E-Mail Spam Prevention

Spam

Spam

E-mail spam is still annoying as hell. Especially when someone else is sending e-mail on your behalf, and even more annoying if your e-mail address is used for phishing purposes.

From a (SMTP) protocol perspective, there's not much that can be done. SPAM wasn't something they considered when they developed it in the early 80's (remember that S in SMTP stands for Simple). But there are several enhancements that can be used to prevent others by abusing your e-mail (domain). These enhancements are:

  • Sender Policy Framework (SPF)
  • Domain Keys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

Both are enhancements that receiving mail servers can use to verify the received mail, and report violations to the e-mail domain admin. Note the 'can be used' because it something that must be enabled on the receiving mail server.

Thankfully, most more, and more ISP's and mail service providers enable these features. And when everything is configured correctly, the owner of the e-mail domain receives mail with the violations / warnings. Just like the following warnings I got on a test/development mail domain.

DMARC reports from Google and Yahoo

Apparently, some IP in Russia is trying to send several e-mails (Yellow) on my behalf, but both Google and Yahoo mail servers reject these e-mails based on DKIM and SPF results (Green). So there are a number of people on the Internet that didn't receive spam out of my (domain) name.

These DMARC reports are send on a daily basis, and when there's nothing to reports (no violations of the SPF policy, or DKIM failures) you won't get a report for that day.
I get several of these report on a monthly basis, and always from either Yahoo or Google.

The downside of SPF, and DKIM is that you cannot force receiving mail servers to use it. It's something that 'the other guy' needs to configure. But at least I can say that I did my part in preventing SPAM/phishing.

NOTE: Enabling/implementing SPF en DKIM is relatively easy (from a technical point-of-view), but may have tremendous organizational challenges. You need to know exactly who or what is sending e-mail from your domain. It's not uncommon that a very strict SPF policy rejects the (expensive) mails of a marketing agency that's working for you. They usually have own e-mail servers, and send bulk e-mail in your (domain) name.

Posted on May 10, 2017 by Willem.