16/03/2020

Email Security and the Changing Landscape

Most of us are well aware at this stage that email is a complete disaster for security. Phishing, anyone? It was originally developed on early research networks for academics to communicate with each other.

Of course, in the rarefied air of research labs and college campuses, the fact that no one had thought about security slipped past everyone until the whole thing had become the de facto standard for communication among us mere mortals. By the time we realised, retrofitting security into it was nigh on impossible.

Over the last 40 years a few attempts have been made to help and, let's face it, on their own they have all ended in tears. More recently though, a newer approach known as DMARC (Domain-based Message Authentication, Reporting and Conformance), which adds policy and reporting on top of two of those earlier mechanisms, SPF and DKIM, has been slowly gaining a following and has real potential to fix what should never have been broken in the first place.

So, what is DMARC?

The easiest way to explain it is by analogy. In the same way that Amazon publishes its domain "amazon.com" and then secures its connection with you using a TLS certificate, DKIM (DomainKeys Identified Mail) has you publish a public key in your DNS. The key lives in a TXT record at a name of the form selector._domainkey.yourdomain, and your outbound mail server signs every message with the matching private key, adding a DKIM-Signature header that names your domain (the d= tag) and the selector (s=). When anyone receives an email signed by you, or one claiming to come from you, the receiver can look up that record, fetch your public key and use it to confirm that the message really was signed by you. DMARC sits on top of DKIM and of SPF (the DNS record listing which servers may send mail for your domain): a second TXT record at _dmarc.yourdomain tells receivers to check that the domain which passed DKIM or SPF actually lines up with the domain in the From: address the user sees, and what to do with mail that fails that check (p=none, quarantine or reject).

As a little aside, DKIM also lets the receiver confirm that the content it received is the same as the content that was sent and was not tampered with in transit over the internet. The signature covers a hash of the message body and of whichever headers the signer lists (From: must be among them), so altering any of those breaks the signature. Headers left off that list, and anything past an optional body length limit if the signer sets one, are not protected, which is why it is worth checking how your mail system is configured.
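To make the alignment step concrete, here is an added example (not Nitec's code, and not a DKIM verifier: it assumes the receiving server has already checked SPF and DKIM signatures) that shows what DMARC adds on top. The DNS records and the three message scenarios are constructed for a placeholder domain, example.com; the DKIM public key is truncated and the organisational-domain lookup is a simplification of what real receivers do.

```python
"""DMARC identifier alignment and policy evaluation (added example, not Nitec's code).

Assumes SPF and DKIM have already been verified by the receiver; this shows the
step DMARC adds: does the domain that authenticated line up with the From: domain
the user sees, and what does the published policy say to do if it does not?
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: what a receiver would find at s1._domainkey.example.com (key truncated).
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...truncated"
# Constructed: what a receiver would find at _dmarc.example.com.
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC TXT records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment.

    Simplification: real receivers consult the Public Suffix List; keeping the
    last two labels is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts any subdomain of the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """Outcome of the receiver's SPF and DKIM checks on one message."""
    from_domain: str                       # domain of the RFC 5322 From: header
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid signature
    spf_pass_domain: Optional[str] = None  # MAIL FROM domain, if SPF passed


def evaluate_dmarc(res: AuthResults, dmarc_txt: str, policy_domain: str) -> Dict[str, object]:
    """Apply a DMARC record published for policy_domain to one message's results."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    dkim_ok = any(aligned(res.from_domain, d, tags.get("adkim", "r"))
                  for d in res.dkim_pass_domains)
    spf_ok = aligned(res.from_domain, res.spf_pass_domain, tags.get("aspf", "r"))
    passed = dkim_ok or spf_ok
    # p= covers the domain the record is published for; sp= (if present) covers
    # its subdomains. pct= sampling is ignored here to keep the example short.
    is_subdomain = res.from_domain.lower() != policy_domain.lower()
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return {
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    # Legitimate mail: DKIM-signed as example.com, bounces via a subdomain (fails strict SPF).
    print(evaluate_dmarc(AuthResults("example.com", ["example.com"], "bounce.example.com"),
                         DMARC_RECORD, "example.com"))
    # Bulk sender that authenticates only as its own domain: passes raw DKIM/SPF, fails DMARC.
    print(evaluate_dmarc(AuthResults("example.com", ["bulkmailer.example.net"],
                                     "bounce.bulkmailer.example.net"),
                         DMARC_RECORD, "example.com"))
    # Outright spoof of a subdomain: nothing authenticates, so sp=reject applies.
    print(evaluate_dmarc(AuthResults("news.example.com"), DMARC_RECORD, "example.com"))
```

The middle scenario is the one that catches people out: the bulk sender's mail passes SPF and DKIM perfectly well, just not for your domain, so DMARC fails it and the receiver quarantines.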

The whole system works well because of the reporting built into DMARC. Your DMARC record can include an address (the rua= tag) to which receivers send regular aggregate reports: XML summaries of every source that sent mail claiming to be from your domain, how many messages each sent, whether SPF and DKIM passed and aligned, and what the receiver did with the mail. (A second tag, ruf=, asks for per-message failure reports, but few large receivers send them.) This helps admins spot misconfigurations and people trying to send emails on your behalf. For example, if Marketing sends a bulk email from MailChimp and forgets to set up DKIM for your domain there, the next report will show a large volume from MailChimp's servers failing alignment, and you would know very quickly rather than just assuming it all went through and wondering why you didn't get any responses.
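The report format is plain XML, so a short script is enough to turn one into the list an admin actually wants: which sources are yours, which are a misconfigured vendor, and which are spoofing you. The following is an added example, not Nitec's code or portal; the report text is a constructed sample in the RFC 7489 aggregate-report shape, as a placeholder receiver (example-receiver.net) would send it to the rua= address for example.com.

```python
"""Summarise a DMARC aggregate (rua) report (added example, not Nitec's code).

The sample report is constructed: three sources sending as example.com, one of
them legitimate, one a bulk sender authenticating as its own domain, one a spoof.
"""
import xml.etree.ElementTree as ET  # use defusedxml for reports from untrusted senders
from collections import Counter
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <email>noreply-dmarc@example-receiver.net</email>
    <report_id>1584316800.4711</report_id>
    <date_range><begin>1584316800</begin><end>1584403199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>3000</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>bulkmailer.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.bulkmailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>192-0-2-77.example.org</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> str:
    """Tell 'your vendor forgot to set up DKIM for you' apart from 'someone is spoofing you'.

    policy_evaluated/dkim and /spf already include DMARC alignment; auth_results
    holds the raw SPF/DKIM outcomes for whatever domain actually authenticated.
    """
    pe = record.find("row/policy_evaluated")
    if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
        return "aligned"           # authenticated as your domain: legitimate
    raw_pass = any(r.findtext("result") == "pass" for r in record.findall("auth_results/*"))
    if raw_pass:
        return "unaligned"         # authenticated, but as another domain: misconfigured sender
    return "unauthenticated"       # nothing checks out: likely spoof


def summarize(xml_text: str) -> List[Dict[str, object]]:
    """One summary row per source IP in the report."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "verdict": classify(rec),
        })
    return rows


def totals(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Message counts per verdict, the headline figure for a weekly review."""
    counts: Counter = Counter()
    for r in rows:
        counts[r["verdict"]] += r["count"]
    return dict(counts)


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['source_ip']:>15} {r['count']:>6} {r['disposition']:<10} {r['verdict']}")
    print(totals(rows))
```

The "unaligned" row is the MailChimp-style case from the paragraph above: 3,000 messages from a bulk sender that authenticated as its own domain rather than yours, all quarantined, visible in the first report rather than weeks later.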

The long and short of it is that this is gaining popularity and acceptance, especially with bigger companies. As we know, when the bigger companies start demanding it to do business with them it will have a cascading effect down to the likes of us.

Taking Added Steps to Security

A recent piece of research from Valimail has suggested that turning this on basically stops people trying to pretend to be you. This makes perfect sense if you think about it. From a spammer's point of view, the reporting element of DMARC hands the domain owner a neat, collated list of every source failing verification, and that makes the spammers easy for Mimecast and other anti-spam companies to identify and target, which is exactly what they don't want. It is better for a spammer to remove domains with DMARC from their target list, a little like how burglars avoid houses with video cameras, allegedly. Another jolly good reason for doing it, as if its primary purpose weren't enough.

As if yet another reason were needed, we are seeing anti-spam engines start to penalise domains that do not publish these records, which means not configuring DMARC can mean more of your legitimate outbound mail finding its way into other people's junk mail folders. This can even be the case where a user has marked, for example, joe@bloggs.com as a trusted sender. The thought process is: how can I trust joe as a sender if I can't verify that the mail actually came from "bloggs.com"? It's hard to argue with that logic, to be fair.

At Nitec, we are working hard to build this functionality into our Customer Portal so you can see any issues and monitor your configuration, and we're hoping to have something ready in early April. In the interim, we would advise all our customers to consider adding DKIM and DMARC records, starting with a monitoring-only DMARC policy (p=none) and reviewing the reports before tightening it to quarantine or reject, so that legitimate mail from third-party senders is not caught out.
