Email is the lifeblood of businesses all over the world. It is so fundamental that it sometimes seems more like a utility service such as electricity or water, rather than part of an organisation’s IT infrastructure.
Being an essential part of business infrastructure also makes email vulnerable from a cybersecurity perspective. Many recent cyberattacks, such as the WannaCry ransomware attack, have demonstrated that email systems are the easiest route into your business for cybercriminals. All it takes is a single employee — and don’t forget, that employee could be anyone from a brand-new joiner to the CEO — to fall victim to a social engineering scam, click on an infected link or download a malicious attachment, and your entire operation could potentially grind to a halt.
Ultimately, we’re dealing with a question of trust. How do you know that an email is really from a trusted party? How do you know that it’s really from your bank, or your business partner? How do you know that someone logging into the email system is really an authorised member of staff?
This is where authentication comes in. At the most fundamental level, authentication works on a whitelisting system. That is, it checks the credentials presented by a party — which might be an individual person, an application, or a service — and only allows that party to proceed with whatever access or service has been requested once those credentials have been verified.
Check Before Use
This concept has its roots in the credit card industry. The industry introduced digital verification of identity using electronic card readers at point-of-sale terminals, which enable the retailer to check in real time whether a particular payment card is legitimate and has sufficient funds to cover the transaction, before payment is taken. So both the card and its intended use are authenticated before the transaction can proceed.
Of course, the digital era and in particular the rise of the Web and cloud computing has enabled authentication to massively branch out from these financial services roots, with authentication services used across a huge range of online services and applications. Unified login products are now available, giving organisations a single centralised means of authenticating and managing how individuals log into their systems.
But what about email? Contrary to what you might think, email is not authenticated automatically — which means those basic questions of trust outlined above are not guaranteed to be answered.
Do I know the sender of this email? Is it really the person who I think it is?
These are the questions that we need to ask ourselves every time we receive an email. We need to be certain that the sender of the email is actually the person who has supposedly sent it. This is now possible through DMARC, a protocol that detects and prevents email spoofing and enables organisations to essentially build a whitelist of verified, legitimate email senders. In effect this means that it prevents anyone from impersonating your email domain, making it impossible for hackers to send fake emails to your clients; it also blocks malicious emails from your inbox. In brief, DMARC works by verifying whether an email was sent from an authorised IP address, and whether the email has been signed by the same domain it was sent from, or by a domain that is authorised to send on behalf of that domain. These two factors are combined to authenticate emails, and to set rules about how receiving servers should treat mails that fail the authentication checks.
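The paragraph above describes the two checks DMARC combines (an authorised sending IP, which is the SPF check, and a signature from the sender's domain or an authorised one, which is the DKIM check) and the policy a domain owner publishes for messages that fail both. The following Python is an added illustration written for this post, not OnDMARC's code or any mail receiver's implementation. It parses a DMARC TXT record, applies the relaxed/strict alignment rules from RFC 7489 to the From: domain, and returns the pass/fail verdict together with the action the policy requests. The organisational-domain helper is a deliberate simplification (last two labels; real receivers consult the Public Suffix List), and the `AuthResults` structure, sample domains and sample records are constructed for the example.

```python
"""Simplified DMARC evaluation: SPF result + DKIM result + From: domain + published policy.

Illustrative example only. Assumptions: SPF and DKIM have already been checked by the
receiver, and the DMARC record supplied was published at the From: domain's
organisational domain (so the sp= tag applies to sub-domains)."""

from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict,
    filling in the defaults RFC 7489 specifies for absent tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # policy applies to all failing mail
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (assumption).
    Production code uses the Public Suffix List so 'shop.example.co.uk' works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    header_domain = header_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return header_domain == auth_domain
    return organizational_domain(header_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """Constructed container for what the receiver already knows about a message."""
    from_domain: str     # domain in the RFC5322 From: header (what the user sees)
    spf_result: str      # "pass", "fail", "none", ...
    spf_domain: str      # envelope MAIL FROM domain the SPF check was made against
    dkim_result: str     # "pass", "fail", "none", ...
    dkim_domain: str     # d= of the validated DKIM signature, "" if none


def evaluate_dmarc(results: AuthResults, record_txt: str) -> tuple:
    """Return (verdict, action). Verdict is 'pass' if either SPF or DKIM passed
    AND is aligned with the From: domain; otherwise the published policy applies."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Sub-domain From: addresses fall under sp= when the owner published one.
    is_subdomain = results.from_domain.lower() != organizational_domain(results.from_domain)
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", action


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    cases = {
        "legitimate bulk sender": AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com"),
        "spoofed From: header":   AuthResults("example.com", "pass", "attacker.example", "none", ""),
    }
    for name, auth in cases.items():
        print(f"{name:24s} -> {evaluate_dmarc(auth, record)}")
```

The second sample case is the situation the post is about: the attacker's own mail server passes SPF for the attacker's domain, but because that domain is not aligned with the `example.com` shown in From:, DMARC fails and the receiver is told to reject. Switching the record to `adkim=s` shows why strict alignment can break legitimate mail signed by a sub-domain.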
So if DMARC delivers such effective protection against phishing scams and malicious emails, why don’t email providers offer it as a standard service? The simple answer is that they can’t. DMARC configuration is the responsibility of the email domain’s owner — not the email provider. Unlike card payments, where the Payment Card Industry governs the global networks, there is no equivalent body for email. The vast majority of businesses have to set up DMARC for themselves to protect their emails.
In the past, setting up DMARC would have been a lengthy, costly and frustrating process, as the protocol is complex to implement. However, solutions such as OnDMARC enable firms to set up DMARC and run it on a self-service basis, making its protection much more widely accessible for businesses of any size.
Why not contact us to find out more, or check the current status of your organisation’s email domain and start increasing your email deliverability by using the tool at www.ondmarc.com?
Have a look at our video below to learn more about how DMARC works or read some of my other blog posts based around email security.