Email security is often overlooked, even though email is a universal medium. In the business world, the inbox is the basic channel of communication between business owners, contractors, customers and other stakeholders. Unfortunately, alongside important and substantive messages, a large amount of spam and promotional offers lands in our inboxes every day. Without established authentication protocols, your brand's communication is much easier to forge, exposing you and your customers to hacking and phishing attacks.
How does email authentication work?
Authenticating a message means securing its delivery and proving to the email service providers that it came from you and not a spammer impersonating you. If authenticated, the recipient's server will process the email securely. If the authentication fails, the message is blocked or quarantined, or managed according to the rules set by the authentication policy.
Currently there are five preferred ways to authenticate messages: SPF, DKIM, DMARC, BIMI and VMC. The protocols differ in their method of authentication, their maturity, and the difficulty of configuration. Let's take a closer look at each one:
1. Sender Policy Framework (SPF)
This authentication protocol verifies that each email originates from a trusted server that is authorized to send messages for a given domain, and the result is the acceptance or rejection of the message. SPF was created to reduce the number of fake messages sent by scammers posing as valid email addresses or by viruses. It was adequate for early email systems but presents some problems for modern ways of sending email.
The main problems with SPF authentication include:
- It does not support email forwarding - When a message is forwarded, the recipient's server checks the forwarding server's domain rather than the original sender's domain, so the forwarded message fails validation.
- It can be easily tricked - SPF checks the return path (envelope sender) domain, which the recipient never sees, not the "From" field that is displayed. A sender can therefore show a legitimate-looking domain and address in the visible "From" field while using their own domain as the return path, and the message passes SPF against their own record. This is the gap that DMARC's alignment check closes.
- It can get too complex - SPF records are stored as plain text in the domain's DNS and list the IP addresses permitted to send for the domain. If the record is wrong, authentication fails even when the message and sender are genuine.
- It approves multiple users on the same IP addresses - Shared systems, such as cloud platforms, host many services behind dynamically assigned IP addresses. Approving one such IP also authorizes anyone else sending from that shared IP under your SPF record.
Despite the problems associated with this type of security, SPF must be implemented. It provides the foundation on which you can build stronger all-around security, and if you haven't published an SPF record, there's a chance your messages won't reach their recipients at all. However, as a standalone method it's simply not enough with today's technology.
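To make the SPF walk concrete, here is an added example (not code from the original article) of a minimal evaluator for the ip4, ip6, include and all mechanisms. The domains and records in FAKE_DNS_TXT are constructed stand-ins for real DNS TXT lookups so that the code runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: hypothetical domains and records,
# so the evaluator runs offline. A real checker queries DNS here.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Implements the ip4, ip6, include and all mechanisms, which is enough to
    show how a record is walked left to right and how the first matching
    mechanism's qualifier decides the result.
    """
    if depth > 10:  # RFC 7208 limits the number of DNS-based lookups
        return "permerror"
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A version mismatch (IPv4 client vs ip6 network) never matches
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the included record evaluates to "pass"
            if check_spf(value, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all" term
```

Note that the check is keyed on the return-path domain, which is exactly why a passing SPF result says nothing about the visible "From" address until DMARC ties the two together.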
2. DomainKeys Identified Mail (DKIM)
This is a more secure authentication protocol, since it also ensures that the message has not been altered in transit. The DKIM standard adds a cryptographic signature that verifies the origin of the message. When an email is sent, a hash is computed over the content of the message; this hash is signed with the domain's private key and the signature is appended to the email header. The recipient's mail server verifies the signature with the public key published in the domain's DNS, and if everything matches, the message is authenticated. The whole verification process is handled automatically by mailbox providers. Importantly, DKIM authentication survives email forwarding, as long as the signed headers and body are not modified along the way.
The main problems with the DKIM authentication protocol are:
- Key provisioning and management - Longer, more secure keys can be awkward to publish in DNS. These long strings are easily mangled, for example when copied and pasted.
- Flexible content - Problems arise when the content of the email is changed after signing, for example by a footer added in transit, because the signature then no longer verifies. You should therefore disable such content changes, or configure DKIM so that signing happens only after the change has been applied.
- Key security - An attacker who obtains a domain's private key can sign their own messages so that they verify as coming from that domain.
- Inconsistent signatures - A valid DKIM signature can use a completely different domain than the one shown in the "From" field. On its own, DKIM does not tie the signing domain to the visible sender, which makes phishing from a different email domain easy.
DKIM is very important for the kinds of businesses that are targets of phishing and spoofing attacks. Keep in mind that a missing DKIM signature may cause even the most valuable content from trusted senders to land in Spam or be blocked by the provider at the server level.
To make the best use of DKIM, pair it with DMARC so that the signing domain must match the domain used in the "From" field. The recipient, knowing that the genuine sender signs with DKIM, can then treat an unsigned or misaligned message as a likely spoofing attempt. To check your own setup, send a message to a trusted recipient or to another mailbox you control; email service providers usually let the recipient inspect the authentication results, including whether the DKIM signature verified.
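The "flexible content" problem above comes down to the body hash (the bh= tag) that the signer computes before signing. The following added example (not code from the original article) implements RFC 6376 relaxed body canonicalization and the resulting hash, using a constructed sample body; it shows that whitespace and line-ending changes are tolerated while an appended footer changes the hash and therefore breaks verification.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization, returned as bytes.

    Runs of spaces/tabs collapse to one space, trailing whitespace on each
    line is removed, trailing empty lines are dropped, and a non-empty body
    always ends with CRLF. Cosmetic changes therefore do not break the hash.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The value a signer places in the bh= tag for rsa-sha256 with c=relaxed."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample: the body as signed, the same body re-wrapped by a mail
# system, and the body after a gateway appended a footer (the failure mode).
ORIGINAL = "Hello  world \nSee you soon.\n\n\n"
REWRAPPED = "Hello world\r\nSee you soon.\r\n"
WITH_FOOTER = ORIGINAL + "-- \nScanned by an example gateway\n"
```

A verifier recomputes body_hash over the received body and compares it with bh= before it even checks the signature, so a mismatch here is enough for a DKIM failure.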
3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC checks that emails satisfy the SPF and DKIM requirements, and that the authenticated domain matches the From field, before delivery. As mentioned earlier, DMARC enforces the use of the domain in the From field to prevent attackers from using alternate domains to bypass the security checks. It also includes a reporting mechanism, and it lets the sender decide how verification failures are handled. Note that a strict policy can result in the rejection of legitimate newsletters and other messages, such as those sent from different branches of the same company. To choose the appropriate option, it is worth reading the reports first.
DMARC allows domain owners to publish policies that tell receiving mailbox providers how to handle unauthenticated messages claiming to come from their domains. The policy has three outcomes: do nothing, quarantine (mark as spam), or reject. DMARC reports show domain owners where such failed messages are coming from and provide important information about the abuse and what they can do to protect themselves further.
Proper configuration of DMARC is the only known way to prevent spoofing of email messages. The domain owner using DMARC does not need to take any additional action per message, because the DMARC checks are performed by the receiving service providers.
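The alignment check that closes the SPF return-path gap and the DKIM "inconsistent signatures" gap, as an added example (not code from the original article). It parses a DMARC record, applies the adkim/aspf alignment modes and returns the disposition; per RFC 7489 one aligned, passing identifier is enough to pass. The org_domain() helper is a constructed simplification (last two labels) where a real implementation consults the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Constructed simplification: the last two labels stand in for the
    # organizational domain. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_pass, action) for one message.

    spf_domain is the return-path (MAIL FROM) domain SPF was evaluated for;
    dkim_domain is the d= tag of the DKIM signature that verified (or None).
    Per RFC 7489 one aligned, passing identifier is enough to pass DMARC.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "none"  # no usable policy: the domain is unprotected
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")  # none / quarantine / reject
```

Running the two failure scenarios from the SPF and DKIM sections through this function shows both ending in the published policy action, which is what the reports then tell you about.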
4. Brand Indicators for Message Identification (BIMI)
BIMI allows your company to publish a new, standardized DNS record for your domain. When this standard is used, your company logo is displayed next to your emails in the customer's inbox. With Google's integration of BIMI into G Suite, it's only a matter of time before the rest of the world follows suit.
BIMI performs a final check focused on sender trustworthiness and displays the sender's brand image in the recipient's inbox (where supported). For brands, BIMI means greater trust from recipients, who can feel confident receiving verified emails. It therefore identifies content and its creators, helps combat phishing, and has a positive impact on security while reinforcing brand identity and trust.
How do you prepare for BIMI?
BIMI matters both for branding and for email deliverability. To enable BIMI, you must first authenticate your emails with SPF, DKIM and DMARC and ensure they align (the domain is the same in all cases). For the logo to appear in recipients' mailboxes, you must also publish a link to the corresponding logo file in the BIMI record. Before that, however, the logo at that URL is checked and verified against a VMC.
In other words, you have to prove to BIMI that you have the right to use the images associated with the brand, most notably its logo. The purpose is to protect your brand by ensuring that recipients only receive emails that were really sent by you and not by someone else. Plus, since BIMI is a free standard, you can add this value without any investment.
5. Verified Mark Certificate (VMC)
VMC is a new type of digital certificate that certifies the authenticity of the logo associated with an email's sender domain. It is likely that VMC certificates will become a requirement for BIMI to operate. Importantly, the logo used for a VMC must be registered with the relevant patent and trademark office: the EUIPO for the European Union and the USPTO for the USA.
The whole process of sharing and distributing the logo with the help of BIMI and a VMC certificate is not yet settled in practice; Gmail's pilot program is still underway. Soon, however, users will be able to associate their logo with the messages they send and see for themselves how much benefit such measures bring in practice.
Every day dozens or even hundreds of emails arrive in our inboxes. Some go unnoticed, others are treated as spam, and still others represent various forms of abuse. Unfortunately, choosing just one email authentication method doesn't provide a comprehensive solution that will make your brand scam-proof. However, if you combine these protocols, you will soon notice a steady increase in the number of delivered messages per campaign, leading to better email communication and stronger brand authenticity.