply: If you use email, you need to use DMARC.

About the Authors: Greg Dahlstrom, Villaume Industries, Inc.'s IT/IS Manager, is also chair of SBCA's IT Committee and a member of the Emerging Leaders Committee.
Molly Butz searches for industry best practices that can help component manufacturers grow a stronger safety culture throughout their operations.