DMARC, SPF and DKIM: What and Why?

The short answer is email security delivery and spam prevention which are related in many ways. Do not ignore these seemingly boring acronyms: DKIM and SPF. They help us assess whether we can trust emails.

What is the problem?

Opening every email is a risk. You need to trust emails you open. You need recipients to trust the ones you send.

One way to reduce that risk is to know who has sent it and assess whether or not we trust them. So how do we know who the sender is? Not by the sender name, that is for sure. Something purporting to come from a large trustworthy company, perhaps? Nat West bank or “SCREWFIX” (i.e. the tools and materials retailer) might mail you about your account or a competition. It may have come from from a different email domain if you click into it. SCREWFIX<dhlkjlj@zxyildgt .ru> is an example where you can see the “friendly name” “SCREWFIX” is completely different to the email domain name (the bit after the@-sign). See if you can spot this in the email below received as I looked for examples whilst writing this.

So people send emails “spoofing” that they are someone else. Much spam is probably going out from your company name right now and causing damage to your reputation. This happens to every company after a while. So, how can we be even more sure of the sender?

How do you check a sender?

Where does this email come from?

Each server on the internet has a unique “IP” address to identify it. The IP address of the server where the mail originated provides a little more assurance. You can see the IP where an email originated (and all the servers it went through before getting to your email inbox by looking in the email “headers”. Different mail programs hide this in different places but you should be able to google where it is. It is a bit like the postmark on an envelope. If it says it was posted in Leeds, and your sender lives in Leeds, you can have a bit more confidence. If it says it comes from Santa Claus and the postmark says “North Pole” any grown up knows post marks can be forged. Regrettably, an IP can be spoofed in the same way. However, there are a couple of major problems even if the IP address of the sender is completely genuine. How do you know if it is the IP of the sender or just some other IP? The answer is SPF (Spam Protection Framework).

The SPF standard allows email domain owners to say: “Email from my domain may only come from the server with this IP address and any other IP addresses should not be trusted.” That is really helpful because even if you do not go comparing the IP address from which the email originated and the IP address(es) that the domain owner has configured, the mail relays will do so. It is relatively easy for them to compare the two and many will block mails that do not comply before you receive them. Now turn it around the other way. If you do not set this up for your email domain, more and more servers will block your emails and people will not receive them. I.e., you will have a “deliverability issue”.

To add your valid originating IPs for your company, you need to add the details to the “SPF record”. This is done in the DNS control panel for your domain. The task requires technical knowledge. Do not attempt DNS changes unless you understand how it all works. Call your ISP or hosting company to ask their advice. Also, you should make sure you (or a technical manager you trust) know the access credentials for the DNS for any domain in your business so you can make changes when required.

What, When and Who are valid for this email?

Experts soon saw that the above weaknesses in SPF needed to be addressed. A new method was needed. There had to be some way machines could trust an encrypted key mechanism to see if the email was genuinely:

  • sent at that date and time
  • from that email address (sender)
  • to that/those email addresses (recipients)
  • Subject line.

This is accomplished by DKIM (Domain Keys Identification Method) whch was designed to address the problem. You need to make sure you have this set up correctly for any servers you authorise to send your email. You need to make sure your incoming email servers check it, too.

The way it works is that the email server generates an encrypted string (2048 bit is acceptable at time of writing) which encodes the above facts as the email is sent. When any mail “relay” server receives it, it can check this against a 2048 bit DKIM key that is shown publicly on the domain. If the two “fit” together, the email is passed along. If not, some other action ranging from nothing to an alert to blocking (or even deleting) takes place. Because of the challenging rise in spam and dangerous emails, the servers and mail applications are getting increasingly strict.

Once again, to set this up, you need a DNS skilled professional. The whole process should be less than half-an-hour including checking with a tool like MXToolox.com or demarcian.com. It may seem expensive and complicated but “doing nothing” is will probably come with a cost! Your business emails will get blocked and become more and more undeliverable.

You may hear about another Acronym: DMARC. (Domain-based Message Authentication, Reporting and Conformance) This is a way that email management professinals configure their servers to react to the SPF and DKIM data associated with the emails. Basically, the rules as to whether it is fine, marked a spam or so dangerous it needs to e deleted. Different professinals take different views. However, the large organisations that move the most email traffic also getting stricter. So you need to be verified byut them also or your email will be rerouted or deleted if not properly configured to prove you are who you say you are.

Verification records

In addition to the above internationally accepted DMARC standards, the major email traffic players have their own additional verification checks. If you or your clients or staff or any other stakeholders or consumers have gmail addresses or other google mail services such as G-Suite, You will need Google Verification. Ask your tech person to click here and follow the process for Google Verification. There are similar processes for other mail relay providers including Apple and Microsoft.

Some further reading

You may also wish to read this article from AccountingWeb which explains it in easy-to-understand lay terms.

Support

If you are experiencing deliverability issues sending mail from your AXLR8 system, please contact Support by email or call. We will review all of the above with you.

AI developments

AI developments

AI can help us with all sorts of work. We have been looking for about five years at how we could integrate the power of AI developments into AXLR8 product lines. Here are a few examples.

  • Sales One simple early success came from batch OCR reading of visiting cards brought back from a trade show or trip. It works really well with competing offers from MS, Amazon, Google and others. The offers are provided on a Freemium basis. Last time we checked you could use 1000 searches a month before hitting a paywall. Nowadays, however, more utility from AI Developments when entering data into your CRM comes from customer enquiry forms on your website or AXLR8 Import Admin for, e.g. your LinkedIn contacts. Specialist suppliers are creating interesting marketing applications. We are monitoring these tools. Soon we will integrate a “best of breed” partner’s offering. Most likely, this will be for lead generation and proposal writing.
  • Information Governance We researched the claims of suppliers offering AI to help with SAR redaction. Their utility did not match the claims except in the simplest examples. I would describe the results as worthy of a Khaby Lame reactions TikTok video. We will come back to that in future.
  • ATS (applicant tracking systems) seems a good area for AI developments. Applying AI to recruitment strategies could really speed up onboarding staff for rapid deployments or growth. We are also looking at spotting issues with vetting and rights to work.
  • Workforce planning Optimising staff journeys and bookings for shifts in security, field marketing, hospitality and counter cover seems achievable. Clients with large data sources to learn from is proving an interesting area of study.
  • Finance Brokers We have seen some success with selecting funders. However, none of the AXLR8 AI developments match an experienced commercial finance intermediary professional. You need the experience and client knowledge. Like the IG example of redaction, above, there is a limit to how useful the tool an be. Also, it needs material to learn from. How much insight of a client situation is an AR prepared to type into a system. Any algorithm created by banks for loans seems to miss great funding requirements. It creates the very conditions where clients work through brokers!
  • Marketing The next stage of our marketing functions would be if they autogenerated content and knew and could learn from e.g. campaign timing. Most of our clients need quality with low unsubscribe rates in their mailings. So, care would be needed. Can you spot one of our blogs that was co-written by ChatGPT?
  • Systems reliability AI is most helpful behind the scenes in predictive self-healing algorithms. These fix our systems regularly before problems arise. This has been a positive AI development.

AXLR8 will carry on investing in development trials. If you feel an area of our products could be automated, please let us know.

Start up companies using AXLR8

Start up companies using AXLR8

It is an old adage that more companies go bust coming out of recessions and depressions than during them. So now there are very competent managers who are starting out with their new businesses and using AXLR8 from the very beginning.

AXLR8 packages for startups

We have responded with a start up pricing package. It is summarised as: “Start at a low cost whilst you need to keep costs and risks down. Pay us more when you get richer”. So we are effectively investing in start ups. Obviously, some make it and some do not – for all sorts of reasons.

Many are staffing companies where their previous employers went bust. Most are successful. See this article. There are no surprises why some succeed and some fail – hard work and keeping lots of plates spinning.

We are just exploring and testing different offers customised for startups. It really started when we had to lend money to clients during the recessionary period in order to keep their systems going. The reason for this was that their services have not been required for two years! Thankfully, most of those have recovered and are paying us back as their shift numbers increase.

Others have come across from competitors who have been left with balance sheets tens of thousands underwater and in two cases a quarter of a million under. So make sure you check out the financials of any prospective supplier before gambling your business future on them!

New Finance Broker Portal User Experience

Thanks to the commercial finance intermediary clients and their teams who have helped us develop and improve this new look and feel. We hope you feel we acted on your feedback and you like the results. If your organisation has not switched your user account over to it yet, here is a video showing how it works.

AXLR8 Commercial Finance Systems
Easy to use and improves productivity

AXLR8 has been working for two years on a new set of portal development tools to create user experience (UX) – simple workflow systems that are easy to use. We have deployed them on modules of our other systems before but this is the first full systems refresh to come all the way through a year of broker feedback.

In addition to improving productivity, the new user interfaces we hope the systems are

  • easy to use
  • simple to understand
  • quick to learn (virtually no training is our goal)
  • flexible to change and evolve for your company
  • easy to pick up again after a break
  • friendly
  • secure and quick

Please judge for yourself. Watch this video.

The new interface development tools are proven in many of our systems now including the Loan Matrix (Loan Management System), Information Asset register (IAR) and the new Talent Management and Applicant Tracking Systems (ATS) from AXLR8.

Easy to use AXLR8 Portals
Easy to use AXLR8 Portals

Secure Passwords

Your passwords should be unique and memorable. If you do not read any more of this article, just remember to make your passwords from three random words.

Passwords should be…

  • long at least 10 characters
  • unique – do not use the same password for more than one purpose
  • memorable – if possible so you do not have it on a yellow sticky!
  • complex – add some numbers upper and lower case characters and some non-alphanumerics such as $, -,!,@ (special characters)
  • regularly changed
  • securely stored if stored at all. Possibly an encrypted file or a specialist recognised password vault
  • changed occasionally (changed too often can create its own security weaknesses). It is accepted that a more complex long password changed less frequently (say annually) is better than a simpler, shorter password changed frequently (e.g. every quarter).

Some of the above may conflict. The better (long, uncrackable, frequently changed, etc.) your password is, the more difficult it is to recall. Therefore, you need to record it and, unless this is done securely, that in itself becomes a security weakness. The familiar yellow sticky on the screen is dangerous but writing them all down on a piece of paper is asking for trouble.

Only secure systems should be trusted with your personal information:

  • encrypted password storage so not even the programmer of the system can read it.
  • SSL encrypted browser to server communications (padlock HTTPS:// in the URL) so that it is not compromised between your PC and the server
  • A ban on further attempts at password attempts after a small number of tries – five to ten attempts maximum.

Your information is probably already compromised

You must assume your password has already been found out and is available to many hackers. How?  Check this site to see where your details.

https://haveIbeenpwned.com

Put your email into the box and see the results showing how many sites, where you used that site, and what personal information has already been stolen and has been on sale for many months or years. Everyone should know this but we reckon nineteen out of twenty AXLR8 clients we show this to are completely unaware of how exposed they are.

Brute Force Dictionary Attack

Someone can easily guess my password?

There are hacking tools that attempt thousands of username and password combinations. Many of our servers that are open to the internet have 45,000 attempts per day which are blocked.

The way password guessing works is by using information already available to the hacker’s computer. Your name is an example so do not use your name with “123” after it. Further, your first & last name, school and many more pieces of personal information must be assumed to be known by hackers. If you have a word that is typically used in your password such as a pet name, animal, flower, place, or whatever, a “Dictionary” attack will probably find it by using a list of common words and configurations of those words. For example, Dictionary attacks are really good at words and phrases. They also check adding your date of birth and other information they have derived or purchased. Thus, if your password is made from the word Banana and your date of birth (in this example 10th November), you might make a password like “B4n4n4-1011” On the face of it, this is more than 8 characters and obeys many of the accepted rules from a few years ago.

Good dictionary attacks already have your date of birth, first pet’s name, primary school name, and many other answers to “hint” and “ID check” questions you might have entered in other sites as mentioned above.  Most know dates of birth and names of children, which are very common combinations for passwords. All know combinations of common passwords like “Secur1ty”, “pass1234”, “Password!” and “letmein” is well known. Similarly, although it is not the subject of this article, please do not keep your default firewall or blue tooth PIN as “1234” or “0000”. Also, obviously, do not make it the same as your bank PIN!

Yikes! What shall we do then?

Password reset

You should change your password now.

Dictionary attacks are very, very good at finding a word or phrase and number combination. However, they are unable to begin to guess at something you passed on the way to work, a randomly selected object in your house and a film you like or three things you saw on holiday or in a film plus your favourite actor.

Just choose three random words to make a memorable password and chuck  in some number(s)/non-alpha(s) characters.

e.g. apple sock ship might end up apple1812-$hipSocks.

Maximum password attempts is a good way to protect against such attacks.

In conclusion make sure your passwords obey the rules at the top of this page and, if you do nothing else, use three random words that only you would recall because only you saw a jaguar, a robin and a bike tyre puncture on your way to the shop this morning.

Repercussions

If it is your personal password for, say a private bank, game or subscription, you may lose money or pride. Worse is possible if someone steals your identity and commits criminal offences in your name. It is not enough to know you are not guilty. There are several cases where an innocent victim of such ID theft has been attacked by another victim of the crime. Lastly, if you are at work and responsible for other people’s data on a system and neglect your duty to create a secure password and keep it secret, you could damage many other people. This could happen if you are working on any accounts, CRM, HR system and many others.

Also, if you are an AXLR8 client running a business you have built up for years, you will need to make sure that you and your staff abide by these simple rules in a complex world.

If this raises any queries, please call AXLR8 support on 01344 776500 and we can help your Super Users with your system security and staff security training.

New AXLR8 Commercial Finance interfaces

AXLR8 are migrating users to new interfaces to reduce training and make the system quicker and easier to use. Simple lists of proposals and clients have clicks through to more details if desired. Adding new propsals uses a step-by-step wizard approach that even the world’s greatest technophobe will embrace!

Easy to use AXLR8 Portals
Easy to use AXLR8 Portals

These announcements (and see here) are part of the product roadmap which started nearly 20 years ago and will continue with many interfaces to external lenders and other information sources.

Please call to discuss your team’s requirements.

01344 776500

Clear new AXLR8 Portal interfaces

Clear new AXLR8 Portal interfaces

AXLR8 has been spending the last three years updating and improving the AXLR8 User Experience (UX). Many parts of the system are now being systematically added and seamlessly replacing exisiting client systems.

Staffing Agencies

Field staffing apps have been evolving for a while and are now customised to your company and also have all the functionality you would expect from AXLR8’s comprehensive staffing agency systems.

Applicants for different job postings
AXLR8 Application Tracking System: effective recruitment metrics

The staffing systems internal HQ Admin wokflows are being improved, functon by function, starting with the recruitment team using AXLR8 applicant tracking systems.

Dashboards

AXLR8 Dashboards are built internally at clients with knowledgeable accredited AXLR8 Super Users now. They can be built and placed any where in the system but the most popular place is the opening page with a management overview.

AXLR8 Dashboards
AXLR8 Dashboards give a real time overview of business health

Finance

AXLR8 are growing in the commercial finance and loan management systems markets as a direct result of improving user interfaces.

AXLR8 LoanMatrix
AXLR8 Loan Management Systems

Government

AXLR8 is updating the Information Request Management and Information Asset Register systems in use across central and local government and NHS.

AXLR8 IAR
Information Asset Register keeps data sources inventory maintained

Apps

AXLR8 have been delivering Apps on all major operating environments for seeral years for our clients to replace and complement our web apps and web portals.

App Screens
Simple to use fault reporting and service logging app

The above maintenance app is a simple “see snap send” reporting mechanism as well as containing all the information requied for service, installation and other equipment management tasks for an engineer.

The comprehensive AXLR8 Staffing App is simpl for the staff member to use for shift information, work planning availability calendar, pay, expenses, field reporting and surveys (on and off line) updating personal details, Chat mechanism, proof of attendance and so much more. It is used by tens of thousands of staff every day.

Staff App Screens
Staffing App with client customised content and functionality

Please email sales@axlr8.com or call us about your business systems requirement 01344 776500

AXLR8 Login Tips

Security is only going to get stronger in the world of business applications.

Therefore, some of your legitimate users will face occasional barriers to accessing your business applications including the one you have purchased from AXLR8.

Quick fixes

Assuming they are legitimate users, the quick solutions you can try are as follows.

Common user issueWhat to do about it
Forgot password (includes typing the wrong case e.g. “ABCD1234” instead of “AbCd1234”)They should go through the password reset process. It sends them a temporary login and instructions on how to create a new secure password.
A Super User can also kick off this password reset process.
Too many false login attemptsThe users account will be disabled. A Super User needs to go to their User Admin area, select that user and take their account from the “disabled” to the “active” list. Don’t forget to check they are still legitimate users!
Not received password reset emailThe email with the reset password instructions has probably gone into their spam folder.*
The user must check their spam folder, retrieve the mail and follow the instructions.
User forgot login name (includes typing it wrong such as “JOHN SMITH” when it is actually “JOHNSMITH” without a space)They can use the user name reminder process.
You can send them the correct user name and explain the importance of typing it exactly.

*If all go to spam, then your DKIM and SPF records a may not be set up correctly and you may need to ask assistance of whoever manages your DNS.  AXLR8 can re-supply the correct values for these.

The above should solve it (and probably similar problems from any system you may use, from any supplier). If not, one of your company’s AXLR8 Super Users should follow the steps in the link below with your user (client, field staff, etc.) in order to resolve the matter.

Detailed help notes

For more detailed instructions about how to troubleshoot problems when users cannot log in, please click here.

AXLR8 SMS Pricing 2020

AXLR8 have reduced the prices again for 2020. 

Text messaging is ever more used by companies to remind or alert people and organise activities quickly. It is more effective and faster than email.

The reason for this price reduction is the multi-million volumes now purchased by the AXLR8’s “buying club” of clients. Also, to a lesser extent, we reduced administration with small price rises for buyers of lower volumes that cause proportionately more admin. Prices now start at under 2p/unit for our very high volume clients. Very low volume clients buying 1000 occasionally for example pay more than four times that cost per unit but have a low entry point, a low MoQ (1000 for £85 plus VAT to cover admin) and “pay as you go” preference.

AXLR8 SMS Price List

Most commonly, staffing agencies or businesses that need to alert clients or others to events, buy 10k units as “stock” for their AXLR8 Text Tank. The price for 10k texts if you are a buying club subscriber is £294 plus VAT from 1st December 2019 (instead of £323 plus VAT till end November 2019). Partly this is achieved by reducing admin costs. The minimum order quantity (MOQ) is 10k for these prices.  This has a couple of implications.  First, you are less likely to run out and secondly, we suggest  you change your low units alert levels to 3000 and 1000 minimum reminder level so you have enough time to order a top up.  You can log in to https://sms.axlr8.com to change these parameters and see the level of texts in your tank as well as many other facilities.

Hopefully , you will join other clients who are using AXLR8 apps for iPhones and Android devices so that AXLR8 Chat to reduce messaging conversation costs further.

Use cases

  • Appointment reminders
  • Tactical instructions for mobile workers
  • Tracked assets moved to unexpected locations (usually outside geofence)
  • Security alerts for night guarding
  • Stock replenishment in FMCG, warehouses or medical supplies
  • Informing BSL translators of work opportuities
  • Power cut alert as UPS kicks in
  • Refrigerated goods below a pre-set temperature
  • Alerting staff to new work shifts you need to fill
  • Staff booking confirmations
  • Surveys for clients and staff
  • work completion or pre-ordered item availability
  • and may more

AXLR8 at Cannes 2019 Film Market

Following up with several fast growing Film Sales Agents around the world who showed interest in the AXLR8 Film Rights system.  Many will be able to replace their present disparate systems including CRM, mailing, Film Rights and many spreadsheets with one comprehensive AXLR8 Film Sales system.

Looking forward to speaking with you soon and hope everyone ‘s trip went well.