DMARC, SPF and DKIM: What and Why?

22nd February 202419th September 2024Rick Marengo

The short answer is email security delivery and spam prevention which are related in many ways. Do not ignore these seemingly boring acronyms: DKIM and SPF. They help us assess whether we can trust emails.

What is the problem?

Opening every email is a risk. You need to trust emails you open. You need recipients to trust the ones you send.

One way to reduce that risk is to know who has sent it and assess whether or not we trust them. So how do we know who the sender is? Not by the sender name, that is for sure. Something purporting to come from a large trustworthy company, perhaps? Nat West bank or “SCREWFIX” (i.e. the tools and materials retailer) might mail you about your account or a competition. It may have come from from a different email domain if you click into it. SCREWFIX<dhlkjlj@zxyildgt .ru> is an example where you can see the “friendly name” “SCREWFIX” is completely different to the email domain name (the bit after the@-sign). See if you can spot this in the email below received as I looked for examples whilst writing this.

Spam Example with false "friendly name" — Spam example with false “friendly name”

So people send emails “spoofing” that they are someone else. Much spam is probably going out from your company name right now and causing damage to your reputation. This happens to every company after a while. So, how can we be even more sure of the sender?

How do you check a sender?

Where does this email come from?

Each server on the internet has a unique “IP” address to identify it. The IP address of the server where the mail originated provides a little more assurance. You can see the IP where an email originated (and all the servers it went through before getting to your email inbox by looking in the email “headers”. Different mail programs hide this in different places but you should be able to google where it is. It is a bit like the postmark on an envelope. If it says it was posted in Leeds, and your sender lives in Leeds, you can have a bit more confidence. If it says it comes from Santa Claus and the postmark says “North Pole” any grown up knows post marks can be forged. Regrettably, an IP can be spoofed in the same way. However, there are a couple of major problems even if the IP address of the sender is completely genuine. How do you know if it is the IP of the sender or just some other IP? The answer is SPF (Spam Protection Framework).

The SPF standard allows email domain owners to say: “Email from my domain may only come from the server with this IP address and any other IP addresses should not be trusted.” That is really helpful because even if you do not go comparing the IP address from which the email originated and the IP address(es) that the domain owner has configured, the mail relays will do so. It is relatively easy for them to compare the two and many will block mails that do not comply before you receive them. Now turn it around the other way. If you do not set this up for your email domain, more and more servers will block your emails and people will not receive them. I.e., you will have a “deliverability issue”.

To add your valid originating IPs for your company, you need to add the details to the “SPF record”. This is done in the DNS control panel for your domain. The task requires technical knowledge. Do not attempt DNS changes unless you understand how it all works. Call your ISP or hosting company to ask their advice. Also, you should make sure you (or a technical manager you trust) know the access credentials for the DNS for any domain in your business so you can make changes when required.

What, When and Who are valid for this email?

Experts soon saw that the above weaknesses in SPF needed to be addressed. A new method was needed. There had to be some way machines could trust an encrypted key mechanism to see if the email was genuinely:

sent at that date and time
from that email address (sender)
to that/those email addresses (recipients)
Subject line.

This is accomplished by DKIM (Domain Keys Identification Method) whch was designed to address the problem. You need to make sure you have this set up correctly for any servers you authorise to send your email. You need to make sure your incoming email servers check it, too.

The way it works is that the email server generates an encrypted string (2048 bit is acceptable at time of writing) which encodes the above facts as the email is sent. When any mail “relay” server receives it, it can check this against a 2048 bit DKIM key that is shown publicly on the domain. If the two “fit” together, the email is passed along. If not, some other action ranging from nothing to an alert to blocking (or even deleting) takes place. Because of the challenging rise in spam and dangerous emails, the servers and mail applications are getting increasingly strict.

Once again, to set this up, you need a DNS skilled professional. The whole process should be less than half-an-hour including checking with a tool like MXToolox.com or demarcian.com. It may seem expensive and complicated but “doing nothing” is will probably come with a cost! Your business emails will get blocked and become more and more undeliverable.

You may hear about another Acronym: DMARC. (Domain-based Message Authentication, Reporting and Conformance) This is a way that email management professinals configure their servers to react to the SPF and DKIM data associated with the emails. Basically, the rules as to whether it is fine, marked a spam or so dangerous it needs to e deleted. Different professinals take different views. However, the large organisations that move the most email traffic also getting stricter. So you need to be verified byut them also or your email will be rerouted or deleted if not properly configured to prove you are who you say you are.

Verification records

In addition to the above internationally accepted DMARC standards, the major email traffic players have their own additional verification checks. If you or your clients or staff or any other stakeholders or consumers have gmail addresses or other google mail services such as G-Suite, You will need Google Verification. Ask your tech person to click here and follow the process for Google Verification. There are similar processes for other mail relay providers including Apple and Microsoft.

Some further reading

You may also wish to read this article from AccountingWeb which explains it in easy-to-understand lay terms.

Support

If you are experiencing deliverability issues sending mail from your AXLR8 system, please contact Support by email or call. We will review all of the above with you.

AXLR8 Cyber Essentials for 2023-4

24th November 202327th November 2023Rick Marengo

We have just passed the Montpellier level assessment for Cyber Essentials and we are preparing for the AXLR8 Cyber Essentials Plus audit in January. Thanks again to Right Cue and IASME. This exercise is always encourages thought about our cyber security and is a springboard for the internal trainings and audits for the rest of the year.

Between now and January we are doing our annual Penetration Testing exercise. This is involves attempted hacking by skilled consultants and many vulnerability tests and infrastructure and code reviews.

Maintenance App

5th September 20235th September 2023Rick Marengo

Check out the new version of our maintenance app for Android and Apple phones and tablets.

As you and the team walk around your facilities you can see-snap-send.

See: notice a fault and log a repair job
Snap: take a photo
Send: upload the details to the maintenance team

The maintenance team will have manager access and allocate the work to someone (internal or external if it requires specialist knowledge or equipment). Then you can see when it is repaired and also view and “AFTER” photo along side the “BEFORE” photo you had previously uploaded.

Watch the video.

Please see this article for more details

Duty of Care: Business Travel Safety

22nd March 202210th May 2022Rick Marengo

As a supplier of lone worker applications we were thinking about our own commuting to and from AXLR8 and business travel in general which is growing now in the UK as people in commerce are mostly back in the office. The employer has to take due care of workers. The law also stipulates¹that the staff must carry some responsibility for their own safety.

Every Monday morning we have our regular sales and management meetings. Yesterday, we added in a tyre check.

Lessons learned

Know what your pressures are. This will be in the glove compartment, door frame of door edge or in the owners manual. Failing that, try online and at a professional main dealer
Set an alarm every week (Sunday morning?) with you tyre pressures on it and the car. So Mine says Hyundai 36F&B and Toyota 33F 32B (B is back wheels and F is front wheels)
If you have a foot pump use that in the convenience of your home but check it monthly against the garage with a professional pump for peace of mind.
If you use a garage or supermarket petrol station please do not hog the machine and hold up the queue whist you take your valve caps off. Unscrew the caps whilst you wait in the queue. Then you will be able to pump your tyres up in less time and use less change in the machine. Once filled, immediately move your car forward a few yards to let the next person into the machine area to pump their tyres whilst you replace your caps. The quicker the queue, the less likely someone who joined it with the best of intentions will give up.
It is better to get you hands dirty than to have a crash.

Don’t forget oil, windscreen awash liquid, radiator, etc., as well!

Stay safe. Prepare for all trips and build in time to pause and allow others out of turnings and not have to speed. Planning is everything. Distractions are dangerous. If you get in a car tired and cause a crash, nobody will congratulate you on your work ethic.

¹If you are an employer or employee Health and Safety law needs professional advice. However, if you want to read up and acquire general knowledge, google The Health and Safety at Work Act 1974 and the Health and Safety at Work regulations 1999.

Secure Passwords

26th January 202126th January 2021Rick Marengo

Your passwords should be unique and memorable. If you do not read any more of this article, just remember to make your passwords from three random words.

Passwords should be…

long at least 10 characters
unique – do not use the same password for more than one purpose
memorable – if possible so you do not have it on a yellow sticky!
complex – add some numbers upper and lower case characters and some non-alphanumerics such as $, -,!,@ (special characters)
regularly changed
securely stored if stored at all. Possibly an encrypted file or a specialist recognised password vault
changed occasionally (changed too often can create its own security weaknesses). It is accepted that a more complex long password changed less frequently (say annually) is better than a simpler, shorter password changed frequently (e.g. every quarter).

Some of the above may conflict. The better (long, uncrackable, frequently changed, etc.) your password is, the more difficult it is to recall. Therefore, you need to record it and, unless this is done securely, that in itself becomes a security weakness. The familiar yellow sticky on the screen is dangerous but writing them all down on a piece of paper is asking for trouble.

Only secure systems should be trusted with your personal information:

encrypted password storage so not even the programmer of the system can read it.
SSL encrypted browser to server communications (padlock HTTPS:// in the URL) so that it is not compromised between your PC and the server
A ban on further attempts at password attempts after a small number of tries – five to ten attempts maximum.

Your information is probably already compromised

You must assume your password has already been found out and is available to many hackers. How? Check this site to see where your details.

https://haveIbeenpwned.com

Put your email into the box and see the results showing how many sites, where you used that site, and what personal information has already been stolen and has been on sale for many months or years. Everyone should know this but we reckon nineteen out of twenty AXLR8 clients we show this to are completely unaware of how exposed they are.

Brute Force Dictionary Attack

Someone can easily guess my password?

There are hacking tools that attempt thousands of username and password combinations. Many of our servers that are open to the internet have 45,000 attempts per day which are blocked.

The way password guessing works is by using information already available to the hacker’s computer. Your name is an example so do not use your name with “123” after it. Further, your first & last name, school and many more pieces of personal information must be assumed to be known by hackers. If you have a word that is typically used in your password such as a pet name, animal, flower, place, or whatever, a “Dictionary” attack will probably find it by using a list of common words and configurations of those words. For example, Dictionary attacks are really good at words and phrases. They also check adding your date of birth and other information they have derived or purchased. Thus, if your password is made from the word Banana and your date of birth (in this example 10th November), you might make a password like “B4n4n4-1011” On the face of it, this is more than 8 characters and obeys many of the accepted rules from a few years ago.

Good dictionary attacks already have your date of birth, first pet’s name, primary school name, and many other answers to “hint” and “ID check” questions you might have entered in other sites as mentioned above. Most know dates of birth and names of children, which are very common combinations for passwords. All know combinations of common passwords like “Secur1ty”, “pass1234”, “Password!” and “letmein” is well known. Similarly, although it is not the subject of this article, please do not keep your default firewall or blue tooth PIN as “1234” or “0000”. Also, obviously, do not make it the same as your bank PIN!

Yikes! What shall we do then?

Password reset

You should change your password now.

Dictionary attacks are very, very good at finding a word or phrase and number combination. However, they are unable to begin to guess at something you passed on the way to work, a randomly selected object in your house and a film you like or three things you saw on holiday or in a film plus your favourite actor.

Just choose three random words to make a memorable password and chuck in some number(s)/non-alpha(s) characters.

e.g. apple sock ship might end up apple1812-$hipSocks.

Maximum password attempts is a good way to protect against such attacks.

In conclusion make sure your passwords obey the rules at the top of this page and, if you do nothing else, use three random words that only you would recall because only you saw a jaguar, a robin and a bike tyre puncture on your way to the shop this morning.

Repercussions

If it is your personal password for, say a private bank, game or subscription, you may lose money or pride. Worse is possible if someone steals your identity and commits criminal offences in your name. It is not enough to know you are not guilty. There are several cases where an innocent victim of such ID theft has been attacked by another victim of the crime. Lastly, if you are at work and responsible for other people’s data on a system and neglect your duty to create a secure password and keep it secret, you could damage many other people. This could happen if you are working on any accounts, CRM, HR system and many others.

Also, if you are an AXLR8 client running a business you have built up for years, you will need to make sure that you and your staff abide by these simple rules in a complex world.

If this raises any queries, please call AXLR8 support on 01344 776500 and we can help your Super Users with your system security and staff security training.

AXLR8 Checkpoints

16th December 202016th December 2020admin

As well as many other forms of Proof of Attendance (Check in/ Check out) systems: Geolocation, continuous tracking, Intergation to leading biometric and other hardware such as Almas and Paxton, AXLR8 Checkpoints are proving themselves year after year in different locations.

We have some exciting new videos about the popular AXLR8Checkpoints product on our Specialist staffing website.

Click here to head over and check out the article.

Clear new AXLR8 Portal interfaces

16th July 202016th July 2020Rick Marengo

AXLR8 has been spending the last three years updating and improving the AXLR8 User Experience (UX). Many parts of the system are now being systematically added and seamlessly replacing exisiting client systems.

Staffing Agencies

Field staffing apps have been evolving for a while and are now customised to your company and also have all the functionality you would expect from AXLR8’s comprehensive staffing agency systems.

Applicants for different job postings — AXLR8 Application Tracking System: effective recruitment metrics

The staffing systems internal HQ Admin wokflows are being improved, functon by function, starting with the recruitment team using AXLR8 applicant tracking systems.

Dashboards

AXLR8 Dashboards are built internally at clients with knowledgeable accredited AXLR8 Super Users now. They can be built and placed any where in the system but the most popular place is the opening page with a management overview.

Finance

AXLR8 are growing in the commercial finance and loan management systems markets as a direct result of improving user interfaces.

AXLR8 LoanMatrix — AXLR8 Loan Management Systems

Government

AXLR8 is updating the Information Request Management and Information Asset Register systems in use across central and local government and NHS.

AXLR8 IAR — Information Asset Register keeps data sources inventory maintained

Apps

AXLR8 have been delivering Apps on all major operating environments for seeral years for our clients to replace and complement our web apps and web portals.

The above maintenance app is a simple “see snap send” reporting mechanism as well as containing all the information requied for service, installation and other equipment management tasks for an engineer.

The comprehensive AXLR8 Staffing App is simpl for the staff member to use for shift information, work planning availability calendar, pay, expenses, field reporting and surveys (on and off line) updating personal details, Chat mechanism, proof of attendance and so much more. It is used by tens of thousands of staff every day.

Staff App Screens — Staffing App with client customised content and functionality

Please email sales@axlr8.com or call us about your business systems requirement 01344 776500

AXLR8 Checkpoints Rev 4

28th November 201929th November 2019Rick Marengo

We are delighted with the field testing of revision 4.0 of this device following client feedback – mostly from the security and retail field marketing industries. More information on the dedicated AXLR8 Event Staffing website.

All weather

AXLR8 Checkpoints are weather resisitant even in a very rainy country like the UK. We will also test them in cold countries soon to see if they can get through minus 30 cold snaps in Canada or Scandanavia. Not sure we will bother testing at 10m under the sea – even if it would make a good picture! The AXLR8 Checkpoint would survive in high pressure salt water for around a year, we believe. We would need to research sealants for longer than that. However, if you had mobile guards or countercover staff down there, then the scanning device would also need military specification sealing. We think about these things so you don’t have to.

Surface Attachment

It seems that small seemingly insignificant changes are more expensive than you would imagine but also more satisfying for us when done. If your client does not allow you to attach your proof of attendance check in and check out devices on to the walls with screws (the original designs) then we have 100% back surface for adhesive or double sided tape or velcro. Too many options to list. The AXLR8 Checkpoints may be customer installed. Obviously, do a “patch test” on a single device first if you use glue with chemicals that may contain acids or other corrosive chemicals. This caveat applies to the client’s wall or other surfaces too, of course. Some of these devices are under counters and several are in cupboards.

No power or network cabling

These devices are passive and so they do not need electricity or any network cabling. Staff checking in, out or about, just need a BYOD device (reasonably up-to-date iPhone or Android device) which virtually all of your staff carry with them, anyway.

Low deployment costs

Live powered networked intelligent scanning devices are expnsive to install and maintain. Where you need an intelligent networked device internet and electric suply plus battery back up and plenty of local memory, the costs are normally £1000 minimum to purchase, install, wire up and connect to the net. They are then vulnerable to weather, power and internet interruption, vandalism, etc. So insurance and maintenance are necessary. They do help if you have hundreds of staff with swipe cards as the cost per staff check in is low. We have relationships with Paxton and Almas Industries if you need this sort of swipe/ biometric device installed and we keep up-to-date on new products on the market all the time. However, AXLR8 Checkpoints are around £150-£300 installed and maintenance is basically occasional replacement due to landlords or clients restrictions on adesion methods on their walls or other surfaces. There are also cheaper share survices where AXLR8 have identified, for example, that three countercover agencies and one security firm all have staff working at the same location and all need the same check in, out and about recording functionality when their staff are working.

AXLR8 Dashboard functions

25th May 201911th January 2020Rick Marengo

We recently launched a new set of functions for building dashboards.

The functionality is being provided to beta clients and some new clients now. It will soon become widespread.

AXLR8 Dashboards will address two key UI issues we have been working through in the last four years.

Cx Dashboard

The CEO and Cx suite (board, VPs, etc.) will want different dashbards to the functional dashboards we have as standard in the project. A staff booker will log in to an overview of campaigns and a sales person may log in to their active deals. Howver, a CEO or COO may need a couple of graphs and two buttons to take them to some areas of P&L detail or other KPIs for the business such as client feedback scores. Previously, we have built these as custom developments and they have been expensive and mostly only applicable to one specific customer. Now AXLR8 can quickly model and deploy different dashboards for different directors/executive officers.

Functional Dashboards

These are the dashboards that would be used by specific staff and managers to achieve their job objectives on a daily basis. For example a warehouse manager may need to know tools availability and testing schedules for the purposes of kitting out vans during each week with safe, servicable tools. A talent manager may wish to see how many applicants came in over night and how the talent pool stands including whose SIA licence paperwork or work visas are coming up for renewal.

We will follow up with an article with some Use Cases in different industries.

AXLR8 Dashboards

2nd March 201925th May 2019Rick Marengo

AXLR8 has been working on a broad UI improvement strategy over the last four years. AXLR8 Dashboards are one of the main planks of that strategy. Apart from developer team alignment, creative new look and feel approaches and UI standards, the main UI development areas include:

Operational Apps which interact with the AXLR8 enterprise data in your company – built for
- Android tablets and smartphones
- iPhones and iPads running Apple iOS
Specialist portals for field staff
Simplified vertical market portals for specific job roles including finance brokers, request managers and asset/warehouse, transport and maintenance staff
AXLR8 Report Builder UI evolution
AXLR8 e-Learning
APIs to other systems extending access for users (e.g. integrated credit check searches for sales people or integrated proposal entry for finance brokers)
AXLR8 Dashboards

AXLR8 Dashboards are customisable by AXLR8 Support Consultants. In Q4 2019 we plan to add the skills into the AXLR8 Super User training course deliverables. Many AXLR8 SuperUsers will be able to customise these AXLR8 Dashboards for their board directors to see their KPIs and metrics as well as for operational and field staff in specific professional areas such as broking, job tracking, government information request management, talent management (including Applicant tracking, vetting and and staff bookings), sales, maintenance, and many more.

What is an AXLR8 Dashboard?

AXLR8 Dashboards are overview screens making access to your information quicker and easier. The AXLR8 Dashboards Manager allows the Super User or Consultant to:

customise a view (e.g. an opening view after login) of the system with only the buttons, graphs, etc. that a user or group of users needs
cascade more reports and dashboards when that user clicks through to them

This is best illustrated with examples of how dashboards are used.

Who needs AXLR8 Dashboards?

Use case: CEO dash

CEOs often identify 5-10 key metrics they need to run the business and identify trends. Most great CEOs also want to dig into the detail. So an opening screen with these key metrics and buttons leading to reports and data on the main functional areas of their business: sales forecast, sales league table, customer satisfaction survey feedback, delayed projects, bookings, etc. can easily be made for the Cx who would normally not engage with systems.

Use case: Warehouse Operations dash

In this specific area, the people in the warehouse are agents for any business critical processes and for change and evolution. To make a system easy for them to use, it must be built with their vocabulary and each function must be accessible from a simple menu or set of buttons: Book goods in, what equipment needs a PAT or PUWER test, what items are in repair, how many of those drills are available, which vehicles need an MOT (TuV, etc.), how many perishable items are three months from disposal.

Use case: Talent Manager dash

In one company this could mean a dashboard of applicant tracking data, in another it might be extended to vetting, staff surveys, staff work metrics and discipline. Yet another manager may be using AXLR8 e-Learning to develop staff and needs to make sure goals on staff numbers with certain qualifications are achieved. Talent managers will have differing goals from company to company and AXLR8 Talent Managment and ATS, Vetting and other functions need to be customised for each company’s needs.

Use case: Customer Support dash

The Support Manager, or Operations Manager will be measured by the Cx level managers on many critical metrics. This dashboard can be customised so that buttons and graphs on the opening page may show graphs of or allow access to such items as:

Map of where my maintenance staff are today
Current customer satisfaction feedback scores from AXLR8 Surveys and similar AXLR8 functions
Any tickets or requests that have taken longer than target response or resolution times

AXLR8

Systems for Event & Campaign Staffing, Sales and Marketing, Freedom of Information, Job Tracking, Assets, Case Management

Field Surveys