M3AAWG’s email authentication checklist is clear, concise, and timely
The Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) recently published a best-practices document on email authentication (.pdf) based on SPF, DKIM, and DMARC that outlines exactly why authentication is so important, and how to do it right.
“Proper email authentication is a foundational principle for establishing trust in email and protecting a domain’s reputation,” M3AAWG wrote in this document. In a related blog post, they write, “Effective email authentication establishes user trust.”
In short, if you don’t know who sent a message, how can you trust the message? Authentication addresses that.
Email authentication establishes identity, and paves the way for making email a safer, more trusted medium for everyone.
The document will be influential because M3AAWG represents a broad cross-section of the email industry, including large senders of email, large receivers (mailbox systems like Gmail, Yahoo Mail, Microsoft, and so on), and other significant players in the ecosystem. Best common practice (BCP) documents are M3AAWG’s way of delivering recommendations to this broad universe of email stakeholders, and they carry weight.
Valimail is a longtime member and supporter of M3AAWG, and we’ve held various leadership positions throughout our tenure. Currently, I serve as M3AAWG’s technical committee co-chair, a role Valimail CTO Peter Goldstein previously held. We take these roles at M3AAWG seriously, specifically because the output of the group is so valuable for the ecosystem.
Key recommendations for DMARC, SPF, and DKIM
- Publish SPF records for MAIL FROM and EHLO domains. SPF records should end in “~all”.
- SPF records should not authorize more IPs than necessary.
- SPF (which validates the Return Path) should be aligned with the domain used in the “From” field.
- Publish SPF “-all” on domains that do not send mail.
- Sign all outbound mail with a domain that aligns with the domain used in the “From” field.
- Follow best practices for key management, which includes rotating keys regularly, maintaining the industry-standard minimum key sizes, and storing private keys securely.
- Policy statements should be “p=reject” where possible, “p=quarantine” otherwise.
- “p=none”, “sp=none”, and pct<100 should only be viewed as transitional states, with the goal of removing them as quickly as possible.
- DMARC policy records should include a reporting tag (“rua” tag).
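As an added illustration (not code from the M3AAWG document or from Valimail), the following Python script evaluates SPF and DMARC TXT records, supplied as strings, against the checklist items above; the records it runs on are constructed samples for a hypothetical domain, not real DNS lookups.

```python
import re

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt):
    """Return checklist findings for a DMARC record; an empty list means compliant."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none is transitional; move to p=quarantine or p=reject")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected; treat as transitional")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be received")
    return findings

def check_spf(txt, sends_mail=True):
    """Return checklist findings for the SPF record of a sending or non-sending domain."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if sends_mail and last != "~all":
        findings.append(f"sending domain should end in ~all, found '{last}'")
    if not sends_mail and last != "-all":
        findings.append(f"non-sending domain should publish 'v=spf1 -all', found '{last}'")
    # Heuristic: an ip4 block shorter than /24 authorizes far more IPs than most senders need.
    for term in terms:
        m = re.fullmatch(r"\+?ip4:(\S+)/(\d+)", term.lower())
        if m and int(m.group(2)) < 24:
            findings.append(f"{term} authorizes a very large address range")
    return findings

if __name__ == "__main__":
    # Constructed sample records for a hypothetical domain, not real DNS data.
    print(check_dmarc("v=DMARC1; p=none; sp=none; pct=50"))
    print(check_spf("v=spf1 ip4:10.0.0.0/8 -all"))
```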
Why guidelines are needed for DMARC, SPF, and DKIM
The problem M3AAWG is trying to overcome is the lack of clarity around well-known technical requirements. In many aspects of the email world, decisions are made based on stochastic or algorithmic rules — percentages of likelihood that content is malicious, spam scores, behavior analysis, general recommendations, and so forth.
Authentication is different. Authentication is binary — it’s done properly, or it’s not. This BCP serves as a single place where anyone dealing with authentication can look and see exactly what must be done.
Ultimately, “No Auth, No Entry” is the ecosystem’s goal. This means that email simply won’t be delivered unless the source is definitively known. This doesn’t mean all mail is wanted by the recipient — it just means all mail is attributable to a sender, which allows anti-abuse protections to be deployed effectively and consistently.
There’s a long way to go until “No Auth, No Entry” is a reality, but providing signposts on how to get there is the goal of organizations like M3AAWG and its member companies (including Valimail, of course!). This BCP is an important step in the right direction.
DMARC email authentication is picking up steam
The industry has seen a major shift over the past year. SPF, DKIM, and DMARC are now far better known than they once were. Globally, more than 1 million domains now utilize DMARC. Various M3AAWG members track uptake of these standards and publish regular research reports. The research is encouraging, but penetration is nowhere near where it needs to be.
It’s not for want of trying. There are quite a few technical and process issues involved in deploying email authentication effectively. The fact that many organizations deploy DMARC but don’t get beyond monitoring mode (p=none) shows that there are still hurdles involved in getting to DMARC enforcement (p=quarantine or p=reject).
Note that email authentication prevents the most damaging fraud vector: exact domain impersonation. If I can use your full email address, I can defraud people who trust you. This is why executive impersonation and W-2 phishing are such damaging and costly problems, and why the move to implement email authentication properly is so critical.
But while domain impersonation is the source of the most financially damaging fraud, there are other types of fraud, for which we need other solutions. Registering lookalike domains or using throwaway accounts on open-signup systems (like free webmail providers) are also frequent attack vectors for phishers. For more information on how Valimail addresses these kinds of impersonation, see our web page on Valimail Defend.
Even with strong authentication — using DMARC at enforcement as outlined by M3AAWG’s BCP — there are ways to accidentally allow others to authenticate as you, or for your authentication to get mixed with others via shared services. These are all issues being discussed at M3AAWG, and which are crucial for the ecosystem to solve.
The latest guidance from M3AAWG is an important step in the right direction. Utilizing this document gives domains — whether they send email or not — a solid foundation upon which to build a robust defense-in-depth strategy.