Email is Changing
An email protocol called DMARC is starting to have a big impact on the way that companies of all sizes send email.
It’s the biggest change to email in a decade. IT engineers are scrambling to get in front of this change. And yet, very few people who use email for work have ever even heard of DMARC.
The change is in response to the explosive growth of email fraud and the dangers that this type of criminal activity creates. New readers of EO Advisor might want to refer to The Rapid Growth of BEC Fraud for perspective into the dangers of compromised company emails.
Why Email?
Cybercriminal hacking has moved from worming in through the backdoor to boldly sneaking in through the front door. Why try to outsmart the best tech talent in the world if you can trick innocent everyday users into letting you into a company’s networks instead?
Email is the productivity tool we love to hate. It’s a daily grind to sort out the important messages from the time-wasting noise. Criminals see this as an opportunity to trick us into making an innocent mistake. When we click on something nefarious, the bad actor slips into our computer and starts working his way into our company’s network.
This is why employee training is now a requirement for any company seeking to buy insurance for losses related to cybercrimes.
Email Senders Have a New Responsibility
At the heart of what makes email so useful is a benefit that is inherently insecure.
Let’s use a fake company to describe the situation. Company X has lots of reasons to send different types of emails to different people. Company X uses many 3rd party resources that play a role in generating useful emails. To name a few: Microsoft, HubSpot, Salesforce and Intuit are critical 3rd party tools that need to send emails on behalf of Company X to the right recipients. For a customer, these emails always look like they are coming from johndoe@somecompanyname.com even though many different SMTP servers are generating the email content.
The good guys – the cybersecurity engineers – want to allow dozens of legitimate 3rd party SMTP servers to easily send out emails using Company X email addresses while, at the same time, they need to stop SMTP servers that are using trickery to look legitimate from sending out any fake Company X emails at all.
The criminals understand how this works. It is not all that hard for a criminal to use an anonymous SMTP server and start sending out emails to random people that look like they came from johndoe@somecompanyname.com. This criminal technique is called Spoofing.
The bad guys know the dilemma that the good guys are dealing with. Strict protocols that instantly catch every email that might be malicious will also accidentally block emails that need to get through. The bad guys also have an advantage because they can send out 50,000 fake emails and if five of them get clicked on by innocent employees, they have opened five avenues into company networks that they can eventually exploit maliciously.
Email Cybersecurity Defenses
The first line of defense is called SPF (Sender Policy Framework). This tool has been around for two decades. It is a way of telling the Internet the names of all the 3rd parties who are authorized to send emails on behalf of the company. The next layer of defense is called DKIM (DomainKeys Identified Mail) which has been in use for a bit more than ten years. For a lay person, DKIM is a “signature” attached to every legitimate email that makes it easier to double check the validity of the SMTP server.
These tools are important, but they were originally built to pick either “yes” or “no” when deciding if an email should get to the inbox of the recipient. Today’s reality is much more nuanced. Some emails are obviously critically important. Other emails are obviously malicious. A whole bunch of emails are in a grey area somewhere in between. An email that provides news, entertainment, retail promotions and other content falls into a grey area where the value is in the eyes of the receiver of the email.
The new(ish) protocol is DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC leverages SPF and DKIM and then uses that information to give the email administrator a quick and easy way to participate in the sorting process.
- DMARC stops spoofing because the sender’s email administrator assures the receiving administrator that every legitimate email will carry SPF and/or DKIM authentication in its headers.
- With DMARC, the sender tells the recipient what to do with emails that appear to come from the sender but fail the DMARC checks. The choices are to deliver the email, quarantine the email in a junk folder or reject/delete the email.
- DMARC enables a process that can be very strict or very lax at the beginning and then become much more nuanced over time.
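The sorting process described above can be shown in code. The following is an added example, not part of the EO Advisor article: a simplified receiver-side check that parses the sender domain’s published DMARC record and combines it with the SPF and DKIM results to arrive at one of the three outcomes (deliver, quarantine, reject). It goes slightly beyond the text by also checking that the authenticated domain aligns with the visible From domain, which is what actually defeats spoofing. All domains, record text and message results are constructed, and the organizational-domain logic is a simplification (last two labels) rather than the Public Suffix List.

```python
import re

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC DNS TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed by default
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels (constructed
    shortcut; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf_pass, spf_domain,
                      dkim_pass, dkim_domain, record):
    """Return 'pass' when at least one aligned mechanism passes; otherwise
    return the policy action the From domain published (none/quarantine/reject)."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

if __name__ == "__main__":
    # Constructed record for the article's example domain.
    REC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@somecompanyname.com"
    # Legitimate 3rd party sender: SPF authenticated mail.somecompanyname.com,
    # which relaxed alignment accepts as the same organization.
    print(dmarc_disposition("somecompanyname.com", True,
                            "mail.somecompanyname.com", False, "", REC))
    # Spoofed message: SPF passes only for the criminal's own domain and there
    # is no DKIM signature, so the published policy (quarantine) applies.
    print(dmarc_disposition("somecompanyname.com", True,
                            "randomsender.example", False, "", REC))
```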
What to Expect
Internet protocols are changing to leverage the benefits of DMARC. On February 1st, Gmail and Yahoo! Mail announced strict new rules that can trigger email bouncing if DMARC is not leveraged. This is just the start. Administrators and users are going to see many changes to email evolving to take advantage of DMARC. Everyday users of Gmail are already seeing new and easier “Unsubscribe” buttons show up in their email.
All businesses that use email are going to be pressed into using DMARC. Even small businesses have started to see that emails sent to customers who use an @gmail address are not being delivered because Google did not see DMARC. Implementing DMARC is important, but it is not turnkey.
- DMARC is an investment that will help legitimate senders of email make sure that legitimate recipients are getting the messages they are intended to receive.
- DMARC will reduce and hopefully eliminate the embarrassment and costs associated with blocking legitimate emails.
- DMARC adoption is a big step forward in protection against malicious emails that can cripple a company’s networks and open them up for ransomware attacks.
Every company should be asking their IT tech lead or their email administrator to look into the costs and opportunities associated with DMARC implementations. As always, Electronic Office welcomes questions from all readers of EO Advisor so, if you want to dive deeper, CONTACT EO NOW.