
Understanding Email Authentication

Learn how email authentication technologies reduce the chances of phishing scams.

Email authentication technologies significantly reduce the risk of scammers sending phishing emails that appear to originate from your company. These technologies enable a receiving server to confirm the legitimacy of an email purportedly sent by your company, effectively blocking or quarantining emails from imposters and alerting you about the attempt.

If your company's business email uses your own domain name (for example, yourbusiness.com, with addresses like name@yourbusiness.com), then without email authentication scammers can send emails that appear to come from your business. Make sure your email provider supports these three critical email authentication tools:

  • Sender Policy Framework (SPF) clarifies which servers are authorized to send emails under your business’s domain name, allowing the receiving server to verify and accept legitimate emails while flagging suspicious ones.

  • DomainKeys Identified Mail (DKIM) attaches a digital signature to outgoing emails, enabling servers to confirm that an email from your domain was indeed dispatched from your organization’s servers and remains unaltered during transit.

  • Domain-based Message Authentication, Reporting & Conformance (DMARC) complements SPF and DKIM by checking that the domain authenticated by SPF or DKIM aligns with the domain in the “From” address the recipient sees. DMARC also lets you tell receiving servers what to do with emails that fail these checks and request reports of such events.

Configuring these tools requires expertise to avoid mistakenly blocking legitimate emails. Make sure your email hosting provider can set them up properly; if it cannot, consider switching providers.
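
To make the three mechanisms concrete, the following Python script is an added example (not code from the original article or from any email provider). It models what a receiving server does once a domain publishes SPF and DMARC records: it evaluates the SPF record for the connecting IP, takes the DKIM verification result as a given input, tests whether the authenticated domain aligns with the “From” domain, and applies the published DMARC policy. The domains, IP addresses and DNS records are constructed for illustration, and the organizational-domain check is a crude stand-in for the Public Suffix List that real receivers consult.

```python
"""Toy DMARC evaluator (added example; not code from the original article).

Models what a receiving mail server does with a message once SPF, DKIM and
DMARC are published: check SPF for the sending IP, take the DKIM result as
given, test identifier alignment, and apply the domain's DMARC policy.
All domains, addresses and DNS records below are constructed for illustration.
"""
import ipaddress

# Constructed TXT records for a hypothetical domain (assumption, not real DNS data).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real mail servers.
DNS_TXT = {
    "yourbusiness.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "bounce.yourbusiness.com": "v=spf1 ip4:203.0.113.10 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.yourbusiness.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; "
                               "rua=mailto:dmarc-reports@yourbusiness.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sending_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for `sending_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the ip4/ip6,
    include and all terms are handled; a real evaluator also supports a, mx,
    exists and macros, and enforces the DNS lookup limit more precisely.
    """
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only if the referenced record yields a pass.
            if spf_check(sending_ip, term[len("include:"):], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Crude stand-in for the Public Suffix List: keep the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """DMARC alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not authenticated_domain:
        return False
    a, f = authenticated_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def dmarc_evaluate(from_domain, sending_ip, mail_from_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    from_domain       domain of the From header the recipient sees
    sending_ip        IP address of the connecting server
    mail_from_domain  domain of the SMTP MAIL FROM (envelope sender), used by SPF
    dkim_result       'pass' or 'fail', the outcome of DKIM signature verification
    dkim_domain       the d= tag of the verified signature ('' if none)
    """
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        return "none", "deliver"  # no policy published; nothing for the receiver to enforce
    tags = parse_dmarc(record)
    spf_aligned = (spf_check(sending_ip, mail_from_domain) == "pass"
                   and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass"
                    and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    # Neither mechanism passed with alignment, so the published p= policy applies.
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail: listed IP, DKIM-signed with d=yourbusiness.com.
    print(dmarc_evaluate("yourbusiness.com", "203.0.113.10", "yourbusiness.com", "pass", "yourbusiness.com"))
    # Spoofed mail: unknown IP, no DKIM signature, so the quarantine policy applies.
    print(dmarc_evaluate("yourbusiness.com", "192.0.2.77", "yourbusiness.com", "fail", ""))
    # Vendor sending on your behalf: SPF is the vendor's domain, DKIM signs for yours.
    print(dmarc_evaluate("yourbusiness.com", "198.51.100.25", "mailhost.example", "pass", "yourbusiness.com"))
```

The third case is the one that most often breaks when a provider sets this up badly: a vendor that sends on your behalf passes SPF for its own domain, which does not align with yours, so the message survives DMARC only because the vendor signs with a DKIM key for your domain. Without that signature it would be quarantined exactly like a spoof, which is why the article warns that misconfiguration can block legitimate mail.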

The Danger of Spoofed Emails to Customer Relations

When scammers spoof your company's email to send fraudulent messages to your customers, it can lead to several harmful scenarios:

  • Loss of Trust: Customers might lose trust in your brand, fearing that their personal information is not secure with your business.

  • Financial Fraud: Scammers might trick customers into sending money or revealing sensitive financial information.

  • Identity Theft: Customers could be duped into providing personal details, leading to identity theft.

  • Malware Infection: Links or attachments in spoofed emails could infect customers' devices with malware, leading to data theft or loss.

  • Damage to Reputation: News of the spoofing can spread, damaging your business's reputation and potentially costing you current and future clients.

Action Steps If Your Email Is Spoofed

If you discover that your company’s email has been spoofed, immediately:

  • Report the Scam: Contact local law enforcement, the FBI’s Internet Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. Forward phishing emails to spam@uce.gov and reportphishing@apwg.org.

  • Notify Your Customers: Promptly inform your customers through mail, email, or social media, and avoid including hyperlinks in those emails so your notice is not mistaken for another phishing attempt.

  • Alert Your Staff: Use this incident to refine your security practices and educate your staff on recognizing and responding to cyber threats.