Identifying Email Phishing

There are two types of email phishing:

  1. Phishing emails that come to you
  2. Phishing emails that come from you

Consumers are typically the target of phishing emails, while the domains of businesses with great brands are typically used to send the false emails.  In a separate blog post, our experts discuss how to recognize phishing email in your inbox.  In this post, we will discuss recognizing phishing email that leverages your business’s domain.

Why would I care if phishing comes “from” my domain?

Put yourself in the place of your customers, partners and suppliers.  If you received an email that appeared to be from one of them but it turned out to be phishing, would you still trust them?  Would that erode their brand in your mind?  Would you be more likely to check their legitimate emails for mistakes, issues, and threats?  Phishing using your domain hurts your brand, even when your customers know that you are not responsible!

Further, phishing puts your email delivery at risk.  Increasingly, email inbox providers like Google, Yahoo! and Outlook.com look at the domain an email comes “from” and what the reputation of that domain is in their systems.  If your domain name has been used for phishing, then all of your email may come under additional scrutiny.  If uncontrolled, this could lead to mistaken blacklisting or lower inbox placement.

How do I recognize phishing from my domain?

Occasionally, email recipients will ask you directly “Did you send this email?”, but by then, it’s already too late.  Phishing emails are like cockroaches – seeing one means potentially hundreds hidden in the woodwork.  Without adopting three new(ish) technologies, you really can’t know when your domain is being used for fraud and phishing.

The technologies you need to think about are SPF, DKIM and DMARC, and they work together.  SPF allows you to tell the world which servers can send email on your behalf, DKIM allows you to digitally sign your emails, and DMARC allows you to designate an email address for feedback on your email, among other things.  Once you have SPF and DKIM set up for most of your email, you can get feedback on your email via the email address in the DMARC record.  Each email inbox provider (Google, Yahoo!, Outlook.com, etc.) will provide feedback listing everyone who sent email for your domain – legitimate and phishing – that they received.  You’ll want to comb through that feedback to identify IP addresses and domains not legitimately connected to your business.
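The feedback that inbox providers send to the DMARC address arrives as aggregate (RUA) reports in the XML format defined by RFC 7489.  The following added example, which is not part of this post or an MxToolbox product, shows what combing through such a report looks like in code: it parses a constructed sample report (placeholder IPs and domains), reads the aligned SPF and DKIM results the receiver recorded for each source IP, and sorts the sources into those that pass DMARC fully, those that pass on only one mechanism (often a misconfigured forwarder or an unlisted vendor) and those that fail both (the likely phishing candidates).

```python
"""Sort the sources in a DMARC aggregate (RUA) report by authentication result.

Added example, not MxToolbox code.  SAMPLE_REPORT is a constructed report in
the RFC 7489 aggregate format; the IPs and domains in it are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a fully aligned sender, a forwarder that breaks SPF but
# keeps the DKIM signature intact, and an unknown host failing both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>inbox-provider.example</org_name>
    <email>dmarc-noreply@inbox-provider.example</email>
    <report_id>0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>530</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (reported domain, list of per-source dicts) from an RUA report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            # policy_evaluated holds the *aligned* results the receiver used
            "dkim_aligned": row.findtext("policy_evaluated/dkim") == "pass",
            "spf_aligned": row.findtext("policy_evaluated/spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            # raw auth results; the DKIM element is absent when nothing was signed
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return domain, sources


def classify(sources):
    """Bucket sources: DMARC passes when either SPF or DKIM is aligned."""
    buckets = {"pass_full": [], "pass_partial": [], "dmarc_fail": []}
    for s in sources:
        if s["spf_aligned"] and s["dkim_aligned"]:
            buckets["pass_full"].append(s)
        elif s["spf_aligned"] or s["dkim_aligned"]:
            buckets["pass_partial"].append(s)   # legitimate but worth a config check
        else:
            buckets["dmarc_fail"].append(s)     # investigate: spoofing or unlisted sender
    return buckets


def volume(buckets):
    """Message counts per bucket, so the biggest offenders stand out."""
    return {name: sum(s["count"] for s in srcs) for name, srcs in buckets.items()}


if __name__ == "__main__":
    domain, sources = parse_aggregate_report(SAMPLE_REPORT)
    buckets = classify(sources)
    print(f"Report for {domain}: {volume(buckets)}")
    for s in buckets["dmarc_fail"]:
        print(f"  FAIL {s['source_ip']} sent {s['count']} msgs as {s['header_from']}")
```

Real reports arrive gzipped or zipped as mail attachments, one per provider per day, so in practice the parser runs over many files and the "dmarc_fail" bucket is joined against reverse DNS and your own sender inventory before anything is declared phishing.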

How do I stop phishing with my domain?

Here again, SPF, DKIM, and DMARC are important technologies to understand.  IP addresses and domains that fail alignment or authentication with SPF, DKIM or DMARC will be likely candidates for phishing scams.  However, these may also be legitimate senders that are misconfigured or not included in your SPF.  You will want to investigate each to make a determination as to their legitimacy.

Once you are sure you know who is legitimate and that they are passing SPF, DKIM and DMARC checks, you can begin to tell inbox providers what to do with email that fails these checks.  DMARC allows you to set the steps a recipient should take with email that is failing SPF, DKIM and/or DMARC checks:

  • None – Do Nothing
  • Quarantine – Set this email aside and tell me you quarantined it
  • Reject – Bounce the email entirely

Your DMARC record also allows you to set the percentage of traffic subject to these rules, from 0-100%.  This level of granularity is important in allowing you to control how quickly you move all of your email to a reject status.  In this way you can test to see if any legitimate email is affected without negatively impacting your business.  Once you reach a 100% Reject policy, you will be filtering out all of the phishing using your domain.
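The policy and percentage settings above live as tags in a DNS TXT record at _dmarc.yourdomain.  The following added example, which is not from this post or an MxToolbox product, builds and validates such a record, lays out a staged rollout from None to a 100% Reject policy, and reproduces how a receiver decides the disposition of a failing message.  It includes one caveat that matters when testing with a low percentage: per RFC 7489, a failing message that falls outside the pct sample gets the next less strict policy (reject becomes quarantine, quarantine becomes none), not no action at all.  The domain, mailbox and rollout steps are assumptions for illustration.

```python
"""Build, parse and evaluate DMARC policy records.

Added example, not MxToolbox code.  example.com and the dmarc@ mailbox are
placeholders; the rollout steps are one assumed schedule, not a standard.
"""

POLICIES = ("none", "quarantine", "reject")
# RFC 7489 section 6.6.4: messages outside the pct sample get the next
# less restrictive policy rather than being left untouched.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def build_dmarc_record(policy, pct=100, rua=None, subdomain_policy=None):
    """Return the TXT record value for _dmarc.<domain>."""
    if policy not in POLICIES:
        raise ValueError(f"p must be one of {POLICIES}, got {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = ["v=DMARC1", f"p={policy}"]
    if subdomain_policy:
        tags.append(f"sp={subdomain_policy}")
    if pct != 100:
        tags.append(f"pct={pct}")        # 100 is the default, so omit it
    if rua:
        tags.append(f"rua=mailto:{rua}")  # where aggregate feedback is sent
    return "; ".join(tags)


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict, rejecting malformed ones."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or invalid")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    rua = tags.get("rua")
    if rua is not None and not rua.startswith("mailto:"):
        raise ValueError("rua must be a mailto: URI")
    return {"policy": tags["p"], "pct": pct, "rua": rua,
            "sp": tags.get("sp", tags["p"])}


def rollout_plan(rua):
    """Assumed staged schedule from monitoring to full reject."""
    steps = [("none", 100), ("quarantine", 10), ("quarantine", 100),
             ("reject", 10), ("reject", 100)]
    return [build_dmarc_record(p, pct, rua) for p, pct in steps]


def disposition(record, spf_aligned, dkim_aligned, sample):
    """What a receiver does with one message.

    sample: the receiver's random draw in [0, 100) used for pct sampling.
    Returns 'pass' when DMARC passes, otherwise the policy applied.
    """
    if spf_aligned or dkim_aligned:
        return "pass"                 # either aligned mechanism satisfies DMARC
    policy = record["policy"]
    if sample < record["pct"]:
        return policy
    return NEXT_LESS_STRICT[policy]   # outside the sample: step down one level


if __name__ == "__main__":
    for step in rollout_plan("dmarc@example.com"):
        rec = parse_dmarc_record(step)
        print(f"{step:60}  failing msg in sample -> {disposition(rec, False, False, 0)},"
              f" outside sample -> {disposition(rec, False, False, 99)}")
```

Publishing the record is then a DNS change at _dmarc.yourdomain; the evaluation function is only a model of the receiver's logic, so use it to reason about what a given pct means, not as a substitute for reading the aggregate reports after each step.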

How can MxToolbox help?

MxToolbox is your Expert in Email Delivery.  We understand how complex SPF, DKIM and DMARC can be to understand and implement, and how costly fraud and phishing can be to your brand.  Our team has created a new product called Fraud Center that includes assistance from our expert support team to help you through this journey.  Fraud Center provides insight into both legitimate and illegitimate email sent on behalf of your domain, as well as:

  • Configuration suggestions for your SPF, DKIM and DMARC
  • Consolidated reporting across inbox providers
  • Recommendations for when to change DMARC policies
  • Forensic examinations of rejected email
  • Access to our expert support to help you with Email Delivery