In the previous post of this four-part series on the email security ecosystem, we highlighted both legacy and trending phishing techniques, such as business email compromise (BEC), spoofing, smishing, impersonations, polymorphism and more. We discussed what makes each technique distinct, how they are commonly deployed, and what attackers’ most frequent motivations are when choosing one attack technique over the next.
In this blog post we turn our attention to defenses, and we begin by diving into email authentication standards and protocols.
Email authentication isn’t only about protecting the integrity of messaging. Rather, it is about how brands can ensure deliverability, in particular, with bulk email distribution. But as phishing and spam have evolved from an occasional annoyance to a never-ending threat, email authentication has emerged as a popular means of reducing the risk of malicious messages.
There is a common misunderstanding though as to how much of a role authentication protocols and standards play in email security. While some vendors and email clients will have you believe that compliance will significantly reduce risk, the truth is that these safeguards represent just a small piece of the ever-growing anti-phishing puzzle.
The opportunity cost of email authentication
It’s important to know that each standard and protocol was designed to solve one very specific problem. As such, these technical defenses often struggle against mitigating complex phishing attacks, especially those not spoofing domains. Further, many are difficult to implement and require intensive and costly maintenance over time.
Nonetheless, email authentication standards and protocols can be helpful as a part of a robust email security strategy. Here’s a list that every security analyst and IT professional be aware of:
- Brand Indicators for Message Identification (BIMI) - As the newest and least utilized email authentication standard, BIMI intends to reduce fraudulent brand spoofing emails by visualizing a logo as a measure of authenticity. Compliance requires DMARC configuration with active “quarantine” or “reject” policies, a positive sender reputation and a BIMI Assertion Record.
- Domain Keys Identified Mail (DKIM) – This is an email security standard that uses cryptography to ensure that messages aren’t manipulated between sender and receiver. DKIM helps improve email deliverability rates, while also reducing the frequency of domain spoofing. Learn how to setup DKIM here.
- Sender Policy Framework (SPF) – This is a policy that protects against domain spoofing by hardening DNS servers and restricting access to senders. SPF enables Internet Service Providers (ISPs) to verify that a mail server is authorized to send an email from a specific domain. Learn how to setup SPF here.
- Simple Mail Transfer Protocol (SMTP) - The purpose of SMTP is to help organizations send and receive emails. While helpful for deliverability, this protocol remains highly vulnerable because it does not encrypt or authenticate messages.
Domain Message Authentication Reporting & Conformance Protocol (DMARC)
At a high level, the Domain Message Authentication Reporting & Conformance (DMARC) protocol is a way to determine email authenticity and empowers senders to determine the fate of an email should the email fail SPF and/or DKIM verification. As such, DMARC helps reduce risk associated with only one very specific type of spoofing: domain spoofing.
While DMARC has been around for over a decade, it boomed in popularity in recent years thanks to vendor promotions and public sector adoption. While overall usage is trending upwards, only about 20% of the Fortune 500 have implemented this protocol.
In 2018, the Department of Homeland Security threw DMARC into the mainstream when it mandated that the entire agency become compliant. This direction, while well-intended, inadvertently gave off the perception that DMARC solved more email security challenges than it actually does.
In response to the mandate, I wrote an op-ed in NextGov about how DMARC was not the email security silver bullet that so many were making it out to be. Here’s an excerpt from my article, Attention Federal Agencies: DMARC is Not a Silver Bullet for Email Security:
DMARC was first launched in 2012 to better detect and prevent email spoofing. It is built on the DomainKeys Identified Mail and Sender Policy Framework and offers linkage to the sender’s domain name, reporting, and policies on how to handle authentication failures. When implemented by both sender and receiver, DMARC can help foil domain spoofing and enables organizations to filter out and reduce the number of fraudulent emails.
For DMARC to work as intended, both the sender and the receiver need to implement it correctly. But even if they have, exact domain spoofing attacks can exploit vulnerabilities in email clients to mislead end users on the validity of a message. In a direct spoofing attack, an adversary can exploit a vulnerability in a web browser or in a code to change the return path details. Mailsploit, one of the latest and most dangerous phishing techniques, can easily render DMARC obsolete by exploiting how mail servers handle text data differently than operating systems. In other words, government agencies could remain at risk of exact domain spoofing whether or not they have implemented DMARC appropriately.
Even when it is effective, DMARC can be cumbersome. It often leaves some organizations accidentally rejecting legitimate messages, and it can also break a company’s mail flow by creating a backlog of messages. DMARC is also very complicated to configure with many cloud-based solutions and can require significant maintenance beyond authorization.
DMARC, like the other email authentication protocols and standards, is only effective for solving one particular challenge. But therein lies the problem: such technical controls are only meant to solve specific problems.
We have reached the point where security teams and IT leaders are spending far too much time analyzing and responding to phishing threats, and part of that is due to an over-reliance on point solutions (which is essentially what email standards and protocols are).
In the fourth and final part of this series, we’ll explore the tools and technologies at the epicenter of solving the worldwide phishing epidemic. In the meantime, get to know the IRONSCALES self-learning email security platform by clicking here.