By Jeff Stein, Information Security Architect, Reputation.com
Once known as electronic mail and used for simple but near-instantaneous communication between computers, email has evolved to serve a variety of important business purposes. These range from massive marketing campaigns to closing business deals, as well as the use of the address associated with an email account as an almost universal identity that can be leveraged across multiple sites and accounts. The varied modern functions of email have made it an integral part of our daily lives and of the modern work environment. As with any core technology, as its popularity has grown, so have the attack vectors that malicious actors target, such as compromising a system, socially engineering a user and spoofing the domains of reputable organizations.
The regularity with which domains are spoofed by malicious senders illustrates the issue and the need for message integrity in email. At a basic level, the challenge of message integrity arises from a fundamental lack of security in the design of SMTP, the underlying protocol used to send an email. When reviewing SMTP from a security perspective, using the CIA triad as a barometer, you will observe that the protocol lacks provisions for both authentication and encryption. Encryption is important for adding confidentiality to the emails you send, while authentication is important for ensuring the integrity of a message.
Where the original SMTP standard is lacking from a security design standpoint, standards are now available to complement SMTP and provide a more secure messaging experience. Communication can be sent over TLS to provide encryption and therefore confidentiality of email during transmission. From a message integrity standpoint, a combination of three email authentication standards, SPF, DKIM and DMARC, provides for a secure implementation of email.
SPF acts as a whitelist for your domain, giving mail senders the ability to define which IP addresses are allowed to send mail on behalf of the email domain. While a whitelist may seem sufficient for providing message integrity, one limitation of SPF to be aware of is that the framework only allows up to 10 IP addresses to be associated with the SPF record. Depending upon how many legitimate parties send on behalf of a domain, this may be quite limiting. Additionally, to increase trust in the source of a message, DKIM enables message integrity by adding a digital signature to the message. By validating the digital signature, the recipient can determine whether the message is valid or whether it has been altered or forged.
To improve the handling of the two standards highlighted above, DMARC is a framework that allows a domain owner to instruct the message recipient on how to handle any messages received from the domain which do not pass a combination of SPF and DKIM authentication. In essence, DMARC overlays the protections of both SPF and DKIM and gives domain owners a vector for specific guidance to mail relays on how to handle such a message: reject it outright, quarantine it, or take no action at all and merely report on infractions.
The important takeaway from these authentication standards is that while SPF and DKIM can be used independently without DMARC, the overall framework provided by DMARC will yield a more holistic message integrity posture, combining the benefits of all three standards. Leveraging a DMARC strategy will put your business ahead of the curve when it comes to message integrity. A recent study on Global DMARC Adoption by 250ok, an email intelligence platform, found that nearly 80% of all domains do not employ a DMARC policy.
Even when DMARC is deployed, March 2019 data provided by Microsoft uncovered that of the Fortune 500 companies which did leverage DMARC as part of their message integrity strategy, a full third had the framework configured to report-only, providing no technical controls over the fate and enforcement of outbound emails sent on behalf of their domain. As highlighted in the studies above, to get the most value out of a message authentication strategy you will want to leverage SPF, DKIM and DMARC together and configure DMARC to reject messages that neither originate from sources contained in your SPF record nor carry proper DKIM signing. By choosing to reject messages from unauthorized sources rather than to quarantine them or simply gather reporting information on who is sending on your behalf, you have the ability to prevent those messages from ever reaching recipients. This protection-focused stance will improve your message integrity posture by reducing the number of spoofed and phishing messages sent from your domain. Reducing the amount of malicious mail associated with your domain will also help improve the overall reputation of your domain and business brand with mail recipients.
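As an added example (not part of the original article), the following Python applies the points above to records a domain owner would publish in DNS: it parses a DMARC TXT record to tell a report-only policy (p=none) from an enforcing one, and evaluates a sender IP against the ip4/ip6 mechanisms of an SPF record. The domain and both records are constructed samples; DNS-based SPF mechanisms (include, a, mx) are not resolved here.

```python
"""Added example: DMARC policy classification and an offline SPF ip4/ip6 check.
The records below are constructed for the hypothetical domain example.com."""
import ipaddress

# Report-only record (the Fortune 500 "report-only" case) and an enforcing one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
# SPF whitelist: one IPv4 range, one IPv6 range, everything else hard-fails.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag/value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(record):
    """Requested disposition for failing mail: 'none', 'quarantine' or 'reject'."""
    return parse_dmarc(record).get("p", "none").lower()


def dmarc_is_enforcing(record):
    """True only when receivers are told to quarantine or reject all failing mail."""
    tags = parse_dmarc(record)
    # pct defaults to 100; a lower value applies the policy to only a fraction of mail
    return dmarc_disposition(record) in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100


def spf_check_ip(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms only; returns 'pass', 'fail', 'softfail' or 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        # 'in' is False when address and network versions differ, so ip4/ip6 mix safely
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return qualifiers[qualifier]
        if name == "all":
            return qualifiers[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

Running the weak record through `dmarc_is_enforcing` returns False, which is exactly the report-only configuration the Microsoft data describes; the strict record returns True.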
As an Information Security Architect with Reputation.com, an industry leader in online reputation management providing customers with a full range of solutions to handle their presence online, I look to address our own online posture from a security perspective. Message integrity plays a key part in that strategy and the reputation of those emails sent on behalf of our domain is very important to the reputation of the business. In focusing on message integrity and fully leveraging SPF, DKIM, and DMARC, I have been able to gain visibility into the spoofed mail representing the Reputation.com domain, as well as a framework of technical controls to prevent unauthorized mail from reaching potential customers, customers and business associates. This has provided a boost to our security posture and has helped to reinforce the trust which our customers place in us, as well as our SaaS platform.
As a technology medium that is a target for malicious exploits such as email spoofing, the integrity of email is important to ensure its secure use and the trust associated with it. While the underlying email protocol may be lacking in security, a combination of the SPF, DKIM and DMARC standards provides the integrity not built into the SMTP protocol by default. By using DMARC with both SPF and DKIM and a reject disposition, you will not only gain valuable visibility into where your domains are being spoofed but also the ability to take proactive measures on how spoofed messages representing your domain and business are handled by recipients. Taking these steps to protect the integrity of your domain will lead to a higher level of trust from your mail recipients and reduce any negative impact on your business brand associated with spoofed mail.
About the Author
Jeff Stein is currently the Information Security Architect at Reputation.com, an industry leader in online reputation management. His prior experience includes the FinTech space and both the United States House of Representatives and the United States Senate. In addition to holding numerous security and IT certifications, including his CISSP, he received a Master of Science in Information Security and Assurance from Western Governors University. Jeff can be found online on his blog, https://www.securityinobscurity.com, and reached at firstname.lastname@example.org or on Twitter at @secureobscure, and at our company website https://www.reputation.com and on Twitter at @Reputation_Com.