Why is email security important?
Email security is important because malicious email is a popular medium for spreading ransomware, spyware, worms, different types of malware, social engineering attacks like phishing or spear phishing emails and other cyber threats.
Email is also a common attack vector for attackers looking to gain entry into an enterprise network to steal sensitive data like personally identifiable information (PII), protected health information (PHI) or intellectual property (industrial espionage).
Secure email is necessary for both individual and business email accounts, and there are multiple measures organizations should take to enhance email security that we outline below.
Email consists of three components:
- The envelope: Concerned with how the email is routed, i.e. the path it takes to get to your inbox.
- The header(s): Contains information about the sender, recipient and various authentication details.
- The body of the message: The contents of the message, i.e. what you read and reply to.
What is Sender Policy Framework (SPF)?
Sender Policy Framework (SPF) is an email authentication method designed to detect forging of the sender address (Return-Path header) during the delivery of an email.
SPF allows the receiving mail server to check during mail delivery that an email claiming to come from a specific domain was sent by an IP address authorised by that domain's owner.
Why is SPF not enough to authenticate an email?
SPF alone can only authenticate the source of the message (Return-Path) but not the original author.
There is nothing stopping an attacker from setting up their own mailbox and domain, with an SPF record that authorises the attacker's IP address to send email on behalf of that domain.
Any email sent from that infrastructure would pass SPF checks, yet the attacker could still spoof the From header, which is outside the scope of SPF.
Only in combination with DMARC and DKIM can SPF be used to prevent email spoofing, a technique often used in phishing and spear phishing campaigns.
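To make the Return-Path versus From distinction concrete, here is an added example in Python (not part of the original page): a small evaluator for the ip4, ip6, include and all mechanisms of an SPF record, run against a constructed table of TXT records instead of live DNS. The domains example.com, mail.example.net and attacker.example and their records are constructed for illustration. The last call in the usage block shows the page's point: the attacker's own domain passes SPF for the envelope sender, while nothing in SPF constrains the From header.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these domains and
# records are invented for the example, not real published SPF records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "attacker.example": "v=spf1 ip4:198.51.100.7 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    `domain` is the Return-Path (MAIL FROM) domain, which is all SPF looks at.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists and the
    redirect modifier raise so that no silent wrong answer is produced.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms (include) to 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced record evaluates to pass
            if check_spf(sender_ip, value, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism '{name}' is not supported by this example")
    return "neutral"  # no mechanism matched and no explicit 'all'


if __name__ == "__main__":
    # Legitimate mail: envelope sender example.com from its authorised range
    print(check_spf("192.0.2.10", "example.com"))          # pass
    print(check_spf("2001:db8::1", "example.com"))         # pass via include
    print(check_spf("203.0.113.5", "example.com"))         # fail
    # The page's point: the attacker's own domain in the Return-Path passes
    # SPF, although the visible From header may still claim example.com.
    print(check_spf("198.51.100.7", "attacker.example"))   # pass
```

Because the result is keyed only on the Return-Path domain, a receiver that wants to protect the From domain has to combine this result with DKIM and DMARC alignment, which is the page's next point.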
What is DomainKeys Identified Mail (DKIM)?
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails.
DKIM allows the receiver to check that an email claimed to have come from a specific domain was authorised by the owner of that domain.
This is achieved by affixing a digital signature, linked to a domain name, to each outgoing email message.
The recipient system can then verify the email by looking up the sender's public key, which is published in the DNS.
A valid signature also guarantees that some parts of the email (such as email attachments) have not been modified since the signature was affixed. DKIM signatures are not generally visible to end-users and are affixed or verified by infrastructure rather than the message's author and recipients.
What is the benefit of DKIM?
When a valid DKIM signature is affixed to an email, the receiver can be confident that the DKIM signature has been created by the owner of that domain.
Why is DKIM not enough to authenticate an email?
A valid DKIM signature only verifies that the DKIM signature was created by the owner of that domain. It does not necessarily mean that the From domain is the same.
An attacker could easily create a valid DKIM signature for a domain she controls while still spoofing the From domain.
Thus, like SPF, DKIM alone is not always enough to authenticate the domain in the From header.
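As an added example (not the page's own code), the following Python shows two pieces of the DKIM verification described above: computing and checking the body hash (the bh= tag) with the simple and relaxed body canonicalization of RFC 6376, and deriving the DNS name where the selector's public key is published. The sample message body and DKIM-Signature header are constructed for the example; the b= tag is a placeholder because verifying the RSA signature itself needs the domain's public key and a crypto library, which this example deliberately leaves out. The d= tag in the sample is example.com, which is exactly the domain a DMARC check would later compare with the From header.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: str) -> str:
    """RFC 6376 3.4.3: drop empty lines at the end; an empty body becomes a single CRLF."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 3.4.4: collapse runs of WSP to one space, strip trailing WSP,
    drop empty lines at the end; a non-empty body always ends with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_canon_from_tags(tags: dict) -> str:
    # c=header/body; when only one algorithm is listed the body defaults to simple
    c = tags.get("c", "simple/simple")
    return c.split("/", 1)[1] if "/" in c else "simple"


def body_hash(body: str, body_canon: str = "relaxed") -> str:
    canon = canonicalize_body_relaxed if body_canon == "relaxed" else canonicalize_body_simple
    digest = hashlib.sha256(canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """True if the bh= tag matches the canonicalized body, i.e. the body is unmodified."""
    tags = parse_dkim_signature(dkim_header)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("sha256"):
        return False
    expected = body_hash(body, body_canon_from_tags(tags))
    return hmac.compare_digest(expected, tags.get("bh", ""))


def dkim_dns_name(tags: dict) -> str:
    """DNS name the verifier queries for the public key: <selector>._domainkey.<d= domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


# Constructed sample body and signature header (b= is a placeholder, not a real signature).
SAMPLE_BODY = "Hello,\r\n\r\nPlease find the  invoice attached.\r\n\r\nRegards\r\n"
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n\t"
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n\t"
    "b=PLACEHOLDER"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_DKIM_HEADER)
    print("public key would be fetched from:", dkim_dns_name(tags))
    print("body intact:", verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY))
    print("body tampered:", verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY.replace("invoice", "INVOICE")))
```

The relaxed canonicalization is what lets a message survive minor whitespace changes in transit while any change to the words still breaks the hash; the trailing blank lines a gateway may append are ignored for the same reason.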
What is Domain-based Message Authentication, Reporting and Conformance (DMARC)?
DMARC is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, e.g. email spoofing.
The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.
DMARC provides a mechanism to:
- Authenticate the domain in the From header of an email, based on the results of SPF and DKIM
- Allow domain owners to set a policy for handling email based on the result of that authentication
- Allow domain owners to get feedback reports from mail receivers on the results of DMARC checks
Is DMARC enough to authenticate an email?
Yes. DMARC allows you to authenticate an email because it requires the domain authenticated by SPF or DKIM to align with the From domain, which gives you confidence about the identity of the author.
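Putting the SPF and DKIM results together, here is an added example (not from the page) of the alignment check DMARC performs, in Python: it parses a DMARC TXT record, tests whether the SPF (Return-Path) domain and the DKIM d= domain align with the From domain in strict (s) or relaxed (r) mode, and returns the DMARC result together with the disposition the p= policy requests. The DMARC record and domains are constructed; organizational_domain() is a deliberate simplification (last two labels) where a real receiver consults the Public Suffix List, and the pct= and sp= tags are ignored.

```python
def organizational_domain(domain: str) -> str:
    """Simplification (assumption): last two labels. Real DMARC uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_dns_name(from_domain: str) -> str:
    """Receivers look up the policy at _dmarc.<From domain>."""
    return f"_dmarc.{from_domain.lower()}"


def parse_dmarc_record(txt: str) -> dict:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(identifier_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    if not identifier_domain:
        return False
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_d):
    """Return (dmarc_result, disposition).

    spf_domain is the Return-Path (MAIL FROM) domain SPF was evaluated for;
    dkim_d is the d= tag of a DKIM signature that verified (None if none did).
    The rua= tag, where aggregate feedback reports are sent, is parsed but unused here.
    """
    policy = parse_dmarc_record(dmarc_txt)
    if policy.get("v") != "DMARC1":
        return ("none", "none")  # no usable policy published for the From domain
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))  # p= is one of none, quarantine, reject


# Constructed policy for the example's From domain.
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(dmarc_dns_name("example.com"))
    # Attacker: SPF and DKIM both pass for attacker.example, but From says example.com
    print(evaluate_dmarc("example.com", EXAMPLE_DMARC,
                         "pass", "attacker.example", "pass", "attacker.example"))  # ('fail', 'reject')
    # Legitimate bounce subdomain passes SPF under relaxed aspf
    print(evaluate_dmarc("example.com", EXAMPLE_DMARC,
                         "pass", "bounce.example.com", "fail", None))              # ('pass', 'none')
```

Either aligned mechanism is enough for a pass, which is why a domain that signs with DKIM keeps passing DMARC when mail is forwarded and SPF breaks, and why the attacker scenario from the SPF and DKIM sections fails: both identifiers point at the attacker's domain, not at the From domain.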
Don't forget about DNSSEC.
DNSSEC provides a way to protect against DNS spoofing and is an often overlooked part of email security. DNS spoofing is a type of cyber attack in which an attacker causes a valid domain name to resolve to the IP address of a malicious server.
As SPF, DKIM and DMARC all rely on DNS TXT records, DNS spoofing undermines the security they provide.
Additional email security controls.
There are a variety of additional email security solutions you can employ to improve your email security beyond SPF, DKIM, DMARC and DNSSEC such as:
- Email encryption: Encrypting or disguising the contents of email messages or email attachments to protect potentially sensitive information from being read by anyone other than the intended recipients. This can also help with data loss prevention (DLP).
- An antivirus: Antivirus software often has real-time advanced threat protection that can detect known virus and malware signatures.
- A secure email gateway (SEG): A cloud-hosted or on-premise device or software used to monitor emails that are sent and received.
- Anti-spam: Refers to any software, hardware or processes that are used to combat the proliferation of spam or keep spam from entering a system. For example, opt-in email is a common anti-spam process.
- Strong passwords: Require employees to use strong passwords and mandate password changes periodically. See our secure password checklist for more information.
- Cyber security awareness training: Security teams must invest in training their staff, as many cyber attacks are spread through malicious email attachments. Sandboxing email attachments such as Microsoft Office or Office 365 files can help too.