Do not underestimate the power of the spammer, or of others who are trying to send messages that look like they belong to your company even when they are not from you. Every day we all receive spoofed email messages. These messages point to a real issue with email security for enterprises.
This also sparks some questions for me.
How many messages are being sent to impersonate other corporate domains? How do you know who is impersonating your organization and trying to make messages look like they came from your company? What email messages are being sent that we do not know about?
These answers do not come easily, so email security must become a priority for all organizations.
So How Can Organizations Improve Email Security?
The answer to this question is that it can be very challenging to “see” what others are doing. In fact, it’s almost impossible to see this type of abuse without leveraging a 3rd party that can be configured to analyze this type of information for your company. These services typically cost money, and depending on the size of your organization, this may or may not be an item that fits in your budget.
What to do to improve email security?
There are a few different ways to ramp up email security and stop spoofed messages. They all involve updating your external DNS TXT records. When you use these approaches, any organization that receives email can use its mail gateway to validate that your message is legitimate.
Let’s take a look!
DKIM – Organizations should be using a 3rd party email gateway to send email out of the organization. Modern email gateways typically have the option to enable DKIM signatures on all outgoing email for your email domain(s). But this one step will not do the trick. These DKIM signatures will also need to be added to your DNS TXT records with your external DNS hosting company. If this is not done, message failure is likely, and without you even knowing about it.
Another important note about DKIM signatures within email security is that if you have any 3rd party providers that send email on your behalf, then the game changes a little bit. They too will need to provide the messages they send as you with a DKIM signature. They will also need to share this signature with you so that it can be added to your DNS TXT records. Here is another great article where we covered this topic. It also provides some additional insights into the technical requirements of implementing this.
DMARC – In its simplest form, this is a DNS TXT record that will also work to combat email spoofing. This record can also be used to validate that your messages are yours. The TXT record will validate the origin of the email, and can prevent delivery if it is a spoofed email.
External entities that receive your messages can double-check that the messages they are receiving are truly from your organization. If they do not align then the message will not be delivered. For some additional technical insights on how this can work see this article we previously posted covering this topic.
SPF – Last but not least, you will want to incorporate an SPF DNS TXT record into your plans. SPF stands for Sender Policy Framework, and it will not only prevent spoofing but also increase the likelihood that your corporate email will not be marked as spam. These records can be set to Quarantine, Detect Only, or even delete spoofed messages that do not line up with the identification of being from your organization.
The value in this type of record comes from the fact that if you have 3rd party entities that can send email on your behalf, you can simply approve this by adding them to your SPF record in DNS. Looking for some additional technical detail? Here is some coverage we provided previously on this topic.
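As an added example (not code from the original article), the Python sketch below audits the three record types described above for one domain, including the DKIM selector of a 3rd party sender. The domain, selector names, record values and the `audit` helper are constructed assumptions; in practice the TXT strings would come from a DNS lookup.

```python
# Added example; domain, selectors and record values are constructed.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, selectors, txt):
    """txt maps a DNS name to the list of TXT strings published there."""
    findings = []
    # SPF sits on the domain itself; receivers treat multiple v=spf1 records as an error.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        redirected = any(t.startswith("redirect=") for t in terms)
        if not alls and not redirected:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif alls and alls[0] not in ("-all", "~all"):
            findings.append(f"SPF: '{alls[0]}' does not fail unlisted senders")
    # DMARC sits at _dmarc.<domain>; p= is the action requested for failing mail.
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected 1 record, found {len(dmarc)}")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or '(missing)'} leaves failing mail deliverable")
    # DKIM public keys sit at <selector>._domainkey.<domain>, one per sending service.
    for sel in selectors:
        keys = txt.get(f"{sel}._domainkey.{domain}", [])
        if not keys:
            findings.append(f"DKIM: no key published for selector '{sel}'")
        elif not parse_tags(keys[0]).get("p"):
            findings.append(f"DKIM: selector '{sel}' has an empty p= (revoked key)")
    return findings

SAMPLE_TXT = {  # constructed records
    "example.com": ["v=spf1 include:_spf.gateway.example ~all", "site-verification=abc"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "gw1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"],
}
print("\n".join(audit("example.com", ["gw1", "vendor1"], SAMPLE_TXT)))
```

With the sample records, the audit flags the monitoring-only DMARC policy and the missing key for the hypothetical `vendor1` selector, which is the 3rd party sender case described in the DKIM section.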
What if my email is in the Cloud?
DKIM, DMARC, and SPF can all be used if your email has been migrated to the cloud. Some providers even do this automatically, so it is worth asking before you start the journey of implementing these concepts to improve your email security.
If you find that the cloud provider doesn’t have these implemented, then you will still need to work with them to put together your DNS records per their specifications. Each cloud provider has documentation, and in many cases, will offer you assistance with the configuration of these.
Next Steps for You
Take a look at the value of brand protection for your organization. If this is important, then improving your email security is a necessary step. From there, begin researching the details of your email system, and understand who you have hired to send email on your behalf. Once all the facts are known, implementing DKIM, DMARC, and SPF becomes achievable. Cheers!