Ninety-three percent of REALTORS® in Texas report using email to communicate with clients and customers, according to the 2019 Profile of Texas REALTORS® Members. But real estate email communications are increasingly the target of wire fraud. In many instances, cybercriminals seek to “spoof” or pose as the email address of a legitimate participant in the transaction—such as an agent, broker, or title company—to trick victims. However, there are measures that can be implemented to help weed out messages from illegitimate sources.

Knowing the following terms can be helpful when discussing email security with technology staff or implementing email marketing services. Taking steps to prevent your email address from being associated with fraudulent activity can also lead to more of your messages being delivered correctly, as email service providers look favorably on the use of the technologies below.

DomainKeys Identified Mail (DKIM)

DKIM is a method of authenticating that an email message did come from the address shown as the sender in the From field that’s displayed in your email client. Each message goes out with a digital signature that can be checked against the public Domain Name System (DNS) record of the sender’s email address. Only owners of a domain can edit its public DNS record.

Sender Policy Framework (SPF)

SPF is another authentication method. A list of servers that can send email on behalf of a domain is published in its public DNS record, which receiving email servers can use to check the sender in the digital envelope of a message. SPF is most effective when paired with DKIM, which checks the address visibly displayed as the sender.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

DMARC functions as a set of instructions for how to verify email from a domain and what to do with messages that can’t be verified as authentic. Receiving email servers can check the DMARC policy in a domain’s public DNS record to see which authentication method to use (SPF, DKIM, or both), how the visibly displayed From field should be checked, and whether to quarantine or reject messages that fail authentication. A DMARC policy can also stipulate how to notify a domain’s owner of messages that fail authentication.
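
The following is an added example, not part of the original article: a Python sketch of how a receiving server combines its SPF and DKIM results with a domain's DMARC policy to decide what to do with one message. The function names, the example.com domains, and the sample record are constructed for illustration, and the organizational-domain check is a simplification noted in the code.

```python
# Constructed sample DMARC record, as it would appear in a DNS TXT record.
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf_pass, envelope_domain,
             dkim_pass, dkim_domain):
    """Return 'deliver' if DMARC passes, else the policy's p= value
    ('none', 'quarantine' or 'reject')."""
    policy = parse_dmarc(record)
    # SPF checks the envelope sender; DKIM checks the signing domain.
    # Each only counts if its domain aligns with the visible From domain.
    spf_ok = spf_pass and aligned(envelope_domain, from_domain,
                                  policy.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain,
                                    policy.get("adkim", "r"))
    return "deliver" if (spf_ok or dkim_ok) else policy["p"].lower()

if __name__ == "__main__":
    # Genuine message sent through a marketing service: SPF is for the
    # service's own envelope domain, but DKIM is signed as example.com.
    print(evaluate(RECORD, "example.com", True, "bounce.mailer.example",
                   True, "example.com"))
    # Message showing example.com in From, but authenticated only for an
    # unrelated envelope domain and carrying no DKIM signature.
    print(evaluate(RECORD, "example.com", True, "example.net", False, ""))
```

The second case shows why the visible From field has to be checked separately: SPF can pass for the envelope domain while the displayed address belongs to someone else.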