
Email Security: Email headers

Email has been an essential communication tool for a long time, and with all the email scams out there we need to be smart about email security. Think that little blue checkmark guarantees an email's legit? Not always. So, let's dive into how to really check whether an email is what it claims to be.


Email Header Clues

Every email has these things called headers. They're like a map of where the email's been, from the sender's server to your inbox, plus the notes each server along the way stamped on it. By checking these headers you can usually tell whether an email really came from where it claims. What to check:

🌍 Sender's IP address: Find the IP of the server that handed the message to your mail provider (it's in the outermost Received: header) and check that it belongs to the sender's domain or to the mail service that domain actually uses; reverse DNS and the domain's SPF record are the quick ways to do that. A bank alert arriving from some random residential or cloud IP is a red flag. Keep in mind that the Received: lines added by the sender's own servers can be faked; only the ones added by your provider are trustworthy.

☑️ SPF (Sender Policy Framework): This tells us whether the sender's IP address is authorized to send email on behalf of a domain, based on a list the domain publishes in DNS. It's like a VIP list for email senders: if the sender IP isn't on the list, the email gets the side-eye. One catch: SPF checks the envelope sender (the Return-Path / MAIL FROM address), which isn't always the same domain as the From: address you see, so an SPF pass on its own doesn't prove the visible sender.

🔐 DKIM (DomainKeys Identified Mail): This is a cryptographic signature over selected headers and the body, made with a private key held by the signing domain (the d= tag in the DKIM-Signature header). If it verifies against the public key published in that domain's DNS, the signed parts haven't been messed with on the way to you and that domain vouched for the message. It's like the tamper-proof seal on your bottle of oat milk - yes, you read that right, oat milk.

⚖️ DMARC (Domain-based Message Authentication, Reporting & Conformance): This policy tells receiving servers what to do (none, quarantine or reject) with emails that fail SPF and DKIM. It also adds the piece the other two are missing: the domain that passed SPF or DKIM has to line up with the domain in the visible From: header, so a pass from some unrelated domain doesn't count. The judge, jury and executioner for emails that fail the SPF or DKIM security check.


How to Use Email Headers

Checking headers isn't as hard as it sounds. Your favorite email client almost certainly has a "show original" or "view source" option that dumps the raw headers. There are also websites that will parse them for you - I like MxToolBox and the Google Admin Toolbox (its Messageheader tool) for this. Just learn the basics I mentioned above, and you'll be waaay better at spotting fake emails than you were yesterday.
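As an added example that is not part of the original post, the following Python script reads the Authentication-Results header a receiving server stamps on a message and works through the SPF, DKIM and DMARC results, including the alignment rule DMARC applies. The sample headers, hostnames, IP address, selector and signature values are constructed for illustration, and `org_domain` is a deliberately crude stand-in for the Public Suffix List lookup that real DMARC evaluators use.

```python
"""Added example (not from the original post): read the authentication
headers a receiving mail server stamped on a message and work out what
SPF, DKIM and DMARC actually said, including DMARC's alignment rule."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration only. The hosts, IP address,
# selector and signature values are made up; the signature is not verified
# here (that needs the signer's public key from DNS), only the receiver's
# recorded results are read.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.example.com>
Received: from mta1.example.com (mta1.example.com [203.0.113.10])
\tby mx.receiver.test with ESMTPS id 4abc123
\tfor <alice@receiver.test>; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.receiver.test;
\tspf=softfail (sender IP is 203.0.113.10) smtp.mailfrom=mail.example.com;
\tdkim=pass header.d=example.com header.s=s1;
\tdmarc=pass (p=REJECT) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; c=relaxed/relaxed;
\th=from:to:subject; bh=placeholder; b=placeholder
From: "Example Support" <support@example.com>
To: alice@receiver.test
Subject: Your account notice

(body omitted)
"""

# What each SPF result means to a receiver (RFC 7208 terms).
SPF_MEANING = {
    "pass": "sending IP is authorized by the domain's SPF record",
    "fail": "sending IP is explicitly not authorized (-all)",
    "softfail": "sending IP is probably not authorized (~all): accept but treat as suspicious",
    "neutral": "domain makes no assertion about this IP (?all)",
    "none": "no SPF record published",
    "temperror": "temporary DNS error while checking",
    "permerror": "SPF record is malformed",
}

def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real DMARC evaluators use the Public Suffix List (so 'example.co.uk'
    would need special handling); this is good enough for the sample."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_authentication_results(value):
    """Pull spf/dkim/dmarc results and their key properties out of an
    Authentication-Results header (RFC 8601). The first ';'-separated
    field is the authserv-id and is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        clause = " ".join(clause.split())  # undo header folding
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        props = dict(re.findall(
            r"(smtp\.mailfrom|header\.d|header\.s|header\.from)=([^\s;]+)", clause))
        results[method] = {"result": result, **props}
    return results

def domain_of(address_header):
    """Domain part of the first address in a header like From or Return-Path."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()

def evaluate(raw_message):
    """Summarize SPF/DKIM/DMARC for one message and recompute the DMARC
    verdict from alignment, so the receiver's dmarc= line can be sanity-checked."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf = ar.get("spf", {})
    dkim = ar.get("dkim", {})

    # SPF is evaluated against the envelope sender (MAIL FROM / Return-Path),
    # which is often a different domain from the visible From header.
    spf_domain = spf.get("smtp.mailfrom") or domain_of(msg.get("Return-Path", ""))
    # DKIM's signing domain is the d= tag; prefer the receiver's record of it.
    sig = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = dkim.get("header.d") or (sig.group(1).lower() if sig else "")

    # DMARC (relaxed alignment): an identifier counts only if its method
    # passed AND its organizational domain matches the From domain.
    spf_aligned = spf.get("result") == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    dmarc_computed = "pass" if (spf_aligned or dkim_aligned) else "fail"

    return {
        "from_domain": from_domain,
        "spf": {"result": spf.get("result", "none"), "domain": spf_domain,
                "meaning": SPF_MEANING.get(spf.get("result", "none"), "unknown result")},
        "dkim": {"result": dkim.get("result", "none"), "domain": dkim_domain},
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_reported": ar.get("dmarc", {}).get("result", "none"),
        "dmarc_computed": dmarc_computed,
    }

if __name__ == "__main__":
    for key, val in evaluate(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

In the sample, SPF comes back as softfail but DKIM passes with a signing domain that aligns with the From: domain, so DMARC still passes; swap the From: line for an address at an unrelated domain and `dmarc_computed` flips to fail even though the stale `dmarc=pass` line is still sitting in the header, which is why it pays to check alignment yourself rather than just reading the verdict.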


Conclusion

By getting the hang of email headers, you can really up your game in spotting and dodging phishing scams. That blue checkmark's nice, but it's not bulletproof. Take a minute to verify emails that seem fishy or come out of the blue. Understanding these headers might seem tricky at first, but going through the steps will put you on your way towards boosting your email security skills. Still don't get it? Then reach out to your tech-savvy friend or your friendly neighborhood "interwebs guru" for help.


Chase: Scam or Real

Recently, a family member received an email from Chase, notifying them about a phone number being removed from their Chase Mobile account. This raised some red flags, especially since there were posts online suggesting similar emails were phishing attempts. To be safe, they didn’t call the number in the email but instead reached out to Chase using a different contact number. Surprisingly, the Chase representative told them the email was fake, and the phone number wasn’t associated with Chase.


That didn’t sit right with me, so I decided to look into it and asked my family member to provide me with the original email message headers.


My Findings

Was the email legit? I examined the email headers, which are technical details that reveal where an email came from (delivery path) and whether it’s been tampered with. Here’s what I found:

- The email passed key security checks: It had valid digital signatures (DKIM), came from an approved server (SPF), and met Chase’s email security policies (DMARC).

- The phone number is real: Despite what the representative said, the phone number in the email, 877-242-7372, is actually listed on Chase’s official website as a contact for their Online and Mobile Banking support.

- The "deleted" phone number: The number the email said had been removed was still active in the Chase Mobile app.


My Takeaway

This email turned out to be legit, despite initial concerns. I don't blame them for being cautious, but it’s just as important to verify information before dismissing something as a scam. Email headers can provide valuable insights, and checking official sources like the company’s website is always a good move.


Should the average person have to go through these steps? Nope. Unfortunately, this is the state of email security today. Even though the Chase logo was displayed with Gmail's blue check (which Google only shows for senders whose domain enforces DMARC and publishes a verified BIMI logo), most people don't fully understand what that signifies. Also, Chase could do better by providing more context in their emails.


If you receive an unexpected email, don’t just rely on what you hear—do some digging yourself or reach out to your family IT pro! It could save you from unnecessary worry or missed information.

Phishing: Panic or Legit link?

“Don’t click…have you already…? You didn’t reply…? Forward it to me...”


It was late last year and I was doing volunteer work at a local non-profit. We were knee-deep in the aftermath of Central Texas's "Treemageddon", dragging dead limbs and branches to burn piles, trying to reclaim some semblance of beauty for a small patch of land. Then the site boss's phone erupted with a flurry of texts and calls, which led him to grab his laptop so we could investigate.


What prompted the texts and calls? Unable to access their LinkedIn account and receiving replies to messages they had never sent, the person in question suspected a compromise. They created a new account and reported the "old" one to LinkedIn support as compromised. Because of everything they'd experienced, they were asking whether they should trust the email from LinkedIn asking them to submit a photo, name, etc. via a link in the email.


Analyzing the email headers for DKIM, SPF and DMARC verification, we found DKIM passed while SPF indicated a "softfail", which means the domain's SPF record ends in ~all: mail from an IP not listed in the record should still be accepted, but tagged as spam or suspicious. DMARC passed (on the strength of the DKIM signature, since SPF didn't) and the receiving server handled the message properly by letting it through (please set up DMARC in your environment, if it's not already).


The email path - The email originated from 'webac20.int.rightnowtech.com'. A quick search online indicated RightNow Technologies, a CRM vendor, is part of Oracle Service Cloud. The email was then handed to 'rntac72.rnmk.com', another server owned by "RightNow Technologies" (Oracle), before reaching the recipient's mail provider.
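As an added example, not part of the original post, the following Python rebuilds a delivery path like the one just described from a message's Received: headers, oldest hop first, and picks out the first server with a public IP, which is the earliest hop you can actually attribute to an organisation. The sample headers, hostnames and addresses are constructed (RFC 5737 documentation and private ranges), not the RightNow/Oracle hosts discussed above.

```python
"""Added example (not from the original post): rebuild a message's delivery
path from its Received: headers, oldest hop first, and pick out the first
public-facing server that handled it."""
import ipaddress
import re
from email import message_from_string

# Constructed sample for illustration. Hostnames and addresses are made up
# (RFC 5737 documentation and private ranges), not the hosts discussed above.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [198.51.100.7])
\tby mx.receiver.test with ESMTPS id 9xyz
\tfor <bob@receiver.test>; Tue, 02 Jan 2024 08:00:02 +0000
Received: from app01.int.sender.example (app01.int.sender.example [10.1.2.3])
\tby relay2.example.net with ESMTP id 7abc; Tue, 02 Jan 2024 08:00:01 +0000
Received: from localhost (unknown [127.0.0.1])
\tby app01.int.sender.example (Postfix) with ESMTP id 5def; Tue, 02 Jan 2024 08:00:00 +0000
From: notices@sender.example
Subject: Hop test

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # reverse DNS and literal IP
    r".*?\bby\s+(?P<by>\S+)"                                     # server that received it
)

# Loopback and RFC 1918 / ULA ranges: hops inside the sender's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def is_internal(ip_str):
    """True for loopback/private addresses, False for public ones or garbage."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def parse_received(value):
    """One Received: header -> hop dict. Unparseable headers keep the raw text."""
    folded = " ".join(value.split())  # undo line folding
    m = RECEIVED_RE.search(folded)
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "raw": folded}
    if m:
        hop.update({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    # The timestamp, if any, follows the last ';'.
    hop["time"] = folded.rsplit(";", 1)[1].strip() if ";" in folded else None
    # A HELO name that doesn't match reverse DNS is worth a look, though
    # plenty of legitimate senders trip this too.
    hop["helo_matches_rdns"] = hop["rdns"] is not None and hop["helo"] == hop["rdns"]
    return hop

def delivery_path(raw_message):
    """Hops in the order the message travelled. Each server prepends its own
    Received: header, so the bottom one in the message is the oldest."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops

def originating_hop(path):
    """First hop whose client IP is public: the earliest server you can
    actually attribute to an organisation (earlier hops are inside its LAN)."""
    for hop in path:
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop
    return None

if __name__ == "__main__":
    path = delivery_path(SAMPLE)
    for i, hop in enumerate(path, 1):
        print(f"{i}. {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    origin = originating_hop(path)
    print("first public hop:", origin["rdns"], origin["ip"])
```

Remember that only the Received: headers added by your own provider (the top ones) are trustworthy; everything below the first line your provider wrote was supplied by the sender and can be forged, which is exactly why a lookup of the first public hop's IP and reverse DNS, like the one in the story above, is the part worth doing.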


Based on the analysis, we were confident the email was from LinkedIn, but were still skeptical about the link in the email.


The '10tix.me' email link (nothing found in LinkedIn HELP) redirected to a link at 'au10tixservices.com'. With the help of Google Bard, we confirmed the domain in question appeared to be operated by AU10TIX, an AI-based identity verification provider, and is a service used by LinkedIn for customer onboarding and customer verification automation.


So what was our response to the texter and caller who sent us down this path? “There’s strong evidence the email came from LinkedIn and the link should be safe to click.”


Conclusion

This isn't just about one email. While further transparency from LinkedIn about '10tix.me' and wider adoption of BIMI are advisable, remember it's crucial to stay vigilant with email links and seek help if needed. Stay safe online!