How Secure is Your Email?
Everyone uses email. While not everyone is a robust or compulsive user, nearly everybody has an account. They communicate with peers and clients and vendors via desktop and mobile device, and stuff their missives with links and attachments and more. There are also a variety of platforms. While Google’s Gmail is hugely popular, many businesses use the suite of services offered by Microsoft 365. There is still a sizeable population of Yahoo users, and we continue to come across legacy accounts.
Netscape, anyone?
When we work with a client, we often help them set up and maintain their email service, tying it to their domain. People put a lot more trust into an account coming from ‘@-businessname-dot-com’ than ‘crazymechanic-@-gmail-dot-com.’
Back in February, a couple of big providers changed their security requirements for email accounts with multiple members – think your average business or nonprofit with a dozen or more members. This caused some headaches for many of our clients, as folks reported not receiving emails, or getting failures in bulk emails.
I spent some time updating the security settings for all of our Rocket Pop clients. Here’s what that means and what it entailed:
DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and SPF (Sender Policy Framework) records are crucial components of email security infrastructure, playing integral roles in mitigating email fraud, enhancing trustworthiness, and safeguarding organizational reputations.
DKIM employs cryptographic authentication to verify that an email message was signed by a mail server authorized by the sending domain (whose public key is published in DNS) and that the signed parts of the message haven’t been tampered with during transit. By digitally signing outgoing emails, DKIM provides recipients with assurance regarding the message’s authenticity and integrity, thereby reducing the risk of phishing attacks and email spoofing.
DMARC enables domain owners to specify how email servers should handle messages that fail authentication checks performed by SPF and DKIM. It allows organizations to set policies for dealing with suspicious emails, such as quarantining or rejecting them, thereby preventing unauthorized use of their domains and reducing the likelihood of successful phishing attempts.
SPF records define which mail servers are authorized to send emails on behalf of a particular domain, helping to prevent email spoofing and unauthorized use of domain names in phishing campaigns. By specifying authorized mail servers in SPF records, organizations can enhance email deliverability and protect recipients from fraudulent emails purportedly originating from their domains.
Overall, DKIM, DMARC, and SPF records are essential tools for bolstering email security, reducing the risk of fraud, and maintaining trust in digital communication channels. Implementing and maintaining these records are paramount for organizations seeking to protect their reputations and safeguard sensitive information transmitted via email.
Specific Reasons Why an Organization Should Enable Email Security
- Protection against cyber threats: Email security records help detect and prevent phishing attacks, malware distribution, and other cyber threats targeting email systems.
- Compliance requirements: Many industries have regulations mandating the maintenance of email security records to ensure data protection and privacy compliance (e.g., GDPR, HIPAA). This is especially true with businesses that service government contracts.
- Legal evidence: Email security records serve as crucial evidence in legal proceedings, investigations, and audits, providing a trail of communication and actions taken within an organization.
- Incident response: Detailed email security records aid in incident response by facilitating the identification of security breaches, enabling swift action to mitigate damage and prevent future occurrences.
- Accountability and responsibility: Clear email security records establish accountability and responsibility within an organization, helping to track user actions, monitor system activities, and enforce security policies.
- Business continuity: Maintaining robust email security records ensures business continuity by safeguarding critical communication channels, preventing disruptions due to security incidents or data breaches.
- Reputation management: Effective email security records management protects the reputation of an organization by demonstrating commitment to safeguarding sensitive information and maintaining trust with customers, partners, and stakeholders.
- Intellectual property protection: Email security records help protect intellectual property by preventing unauthorized access, disclosure, or theft of proprietary information transmitted via email.
- Employee awareness and training: Analyzing email security records allows organizations to identify areas for employee awareness and training, improving overall cybersecurity hygiene and reducing the risk of security incidents.
What happens if someone doesn’t add DKIM, DMARC and SPF records to DNS settings?
If someone fails to add DKIM, DMARC, and SPF records to their DNS (Domain Name System) settings, they leave their domain vulnerable to various forms of email-related threats and may encounter several negative consequences:
- Increased susceptibility to phishing attacks: Without DKIM, DMARC, and SPF records, it becomes easier for malicious actors to impersonate the domain in phishing emails. These emails can trick recipients into divulging sensitive information, leading to data breaches, financial losses, and reputational damage.
- Email deliverability issues: Absence of SPF records can result in email deliverability problems, as recipient servers may be more likely to mark emails from the domain as spam or reject them altogether. This can adversely affect communication with clients, partners, and other stakeholders, leading to missed opportunities and diminished trust.
- Brand impersonation and reputation damage: Lack of DMARC records makes it difficult for domain owners to monitor and control unauthorized use of their domain names in phishing and spoofing attacks. As a result, their brand reputation may suffer, leading to loss of customer trust, erosion of brand equity, and potential legal implications.
- Inability to comply with industry regulations: Many industries have regulations mandating the implementation of email authentication mechanisms like DKIM, DMARC, and SPF to protect sensitive information and ensure data privacy. Failure to comply with these regulations may lead to regulatory fines, legal liabilities, and damage to the organization’s credibility.
- Difficulty in diagnosing and resolving email issues: Without proper email authentication records, diagnosing and resolving email delivery problems become more challenging. This can result in prolonged downtime, decreased productivity, and frustration among employees and customers.
Neglecting to add DKIM, DMARC, and SPF records to DNS settings exposes the domain to a wide range of risks, including phishing attacks, email deliverability issues, brand impersonation, regulatory non-compliance, and operational inefficiencies. Implementing these records is essential for enhancing email security, maintaining brand integrity, and ensuring smooth communication channels.
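To make the three records concrete, here is an added Python example (written for this post, not Rocket Pop’s or any provider’s code) that parses constructed SPF and DMARC TXT records for hypothetical domains and works out the disposition a receiving server would apply to a message, including the case above where a domain publishes no DMARC record at all.

```python
# Added example: how a receiving server combines SPF, DKIM and DMARC results.
# Illustrative code written for this post; DNS lookups are replaced by a
# constructed table of TXT records (hypothetical domains) so it runs offline.

DNS_TXT = {
    "example.org": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; aspf=r; rua=mailto:dmarc@example.org",
    "legacy.example": "v=spf1 ip4:192.0.2.10 ~all",   # SPF only, no DMARC record published
}

def parse_spf(domain):
    """Split an SPF TXT record into its mechanisms, e.g. ['include:_spf.google.com', '-all']."""
    txt = DNS_TXT.get(domain, "")
    if not txt.startswith("v=spf1"):
        return None                        # no SPF record published for this domain
    return txt.split()[1:]

def parse_dmarc(domain):
    """Return the DMARC tags as a dict (with RFC 7489 defaults), or None if none is published."""
    txt = DNS_TXT.get(f"_dmarc.{domain}", "")
    if not txt.startswith("v=DMARC1"):
        return None
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key] = value
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """Disposition for a message whose visible From: header is in from_domain.
    spf_result/dkim_result are 'pass' or 'fail'; mail_from_domain is the envelope
    sender's domain and dkim_d the d= tag of the DKIM signature that verified."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "no-dmarc"                  # receiver falls back to its own spam heuristics
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_d, from_domain, policy["adkim"])
    # DMARC passes if either authenticated identifier aligns with the From: domain;
    # otherwise the domain owner's published p= policy (none/quarantine/reject) applies.
    return "pass" if (spf_aligned or dkim_aligned) else policy["p"]
```

A message that passes SPF only for an unrelated envelope domain and carries no valid DKIM signature ends up at the published `p=quarantine`, which is exactly the behaviour the bulk-mail failures described above come from when the records are missing or misaligned.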
My Experiences In Enabling Email Security Measures For Our Clients:
Access to two things is required: the domain’s DNS records, and the customer’s email client (for retrieving the required DKIM records). We manage domain DNS for most of our clients (we host these sites too), but gaining access to their email client is a different story.
We’ve set up a chunk of our clients on Google Workspace, but that doesn’t mean logging into the admin account is easy. GW has multiple layers of security that make it difficult to get in and do the work. 2FA via a verified email or phone number is typical. Another common security measure requires the user to confirm a two-digit code sent to the Google app on the admin’s verified mobile device. Sometimes Google gives you the option to choose the 2FA confirmation method, other times not. Occasionally, Google asks for 2FA verification twice. If the account admin email is the client’s address, then I/we have to coordinate a time when both the client and myself are available so I can try to log in to Google Workspace. The 2FA verification times out if not confirmed quickly.
Some of our customers use Microsoft 365 as their email client. Logging in can be just as tricky, and the process to retrieve the necessary security records is different, but easy enough. Some clients prefer not to share their GW or MS 365 login credentials with outside parties (including us!). If this happens, then I email the client step-by-step instructions, with screenshots, on how to retrieve the necessary DKIM security records from their email client. I’m also happy to hop on a Zoom and walk them through the process. Generating the actual records does not take much time. Tracking down the correct admin login info (clients frequently change passwords) and coordinating with the client to verify 2FA security is what can make this task difficult.
One of our clients is data security firm Hive Systems, and they’ve been a great asset for us in this project. They posted a blog about this subject that you can read here: https://www.hivesystems.com/blog/a-guide-to-increasing-your-email-security-and-deliverability-dmarc