DMARC, SPF and DKIM: What and Why?

The short answer is email security, delivery and spam prevention, which are related in many ways. Do not ignore these seemingly boring acronyms: DKIM and SPF. They help us assess whether we can trust emails.

What is the problem?

Opening every email is a risk. You need to trust emails you open. You need recipients to trust the ones you send.

One way to reduce that risk is to know who has sent it and assess whether or not we trust them. So how do we know who the sender is? Not by the sender name, that is for sure. Something purporting to come from a large trustworthy company, perhaps? Nat West bank or “SCREWFIX” (i.e. the tools and materials retailer) might mail you about your account or a competition. It may have come from a different email domain if you click into it. SCREWFIX<dhlkjlj@zxyildgt .ru> is an example where you can see the “friendly name” “SCREWFIX” is completely different to the email domain name (the bit after the @-sign). See if you can spot this in the email below received as I looked for examples whilst writing this.

So people send emails “spoofing” that they are someone else. Much spam is probably going out from your company name right now and causing damage to your reputation. This happens to every company after a while. So, how can we be even more sure of the sender?

How do you check a sender?

Where does this email come from?

Each server on the internet has a unique “IP” address to identify it. The IP address of the server where the mail originated provides a little more assurance. You can see the IP where an email originated (and all the servers it went through before getting to your email inbox) by looking in the email “headers”. Different mail programs hide this in different places but you should be able to google where it is. It is a bit like the postmark on an envelope. If it says it was posted in Leeds, and your sender lives in Leeds, you can have a bit more confidence. If it says it comes from Santa Claus and the postmark says “North Pole”, any grown-up knows postmarks can be forged. Regrettably, an IP can be spoofed in the same way. However, there are a couple of major problems even if the IP address of the sender is completely genuine. How do you know if it is the IP of the sender or just some other IP? The answer is SPF (Spam Protection Framework).

The SPF standard allows email domain owners to say: “Email from my domain may only come from the server with this IP address and any other IP addresses should not be trusted.” That is really helpful because even if you do not go comparing the IP address from which the email originated and the IP address(es) that the domain owner has configured, the mail relays will do so. It is relatively easy for them to compare the two and many will block mails that do not comply before you receive them. Now turn it around the other way. If you do not set this up for your email domain, more and more servers will block your emails and people will not receive them. I.e., you will have a “deliverability issue”.

To add your valid originating IPs for your company, you need to add the details to the “SPF record”. This is done in the DNS control panel for your domain. The task requires technical knowledge. Do not attempt DNS changes unless you understand how it all works. Call your ISP or hosting company to ask their advice. Also, you should make sure you (or a technical manager you trust) know the access credentials for the DNS for any domain in your business so you can make changes when required.

What, When and Who are valid for this email?

Experts soon saw that the above weaknesses in SPF needed to be addressed. A new method was needed. There had to be some way machines could trust an encrypted key mechanism to see if the email was genuinely:

  • sent at that date and time
  • from that email address (sender)
  • to that/those email addresses (recipients)
  • Subject line.

This is accomplished by DKIM (Domain Keys Identification Method) which was designed to address the problem. You need to make sure you have this set up correctly for any servers you authorise to send your email. You need to make sure your incoming email servers check it, too.

The way it works is that the email server generates an encrypted string (2048 bit is acceptable at time of writing) which encodes the above facts as the email is sent. When any mail “relay” server receives it, it can check this against a 2048 bit DKIM key that is shown publicly on the domain. If the two “fit” together, the email is passed along. If not, some other action ranging from nothing to an alert to blocking (or even deleting) takes place. Because of the challenging rise in spam and dangerous emails, the servers and mail applications are getting increasingly strict.

Once again, to set this up, you need a DNS skilled professional. The whole process should be less than half-an-hour including checking with a tool like MXToolbox.com or dmarcian.com. It may seem expensive and complicated but “doing nothing” will probably come with a cost! Your business emails will get blocked and become more and more undeliverable.

You may hear about another acronym: DMARC (Domain-based Message Authentication, Reporting and Conformance). This is a way that email management professionals configure their servers to react to the SPF and DKIM data associated with the emails. Basically, it sets the rules as to whether an email is fine, marked as spam or so dangerous it needs to be deleted. Different professionals take different views. However, the large organisations that move the most email traffic are also getting stricter. So you need to be verified by them also, or your email will be rerouted or deleted if not properly configured to prove you are who you say you are.
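The SPF check and the DMARC reaction described above, as an added example that is not part of the original article or of any AXLR8 system. The domain example.com, the IP addresses and both DNS records are constructed samples; the DKIM result is taken as an input rather than verified, only the `ip4`/`ip6`/`all` parts of SPF are evaluated, and the passing check is assumed to be for the same domain as the visible From: address.

```python
import ipaddress

# Constructed sample DNS TXT records for the placeholder domain example.com.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include:, a, mx and similar need DNS lookups; skipped in this sketch.
    return "neutral"  # nothing matched and the record has no "all"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(spf_result, dkim_result, dmarc_record):
    """Return what a receiver honouring the sender's DMARC policy does."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    # One passing check is enough for DMARC to pass.
    if spf_result == "pass" or dkim_result == "pass":
        return "deliver"
    policy = tags.get("p", "none").lower()
    # p=none only asks for reports, so failing mail is still delivered.
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        spf = check_spf(SPF_RECORD, ip)
        # DKIM is assumed to have failed here, so SPF alone decides.
        print(ip, spf, dmarc_disposition(spf, "fail", DMARC_RECORD))
```

Changing `-all` to `~all` turns the SPF result for an unlisted IP from `fail` into `softfail`, and changing `p=quarantine` to `p=reject` turns the final decision from the spam folder into outright refusal.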

Verification records

In addition to the above internationally accepted DMARC standards, the major email traffic players have their own additional verification checks. If you or your clients or staff or any other stakeholders or consumers have Gmail addresses or other Google mail services such as G-Suite, you will need Google Verification. Ask your tech person to click here and follow the process for Google Verification. There are similar processes for other mail relay providers including Apple and Microsoft.

Some further reading

You may also wish to read this article from AccountingWeb which explains it in easy-to-understand lay terms.

Support

If you are experiencing deliverability issues sending mail from your AXLR8 system, please contact Support by email or call. We will review all of the above with you.

AXLR8 Cyber Essentials for 2023-4

We have just passed the Montpellier level assessment for Cyber Essentials and we are preparing for the AXLR8 Cyber Essentials Plus audit in January. Thanks again to Right Cue and IASME. This exercise always encourages thought about our cyber security and is a springboard for the internal trainings and audits for the rest of the year.

Between now and January we are doing our annual Penetration Testing exercise. This involves attempted hacking by skilled consultants and many vulnerability tests and infrastructure and code reviews.

Maintenance App

Check out the new version of our maintenance app for Android and Apple phones and tablets.

As you and the team walk around your facilities you can see-snap-send.

  • See: notice a fault and log a repair job
  • Snap: take a photo
  • Send: upload the details to the maintenance team

The maintenance team will have manager access and allocate the work to someone (internal or external if it requires specialist knowledge or equipment). Then you can see when it is repaired and also view an “AFTER” photo alongside the “BEFORE” photo you had previously uploaded.

Watch the video.

Please see this article for more details

Secure Passwords

Your passwords should be unique and memorable. If you do not read any more of this article, just remember to make your passwords from three random words.

Passwords should be…

  • long – at least 10 characters
  • unique – do not use the same password for more than one purpose
  • memorable – if possible so you do not have it on a yellow sticky!
  • complex – add some numbers, upper and lower case characters and some non-alphanumerics such as $, -, !, @ (special characters)
  • regularly changed
  • securely stored if stored at all. Possibly an encrypted file or a specialist recognised password vault
  • changed occasionally (changed too often can create its own security weaknesses). It is accepted that a more complex long password changed less frequently (say annually) is better than a simpler, shorter password changed frequently (e.g. every quarter).

Some of the above may conflict. The better (long, uncrackable, frequently changed, etc.) your password is, the more difficult it is to recall. Therefore, you need to record it and, unless this is done securely, that in itself becomes a security weakness. The familiar yellow sticky on the screen is dangerous but writing them all down on a piece of paper is asking for trouble.

Only secure systems should be trusted with your personal information:

  • encrypted password storage so not even the programmer of the system can read it.
  • SSL encrypted browser to server communications (padlock HTTPS:// in the URL) so that it is not compromised between your PC and the server
  • A ban on further password attempts after a small number of tries – five to ten attempts maximum.

Your information is probably already compromised

You must assume your password has already been found out and is available to many hackers. How?  Check this site to see where your details.

https://haveIbeenpwned.com

Put your email into the box and see the results showing how many sites, where you used that site, and what personal information has already been stolen and has been on sale for many months or years. Everyone should know this but we reckon nineteen out of twenty AXLR8 clients we show this to are completely unaware of how exposed they are.

Brute Force Dictionary Attack

Someone can easily guess my password?

There are hacking tools that attempt thousands of username and password combinations. Many of our servers that are open to the internet have 45,000 attempts per day which are blocked.

The way password guessing works is by using information already available to the hacker’s computer. Your name is an example so do not use your name with “123” after it. Further, your first & last name, school and many more pieces of personal information must be assumed to be known by hackers. If you have a word that is typically used in your password such as a pet name, animal, flower, place, or whatever, a “Dictionary” attack will probably find it by using a list of common words and configurations of those words. For example, Dictionary attacks are really good at words and phrases. They also check adding your date of birth and other information they have derived or purchased. Thus, if your password is made from the word Banana and your date of birth (in this example 10th November), you might make a password like “B4n4n4-1011”. On the face of it, this is more than 8 characters and obeys many of the accepted rules from a few years ago.

Good dictionary attacks already have your date of birth, first pet’s name, primary school name, and many other answers to “hint” and “ID check” questions you might have entered in other sites as mentioned above. Most know dates of birth and names of children, which are very common combinations for passwords. All know common passwords like “Secur1ty”, “pass1234”, “Password!” and “letmein”. Similarly, although it is not the subject of this article, please do not keep your default firewall or Bluetooth PIN as “1234” or “0000”. Also, obviously, do not make it the same as your bank PIN!

Yikes! What shall we do then?

Password reset

You should change your password now.

Dictionary attacks are very, very good at finding a word or phrase and number combination. However, they are unable to begin to guess at something you passed on the way to work, a randomly selected object in your house and a film you like or three things you saw on holiday or in a film plus your favourite actor.

Just choose three random words to make a memorable password and chuck in some numbers or non-alphanumeric characters.

e.g. apple sock ship might end up apple1812-$hipSocks.
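A check for the “word plus date” pattern described above, together with a three-random-words generator, as an added example that is not part of the original article or of any AXLR8 system. The word list, the character-swap table and the function names are constructed for illustration; the check only recognises a single dictionary word decorated with digits or symbols and is not a full strength meter.

```python
import secrets

# Constructed sample word list; a real one would hold thousands of words.
WORDS = ["apple", "sock", "ship", "banana", "jaguar", "robin", "tyre",
         "lantern", "pebble", "violin", "harbour", "walnut"]
# The well-known passwords named in the article, lower-cased.
COMMON = {"secur1ty", "pass1234", "password!", "letmein"}
# Undo the usual character swaps so that "b4n4n4" is read as "banana".
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})


def weakness(password, known_facts=()):
    """Return why a dictionary attack would find this password, or None."""
    lowered = password.lower()
    if lowered in COMMON:
        return "well-known password"
    plain = lowered.translate(UNLEET)  # same length as the original
    for word in WORDS:
        if not plain.startswith(word):
            continue
        tail = lowered[len(word):]  # what follows the word, as typed
        if any(c.isalpha() for c in tail):
            continue  # more words follow, so not the single-word pattern
        digits = "".join(c for c in tail if c.isdigit())
        if digits and digits in known_facts:
            return f"dictionary word '{word}' plus a known personal fact"
        return f"dictionary word '{word}' plus digits or symbols"
    return None


def three_random_words(words=WORDS):
    """Build a passphrase from three randomly drawn words, a number and a symbol."""
    rng = secrets.SystemRandom()  # operating-system randomness, not random.random
    first, second, third = rng.sample(words, 3)
    number = secrets.randbelow(9000) + 1000  # four digits, 1000..9999
    symbol = secrets.choice("-$!@")
    return f"{first}{number}{symbol}{second.capitalize()}{third.capitalize()}"


if __name__ == "__main__":
    # "1011" stands for the 10th November date of birth used in the article.
    for candidate in ("B4n4n4-1011", "Secur1ty", "apple1812-$hipSocks"):
        print(candidate, "->", weakness(candidate, known_facts=("1011",)))
    print(three_random_words())
```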

Maximum password attempts is a good way to protect against such attacks.

In conclusion, make sure your passwords obey the rules at the top of this page and, if you do nothing else, use three random words that only you would recall because only you saw a jaguar, a robin and a bike tyre puncture on your way to the shop this morning.

Repercussions

If it is your personal password for, say a private bank, game or subscription, you may lose money or pride. Worse is possible if someone steals your identity and commits criminal offences in your name. It is not enough to know you are not guilty. There are several cases where an innocent victim of such ID theft has been attacked by another victim of the crime. Lastly, if you are at work and responsible for other people’s data on a system and neglect your duty to create a secure password and keep it secret, you could damage many other people. This could happen if you are working on any accounts, CRM, HR system and many others.

Also, if you are an AXLR8 client running a business you have built up for years, you will need to make sure that you and your staff abide by these simple rules in a complex world.

If this raises any queries, please call AXLR8 support on 01344 776500 and we can help your Super Users with your system security and staff security training.

Clear new AXLR8 Portal interfaces

AXLR8 has been spending the last three years updating and improving the AXLR8 User Experience (UX). Many parts of the system are now being systematically added and seamlessly replacing existing client systems.

Staffing Agencies

Field staffing apps have been evolving for a while and are now customised to your company and also have all the functionality you would expect from AXLR8’s comprehensive staffing agency systems.

Applicants for different job postings
AXLR8 Application Tracking System: effective recruitment metrics

The staffing systems’ internal HQ Admin workflows are being improved, function by function, starting with the recruitment team using AXLR8 applicant tracking systems.

Dashboards

AXLR8 Dashboards are built internally at clients with knowledgeable accredited AXLR8 Super Users now. They can be built and placed anywhere in the system but the most popular place is the opening page with a management overview.

AXLR8 Dashboards
AXLR8 Dashboards give a real time overview of business health

Finance

AXLR8 are growing in the commercial finance and loan management systems markets as a direct result of improving user interfaces.

AXLR8 LoanMatrix
AXLR8 Loan Management Systems

Government

AXLR8 is updating the Information Request Management and Information Asset Register systems in use across central and local government and NHS.

AXLR8 IAR
Information Asset Register keeps data sources inventory maintained

Apps

AXLR8 have been delivering Apps on all major operating environments for several years for our clients to replace and complement our web apps and web portals.

App Screens
Simple to use fault reporting and service logging app

The above maintenance app is a simple “see snap send” reporting mechanism as well as containing all the information required for service, installation and other equipment management tasks for an engineer.

The comprehensive AXLR8 Staffing App is simple for the staff member to use for shift information, work planning availability calendar, pay, expenses, field reporting and surveys (on and off line), updating personal details, Chat mechanism, proof of attendance and so much more. It is used by tens of thousands of staff every day.

Staff App Screens
Staffing App with client customised content and functionality

Please email sales@axlr8.com or call us about your business systems requirement 01344 776500

AXLR8 Checkpoints Rev 4

We are delighted with the field testing of revision 4.0 of this device following client feedback – mostly from the security and retail field marketing industries. More information on the dedicated AXLR8 Event Staffing website.

All weather

AXLR8 Checkpoints are weather resistant even in a very rainy country like the UK. We will also test them in cold countries soon to see if they can get through minus 30 cold snaps in Canada or Scandinavia. Not sure we will bother testing at 10m under the sea – even if it would make a good picture! The AXLR8 Checkpoint would survive in high pressure salt water for around a year, we believe. We would need to research sealants for longer than that. However, if you had mobile guards or countercover staff down there, then the scanning device would also need military specification sealing. We think about these things so you don’t have to.

Surface Attachment

AXLR8CheckPointV4

It seems that small seemingly insignificant changes are more expensive than you would imagine but also more satisfying for us when done. If your client does not allow you to attach your proof of attendance check in and check out devices on to the walls with screws (the original designs) then we have 100% back surface for adhesive or double sided tape or velcro. Too many options to list. The AXLR8 Checkpoints may be customer installed. Obviously, do a “patch test” on a single device first if you use glue with chemicals that may contain acids or other corrosive chemicals. This caveat applies to the client’s wall or other surfaces too, of course. Some of these devices are under counters and several are in cupboards.

No power or network cabling

These devices are passive and so they do not need electricity or any network cabling. Staff checking in, out or about, just need a BYOD device (reasonably up-to-date iPhone or Android device) which virtually all of your staff carry with them, anyway.

Low deployment costs

Live powered networked intelligent scanning devices are expensive to install and maintain. Where you need an intelligent networked device, internet and electric supply plus battery back up and plenty of local memory, the costs are normally £1000 minimum to purchase, install, wire up and connect to the net. They are then vulnerable to weather, power and internet interruption, vandalism, etc. So insurance and maintenance are necessary. They do help if you have hundreds of staff with swipe cards as the cost per staff check in is low. We have relationships with Paxton and Almas Industries if you need this sort of swipe/biometric device installed and we keep up-to-date on new products on the market all the time. However, AXLR8 Checkpoints are around £150-£300 installed and maintenance is basically occasional replacement due to landlords’ or clients’ restrictions on adhesion methods on their walls or other surfaces. There are also cheaper share services where AXLR8 have identified, for example, that three countercover agencies and one security firm all have staff working at the same location and all need the same check in, out and about recording functionality when their staff are working.

AXLR8 Dashboard functions

We recently launched a new set of functions for building dashboards.

The functionality is being provided to beta clients and some new clients now.  It will soon become widespread.

AXLR8 Dashboards will address two key UI issues we have been working through in the last four years.

Cx Dashboard

The CEO and Cx suite (board, VPs, etc.) will want different dashboards to the functional dashboards we have as standard in the project. A staff booker will log in to an overview of campaigns and a sales person may log in to their active deals. However, a CEO or COO may need a couple of graphs and two buttons to take them to some areas of P&L detail or other KPIs for the business such as client feedback scores. Previously, we have built these as custom developments and they have been expensive and mostly only applicable to one specific customer. Now AXLR8 can quickly model and deploy different dashboards for different directors/executive officers.

Functional Dashboards

These are the dashboards that would be used by specific staff and managers to achieve their job objectives on a daily basis. For example, a warehouse manager may need to know tools availability and testing schedules for the purposes of kitting out vans during each week with safe, serviceable tools. A talent manager may wish to see how many applicants came in overnight and how the talent pool stands, including whose SIA licence paperwork or work visas are coming up for renewal.

We will follow up with an article with some Use Cases in different industries.

AXLR8 Geofencing for Staff Attendance

AXLR8 have a proven reliable track record in the BYOD geo-location of staff using smartphones. However, geofencing has always been reserved for our asset tracking modules.
Now our staffing agency clients and others in construction, debt collection, and many other verticals want to be able to stop people checking in for work at remote locations unless they are actually there.
Unfortunately, there has always been a tiny minority of remote workers who check in on time but are actually a mile or more away from the place where they are being paid to provide a service. In a couple of cases, people have checked in for a work day at a retail outlet demonstrating products and it has been proven by the AXLR8 system they were still at home. Reputations take a long time to build in staffing agencies. Those guys wreck an agency’s hard earned reputation and they have nowhere to hide if they attempt to defraud an AXLR8 client using AXLR8 Proof of Location systems.
Please contact us for more details.

AXLR8 off line data collection

AXLR8 has been providing the tools for clients’ mobile workers to collect data using an online tablet or smart phone for around ten years. The first ones ran on devices like the Blackberry.

For example:

  • building surveys
  • health and safety audits
  • field marketing store visit reports
  • supplier audits
  • staff vetting workshops
  • local authority social surveys
  • consultation surveys
  • staff surveys

AXLR8 Clients collect tens of thousands of data items around the world, every minute, using this technology.

Surveys with no internet

However, customers still find that there are some places they must go where it is impossible or inconvenient to acquire an internet connection.  Places with unreliable or no internet connection include:

  • an agricultural setting
  • a basement or underground carpark
  • festival fields
  • on board ship
  • a shop or building that blocks or shields 4G and 3G
  • no data allowance for the period using  BYOD
  • a remote foreign location with no (secure) internet.

So a couple of years ago, AXLR8 created an app that allowed offline reporting.

You download the surveys/report questions to your device before setting off at a point where you can use a WIFI connection. Then you open the questionnaire and fill in the responses as you move around: inspect the building or interview the public or check merchandise levels – or whatever your field task is. Following that field survey, when you return to the internet connection, you can submit the saved survey and all the data and pictures/files/video are uploaded to the cloud.

From there, the usual functions are possible by you or by your trusty back office support staff: creating documents, presenting the data on AXLR8 designed client portals, extracting the data and writing analyses, etc.

Explainer animation: Click here

For more information, please call AXLR8 on  +44 1344 776500.