DNS in Email Security
DNS, or the Domain Name System, is one of the backbone systems of the contemporary internet. Most people only know that DNS is responsible for converting (resolving) domain names to IP addresses and vice versa, but it has many other functions as well. Email is one of them: mail is routed using IP addresses and domain names, both of which depend on DNS. Today we are going to look at how DNS is used in email security.
What are DNS Records, and How are They Used in Emails?
You might wonder, what do emails have to do with DNS? For that, you need to know how DNS and emails work. So, let’s learn about that.
The DNS is basically a distributed system of domain name servers. These servers store text entries called DNS records, which contain information about a domain. One domain can have many records, and anyone can look them up with a DNS record check.
Some of the well-known records are:
- A/AAAA records. These store IP address information, i.e., which IPv4 (A) or IPv6 (AAAA) address the domain is mapped to.
- MX records. MX stands for Mail Exchange. This record directs emails addressed to the domain to the mail server that is responsible for handling them. Domains themselves cannot handle emails; specific email servers are required to do so, and those are what MX records point to.
- NS records. These list the DNS nameservers that are responsible for holding the domain’s records.
- TXT records. A general-purpose record type that can hold arbitrary text. TXT records play a huge part in email security.
When a computer looks up a website, it sends a request to its assigned DNS resolver asking for the IP address of the domain the website is hosted on. The resolver queries the DNS servers to find that domain’s records, pulls the relevant information, and returns it to the client computer.
This process happens whenever a computer needs to contact a web resource, and that includes email. When you send an email to a company, your computer is actually requesting the MX record and then the A/AAAA record so that it knows which server to deliver the email to.
However, if the process were as simple as that, there would be a lot of security concerns, because the DNS system was not designed with security in mind. It was created in a simpler time when security risks were non-existent and stealing data wasn’t financially viable.
In 2024, data is probably worth more than gold, so unsecured DNS is an attractive attack vector. Email is also frequently used to carry sensitive information, which makes it an attractive target as well.
This is where the DNS records concerned specifically with security come in. Let’s take a look at them.
Which DNS Records Deal with Email Security?
Given below are the four DNS record types concerned with email security. They serve a variety of functions and deal with different kinds of attacks.
1. SPF Record
SPF stands for Sender Policy Framework. It is published as a TXT record. The SPF record lists all servers that are authorized to send email on a domain’s behalf. These can be third-party servers belonging to providers such as Gmail, Outlook, or Yahoo!, or the domain owner’s own (first-party) servers.
When an email service provider (ESP) receives an email from a domain, it does an SPF record lookup and checks whether the IP address of the sending server is present in the record. If it is, everything is fine. If it isn’t, the email will either be rejected or sent to the spam folder.
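As an added example (not from the original article), here is an offline evaluator of the SPF check just described. The zone data is constructed; in practice the TXT records come from live DNS lookups, and the a/mx mechanisms, which also need DNS, are left out as a simplification.

```python
import ipaddress

# Constructed sample zone: domain -> its published SPF TXT record (example data).
SPF_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix of an SPF mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, zone, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Supports ip4, ip6, include and all. The a/mx/exists/ptr mechanisms need
    live DNS and are reported as 'permerror' here (a simplification).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = zone.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:  # an IPv4 address never matches an ip6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(sender_ip, arg, zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # a missing or invalid included record is fatal
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit 'all'
```

A receiver maps "fail" to rejection and "softfail" to spam-folder treatment (or lets DMARC decide, as described later in this article).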
2. DKIM Record
DKIM stands for DomainKeys Identified Mail. DKIM records are used to verify that an email has not been tampered with.
DKIM uses public key cryptography to create a signature that is attached to the email’s header. The header is signed using a private key that only the domain admin knows. The receiver of the email verifies the signature in the email header using the public key.
The public key is available to everyone because it is stored in the DKIM record of the sending domain. The receiver does a DKIM record lookup, retrieves the key, and verifies the signature. If the signature verifies, the email is received normally and placed in the inbox. If it does not, then one of the following has occurred:
- The contents of the email have been tampered with.
- The sender is impersonating the real sender.
In this case, the email is rejected or sent to the spam folder.
3. DMARC Record
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
This record works in conjunction with SPF and DKIM. Its primary purpose is to tell the receiving email server or ESP what to do with emails that fail the DKIM or SPF checks.
The actions it lays down are called the DMARC policy. DMARC tells the receiver whether emails that failed the checks should be delivered to the spam folder, not delivered at all, or delivered to the inbox.
If no DMARC record exists, ESPs do whatever they think is the best course of action. Those decisions can be inconsistent and can hurt an email sender’s reputation or even land them on a blacklist.
With DMARC there are no such concerns, thanks to its second function: generating and sending DMARC reports. A DMARC report informs the sender about any of their emails that failed SPF or DKIM checks and what action was taken on them, i.e., rejected, sent to spam, or accepted.
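As an added example (not part of the original article), the following Python applies a DMARC policy the way a receiving server would, given SPF and DKIM results that have already been computed. It assumes the record was found at the organizational domain; the record and message data are constructed.

```python
# Constructed sample DMARC record for the organizational domain (example data).
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value, or None if unusable."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")     # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def aligned(auth_domain, from_domain, org_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain; relaxed ('r') only needs both under the same organizational domain.
    This example assumes org_domain is where the DMARC record was published."""
    auth, frm, org = (d.lower() for d in (auth_domain, from_domain, org_domain))
    if mode == "s":
        return auth == frm
    return all(d == org or d.endswith("." + org) for d in (auth, frm))


def dmarc_disposition(record, org_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC disposition: 'none' (deliver), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"  # no DMARC policy: the receiver falls back to its own judgement
    spf_ok = (spf_result == "pass"
              and aligned(spf_domain, from_domain, org_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, org_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: at least one aligned authentication succeeded
    # Failed: apply p for the organizational domain itself, sp for its subdomains.
    return tags["p"] if from_domain.lower() == org_domain.lower() else tags["sp"]
```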
4. DNSSEC
DNSSEC is a security protocol that protects DNS records from being tampered with. It uses public key cryptography to verify that DNS records came from the correct source and that their contents have not been altered in transit.
While DNSSEC is not directly related to email security, it does help secure the records that are, such as DKIM, SPF, and DMARC. Without DNSSEC, you cannot verify whether the aforementioned records are genuine.
The particulars of DNSSEC are another topic altogether and beyond the scope of this article.
What Security Problems do these Records Solve?
You may have already guessed what kind of problems these records solve. However, we will lay them out for you just in case.
1. Prevent Phishing
Phishing attacks are any kind of attack where the perpetrator tries to trick the victim into revealing sensitive information by impersonating trusted sources.
In emails, phishing attacks often come from domains whose names closely resemble those of a legitimate domain. The attacker claims that the recipient needs to log in to their bank account and reset its credentials because the password was leaked, and provides a fake link for doing so. By clicking on the link, the hapless victim compromises their security.
This kind of attack used to be really easy to carry out. Now, with SPF records, the receiver’s ESP can easily verify whether the email is from the legitimate source and send it to spam or delete it if not, thereby saving the receiver from getting scammed.
2. Preserving Sender Reputation
DMARC reports help frequent email senders find out if an unusual number of their emails are failing DKIM and SPF checks. This can tip them off to impersonators who are using tactics like spoofing to use their domain in scams.
This helps them crack down on the bad actors or inform the cyber police so that they can be taken down.
3. Protecting From Spoofing
As already mentioned, spoofing email domains is a great way for scammers to dupe people into revealing sensitive information. Email spoofing used to be really easy to do, but with DKIM records it has become extremely hard.
Since DKIM records use cryptographic signatures (which are really difficult to forge), email service providers can easily check the authenticity of an email. If the sender is legitimate, their DKIM header signature can be verified with the public key stored in the record.
An impersonator’s signature won’t verify because they don’t have the secret private key used to create the original signature.
4. Man-in-the-Middle Attacks
Man-in-the-middle attacks refer to the interception of digital communication between the sender and intended recipient by a malicious third party. This third party can tamper with the content of the communication (in this case, an email).
Thanks to DKIM records, it is virtually impossible to get a tampered email into the inbox. The DKIM check will fail because any change in the email contents results in a different hash than the one contained in the signature, so the email won’t be accepted.
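As an added example (not from the original article) illustrating both the DKIM section above and the tampering check just described, here is the body-hash part of DKIM verification: the signer puts a base64 SHA-256 of the canonicalized body in the bh= tag, and the receiver recomputes it over what actually arrived. The message is constructed, and the RSA signature in the b= tag (which would cover the headers including bh=) is omitted.

```python
import base64
import hashlib

# Constructed sample message body (not a real capture), CRLF line endings as on the wire.
BODY = "Hi,\r\nPlease see the attached invoice.\r\n\r\n\r\n"


def canonical_body_simple(body):
    """DKIM 'simple' body canonicalization: CRLF line endings, with any run of
    trailing empty lines reduced so the body ends in exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"


def body_hash(body):
    """Value of the bh= tag for a=rsa-sha256: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonical_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def body_hash_matches(dkim_signature_value, body):
    """Receiver-side check: does the body we received hash to the signer's bh=?"""
    return parse_dkim_signature(dkim_signature_value).get("bh") == body_hash(body)


# Signer side: the bh= tag the sending domain's mail server would put in the header.
# b= is a placeholder here; a real verifier would also check it with the public key
# published in the selector's DKIM TXT record (sel1._domainkey.example.com).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; "
                    "h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```

Any edit to the body in transit changes the recomputed hash, so the bh= comparison fails before the signature itself is even checked.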
Conclusion
So there you have it: the role of DNS in email security. With DNS records like SPF and DKIM, it becomes very easy for email service providers to verify that an email came from the right source and was not tampered with. That makes it harder to use email for phishing, spoofing, and man-in-the-middle attacks, and makes the email ecosystem much more secure.