Since the coronavirus pandemic, scam emails have been on the rise, including emails with spoofed sender addresses.
Increasingly, scammers send out emails that appear to come from the WHO. This is possible because the WHO has not set up its DMARC/DKIM policy strictly enough.
To be fair, it is very hard for large, federated organizations to implement DKIM and DMARC strictly enough to prevent any abuse. Strict DKIM/DMARC policies in federated organizations might also lead to legitimate emails failing DKIM/DMARC checks and ending up in spam folders. Keeping track of all the federated email servers can be challenging for administrators, so they prefer not to set the DKIM/DMARC policy too strictly.
The WHO warns everyone that they
In the WHO's defense, none of the big, federated organizations we tested - e.g. Greenpeace, Human Rights Watch, Amnesty International - had set up a strict DKIM/DMARC policy.
While some guides claim that setting up DKIM and DMARC is easy, it is in fact very complicated to get right. Nevertheless, it is very important for combating fake emails, as the Australian Cyber Security Centre points out.
Tutanota has implemented a strict DKIM and DMARC policy to make sure that attackers cannot spoof emails from our domains to other mail providers, such as:
We also have a DMARC policy of quarantine, which tells other providers that emails from Tutanota domains that lack a valid DKIM signature and do not come directly from our servers should be treated as spam.
It is a lot of work, but taking care of such things - along with other measures - pays off with great results on email security checks.
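To illustrate what a "policy of quarantine" means for a receiving server, here is an added example (not Tutanota's code) that parses a DMARC TXT record and returns the disposition a receiver applies when neither DKIM nor SPF aligns with the From domain. The records and the domain example.com are constructed for this example; the tag names are the standard DMARC tags.

```python
"""Simplified DMARC evaluation: parse a record, then decide the disposition.

Constructed sample records for a hypothetical domain example.com. A lax
record (p=none) asks receivers to deliver unauthenticated mail anyway; the
strict one (p=quarantine) asks them to treat it as spam, as described above.
"""

LAX_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = ("v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # 'v' and 'p' are mandatory; anything else is not a usable DMARC record.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def _aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) also accepts subdomains of auth_domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if from_domain == auth_domain:
        return True
    return mode != "s" and from_domain.endswith("." + auth_domain)


def dmarc_disposition(record, from_domain, dkim_domain=None, spf_domain=None):
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    dkim_domain: d= of a DKIM signature that verified, or None if none did.
    spf_domain: MAIL FROM domain if SPF passed, or None.
    (pct sampling is omitted; this applies the policy to every message.)
    """
    tags = parse_dmarc(record)
    dkim_ok = dkim_domain is not None and _aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_domain is not None and _aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"
    return tags["p"]
```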
Tutanota also supports SPF, DKIM and DMARC for custom domains. With the help of our instructions, it is very easy for every Tutanota user to activate SPF, DKIM and DMARC for their own domains.
During configuration we also provide some helpful icons to show you if you have correctly configured SPF, DKIM and DMARC records.
To protect our users from faked emails coming from outside:
Unfortunately, we cannot block all emails that fail a DMARC check because, as the WHO example above shows, this would also block lots of legitimate emails.
We hope that the uptake of DMARC and DKIM will continue to increase for the security of every email user. At Tutanota, we work hard to enable all our users to send only emails with valid DKIM signatures, even when using their own domain.
Recommended for further reading: How to prevent email phishing.