Here's all you need to know about email security


This blog is written by Jeremy Rivera at KushoAI. We're building the fastest way to test your APIs. It's completely free and you can sign up here.

While working on an email marketing strategy for a client in a previous role, I quickly realized that email security is more complex than just writing a subject line. Developers often take email for granted, but it is a critical communication channel that we all rely on to connect with our peers. Behind every email sent lies a set of protocols designed to ensure that the message reaches its intended recipient without being intercepted, spoofed, or tampered with.

Email security is a layered approach that helps emails reach their intended destinations safely and protects against threats such as spoofing, phishing, and unauthorized use of your domain. Three protocols do most of the work of authenticating the sender and stopping fraudulent emails: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Note that all three authenticate who sent a message; none of them encrypts its contents (that is handled separately, by TLS between mail servers or end-to-end schemes such as S/MIME and PGP). How each one works, and how they fit together, is covered below.

SPF lets receivers verify that an email came from an IP address the domain owner has authorized. The domain owner publishes an SPF record as a TXT record in DNS (Domain Name System), listing the IP addresses and third-party services permitted to send mail on the domain's behalf. One detail that trips people up: SPF is checked against the envelope sender (the RFC5321.MailFrom, or return-path, domain), not the From address the recipient sees in their mail client.

When an email arrives, the receiving server looks up the SPF record for the envelope sender's domain and checks whether the connecting IP is listed. If it is not, the record's final all mechanism decides the outcome: -all is a hard fail, ~all a soft fail (typically flagged rather than rejected). This stops spammers from sending mail on your domain's behalf from infrastructure you don't control, but on its own it says nothing about the From header the user sees, which is why DMARC is needed to tie the two together.

v=spf1 ip4:203.0.113.10 include:_spf.example.com ~all

  • Here, 203.0.113.10 is an authorized sending IP, include:_spf.example.com pulls in the SPF record published at _spf.example.com (the usual way to authorize a third-party mail provider), and ~all soft-fails everything else. Switch to -all once you are sure every legitimate sender is listed.
  • Each include:, a, mx, ptr, exists and redirect= term costs a DNS lookup, and SPF caps the total at 10 per check; exceeding it produces a permanent error, so audit the includes your providers bring in.
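To make the evaluation concrete, here is an added Python example (not code from the original post) that walks an SPF record the way a receiving server does. It resolves records from a constructed in-memory table instead of real DNS, uses documentation IP ranges, and implements only the ip4, ip6, include and all mechanisms; the a, mx, ptr and exists mechanisms and the redirect= modifier are left out, so a record using them is reported as a permanent error.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record. A real checker
# queries DNS; this table lets the example run offline. The addresses come
# from the RFC 5737/3849 documentation ranges and are not real mail servers.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.example.com ~all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(ip, domain, dns=FAKE_DNS, _lookups=None):
    """Evaluate the SPF record published for `domain` against a sending IP.

    `domain` is the envelope sender (RFC5321.MailFrom) domain, not the From
    header. Returns pass, fail, softfail, neutral, none or permerror.
    Implements ip4, ip6, include and all; the a, mx, ptr and exists
    mechanisms and the redirect= modifier are deliberately left out.
    """
    if _lookups is None:
        _lookups = [0]  # lookup counter shared across nested include: terms
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            return "permerror"  # modifiers (redirect=, exp=) are treated as unsupported here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # ip_network accepts a bare address or a CIDR prefix; membership
            # is False when the address families differ (v6 sender, ip4 term)
            if sender in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, dns, _lookups)
            if inner == "none":
                return "permerror"  # included domain publishes no SPF record
            if inner == "pass":     # include matches only when the inner check passes
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no all term: RFC 7208 says neutral


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8::1", "192.0.2.5"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The last address in the demo list, 192.0.2.5, matches nothing in either record: the included record's -all yields fail, which does not make the include match, so evaluation falls through to the outer ~all and the result is softfail. Change the outer record to -all and the same IP hard-fails, which is the difference between a message landing in spam and being refused at the gateway.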

DKIM attaches a digital signature to each outgoing message so that receivers can confirm it really was signed by the sending domain and has not been altered in transit.

It works in two steps. First, the sending server computes a hash of the message body and signs it together with selected headers (From, Subject, Date and so on) using the domain's private key, adding the result as a DKIM-Signature header. That header carries the signing domain (d=), a selector (s=) naming which key was used, the list of signed headers (h=), the body hash (bh=) and the signature itself (b=). Second, the receiving server fetches the matching public key from DNS at selector._domainkey.domain and verifies the signature. If the body or any signed header was changed after signing, verification fails.

DKIM therefore provides message integrity plus a verifiable statement that a particular domain takes responsibility for the mail. It does not stop anyone from modifying a message in transit; it makes the modification detectable. Because the signature travels with the message, DKIM usually survives forwarding, which often breaks SPF. Two caveats: headers that were not signed can still be changed freely, and a valid signature from attacker.example says nothing about a From header claiming to be example.com. Binding the signing domain to the visible From address is DMARC's job.

v=DKIM1; k=rsa; p=public_key_data

  • This TXT record is published at selector._domainkey.example.com (for example s1._domainkey.example.com when the signature says s=s1); k= names the key type and p= holds the base64-encoded public key that receivers use to verify the signature. Rotating keys is as simple as publishing a new selector and switching the signer to it, and an empty p= revokes a retired selector.
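As an added example, not part of the original post, the following Python checks the body-hash half of a DKIM signature: it canonicalizes the body (simple and relaxed modes), recomputes bh=, and compares it with the value carried in a DKIM-Signature header. The sign_body_only helper and the invoice text are constructed for the demo and leave b= empty; verifying b= requires the public key from DNS and is not shown. The demo also shows why relaxed canonicalization exists: a whitespace-only change still verifies, a changed account number does not.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """DKIM body canonicalization (RFC 6376 section 3.4).

    simple:  only trailing empty lines are removed.
    relaxed: additionally strips trailing whitespace on each line and
             collapses runs of spaces/tabs to one space, so a relay that
             re-wraps whitespace does not break the signature.
    A non-empty result always ends in exactly one CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"  # the empty-body rule differs per mode
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into its tag=value pairs.
    Folded values (b=, h=) may contain whitespace, which is insignificant."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)  # split once: base64 padding also uses '='
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(dkim_header, body):
    """Recompute bh= from the received body and compare with the signed value.

    This is the body-integrity half of DKIM verification. The other half,
    checking the b= signature over the listed headers with the key found at
    dkim_dns_name(), needs the public key and is not done here.
    """
    tags = parse_dkim_signature(dkim_header)
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"  # "relaxed" alone means relaxed/simple
    return body_hash(body, body_mode) == tags.get("bh")


def sign_body_only(body, domain="example.com", selector="s1"):
    """Constructed signer: a DKIM-Signature with a real bh= and an empty b=.
    A real signer fills b= with an RSA or Ed25519 signature over the headers."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body, 'relaxed')}; b=")


def demo():
    """Constructed message: intact, whitespace-only change, and real tampering."""
    body = "Your invoice is attached.\r\nPay 100 USD to account 1234.\r\n"
    header = sign_body_only(body)
    intact = verify_body_hash(header, body)
    respaced = verify_body_hash(header, body.replace("attached.", "attached.   "))
    tampered = verify_body_hash(header, body.replace("1234", "9999"))
    return intact, respaced, tampered  # (True, True, False)
```

The selector and domain pulled out by dkim_dns_name are exactly what the DNS record above is keyed on: a signature with d=example.com and s=s1 is verified against the v=DKIM1 record at s1._domainkey.example.com.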


DMARC builds on SPF and DKIM and adds the two things they lack: alignment and policy. The domain owner publishes a DMARC record as a TXT record at _dmarc.example.com telling receivers what to do with messages that fail (p=none to monitor only, p=quarantine to send them to spam, p=reject to refuse them). A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the From header: the SPF envelope sender domain or the DKIM d= domain must match it, exactly under strict alignment or sharing the same organizational domain under the default relaxed alignment. This alignment check is what finally protects the From address the recipient actually sees.

DMARC can also ask receivers to send reports to the domain owner: rua= names an address for aggregate reports (XML summaries, usually daily, of which IPs sent mail claiming your domain and how it fared), and ruf= an address for per-message failure reports, which few large receivers still send. The reports give visibility into both legitimate senders you forgot to authorize and abuse of your domain. The usual rollout is p=none with reporting, then p=quarantine, then p=reject once the reports show no legitimate mail failing; at p=reject, fraudulent mail is far more likely to be refused or flagged.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com

  • Here, p=reject specifies that emails failing DMARC should be rejected, and rua provides an address (an example one here) for aggregate reports. The record is published as a TXT record at _dmarc.example.com.

  • SPF, DKIM, and DMARC complement each other, providing several layers of checks that together verify that an email is legitimate and untampered.

  • SPF verifies that the sending IP is authorized for the envelope sender domain, DKIM confirms the integrity of the message and the domain that signed it, and DMARC ties both results to the visible From domain and tells receivers how to handle failures.

  • Deploying all three, and moving DMARC to p=reject once the reports are clean, gives the strongest protection against phishing and spoofing of your domain, for your recipients and for your own sending reputation.
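The following Python is an added example (not from the original post) that applies a DMARC record to the SPF and DKIM outcomes of a message, including the alignment check the protocol descriptions above depend on. The record, domains and scenarios are constructed; sp= and pct= are ignored, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Real verifiers consult the Public Suffix List so that mail.example.co.uk
    maps to example.co.uk; this shortcut is only good enough for .com-style names."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment (RFC 7489 section 3.1).
    's' (strict) needs an exact match; 'r' (relaxed, the default) accepts
    any domain with the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a DMARC record to one message.

    from_domain:  domain of the RFC5322.From header the user sees
    spf_domain:   envelope sender (MAIL FROM) domain SPF was evaluated on
    dkim_domain:  d= of a DKIM signature that verified ('' if none did)
    Returns (dmarc_pass, disposition). sp= and pct= are ignored for brevity.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed


def scenarios():
    """Constructed cases showing that alignment, not a bare SPF/DKIM pass, decides."""
    return {
        # Legitimate mail: bounces go to bounce.example.com, DKIM signed by example.com
        "legit": evaluate_dmarc(RECORD, "example.com",
                                "pass", "bounce.example.com", "pass", "example.com"),
        # Spoof: the attacker's own domain passes SPF and DKIM, but neither aligns with From
        "spoof": evaluate_dmarc(RECORD, "example.com",
                                "pass", "attacker.example", "pass", "attacker.example"),
        # Forwarded mail: SPF breaks at the forwarder, the DKIM signature survives
        "forwarded": evaluate_dmarc(RECORD, "example.com",
                                    "fail", "bounce.example.com", "pass", "example.com"),
        # Strict SPF alignment: the bounce subdomain no longer counts
        "strict": evaluate_dmarc("v=DMARC1; p=quarantine; aspf=s", "example.com",
                                 "pass", "bounce.example.com", "fail", ""),
    }
```

The spoof case is the one SPF and DKIM alone cannot catch: the attacker's mail authenticates perfectly for attacker.example, and only the alignment check against the From domain exposes it. The forwarded case shows the opposite side of the same coin, which is why publishing DKIM (not just SPF) before moving to p=reject matters.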

This blog is written by Jeremy Rivera at KushoAI. We're building an AI agent that tests your APIs for you. Bring in API information and watch KushoAI turn it into fully functional and exhaustive test suites in minutes.