This is the first in a series of posts covering the basics of email authentication. Read the rest of the series:
For most of the past 40 years, we’ve had to make a leap of faith every time we opened an email. Do you believe that the email really comes from who it appears to come from? In most cases, that’s an easy “yes” -- but in fact, it has been surprisingly easy to fake an email from almost anyone.
That’s because the people who first created the Internet didn’t include any way to verify the sender’s identity. When they set up email’s basic protocols, they balanced costs in computing power, implementation, and ease of use versus the risk of fraud. At the time, it was nearly inconceivable that 84 percent of all email would be malware, phish or spam. So they didn’t include any provisions for authentication.
The result: Email headers, including the From: and Reply-to: fields, are remarkably easy to fake. In some cases it’s as simple as typing “email@example.com” into the From: field. Couple that with a legitimate-looking message and some persuasive graphics and formatting, and it’s entirely possible to fool people into thinking that a message in their inbox actually comes from their bank, the IRS, or their boss.
Combine that with the ubiquity and utility of email (98% of consumers check their email daily), and you have the basis for our current security crisis. This weakness in email has led to a rash of phishing attacks aimed at getting employees or customers to click on malicious links, download and open malware-infested files, send W-2s and employee data to scammers, or wire funds into criminals’ accounts. Just recently Coupa, a Silicon Valley company, got tricked into sending the payroll details for all 625 employees to a scammer. Russian hackers managed to distribute malware-infected PDF files by sending emails impersonating Harvard’s Kennedy School. And last year, one of Europe’s biggest companies lost $45M when an employee mistakenly wired the money to a fraudster’s account in response to a bogus email. The FBI estimates that one type of phishing attack, the Business Email Compromise (BEC), costs U.S. companies $3 billion per year.
But it doesn’t have to be this way. Email authentication is the modern fix to this fundamental flaw. By implementing email authentication you can ensure that anyone -- an employee, customer, partner or prospect -- who receives an email that purports to be from your company can determine if the email is legitimate and, if not, flag or discard it. Even further, you can get complete visibility and control over who sends email in your name. The importance of this has grown dramatically with the rapid growth in cloud services, over 10,000 of which send email on behalf of their customers for sales, marketing, customer support, HR, accounting, legal and myriad other services. By enforcing authentication and only enabling senders you explicitly authorize you can block everyone else who attempts to send in your name - spammers, phishers, and even “shadow email” senders that may be legitimate but have not been vetted or authorized.
Email authentication standards enable any mail server, anywhere, to verify that an email with your domain in the “From:” address has been has been authorized to send in your name. Before it delivers a message to a recipient’s inbox, a mail server can check: Does the server sending this have the right to use the domain name (or names) listed in the message’s headers? If there’s a cryptographic signature attached to the message, does it match the public key on file for the domain it appears to be from? And do the headers match one another? (For instance, are the From: and Reply-to: fields the same?)
Depending on the rules that the owner of the sending domain has set up, the answers to these questions can either validate a message (yes, it’s authentic, go ahead and deliver it!) or invalidate it (it’s not authentic--watch out!). The rules include instructions for what the receiving server should do with non-authenticating messages, such as discard them, or put them in a spam folder, or flag them as potentially dangerous. Email authentication gives the domain owner global control of what happens to messages sent in their name by anyone, to anyone. It’s amazingly powerful and unlike any other kind of security tool.
What’s more, modern email authentication standards include a means for domain owners to get reports on who is using their domain names. In other words, if a company has authorized an email list provider, like MailChimp, to send messages on its behalf, it can see information about all emails sent by MailChimp’s servers and whether they authenticated properly. They can also see all activity from scammers sending spam and phish from unknown, unauthorized servers as well as “shadow email” services that may be legitimate but are not authorized.
Armed with this information, organizations can get a 360-degree view of their email ecosystem, which is a key requirement for having the confidence to enforce authentication globally. Fortunately, email authentication eliminates the need to constantly monitor for and respond to alerts in real time. Implemented properly, email authentication provides continuous protection and blocks anything that isn’t explicitly authorized. The reports tell the domain owner that a phishing attack was attempted - and failed.
As you can see, for email authentication to work it needs to be supported by both the originating domain (company.com) and the receiving email server (Gmail, Outlook.com, or your company’s email servers, for instance). The good news is that there is widespread support for email authentication standards. Virtually every major provider of consumer and business email services including Gmail, AOL, Microsoft, Yahoo, and more support email authentication, representing more than 2.7 billion mailboxes in all . The same is true for the major providers of email servers and secure email gateways (SEGs), and support is growing rapidly.
Email authentication is based entirely on open Internet standards that are widely accepted. The trio of standards are SPF, DKIM, and DMARC; the third builds on and incorporates the previous two.
Great! You've got the basics. Now read the next chapter in our explanation of email authentication: What is SPF?
Top photo credit: Dee Bamford/Flickr