Email Fraud Defense


Picture of a hand holding a phone Introduction:
Mail is a tool that continues to work very well for business: it is inexpensive, scalable, convenient, nearly ubiquitous and may be used for driving revenue generation. The popularity of email as a communication tool for business has made it an attractive target for cyber criminal activity. Indeed, email remains the number one vector for fraud and the delivery of malware. This is simply a symptom of the inherent insecurity of the simple mail transfer protocol (SMTP) which is the predominant email protocol.

Email fraud costs companies around the world billions of dollars and can hurt brand reputation and undermine consumer confidence. According to the CSO website, cyber-attacks-espionage phishing-is-a-37-million-annual-cost-for-average-large-company.htmllarge companies are incurring a $3.7 million price tag annually just to deal with phishing attacks.

Attack strategies associated with email fraud include:

Picture of Stop Icon

Mail with content intended to trick email recipients into exposing sensitive information to malicious actors.

Picture of Thermometer showing Hot & Cold

Unsolicited email sent in bulk.

Picture of house with rain falling

Forgery of email so that the message appears to have originated from a source other than the real source.

Authenticating Email

The Domain-based Message Authentication Reporting & Conformance (DMARC) standard, which was unveiled in 2012, is a powerful and

proactive countermeasure in the fight against phishing and spoofing. DMARC is an email authentication protocol that can make the “header from” domain (what you see in your email client) trustworthy. DMARC is built on two other extremely important email authentication standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).


SPF is an email authentication protocol that allows the owner of a domain to specify which mail servers they use when sending email from that domain. The domain owner lists the IP addresses of authorized senders in a domain name system (DNS) record. Here is an example of such a DNS record:

v=spf1 ip4: -all

If the IP address sending email on behalf of the owner is not listed in that SPF record, the message fails SPF authentication.

Picture of smiling Black girl using laptop

    Despite its usefulness, SPF does have some drawbacks, some of which are highlighted here:

  •   Keeping SPF records updated as the domain owner changes service providers and add mail streams is difficult.
  •   It is possible for a message to fail SPF and not get blocked from the inbox.
  •   The SPF protection is compromised when a message is forwarded.


DKIM is a protocol that allows an organization to transmit a message in a way that can be verified by email providers. Verification is possible through cryptographic authentication within the digital signature in the email. By using cryptographic authentication, DKIM can ensure that the message has not been intercepted during transit. An example of a DNS record for DKIM follows:


Picture of computer with g-mail

    Unfortunately, DKIM has several disadvantages that has retarded its widespread adoption.

  •   DKIM is difficult to implement.
  •   The DKIM domain is not visible to the non-technical end user and does nothing to prevent the spoofing of the visible “header from” domain.
  •   The SPF protection is compromised when a message is forwarded.

Further information on DKIM may be obtained from www.dkim.org


DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards and that fraudulent activity appearing to come from domains under the owner’s control is blocked before ever reaching the receiver’s inbox. Moreover, DMARC policy may be configured to allow the sender’s domain to indicate that emails are protected with SPF and DKIM and instruct the receiver on handling authentication failure. Here is an example of a DNS record for DMARC:

V=DMARC1; p=reject;fo=1;;

Picture of Hacker using a computer

    The weaknesses of DMARC are:

  •   It is essential but DMARC is an incomplete solution.
  •   DMARC does not protect against spoofing.
  • Web Spoofing is a security attack that allows an adversary to observe and modifyall web pages sent to the victim's machine, and observe all information entered into forms by the victim.

An overview of the way DMARC works:

Picture of graph illustrating how DMARC works

Click here for further information on DMARC -


DMARC implementation is no easy task. Complexity comes from the fact that there are lots of legitimate email senders operating on an organization’s behalf, and if authentication is implemented incorrectly, legitimate email flow may be interrupted at great expense to the organization. The goal is to get to a reject policy without blocking legitimate email and this requires full visibility into the email ecosystem of the organization.

Click here to use Proofpoint's tool to start the process.

Picture of step#1 of proofpoint's process
Picture of step#2 of proofpoint's process
Picture of step#3 of proofpoint's process
Picture of step#4 of proofpoint's process

As an authorized Proofpoint partner, TRUSTWORTHY Systems Inc. has access to the resources to help organizations get protection against email fraud. Proofpoint’s Email Fraud Defense leverages the power of DMARC email authentication to help organizations authorize all legitimate senders and block fraudulent emails before they reach employees, partners, vendors, suppliers or customers.

Let TRUSTWORTHY Systems Inc. be the catalyst for risky behavior, change and development of a better digital experience within your organization.

Picture of TSI's Super Hero Character