Last week, I wrote about the importance of the human element in preventing payment redirection and other email-related attacks.
Today’s article is about how we can leverage technology to help protect ourselves against these attacks.
One of the reasons for the lack of security in email is the absence of any assurance that an email really comes from the sender it claims to be from. An apt analogy is that email, by design, is like a traditional letter: the sender’s name in the letter and on the envelope can be anything the sender wants it to be, as can the message.
This historical problem contributed to the rise of email spam and phishing emails.
Technology to protect against Spam and Phishing
Fortunately, several technological solutions have been devised over the last several years that help to address this. The technologies in question are SPF, DKIM, and DMARC, and these are typically all used together.
An important note is that these are normally completely transparent to the end user and are normally only of concern to email administrators and the marketing department. The sender organisation makes any email authentication they use public and the recipient organisation can use this information to check email for authenticity.
What is DKIM?
DKIM is a way to sign the email message content using cryptography. Continuing with our analogy from earlier, this is a way to sign our letter before sealing it in the envelope.
What is SPF?
SPF is a way to publish a list of systems that are allowed to send email on our behalf. To stretch the analogy somewhat, SPF is like looking at the “From” address on an envelope and checking whether the place it was sent from looks legitimate.
What is DMARC?
DMARC combines any results from DKIM and SPF into a pass/fail result and includes recommended actions to take in either event, as well as the option to report on pass/fail metrics back to the named sender organisation.
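As an added example that is not part of the original article, here is a simplified DMARC evaluator in Python: it parses a published DMARC record and combines SPF and DKIM results into the pass/fail verdict and recommended action described above. The record, the domain names and the two-label organisational-domain rule are constructed assumptions for illustration; a real receiver derives the organisational domain from the Public Suffix List.

```python
# Added example of DMARC evaluation, not code from the article; SPF and DKIM
# results are assumed to have been produced already by the receiving server.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed, default) same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, dmarc_record):
    """DMARC passes if SPF or DKIM passed AND that mechanism's authenticated
    domain aligns with the visible From: domain; on failure, p= gives the action."""
    tags = parse_dmarc_record(dmarc_record)
    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and is_aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # "none" = deliver normally; otherwise quarantine/reject as published
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed sample record, as a domain owner might publish at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # An unverified third-party platform: SPF passes for its own domain, so no alignment
    print(evaluate_dmarc("example.com", "pass", "mailer.thirdparty.example", "none", "", RECORD))
```

The second sample call shows the situation from the enforcement section below: a platform that sends for you but has not been set up as a verified sender fails DMARC and, with p=reject, its mail is rejected.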
Email Authentication Protection
Once implemented, these technologies can help protect your users and your business partners’ users against receiving email that looks like it came from inside your organisation.
Unlike WhatsApp or iMessage or any other vendor-controlled messaging platform, email is an open communications platform.
As such, any proposed new standard needs to be widely adopted in order to be useful in practice.
Fortunately, the techniques described have been widely adopted and are generally supported by Google and Microsoft.
Not only that, but having all email authentication features set up is practically a requirement today to avoid having your own email marked as spam by Gmail and Office 365.
Enforcing Email Authentication in your Organisation
Enforcing email authentication can, however, bring to light just how many third-party email platforms are expected to impersonate your organisation, typically for marketing purposes.
Most email marketing services are very aware of the need for email authentication and how enabling it improves email deliverability, and make it easy to integrate their systems as verified senders.
While potentially challenging at first, email authentication is an essential measure to protect your organisation and your business from fake emails. Having at least the basics implemented is necessary to ensure email deliverability.
Technical controls combined with quality Security Awareness Training can substantially reduce the risk of cyber incidents.
As always, stay vigilant.
Does your staff know how to identify a malicious email? Learn more about Security Awareness Training, provided by Calibre One.