We all use email, more than 200 billion (!!!) emails are sent and received every day.
However, such an extensive system that is deeply integrated into our daily lives remains a mystery: many technicians don’t really know how the technical side of emails function.
To get a better grasp of the aspects of email, we have to go back in time.The operation of email started quite similar to the traditional written letter: you create a message and indicate the recipient and the sender of the message .
A server that sends your mail, contacts the recipient and delivers the message when the latter is found. Simple as that right?
That used to be the case, but due to abuse such as spam and phishing, various measures and additional systems have been built on top of this simple system.
This brings us to a wide variety of additional features that have been developed for email over the years and are now making it a topic that most don’t venture into or can no longer see the wood for the trees.
In these posts, we try to provide some clarification, and preferably in human language instead of technical gibberish.
The topic of email is so vast that we have to split it into several parts, so be sure to follow us so you won’t miss a single part!
Here we GO!
Part 1: And who are you?
Imagine the following:
Person A sends a letter to person B, a normal transaction you would think. But what if someone else pretends to be person A? What prevents someone from writing another name as the sender on the letter? Apart from the legal aspect as this would be considered identity fraud, nothing will stop you from writing another name on the letter. This is exactly the same with email, or rather it was the same.
Due to the misuse of this possibility by hackers, spammers, and fraudsters. Of course, solutions have been invented to prevent this. By the way, this problem is called “spoofing”: impersonating an identity or activity as something or someone else to abuse trust has unfortunately not only been limited to email. If you send an email now, you will almost always have to through verification providing a password and login for your outgoing mail (SMTP) server. This prevents someone from sending malicious emails on your behalf through the server.
Great, problem solved! … Right? Or does that seem too obvious? Well, it is, because people are not lacking inventiveness, and certainly not when they have malicious intentions. The spammer just creates his own mail server and because of that, he has all the authentication he needs. He can even turn off all verification, which is possible because he is the administrator and therefore has total control over his own system.
Huzzah, the criminals can send to their heart’s content under any name or domain, and as much as they want as well. As such we need a system that checks whether the sender is the correct sender. But how do you approach something like this? Because you can determine your own name to send an email. An email address consists of 2 parts: the user and the domain. Everyone can register a domain but this is exactly where the problem starts for fraudsters. A domain can almost always be traced back to a natural person or to an organization where people can be held responsible. And it also costs a small amount every year to keep active. If you are going to do dark things, you do not want this to be traced back to you and in most cases, it should also cost nothing because you will still have a “money trail” that can also be traced back to a person (except cryptocurrency, but that’s a story for another time).
A domain uses DNS records, settings that you can specify, and which are copied to other servers all over the world and are freely retrievable via the internet. In addition to email, DNS is another part of IT which many computer techs prefer to stay away from as far as possible. This creates an area of tension since it is an essential part of the foundations of the internet. This is also interesting material, so there will certainly be a separate post covering this topic. Mind that it will be divided into different parts, so make sure to stay on top of things by following us on our social media and website.
Back to Email … By setting an SPF (Sender Policy Framework) record in the DNS records of your domain, the receiving server can check whether the server who sends the email, has the permission to send emails for this particular domain name. We totally understand if you have to read that sentence at least twice. We now have a kind of check whether the email comes from a server that is allowed to send on behalf of this domain. Nice in theory, but in practice it is somewhat different.
The problem starts with implementation because not all mail servers check for SPF records. There is also a lot of misinformation on the internet about SPF and so they are often set incorrectly. Besides, SPF records can be set in various ways.
For example: No other server is allowed to send on behalf of this domain using “-all” at the end of the record. Mark the message as suspected spam by adding “~ all” if it would come from another server that is not listed in your SPF record. Then we have “? all” which indicates that no validation should be done and incoming mails from any server are allowed. And as the icing on the cake we still have “+ all”, and this would indicate that all servers that try to send on this domain’s behalf would be marked good and trustworthy. Of course, you only use “-all” and possibly “~ all” in an emergency, otherwise you might as well not set an SPF record. But even then SPF records are suggestions for the receiving server and the receiver can ignore this completely. Fortunately, this has become rare.
By the way, did you know that Microsoft was the first major player in the field of SPF implementation as a control mechanism in 2007? If you ever want to be able to get into Outlook, Hotmail, or Live mailboxes, you better have your SPF records in order. The rest of the world is still catching up: still not everyone uses SPF checks. Ridiculous of course, but on the other hand the protocol is not strict enough in my opinion due to the options of “+ all” and “? All” in the official RFC guidelines. Before 2007, you were virtually free to pretend to be anyone you wanted to be. The Wild West of the internet is gradually getting organised, but we are far from finished.
So now you have SPF records to check but not everyone uses them or they set them incorrectly. You should also know that SPF only checks the envelope sender of the e-mail, the email itself can contain all kinds of incorrect information and the display name can still be changed to anything you like. For example: An email from firstname.lastname@example.org can still look like it was coming from the queen of England herself to those who are not paying attention.
Still, SPF has a clear use for email. For example, do you want to be able to send from 2 servers at the same time? One for internal business mail and one for newsletters to customers. Or perhaps automatic mails from your webshop for the order confirmations and promotions that you want to announce. You should definitely regulate this correctly in your SPF records, otherwise, your mail will not arrive or end up in the spam of most mailboxes.
In part 2, we’ll continue with email, because at this point we don’t have a good way to track the sender and prevent spoofing, not to mention spam!
By the way, do you have problems with email? We would be more than happy to assist you!
You can always reach us by phone if your email would not (yet) be up to the job .