Feb 12, 2019

Five myths of email authentication


Email is one of the most vulnerable points in an enterprise’s cyber defenses. Multiple studies (from Proofpoint, Verizon, and others) have shown that over 90% of all cyberattacks start with email-based phishing. An anti-impersonation defense focused on email authentication can block a significant portion of these exploits, but there is a great deal of confusion around email authentication. Email is a legacy technology with a lot of accumulated “technical debt” and standards limitations, and there aren’t many true email experts who understand the full set of standards backwards and forwards. As a result, staying on top of the real-world workings of email is a challenge for most.

Valimail has years of experience implementing and maintaining email authentication for our customers — and in addition we’re an active contributor to many of the relevant standards bodies, open-source projects, and industry groups. As such, we see a lot of misconceptions about how email authentication works. This post will clear up some of the most common misunderstandings we’ve run across.

Myth #1: Email authentication is a one-time project

Fact: It’s a process. If you were hoping for a one-stop solution to check the box on email authentication, you’re going to be disappointed when you have to continuously add, remove, and re-authenticate third-party cloud services – again and again (and again). You’ll need to manage it continuously both during and especially after deployment. Monitoring incoming DMARC reports, adjusting SPF records as you add and remove email senders, and updating DKIM signatures on a regular basis are just some of the tasks you’ll need to manage consistently in order to stay protected.

Myth #2: Email authentication is easy

Fact: If it were easy, success rates among companies that have attempted email authentication would be high. Our research, based on scanning 16 million DNS records daily, shows only around 20% of the domains with DMARC records actually succeed at getting to enforcement (a policy of quarantine or reject, which is where you actually get protection against impersonation). The other 80% of domains with DMARC records are still vulnerable to impersonation attacks. With few exceptions, this low 20% success rate is consistent across verticals and company size. It’s almost like a mathematical constant.
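Whether a domain has "reached enforcement" in the sense used above comes down to what its DMARC record says. The following added example (not Valimail's scanning code) parses a DMARC TXT record per RFC 7489 and classifies it: `monitoring` for `p=none`, `partial` when `pct=` applies the policy to only a sample of failing mail, `enforcement` for full `quarantine` or `reject`, and `invalid` for anything that is not a DMARC record. The `sp=` tag is honoured for subdomains, since a domain can publish `p=reject` while leaving its subdomains unprotected. The sample records are constructed.

```python
"""Classify a DMARC TXT record as monitoring, partial, enforcement or invalid.

Added example, not Valimail's code. RFC 7489 records are tag=value pairs
separated by semicolons; 'v=DMARC1' comes first and 'p=' is required.
"""


def parse_dmarc(record):
    """Split a DMARC record into a dict of lower-cased tags and stripped values."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def is_dmarc_record(tags):
    """A record only counts as DMARC when it has the version tag and a policy."""
    return tags.get("v", "").upper() == "DMARC1" and "p" in tags


def effective_policy(tags, is_subdomain=False):
    """Subdomains use sp= when it is present; otherwise p= applies to both."""
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def enforcement_status(record, is_subdomain=False):
    """Return 'invalid', 'monitoring', 'partial' or 'enforcement'."""
    tags = parse_dmarc(record)
    if not is_dmarc_record(tags):
        return "invalid"
    policy = effective_policy(tags, is_subdomain)
    if policy not in ("quarantine", "reject"):
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is malformed
    if pct < 100:
        return "partial"  # policy applied only to a sample of failing mail
    return "enforcement"


# Constructed sample records (mailbox addresses are hypothetical)
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "enforcement": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "invalid": "v=spf1 include:_spf.example.net -all",
}

if __name__ == "__main__":
    for rec in SAMPLES.values():
        print(f"{enforcement_status(rec):12s} <- {rec}")
    # p=reject at the organisational domain but sp=none leaves subdomains unprotected
    print(enforcement_status("v=DMARC1; p=reject; sp=none", is_subdomain=True))
```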

Many of these projects run into trouble when they can’t identify all the cloud-based services sending mail on their behalf, so they’re unable to move to an enforcement policy for fear of accidentally blocking “good” email. Or, they run into configuration problems or built-in limits in the standards, like the SPF 10-lookup limit.
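The SPF 10-lookup limit mentioned above is what makes "just add another include" fail: RFC 7208 section 4.6.4 caps the `include`, `a`, `mx`, `ptr` and `exists` mechanisms plus the `redirect` modifier at ten per check, counting the terms inside every included record as well, and a receiver returns `permerror` beyond that. The following added example (not Valimail's code) counts those lookups by walking a constructed dictionary of SPF records in place of live DNS; the domains and address blocks in it are hypothetical and do not belong to any real provider. It shows how a record with only four top-level terms can still exceed the limit through nested includes.

```python
"""Count the DNS-querying terms an SPF record needs, against the RFC 7208 limit of 10.

Added example, not Valimail's code. ip4, ip6 and all never count; include, a, mx,
ptr, exists and redirect each count once, and included/redirected records are
walked recursively. The initial TXT fetch for the checked domain does not count.
A constructed in-memory zone stands in for DNS (hypothetical domains).
"""

LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample zone: domain -> SPF TXT record
SPF_ZONE = {
    "example.com": "v=spf1 include:_spf.mailer-one.example include:_spf.crm.example mx a:mail.example.com -all",
    "_spf.mailer-one.example": "v=spf1 include:_netblocks.mailer-one.example include:_netblocks2.mailer-one.example ~all",
    "_netblocks.mailer-one.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "_netblocks2.mailer-one.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example include:_spf3.crm.example ~all",
    "_spf1.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf2.crm.example": "v=spf1 a mx ~all",
    "_spf3.crm.example": "v=spf1 ptr ~all",
    "example.org": "v=spf1 redirect=example.com",
}


def parse_term(term):
    """Return (name, argument, is_modifier) for one SPF term.

    Mechanisms look like 'include:domain', 'a/24' or 'mx' with an optional
    qualifier (+ - ~ ?); modifiers look like 'redirect=domain'."""
    term = term.lstrip("+-~?").lower()
    if "=" in term and ":" not in term.split("=", 1)[0]:
        name, arg = term.split("=", 1)
        return name, arg, True
    name = term.split(":", 1)[0].split("/", 1)[0]
    arg = term.split(":", 1)[1] if ":" in term else ""
    return name, arg.split("/", 1)[0], False


def count_lookups(domain, zone, seen=None):
    """Return (lookups, trace): DNS-querying terms reached from domain's record,
    plus a human-readable line per counted term."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0, [f"{domain}: include loop, not followed"]
    seen = seen | {domain}
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (void lookup)"]
    total, trace = 0, []
    for term in record.split()[1:]:  # skip the 'v=spf1' version term
        name, arg, is_modifier = parse_term(term)
        if is_modifier and name == "redirect":
            total += 1
            trace.append(f"{domain}: redirect={arg}")
            sub, sub_trace = count_lookups(arg, zone, seen)
            total, trace = total + sub, trace + sub_trace
        elif not is_modifier and name in LOOKUP_MECHANISMS:
            total += 1
            trace.append(f"{domain}: {term}")
            if name == "include":
                sub, sub_trace = count_lookups(arg, zone, seen)
                total, trace = total + sub, trace + sub_trace
    return total, trace


def within_limit(domain, zone):
    """True when the record stays within the RFC 7208 limit of 10 lookups."""
    return count_lookups(domain, zone)[0] <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("example.com", "example.org"):
        n, trace = count_lookups(d, SPF_ZONE)
        print(f"{d}: {n} lookups, {'ok' if n <= LOOKUP_LIMIT else 'permerror'}")
        for line in trace:
            print("   ", line)
```

For the constructed `example.com` record the walk reaches 12 lookups (3 via the first include, 7 via the second, plus the top-level `mx` and `a`), so a receiver would return `permerror` and the record protects nothing; `example.org` inherits all of them through `redirect=` and adds one more. The usual fixes are to flatten an include into its `ip4`/`ip6` blocks (which then has to be kept current as the provider's ranges change, the maintenance burden Myth #1 describes) or to drop unused senders.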

There’s no disgrace in calling for reinforcements — this is seriously tedious work. Given the volume of daily work most security teams need to manage, taking the additional time and focus necessary for DMARC enforcement can be a pretty big luxury. Valimail developed an automated system as a response to what we were seeing in the market, and exists precisely to ensure enforcement and avoid the tedium.

Myth #3: Email authentication is impossible

Fact: If it were impossible, the U.S. federal government wouldn’t have gone from having 4 percent of its domains protected by DMARC to over 70 percent — in just one year. In fact, the federal government is one of the few sectors to buck the trend mentioned in myth #2 — federal agencies have a DMARC enforcement success rate around 80 percent.

Email authentication is eminently achievable, and maintenance doesn’t have to overwhelm you. Like government agencies, companies just need to prioritize it — and use the right tools to implement it.

Myth #4: DMARC, SPF, and DKIM are the only standards you need

Fact: There are at least five protocols you need to know about. ARC (Authenticated Received Chain) and BIMI (Brand Indicators for Message Identification) are two emerging standards that you also need to understand. ARC helps ensure that authentication works even when a message passes through a forwarding service (like a mailing list), and BIMI provides companies that have successfully protected their domains through DMARC with the ability to include a customizable digital watermark next to authenticated emails that they send.

And that likely won’t be the last of it. As technology changes and attackers adapt, new protocols will keep appearing.

Myth #5: DMARC is not broadly supported by email receivers

Fact: The opposite is true, though this myth is widely believed. Our published research shows that 75% of all inboxes worldwide support DMARC — including 100% of major U.S. providers like Gmail, AOL/Yahoo, and Microsoft Office 365.

These five myths only scratch the surface of the misconceptions we come across in the market. In my next post, I’ll tackle a few more myths of email authentication. In the meantime, get in touch if you have feedback or questions about email authentication!
