Many companies already use a Secure Email Gateway (SEG) as a bulwark against the ever-increasing waves of email-based phishing and malware attacks. So if you’ve got an SEG already, why would you need to add email authentication to the mix?
The reason is straightforward: Each technology addresses different vulnerabilities. The phishing problem is massive enough — and varied enough — that you need both.
View the full infographic on SEGs and Email Authentication now, or read on to see some bite-sized highlights.
91 percent of all cyberattacks start with a phishing email. Under the surface of that figure, though, lurks the fact that the majority of phishing attacks — ⅔ of them — use impersonation.
Some of those impersonation attacks are especially devious business email compromise (BEC) attacks, because the email messages contain no malware and are virtually indistinguishable from messages sent by your boss or your coworkers — right down to the email address in the From: field.
With no malware and no suspicious links, there’s nothing for SEGs to scan.
But email authentication (EA) can ensure that the sender really is who they claim to be, while blocking all imposters trying to pose as a user of your domain name.
This is why the best defense is a layered defense, including both SEGs (to stop malicious content before it reaches your mailboxes) and email authentication (to ensure that no one can spoof your executives, employees, or brand).
Secure Email Gateways
SEGs are a familiar technology and have been in use for two decades. SEGs offer protection against phishing threats, and also against spam and email-borne malware.
They do this by offering a combination of algorithmic and heuristic analysis to weed out the “bad actors” among incoming emails, ensuring that all (or most) of the inbound email reaching a company’s servers is legitimate.
URL link protection, sandboxing email attachments, and other techniques used by SEGs can help protect companies from many of these threats.
Email Authentication
Email authentication is a newer component of the anti-phishing toolkit. At its core, authentication is focused on fixing email’s original sin: There’s no accurate way to tell who the sender of an email is. This enables a criminal to pose as your CEO, CFO, partner, spouse, friend, etc., tricking you into carrying out their desired (and nefarious) actions.
There are an array of standards involved in email authentication, including DMARC, SPF, DKIM, ARC, and BIMI. Once correctly configured, and set to an enforcement policy (a DMARC policy of p=quarantine or p=reject), email authentication blocks all emails that do not authenticate properly.
That means all emails: Not just inbound messages coming in to your organization’s mail servers, but any messages sent from anywhere in the world to anywhere else in the world. If they’re using your domain name and they weren’t authorized, those emails will be blocked.
This protects a company’s domain against phishing abuse (both inbound and globally), provides visibility and control over the email services employed by the company, and helps protect the brand overall from damage done by fraud.
So How Do SEGs and EA Compare?
A core security principal is to layer your defenses. That means deploying varying approaches to security in order to maximize the effectiveness of your overall defense.
SEGs and EA provide exactly this complementary, layered approach.
And while some SEGs do check and enforce the DMARC authentication policy of incoming emails as part of their filtering mechanisms, that’s as far as they go. They don’t configure or maintain email authentication for your domains nor do they monitor or digest DMARC reports.
How SEGs and EA Complement One Another
In fact, authentication is a powerful complement to a SEG.
By combining these two approaches, a company benefits in several ways. One is by simply sharing authentication results (reporting and analytics) with each other. Email authentication feedback data, via DMARC aggregate reports, provides SEGs with additional data to rapidly update their databases and stop attacks that they may have otherwise missed.
Additionally, email authentication provides unique value that SEGs alone do not. In addition to protecting your organization against BEC, it also protects against brand hijacking (messages sent to consumers, attempting to leverage your brand for malicious purposes), targeted spear-phishing messages aimed at impersonating executives.
And email authentication also protects the email sent by cloud services that use your domain.
The Best Defense Is a Layered Defense
Domain spoofing is not the only email-based threat that companies face. For protection against viruses, Trojans, and other email-borne malware, SEGs are a terrific solution.
But for protection against the damage that fraudsters can do with spoofed email domains, email authentication is the answer.
That’s why a complete email security solution includes both an SEG and properly configured email authentication — with an enforcement policy.
Valimail can greatly simplify the process of setting up email authentication and ensure it works with all of the SaaS providers you may want to send email on your behalf. If you’d like to know more, contact us.
View the full SEG and email authentication infographic to see a quick, visual summary of the SEG-EA comparison and how they complement one another. And please feel free to share this infographic via Twitter, LinkedIn, Facebook, or your own blog!