How To: New Strategies for Securing Email


Email was never meant to be secure, which is why it’s so often used to attack organizations. From phishing to ransomware to business email compromise (BEC) attacks, the lack of native authentication for email results in billions of dollars in losses to criminals each year.

Fortunately, there are a few tried-and-true methods to strengthen your organization’s email. Here are the best ways to secure your email.

The problem with email

Email does not provide verifiable proof of the identity of the sender of a message. It’s easy to “spoof” an email to make it look like it’s from the White House instead of some local kid.

Spoofing is at the heart of many email attacks. A phishing email can spoof your bank’s domain name to trick you into visiting a fake login page. A ransomware attack can start with a booby-trapped invoice that appears to be from a long-standing vendor. BEC attacks often involve emails “from” CEOs or CFOs of companies ordering money transfers to unknown bank accounts.

“Although we hold training sessions and communicate about fraudulent emails, people are still clicking on things they shouldn’t, opening emails or attachments when they shouldn’t,” an information security official told SC Media. “If they don’t get a big red warning from security systems, they just don’t think about every email they touch.”

Email spoofing is not the same as email spam, and spam filters may not stop tampered messages. And not all malicious emails require spoofing – we’ve all seen phishing emails that appear to come from well-known companies but have sender addresses like “[email protected]”.

But spoofing makes email attacks less obvious and more effective. A phishing email may actually appear to be from your bank, and an immediate payment order may actually appear to be from your boss.

These last scenarios, BEC attacks, are particularly common and harmful. A 2022 survey of CISOs and other information security leaders by CyberRisk Alliance, detailed in a recent whitepaper, found that half of respondents saw up to 25 BEC attacks each day, and 78% rated protection against BEC attacks as very important.

The FBI cited $2,395,953,296 in BEC losses in 2021, a 26% jump from 2019 losses and by far the costliest category of online crime. By comparison, ransomware resulted in reported losses of $49,207,908 despite its much higher public profile.

“A few months ago, our accounts [department] received a strange email saying our VP of Sales authorized this invoice for payment when it was an email claiming to be from our VP of Sales and sent to our accounting,” a CISO of a major manufacturing company recently told SC Media. “Our accountants almost made a payment.”

Spoofing also makes all emails inherently suspicious. Your messages will be treated as guilty until proven otherwise. The email authentication methods described below are now so common that if your organization does not implement them, emails sent from your domain may be flagged as risky, moved to spam folders, or rejected altogether by the recipient mail servers.

Active DMARC registrations and percentage growth month by month, 2015-2021. Credit:

“Sending emails without monitoring email authentication status is nothing more than a shot in the dark,” the email reliability provider Dmarcly said in a recent blog post.

Technical means to secure your email

The most trusted technology for securing email is DMARC (Domain-based Message Authentication, Reporting and Conformance), which makes sending and receiving mail servers communicate indirectly to verify the authenticity of messages.

DMARC relies on two older technologies: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). All three use records listed in the public Domain Name System (DNS), and DMARC needs SPF, DKIM, or both configured to work.

There are two ways to spoof a sender’s email address. The most obvious method is to change what the recipient sees: the sender’s address in the content of the message’s “From” header. In a typed business letter sent by regular mail, this address would appear in the “From” field at the top of the page. But what’s in the From field doesn’t have to be true.

Headers and envelope compared between email and regular mail. Credit:

DKIM addresses header spoofing by requiring the sending server to embed a hidden cryptographic signature directly into the email message. The receiving server can then verify this signature by checking the sending server’s public cryptographic key in DNS.

DKIM is not perfect. Because some mail servers still don’t use DKIM, a verification failure doesn’t always result in a delivery failure. Additionally, a malicious server could “borrow” the cryptographic signature embedded in a legitimate email to spoof the domain name and trick DKIM until the signature is changed.

The other way to spoof a sender’s address is in the “MAIL FROM” field in the message’s “envelope”, the routing part that the mail user usually doesn’t see. Even to the receiving server (as opposed to the email recipient), a spoofed MAIL FROM envelope field will appear to come from the spoofed domain.

SPF stops this by checking the Internet Protocol (IP) address of the sending server against the IP addresses that the MAIL FROM domain lists in its DNS records. If there is no match, the message is flagged, quarantined, or rejected outright, depending on the configuration of the receiving server.

(You can see some of these settings in Gmail by opening a message and choosing “Show original” from the three-dot options menu.)

SPF isn’t perfect either. It lets through messages with spoofed From addresses if their MAIL FROM addresses are real, leaving recipients exposed to phishing attacks. It can also interfere with forwarded messages or with messages routed through mail exchanges. Many receiving servers mitigate this problem by having whitelists of known good mail exchanges.

DMARC extends SPF and DKIM by letting sending mail servers specify in their DNS entries whether they use SPF, DKIM, or both. It also introduces the concept of “alignment” to check whether the MAIL FROM field, the From field, and the DKIM signatures of a given message all match.

Significantly, DMARC allows sending domains to have a say in how their messages are handled by setting a policy advising receiving servers to quarantine, reject, or accept messages that fail alignment. Finally, it notifies the sending domains whether email messages were successfully delivered.
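The alignment check and policy decision described above can be sketched in a few lines. This is an added example, not code from the original article or from any mail server; the `Message` fields, the sample domains, and the two-label shortcut for the organizational domain are assumptions made for illustration.

```python
from dataclasses import dataclass

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs and validate v= and p=."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List (co.uk and similar break this).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str   # domain in the visible From header
    mail_from: str     # envelope MAIL FROM domain, the one SPF checked
    spf_pass: bool
    dkim_domain: str   # d= domain of the DKIM signature, "" if unsigned
    dkim_pass: bool

def dmarc_disposition(msg, record):
    """Return (result, action) for msg under the From domain's DMARC record."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, tags.get("aspf") == "s")
    dkim_ok = (msg.dkim_pass and msg.dkim_domain != ""
               and aligned(msg.dkim_domain, msg.header_from, tags.get("adkim") == "s"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed samples; example.com is the protected domain.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
SPOOFED = Message("example.com", "mailer.unrelated.test", True, "", False)
FORWARDED = Message("example.com", "lists.forwarder.test", True, "mail.example.com", True)
OWN_MAIL = Message("example.com", "bounce.example.com", True, "example.com", True)

if __name__ == "__main__":
    for name, m in (("spoofed", SPOOFED), ("forwarded", FORWARDED), ("own", OWN_MAIL)):
        print(name, dmarc_disposition(m, RECORD))
```

The spoofed sample passes SPF for its own envelope domain yet fails DMARC because that domain does not align with the From header; the forwarded sample survives on its aligned DKIM signature alone.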

This still doesn’t quite solve the mail exchange and message transfer issues, especially since DMARC adoption isn’t universal. A newer system called Authenticated Received Chain (ARC) allows mail exchanges and forwarders to pass along the sender’s SPF and DKIM authentication results so that DMARC validation remains possible on the receiver side.

Information flow during DMARC authentication. Credit:

How to implement DMARC, SPF and DKIM

Configuring your domains and mail servers to use DMARC, SPF, and DKIM can be complex, but there are some basic steps. You’ll need to follow these steps for every domain you own, and even parked domains should at least get SPF records.

1. Configure SPF by editing your domain’s DNS records with your domain hosting service.

2. Set up DKIM with your email delivery service, which will generate DKIM records – you’ll need two – or manually on your own email server. Then add the DKIM records to your DNS lists.

3. Wait 48 hours for SPF and DKIM records to propagate throughout DNS.

4. Generate your DMARC record and add it to your DNS list. Set your DMARC policy to “none” to indicate that no email sent from your domain should be rejected due to misalignment.

5. Create an email address to receive DMARC reports. You will get many reports, so you can subscribe to a DMARC analysis service to manage them all.

6. After a few days, start analyzing your DMARC reports, both aggregated (to provide an overview) and forensic (to spot and diagnose issues).

7. Use reports to identify and resolve DMARC issues, especially delivery and alignment issues.

8. One month after all your DMARC issues are resolved, set your DMARC policy to “quarantine” to indicate that misaligned emails should be sent to quarantine.

9. If quarantine mode does not create major problems, wait another three months and change the DMARC policy to “reject”. This tells the receiving servers that misaligned emails sent from your domain should be rejected.

10. Continue to monitor these DMARC reports and continue to fix as needed.
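For steps 6 and 7, the useful question to ask of each aggregate report is which sending IPs fail both aligned checks, since those are the sources to fix or to confirm as spoofing before tightening the policy. The following is an added example, not part of the original article; the sample report is constructed, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout, trimmed to the
# elements read below. IPs are documentation ranges, not real senders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Return (total messages, {source_ip: messages failing DMARC})."""
    # Reports come from third parties: cap their size before parsing and
    # consider a hardened parser such as defusedxml for production use.
    root = ET.fromstring(xml_text)
    total, failing = 0, Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        total += count
        # policy_evaluated holds the aligned DKIM and SPF verdicts;
        # DMARC fails only when neither of them is "pass".
        verdicts = (row.findtext("policy_evaluated/dkim"),
                    row.findtext("policy_evaluated/spf"))
        if "pass" not in verdicts:
            failing[row.findtext("source_ip")] += count
    return total, dict(failing)

def failure_rate(xml_text):
    """Share of reported messages that would be hit by quarantine or reject."""
    total, failing = summarize(xml_text)
    return sum(failing.values()) / total if total else 0.0

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT), failure_rate(SAMPLE_REPORT))
```

In the sample, the forwarder at 198.51.100.7 fails SPF but still passes DMARC through DKIM, so only 203.0.113.5 needs investigation before moving past the “none” policy.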

Authentication settings for an email sent to Gmail. Screenshot: ARC

Google offers more detailed guides here:

Help prevent identity theft and spam with SPF

Increase outbound email security with DKIM

Increase security for forged spam with DMARC

The best defense is between your ears

The most reliable way to prevent email spoofing from succeeding may be to train your staff to spot fake emails. No technology can completely stop phishing emails, but a well-trained and experienced employee will spot them most of the time. Combine this training with DMARC, DKIM and SPF and you will be as safe as possible.

Likewise, proper workforce training will educate the employees who handle the company’s money on the various tricks used by BEC scammers. (You can also require multiple employees to approve large money transfers.) Ideally, employees should participate in dynamic scenarios that simulate common BEC scams.

“Many [employees] are not capable of using email and therefore the ability to recognize fraudulent email is zero,” an education information security officer told SC Media. “The good news is that most of these users simply delete all emails.”

Want to know more? Read the full email security research report: ATTACKERS ON HIGH GROUND AS ORGANIZATIONS STRUGGLE WITH EMAIL SECURITY

