Big changes loom on the horizon for the world of email. Gmail and Yahoo recently announced they will be advancing ‘protections for safer, less spammy inboxes’, with a gradual enforcement beginning in February 2024 (as effective dates are updated by both Google and Yahoo, we will update this blog). With these two titans of the email market taking the lead, it’s likely their position will become a de facto standard and other mail providers will follow suit. To avoid business disruptions and loss of business partner trust, organizations should now be assessing their messaging infrastructure to ensure they meet the baseline requirements imposed by Google and Yahoo. The change requires organizations to:
- Authenticate your email by configuring SPF and DKIM to ensure message authentication, and utilizing a DMARC policy
- Enable easy unsubscribe
- Only send wanted emails
In this blog, we will be discussing the first bullet, focusing on SPF, DKIM, and DMARC configuration and policy setting.
History
To understand the changes and the impact this will have, we need to understand the history of SMTP, the protocol on which email is based.
The original SMTP protocol only supported unauthenticated unencrypted ASCII text communications. The lack of encryption and authentication made SMTP susceptible to trivial man-in-the-middle attacks, spoofing, spamming, and requiring any binary data to be encoded to readable text before transmission. Due to absence of a proper authentication mechanism, by design, every SMTP server was an open mail relay (an open relay is a mail server that allows any other mail server to send mail through it without requiring authentication or authorization).
The dangers of unauthenticated emails are well known. In 1998 over 50% of mail servers were open relays while today it is less than 1%. Most email providers now blacklist open relays and require at least one form of authentication (SPF), which makes the basic SMTP without authentication impractical for general use on the Internet.
The Problem
Email represents a large attack surface area. Phishing, and its variants (spear phishing, whaling, smishing, etc.) are all on the rise because it is cheap, quick, effective. In the past, attackers made heavy use of “drive-by” attacks, then vendors started shipping systems with more secure baseline configurations, which made “drive-by” attacks less effective.
Attackers then upped their game leading to a class of malfeasants known as “Advanced Persistent Threats” (APT’s). APTs differ from previous threats, they have a clearly defined objective specific to each target and are often state actors or hacking groups. They have time and resources to build novel messaging attacks and maintain a level of active control in the cyber battlefield. APTs adjust their methods in real time to overcome organizational defenses.
APTs have responded to better protection capabilities with novel attacks which attempt to exploit misplaced trust. The cyber industry has responded to APTs’ novel techniques with the adoption of Zero-Trust Architectures (ZTA). ZTA is an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A ZTA assumes there is no implicit trust granted to any entity (human or machine) and bestows trust (Authorization), only after it can be determined “that the entity and its identifier are genuine” (Authentication). With ZTA, human and machine authentication and authorization are discrete functions performed before a session to an enterprise resource is established.
ZTA In a Messaging Environment
Technologies to reduce spam have been in existence for many years and what Google and Yahoo announced are not new features. In fact, in simple environments, it’s possible to make the changes needed to ensure mail flow without incurring additional hard costs (software/hardware). What’s “new” is that Google and Yahoo will be enforcing those configurations by blocking all emails to any Yahoo-hosted or Google-hosted mailbox, when the sending organization has not implemented these protections. The enhanced trust is based on the configuration of the sending and receiving organization’s messaging infrastructures, not the legitimacy of individual messages. Organizations that do not implement these anti-spam techniques may experience service disruptions as these mail providers will reject all emails from non-conforming domains.
DNS and Email Authentication
Email Authentication is inextricably linked to DNS. That’s because the original SMTP protocol was not designed for security. When the need to secure email became critically clear, the industry responded by backfitting security mechanisms into DNS using special authentication record types: SPF, DKIM, and DMARC.
The changes announced by Google and Yahoo require implementation and enforcement of messaging hygiene affecting DNS records which will provide at least three lines of defense:
|
Method: |
Protects: |
Action Needed: |
|
SPF |
The sending/receiving mail servers |
Add email domain to SPF record |
|
DKIM |
The sending/receiving mail clients |
Ensure DKIM records are valid |
|
DMARC |
Brand, reputation, and responsive actions |
Ensure DMARC policy is valid |
*see glossary for extended definitions and relevant details
Avoid the Pitfalls
Addressing these new changes is achievable for any organization, as long as a well thought out approach is taken. Please remember to avoid these pitfalls:
- Don't wait to start, time is of the essence! Immediately begin to:
- Inventory affected domains
- Inventory affected email authentication records
- Inventory affected third party senders
- Inventory current Time to Live (TTL) values
- Determine strategy for implementation
- Determine strategy for operationalizing
- Consult with experts if you are at risk of business disruption due to missing the deadline
How K logix Helps
To ensure you are aligned with the new Google and Yahoo regulations, and prepared for future changes, K logix can provide a hygiene check-up, based on priority order that reviews domain inventory, inventory of third-party senders, as well as ensuring validation and/or set up of SPF, DKIM and DMARC. Our team can set up DMARC mailboxes and procure DMARC monitoring services to establish email authentication policies. Our white glove services are customizable based on your specific requirements and maturity.
Our team has also put together technical educational presentations to review any in-depth questions your team might have as well as help establish your next steps. Just reach out to us and we will coordinate the best way we may address your needs.
Glossary
SPF – Sender Policy Framework publishes a record to DNS with a list of servers (IP addresses) which are authorized to relay messages for a specific domain. SPF allows an organization to “whitelist” a set of IP addresses from which an organization’s emails may be sent. Before a receiving server accepts a message, a reverse lookup is done via DNS to verify the IP address is on the approved senders list. SPF is server-to-server authentication (not end-to-end). Because it’s a DNS reverse lookup (PTR), it relies on the return path of the message transport layer. SPF configurations have been partially enforced by receiving mail servers for many years now, but implementing DKIM and DMARC with SPF requires changes to the existing SPF record.
DKIM – Like SPF, Domain Keys Identified Mail publishes a record to DNS used for authentication. In the case of DKIM, the message itself is hashed using the domain’s public key, which is found in the DNS DKIM record. This hash ensures to the receiving mail server, that the message was not altered in transit, and more importantly, the message was sent from an email client of an authorized user of that domain. DKIM, while a best practice, has not been required until now. Previously configuring DKIM has been an optional best practice. the announcement from Google & Yahoo now require DKIM to be implemented along with DMARC for monitoring and reporting.
DMARC - “Domain-based Message Authentication, Reporting & Conformance” is an authentication technique that complements SPF and DKIM. DMARC tells the receiving mail server when SPF and/or DKIM authentication fails. In simple cases, it may be a simple block or rejection, or if the failures are low volume, administrators will likely ignore it. But mail administrators should be aware if their brand is under reputational attack such as spoofing or phishing. A large volume spike of failed authentications in the “Reporting and Conformance” report is DMARC’s way of letting the domain owner know their brand is under spoofing attack. In such cases, the domain owner may want to send a legal “cease and desist” letter or request a takedown service notify the ISP from which that attacks are taking place. Larger organizations with multiple brand (domain) names, will want to take advantage of a DMARC monitoring and response service to proactively protect their brands and reputations. Google and Yahoo want domain owners to proactively monitor and respond to spoofers imitating their domains. Previously configuring DMARC has been an optional best practice. The announcement from Google & Yahoo require DKIM to be implemented along with DMARC for monitoring and reporting.
Subscribe
Stay up to date with cyber security trends and more