Email security has been on my mind since I started at VTS; after all, many attacks on an organization start with Phishing. Putting aside Security Awareness or Phishing training for employees, I was looking for technical solutions to protect my organization. This post is about my experience and what I wound up doing related to Email Authentication.

There are already existing articles and recommendations on some best practice things you can do; I won’t reproduce those. One article that stood out to me was:

http://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/

That article, however, is limited to Google Apps, and there is a lot more to Email security than your email provider.

The Problem:

Email configuration can be complex and confusing because strict technical and security rules dictate how email is sent. Those rules are expressed and enforced through DNS records, which makes email configuration somewhat difficult or scary, even more so if you are doing it for the first time, like me.

I was worried that if I made changes to the email configuration and made an error, it would have a negative impact and perhaps even stop emails from being sent or received. Further, the full ramifications of DNS changes may not be apparent immediately, compounding the difficulty. The expertise required and the nature of these changes made us hesitant to make any changes, even after hours of research.

Direct Issues to solve:

Some of our emails and email campaigns have been sent to our Customers’ spam folders (or blocked) due to our lax email configuration.

We’ve seen email spoofs and phishing attacks against our high-value targets due to our lax email configuration.

Email Authentication can help with these issues.

What you say?

Email Authentication (or authorization) simply means actively allowing our Service Providers to send email on our behalf. For example, Marketo might send emails coming from Info@vts.com even though Marketo doesn’t own the VTS.com domain.

Email authentication also means blocking emails that an unauthorized person tries to send on our behalf; spammers or phishers pretending to be VTS.com and sending email that appears to come from VTS.com.

Here are the basics of the Email Authentication protocols.

SPF, Sender Policy Framework: SPF lets a domain publish, in a DNS TXT record, the list of IP addresses and hosts allowed to send mail for it. The receiving server looks up the SPF record of the domain in the envelope sender (the SMTP MAIL FROM, also seen as Return-Path) and checks whether the connecting IP is on that list. Note that SPF says nothing about the From: address the recipient actually sees; tying the two together is DMARC’s job.

DKIM, DomainKeys Identified Mail: DKIM lets the receiver check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. The sending server adds a DKIM-Signature header containing a digital signature over selected headers plus a hash of the body; the receiver fetches the matching public key from DNS (published at selector._domainkey.domain) and verifies the signature. If the message was altered in transit, or the key is not in the domain’s DNS, verification fails.
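To show what a verifier actually computes, here is the body-hash half of a DKIM check, added as an example and not code from the original post or from any vendor mentioned in it. It implements the “relaxed” body canonicalization from RFC 6376, computes the bh= tag, parses a DKIM-Signature header, and derives the DNS name the public key lives at. The message body, the selector sel1 and the header contents are constructed; d=vts.com follows the post. Verifying the b= tag (the RSA signature over the headers) is the next step and needs the public key fetched from DNS, so it is not performed here.

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """'relaxed' body canonicalization (RFC 6376 s3.4.4).

    Trailing whitespace on each line is removed, runs of whitespace collapse to
    one space, trailing empty lines are dropped, and lines end with CRLF.
    Signer and verifier must produce exactly the same bytes here or bh= differs.
    """
    raw = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in raw]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_tags(sig: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags = {}
    for part in sig.split(";"):
        key, sep, value = part.partition("=")  # only the first '=' splits; base64 may contain '='
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is not significant
    return tags


def key_record_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <s>._domainkey.<d> as a TXT record."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(sig: str, body: str) -> bool:
    """True if the bh= in the signature matches the body as received.

    Only relaxed/relaxed is modelled; a simple-canonicalized signature is rejected
    rather than mis-hashed.
    """
    tags = parse_dkim_tags(sig)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or tags.get("c") != "relaxed/relaxed":
        return False
    return tags.get("bh") == body_hash(body)


# Constructed sample: a short body and the DKIM-Signature a signer would attach to it.
# The b= value is left empty on purpose (see the note above the block).
BODY = "Hi team,\n\nPlease review the attached Q3 invoice.  \n\nThanks\n\n\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=vts.com; s=sel1; "
    "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b="
)

if __name__ == "__main__":
    print("key record:", key_record_name(parse_dkim_tags(SIGNATURE)))
    print("body hash ok:", check_body_hash(SIGNATURE, BODY))
    print("tampered body ok:", check_body_hash(SIGNATURE, BODY.replace("Q3", "Q4")))
```

Changing a single character of the body (Q3 to Q4) changes bh= and the check fails, while the whitespace differences that mail relays commonly introduce do not, which is exactly why relaxed canonicalization exists.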

DMARC, Domain-based Message Authentication, Reporting & Conformance: DMARC is built on top of SPF and DKIM. It publishes a policy at _dmarc.domain telling receivers what to do with mail that fails authentication, and it requires that the domain which passed SPF or DKIM aligns with the domain in the visible From: header; that alignment requirement is what closes the spoofing gap SPF and DKIM each leave on their own. From a high level, if an email message fails DMARC, the administrator can 1) allow the message anyway (p=none), 2) send the message to spam (p=quarantine), or 3) block the message completely (p=reject). The same record also asks receivers to send aggregate reports (rua=), which is how you find out who is sending mail as your domain before you tighten the policy.
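The alignment rule is the part people get wrong, so here is a receiver-side DMARC evaluation, added as an example and not code from the original post or from any vendor. It parses a _dmarc record, applies relaxed or strict alignment between the SPF and DKIM domains and the From: domain, and returns the disposition. The record contents, the report address and the *.example sending hosts are constructed; vts.com and Marketo follow the post. The organizational-domain function is deliberately simplified (last two labels) where a real receiver consults the Public Suffix List.

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What a receiver knows once SPF and DKIM have run (all values constructed)."""
    from_domain: str   # domain of the RFC5322.From header, i.e. what the recipient sees
    spf_result: str    # SPF result for the RFC5321.MailFrom (Return-Path) domain ...
    spf_domain: str    # ... and that domain
    dkim_result: str   # result of the best DKIM signature ...
    dkim_domain: str   # ... and its d= domain ('' when there is no signature)


def parse_dmarc(record: str) -> dict:
    """Tag=value parser for a _dmarc.<domain> TXT record with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(name: str) -> str:
    # Simplified on purpose: the last two labels. Real receivers use the Public
    # Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(name.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, r: AuthResults):
    """Return (dmarc_result, disposition) where disposition is 'none', 'quarantine' or 'reject'.

    pct= sampling is not modelled: with pct<100 a share of failing mail gets the
    next less severe disposition, which is how a staged rollout works.
    """
    p = parse_dmarc(record)
    if p.get("v") != "DMARC1" or "p" not in p:
        return "none", "none"  # no usable policy: receivers fall back to their own spam filtering
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, p["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, p["adkim"])
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "none"
    # Mail from a subdomain uses sp= when present, otherwise p=
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    policy = p.get("sp", p["p"]) if is_subdomain else p["p"]
    return "fail", policy


# Constructed record for the post's domain; the report mailbox is invented.
RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@vts.com; adkim=r; aspf=r"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s"

# 1) Marketo-style campaign: the ESP's own bounce domain passes SPF but is not
#    aligned; the DKIM signature with d=vts.com is what makes DMARC pass.
MARKETING = AuthResults("vts.com", "pass", "bounce.esp.example", "pass", "vts.com")
# 2) The spoof from the post: From: says vts.com, SPF passes for the attacker's
#    own envelope domain, nothing is signed for vts.com.
SPOOF = AuthResults("vts.com", "pass", "somewhereelse.example", "none", "")
# 3) Same spoof against a subdomain that sends no mail: sp=reject applies.
SUBDOMAIN_SPOOF = AuthResults("finance.vts.com", "fail", "somewhereelse.example", "none", "")
# 4) Legitimate mail whose Return-Path is a subdomain: fine under relaxed, not under strict.
SUBDOMAIN_BOUNCE = AuthResults("vts.com", "pass", "mail.vts.com", "none", "")

if __name__ == "__main__":
    for name, case in [("marketing", MARKETING), ("spoof", SPOOF), ("subdomain spoof", SUBDOMAIN_SPOOF)]:
        print(name, evaluate(RECORD, case))
    print("strict aspf:", evaluate(STRICT_RECORD, SUBDOMAIN_BOUNCE))
```

The spoof case is the one that matters: the attacker's mail can legitimately pass SPF for whatever envelope domain they control, and only the alignment check against the From: header turns that into a DMARC failure. Case 4 shows why aspf=s is a foot-gun for domains that bounce from a subdomain.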

To complicate things further, SPF limits the receiving mail server to ten DNS lookups while evaluating a record: each include, a, mx, ptr and exists mechanism, and each redirect modifier, counts toward the limit, and going over it produces a permanent error, which most receivers treat as if you had no SPF record at all. This matters when you have multiple providers sending emails on your behalf, and it is compounded because an include can itself contain further includes, each of which counts toward the ten.
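To make the lookup counting concrete, here is a small SPF evaluator, added as an example and not code from the original post or from Valimail. It runs against a constructed in-memory zone instead of live DNS (vts.com is the post's domain, but the record contents and every *.example name are invented) and counts DNS-querying terms the way a receiver does, including nested includes, so you can see where a record stands against the limit of ten before publishing it.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: include, a, mx, ptr, exists and redirect each count


class PermError(Exception):
    """Raised when the record needs more than LOOKUP_LIMIT lookups (SPF 'permerror')."""


# Constructed zone data standing in for DNS. Only the fields the evaluator reads are present.
ZONE = {
    "vts.com": {"TXT": "v=spf1 include:_spf.crm.example include:mail.esp.example ip4:203.0.113.0/24 -all"},
    "_spf.crm.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 include:_blocks.crm.example ~all"},
    "_blocks.crm.example": {"TXT": "v=spf1 ip4:192.0.2.0/25 -all"},
    "mail.esp.example": {"TXT": "v=spf1 a mx -all", "A": ["192.0.2.200"], "MX": ["mx1.esp.example"]},
    "mx1.esp.example": {"A": ["192.0.2.201"]},
    # A record with eleven includes: one over the limit.
    "bloated.example": {"TXT": "v=spf1 " + " ".join(f"include:i{n}.example" for n in range(1, 12)) + " -all"},
}
for n in range(1, 12):
    ZONE[f"i{n}.example"] = {"TXT": "v=spf1 ip4:10.0.0.0/8 -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _count(counter):
    counter[0] += 1
    if counter[0] > LOOKUP_LIMIT:
        raise PermError(f"more than {LOOKUP_LIMIT} DNS-querying terms")


def _host_has_ip(name, addr, zone):
    return any(ipaddress.ip_address(a) == addr for a in zone.get(name, {}).get("A", []))


def _check(addr, domain, zone, counter):
    record = zone.get(domain, {}).get("TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):          # modifier: applies only if nothing matches
            redirect = term[len("redirect="):]
            continue
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):              # no DNS needed, so these are free
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            _count(counter)
            matched = _check(addr, arg, zone, counter) == "pass"   # nested lookups share the counter
        elif mech == "a":
            _count(counter)
            matched = _host_has_ip(arg or domain, addr, zone)
        elif mech == "mx":
            _count(counter)
            matched = any(_host_has_ip(mx, addr, zone) for mx in zone.get(arg or domain, {}).get("MX", []))
        else:                                     # ptr, exists: counted here but not modelled
            _count(counter)
            matched = False
        if matched:
            return QUALIFIER_RESULT[qual]
    if redirect:
        _count(counter)
        return _check(addr, redirect, zone, counter)
    return "neutral"


def check_host(ip, domain, zone=ZONE):
    """Evaluate domain's SPF record for the connecting IP; returns (result, dns_lookups_used)."""
    counter = [0]
    try:
        return _check(ipaddress.ip_address(ip), domain, zone, counter), counter[0]
    except PermError:
        return "permerror", counter[0]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "vts.com"), ("192.0.2.201", "vts.com"),
                       ("8.8.8.8", "vts.com"), ("198.51.100.99", "bloated.example")]:
        print(domain, ip, check_host(ip, domain))
```

The vts.com record above costs 5 of the 10 lookups even though it lists only two includes, because one include nests another and the ESP record adds an a and an mx. bloated.example fails with permerror on its eleventh include, and a receiver then treats the whole record as unusable, including the -all you were relying on.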

Email Delivery:

If we don’t use Email Authentication, our emails and email campaigns may be marked as spam since receivers have no way to verify that these emails actually came from us. A company with strict email rules might drop any incoming email that is unauthenticated.

With Email Authentication turned on, our email deliverability to clients and prospects will improve. This means marketing campaigns are more likely to land in their Inbox instead of being marked as Spam.

Spam and Phishing:

Without Email Authentication enabled, an attacker can very easily spoof email. In the classic example they send an email to our CEO that appears to be coming from Finance (or vice versa), saying “Hey Boss CEO, please pay this bill to the account below real quick.” The email will appear to come from FinanceGuy@vts.com, but in reality comes from RandomAccount@somewhereelse.com. With a well-crafted email it is not always obvious that a message is fake unless you look at the raw email headers. We can’t expect this from our executives.

With a DMARC policy of quarantine or reject, receivers that honor it will stop messages that claim to be from vts.com but fail authentication, which also cuts back on spam to the entire organization. It does not stop lookalike domains or a forged display name on some other domain, so it complements user training rather than replacing it. And yes, we have seen well crafted email “spoofs” and phishing attacks against our high value targets.

Enter Valimail:

I spent a lot of time (many hours) doing research on how to enable Email Authentication. I had an idea of what to do, but I was not very confident. I was afraid to make a change that could negatively affect our emails. After all, if I break our email, it would have a huge impact on our business. Simply put, I did not feel confident in my expertise.

I turned to a company that could help us with Email Authentication, Valimail. Valimail is basically an Email-Authentication-as-a-Service SaaS solution. Valimail ties into your DNS to handle SPF and DKIM, making Email Authentication easy for their customers. Valimail’s offering will also work around some of the nuances, for example the aforementioned SPF ten-lookup limitation. An important thing to know is that Valimail ties into your email delivery infrastructure; they cannot see email contents.

Valimail was a big help in that they have existing relationships with many vendors that will be sending email on your company’s behalf. Valimail was able to click a few buttons to set up DKIM and SPF on our domain.

As it turns out, some of our SaaS providers use the same email sending providers. For example, you may not use SendGrid directly, but two of your service providers may use them under the hood. This means those two service providers will conflict with one another. If I was doing the setup myself, I doubt I would have been able to realize what was going on, let alone fix it. Valimail was able to resolve these conflicts or create workarounds quickly since they have relationships with many vendors and email sending providers (SendGrid, Mailgun, etc.).

My experience with Valimail has been great. Their team is a group of subject matter experts on email authentication (it’s their business!), very quick to respond to any of my (many) questions, and pro-actively check in with me on a regular basis. After working with Valimail, I was able to move our organization’s Email Authentication policy from “Do Nothing” to “Quarantine” within a quarter.

In closing:

I strongly recommend you set up Email Authentication for your domain(s). If you have the confidence and resources to do this internally, make it your goal to move into quarantine or blocking (reject) mode in 2017. If you don’t have the resources or know-how to accomplish this on your own, check out some experts who can help you.
