For the last four decades, email recipients have had to make a leap of faith every time they check their inbox. This is because the people who created the Internet didn’t include a way for email recipients to verify a sender’s identity.
At the time, there was no indication that 84 percent of all emails would be fake — malware, phishing attacks, or spam. So, they didn’t include provisions for sender authentication, a significant flaw in the overall security of email. It leaves recipients wondering, “Is this message really from who it appears to come from? Or is it fake?”
Because of this original flaw, it is easy for an impostor to imitate another person by setting the ‘From:’ and ‘Reply-To:’ fields in an email header to whatever they like; nothing in the protocol checks those fields against the server that actually sent the message. In some cases, it’s as simple as typing “firstname.lastname@example.org” in the ‘From:’ field. Fake email that exploits this systemic shortcoming has led to unprecedented levels of phishing and business email compromise attacks.
But it doesn’t have to be this way. Email authentication is the modern fix to this legacy flaw.
With email authentication, a domain owner publishes in DNS which senders are authorized to use its domain name, and receiving mail systems can then reject everyone else who attempts to send using that domain: malicious actors sending fake mail, but also legitimate cloud service providers that have not yet been given explicit permission.
By successfully implementing email authentication, you can ensure that only those entities you authorize can send email in your name.
Email authentication provides CIOs and CISOs with a significant weapon to stop fake email communications from impostors, and a new tool to manage shadow IT’s adoption of cloud service providers that use the domain name to send email.
DMARC Email Authentication
Email authentication is based on the application of three widely accepted standards. The most recent one, Domain-based Message Authentication, Reporting and Conformance (DMARC), incorporates and builds on its two predecessors, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
Because of DMARC’s effectiveness, virtually every large email service provider has implemented the standard, including 100 percent of major North American mailbox providers, among them Gmail, Microsoft, and Yahoo!/AOL/Oath. Furthermore, a large and growing majority of companies across the globe are adopting DMARC.
When fully enforced (a published policy of p=reject), DMARC lets receiving mail systems reject messages that do not come from an authorized sender, and it requires that the domain in the visible ‘From:’ header align with the domain that passed SPF (the hidden ‘Return-Path’, or envelope sender) or with the domain in a valid DKIM signature (its d= tag). This eliminates same-domain phishing attacks, which account for two thirds of all fake email. It does not, by itself, stop look-alike or cousin domains, which have to be addressed separately.
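To make the alignment rule concrete, here is an added example (not code from this page or from any mail provider) that evaluates DMARC for one message the way a receiving server would, given the outcome of its SPF and DKIM checks. It assumes those checks have already been done and takes their results as inputs, takes the DMARC record as a string instead of looking up _dmarc.example.com in DNS, and reduces the organizational-domain rule to “last two labels” rather than consulting the Public Suffix List; the domains, the record and the three messages are constructed for the example.

```python
"""Added example: how a receiving mail server evaluates DMARC for one message.

Illustrative code written for this article, not a mail provider's
implementation. SPF and DKIM verification are assumed to have happened
already; their results are inputs. The DMARC record is passed in as a string
rather than fetched from _dmarc.<domain> in DNS. All domains are constructed.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags.

    adkim/aspf default to relaxed ("r") as RFC 7489 specifies; p is required.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for the example: real implementations consult the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1).

    Strict ("s") requires the authenticated domain to equal the From: domain;
    relaxed ("r") only requires the same organizational domain.
    """
    if not auth_domain:
        return False
    fd, ad = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return fd == ad
    return organizational_domain(fd) == organizational_domain(ad)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass", "fail" or "none" for the Return-Path domain
    spf_domain: str    # RFC5321.MailFrom (Return-Path) domain SPF was checked for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature that verified, if any


def evaluate_dmarc(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition).

    DMARC passes when either SPF or DKIM passed *and* that mechanism's domain
    aligns with the From: domain. On failure the disposition is the record's
    p= policy (none, quarantine or reject); pct= sampling is ignored here.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed DMARC record for the protected domain, at full enforcement.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Constructed messages; example.com is the domain being protected.
LEGITIMATE = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
# Spoof: the attacker's own server passes SPF for the attacker's domain, but
# that domain does not align with the forged From: header.
SPOOFED = AuthResults("example.com", "pass", "attacker.example", "none", "")
# Third-party SaaS sender not yet authorized: it authenticates only as itself.
UNAUTHORIZED_SAAS = AuthResults("example.com", "pass", "mail.saas-vendor.example", "pass", "saas-vendor.example")


if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("unauthorized SaaS", UNAUTHORIZED_SAAS)]:
        print(name, evaluate_dmarc(DMARC_RECORD, msg))
```

The third message is the shadow-IT case: the vendor's mail is fully authenticated, just not for the domain owner's name, so under p=reject it is refused until the owner adds the vendor to SPF or lets it sign with a DKIM key under example.com.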