The peculiar case of the 50-year-old internet service

In SMX Blog

DMARC and the legacy of email

Email has been around for so long that it’s easy to underestimate its power – and its threat. That’s certainly the impression you get at an OWASP conference. This is a meeting of highly accomplished security professionals who come together to share insight and information, with the goal of making the internet a safer place. In recent years, the focus has understandably been on exciting technological advancements, which has meant that email – as old as it is, and as relevant as it remains – continues to be overlooked.

That changed this year. SMX security expert Richard Gray spoke at the conference, outlining the often-ignored history of email and what that means for cybersecurity today.

Designed for openness

Over 50 years ago, Ray Tomlinson sent the first electronic message between two computer systems.

“Test messages are entirely forgettable and I have, therefore, forgotten them,” he told the New York Times in 2005.  

That message in 1971 was the beginning. It was email’s openness and simplicity that made it so usable – and with computers so rare and the modern internet in the distant future, security simply wasn’t a priority. The relatively tiny network was mostly made up of the few, usually government, organisations that could afford millions of dollars for a mainframe.

Jon Postel was the author of the Simple Mail Transfer Protocol (SMTP) still used today. His principle: “Be conservative in what you send, be liberal in what you accept.”

In today’s highly networked digital landscape, this ‘robustness principle’ still has appeal and makes sense at face value. However, when you think through the security implications in any depth, the ideas become questionable.

“The focus was on interoperability and ensuring that these new computer systems could communicate with one another, rather than locking down access,” explains Richard.

With expanded networks and more available hardware, email was no longer confined to academic and research communities. Businesses began to adopt it.

“This shift towards commercial use of email is really where the security problems started to emerge,” explains Richard. “Suddenly, there was a motivation for bad actors to exploit the openness of the email system for their own gain.”

The limitations of SPF and DKIM

As email became more widely adopted in the business world, engineers raced to patch the security risks inherent to the SMTP protocol. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) aimed to address some of its vulnerabilities.

These early solutions had their limitations. With SPF, a domain publishes a list of IP addresses authorised to send emails on its behalf. Recipient mail servers can then verify the connecting sender against these records. This is intended to prevent spoofing, but SPF checks the envelope sender address used in the SMTP transaction, not the “From” header address that message recipients see, so malicious actors can still forge the latter. SPF also has significant problems when messages are forwarded from one system to another, because the forwarding server’s IP address is not in the original domain’s SPF record.

DKIM uses cryptographic signatures to verify the integrity of the email message. The domain owner generates a key pair, publishing the public key in the DNS and using the private key to generate a unique signature for every email. The recipient mail server retrieves the public key from DNS to verify the signature, proving that the message was signed by the holder of that domain’s private key and has not been altered in transit. Like SPF, it’s clever but not foolproof.

DMARC: email’s biggest advancement since the @ symbol

DMARC is the practical security solution email has been waiting for. It works by tying together SPF and DKIM to enforce authentication alignment – a Swiss cheese approach with each layer of protection covering the gaps of the other. DMARC requires that the domain in the ‘From’ header align with the domain authenticated by SPF or the domain that signed the message with DKIM, so that the sender identity recipients see is the one that was actually authenticated.

Once deployed, DMARC can deal with suspicious mail in one of three ways:

  • Report only (p=none) – lets all emails through but reports authentication status to the domain owner.
  • Quarantine (p=quarantine) – holds email back, typically in the spam or junk folder, for users to review.
  • Reject (p=reject) – prevents emails from reaching inboxes.

While ideally all DMARC records would be set to p=reject, each mode has value. Report mode can inform domain owners of email authentication failures for their domain. These failures originate either from legitimate mail sources for which SPF and DKIM have been misconfigured or not configured at all, or from unauthorised mail sources seeking to impersonate the domain. Reporting mode is a useful stepping stone to the more secure enforcing modes of quarantine or reject.
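To make the alignment rule and the three policy modes concrete, here is an added example (not SMX's code) that evaluates a message against a DMARC record: it checks whether the ‘From’ domain aligns with an SPF-authenticated envelope domain or a DKIM signing domain and returns the resulting disposition. The organisational-domain logic is a simplification assumed for illustration, and the record and the three message scenarios are constructed.

```python
"""DMARC evaluation: does the From-header domain align with an SPF or DKIM pass?
Added example, not SMX's code. Organisational domain is simplified to the last two
labels (an assumption); real validators use the Public Suffix List."""

def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default) the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition). One aligned pass suffices: each layer covers the other."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")  # p= is none, quarantine or reject

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed sample record

def demo():
    """Three constructed messages, all claiming From: example.com."""
    return {
        # Legitimate send via an ESP: envelope mail.example.com passes SPF, DKIM d=example.com
        "legit": evaluate(RECORD, "example.com", "pass", "mail.example.com", "pass", "example.com"),
        # Forwarded: SPF fails at the forwarder's IP address, but the DKIM signature survives
        "forwarded": evaluate(RECORD, "example.com", "fail", "example.com", "pass", "example.com"),
        # Spoof: SPF passes for an unrelated envelope domain and there is no aligned DKIM signature
        "spoof": evaluate(RECORD, "example.com", "pass", "other-sender.example", "none", ""),
    }
```

The forwarded case is the SPF weakness mentioned earlier: SPF fails but the DKIM layer still carries the message through, while the spoof fails both aligned checks and gets the record's p=reject.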

The benefits of DMARC

DMARC is highly effective in protecting users against spoofed emails, making for a safer internet ecosystem. For domain owners, it also helps protect the supply chain, digital trust and brand reputation, while deterring attackers – by leading the cybersecurity pack, it shows you’re not an easy target.

Perhaps most importantly, DMARC is a critical linchpin in holistic cybersecurity. It protects the wider cyber community against email-based threats while its always-on tracking delivers real-time oversight of threats facing each domain.

Adoption and enforcement lagging

Because DMARC helps secure businesses indirectly, its value is less obvious and adoption has been slow and patchy.

According to our research, 62% of messages are covered by DMARC, but only 32% of domains have implemented the protocol. This tells us that the big players have moved to DMARC, with a long tail of smaller organisations yet to make the switch.

This is supported by results from our recent DMARC survey. This reviewed the DMARC status of larger organisations, along with a broader market snapshot from SMX’s customers and the domains that send to them. We manage over a million inboxes across Australia and New Zealand, which receive emails from senders ranging from multinational conglomerates to sole traders. While deployment stats are improving, more than half of SMX’s customers and the domains sending to them remain without enforced DMARC.

Deployment figures are much better for larger organisations, but 50% of NZ’s top 100 companies and about 75% of ASX-listed companies are still unprotected by an enforced DMARC record.

The reasons for these low figures are complex, but certainly, a lack of awareness plays a role. Many assume that rolling out Microsoft 365 or similar ticks the box of email security, forgetting that email is, and always has been, an inherently open technology. While email is very much part of today’s modern digital landscape, it’s ancient technology, developed for a different world. DMARC is the upgrade it so desperately needs.

Lead the cybersecurity pack 

While most organisations continue their slow progress, DMARC deployment and protections represent a significant advantage to those ready to leapfrog straight to enforcement mode. It’s the key to protecting your brand, improving your email security and contributing to an overall safer internet.

Start by implementing DMARC in reporting mode to get a view of how your domain is being used for internet email – both legitimate and illegitimate uses. Then configure SPF and DKIM for your legitimate mail sources – your email service providers will be able to provide information on how to do this for their respective services. We recommend regular validation of your SPF, DKIM, and DMARC DNS records using tools like MX Toolbox – these highlight any configuration problems that might impact deliverability once you enforce DMARC records.

With SPF and DKIM in place, you can move to a DMARC enforcing policy. Whether you take a smaller step with p=quarantine or go straight to p=reject, you should continue to monitor your DMARC reports. This helps you understand what attacks your domain is facing and take appropriate action. Smaller, simpler businesses can get this sorted with the help of an IT person, but larger and more complex organisations may require specialised support to ensure mail deliverability.
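As an added illustration of the validation step in this rollout (not SMX's tooling), the following checks the three DNS records for the problems described above and reports which stage of the rollout a domain has reached. The record strings are supplied by the caller rather than fetched from DNS, and the lookup limit and record syntax rules applied are the standard SPF, DKIM and DMARC ones.

```python
"""Readiness check for the staged rollout above. Added example, not SMX's tooling; records are
passed in as strings (in practice fetch TXT records for the apex, <selector>._domainkey and _dmarc)."""

def tags_of(record: str) -> dict:
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def spf_lookups(terms) -> int:
    """Count SPF terms that cost a DNS query; RFC 7208 allows at most 10 per check."""
    count = 0
    for term in terms:
        name = term.lstrip("+-~?").lower()
        if name.startswith(("include:", "exists:", "redirect=")):
            count += 1
        elif name.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            count += 1
    return count

def readiness(spf: str, dkim: str, dmarc: str):
    """Return (stage, findings); stage is 'none', 'reporting', 'quarantine' or 'reject'."""
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: no v=spf1 record; publish one listing every legitimate sender")
    else:
        last = terms[-1].lower()
        if last in ("all", "+all"):
            findings.append("SPF: '+all' authorises any sender; end the record with -all or ~all")
        elif last not in ("-all", "~all", "?all"):
            findings.append("SPF: record does not end with an 'all' mechanism")
        if spf_lookups(terms[1:]) > 10:
            findings.append("SPF: more than 10 DNS lookups; receivers will return permerror")
    if not tags_of(dkim).get("p"):
        findings.append("DKIM: selector record has no p= public key (missing or revoked)")
    dmarc_tags = tags_of(dmarc)
    if dmarc_tags.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record; start with p=none to collect reports")
        return "none", findings
    if "rua" not in dmarc_tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    policy = dmarc_tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none reports only; enforce once SPF and DKIM pass for all senders")
        return "reporting", findings
    return policy, findings
```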

Our Domain Protection Service (DPS) does just that. It combines specialist expertise, a tested process and best-in-class technology to get you to enforcement within six weeks – get in touch to find out more.