Improve email security and delivery with email authentication

by Bojan Ordev, Director & Principal

Image: "Dog in disguise" by Braydon Anderson on Unsplash

Why is email authentication important?

In today's digital age, email is a critical communication channel for businesses. It plays a vital part in our daily operations, whether we are sending important updates to team members and clients, discussing deals with business partners, or making payments.

The widespread use of email has also made it a prime target for malicious use such as impersonation, spoofing, and phishing. This is where email authentication can help.

Email authentication can also improve delivery, and it's highly likely that email providers will follow Gmail's lead and require a minimum baseline for bulk senders.

Starting February 1, 2024, senders who send more than 5,000 messages per day to Gmail accounts must meet the following requirements:

  • Set up SPF and DKIM email authentication for your domain.
  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • For direct mail, the domain in the sender's From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.

What is email authentication?

Email authentication (also known as email validation) is a collection of protocols that work to verify the legitimacy of the sender, their association with the domain, and the integrity of the email.

The following three protocols are in widespread use today and are critical to email security. While the protocols can be used independently, they should be used together to protect against common threats.

Sender Policy Framework (SPF)

SPF allows domain owners to specify which email servers are authorised to send on their behalf and is considered baseline by many businesses and email providers.

SPF validates only the envelope sender domain (the MAIL FROM or Return-Path address, also known as the envelope from), which is different from the From: header address that the user sees when reading the email. For this reason, SPF should not be used in isolation, and should be paired with DMARC to ensure alignment between the two.

DomainKeys Identified Mail (DKIM)

DKIM authenticates senders and protects email integrity by signing (parts of) the email with a cryptographic signature. The signed contents and signature can subsequently be used to validate that the email hasn't been tampered with, either in transit or via offline mechanisms after delivery.

DKIM sees the lowest uptake of the three protocols and requires additional setup and maintenance as the signing keys need to be securely managed and rotated.

Just like SPF, DKIM should not be used in isolation: a receiver has no way of knowing from DKIM alone whether a given email should have carried a signature in the first place.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC extends SPF and DKIM by solving for some of their key shortcomings. It verifies that at least one of the above authentication methods passes, allows you to specify policy on how to handle emails that fail authentication, and provides reporting capability for observability.

DMARC also solves the envelope from vs From: address issue by ensuring alignment between the two and can improve email delivery through redundancy when used with both SPF and DKIM (as only one needs to pass).

For these reasons, DMARC should be considered baseline when implementing a comprehensive email security strategy.
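
The alignment rule described above, as an added example in Python (not the author's code): it takes the SPF and DKIM results a receiver has already computed and decides DMARC pass/fail and the disposition from the published policy. The domain names and policy record are constructed, and the organisational domain is approximated as the last two labels instead of consulting the Public Suffix List.

```python
def org_domain(domain):
    """Organisational domain, approximated as the last two labels (constructed
    simplification: real evaluators consult the Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = identical domains, 'r' = same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Pull the tags this example needs out of a v=DMARC1 TXT record (defaults as in RFC 7489)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def evaluate_dmarc(record, from_domain, spf, dkim):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    DMARC passes when at least one of them passed AND is aligned with the
    From: header domain; otherwise the record's p= policy applies.
    (The sp= policy for subdomain senders is not modelled here.)"""
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for r, d in dkim)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else policy["p"]}


# Constructed scenario: a third-party mailer sends on behalf of example.test.
# SPF passes for the mailer's own bounce domain and DKIM is signed with the
# mailer's key, so neither identifier aligns with the visible From: domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
UNALIGNED = evaluate_dmarc(RECORD, "example.test",
                           ("pass", "bounce.mailer.test"), [("pass", "mailer.test")])
# Same mailer, but now signing with a DKIM key published under example.test.
ALIGNED = evaluate_dmarc(RECORD, "example.test",
                         ("pass", "bounce.mailer.test"), [("pass", "example.test")])
```

The first scenario is the one the Gmail requirement above targets: both checks pass technically, yet the message fails DMARC because nothing is aligned with the From: domain.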

Considerations

While it can be easy to get started with email authentication, the following considerations will set you on the right path for a safe and secure setup.

  • Misconfiguration. Misconfigured SPF, DKIM, and DMARC records can result in delivery issues and false positives. Common examples include multiple or malformed records, syntax errors, weak signing keys, and SPF records that exceed the limit of 10 DNS lookups.

  • Supporting infrastructure. Email authentication is built on top of the Domain Name System (DNS): receiving email servers look up your authentication records in DNS to verify your mail. Ensure that your DNS service is secure and resilient to protect your business and improve delivery.

  • Neglecting regular reviews. As your environment evolves, it's important to review regularly and keep authentication records up to date. Neglecting these updates can broaden the overall attack surface of your business as legacy senders, servers, and third parties may still be authenticated.

  • Overlooking subdomains and parked domains. Failing to implement email authentication on subdomains and on parked or non-email-enabled domains can leave gaps in your posture that threat actors can take advantage of. Parked domains require special treatment and should be secured using naked SPF, expired DKIM, and strict DMARC records. You should also consider publishing a null MX record so that mail sent to these domains fails fast and senders are notified sooner.

  • Email authentication is not a silver bullet. Email authentication and reporting rely on downstream email servers to honour your policies, which may not always be applied due to their own misconfigurations, policies, or security issues.

  • Train your team. Email authentication should be part of a broader cyber security strategy. Invest in training and educating your team and clients to bolster your defence against email-based threats, and consider additional security controls covering device security, attachment and link safety, encryption, regular backups, and a battle-tested incident response plan, to name a few.

  • Test changes and review reporting. Ensure that you validate changes in your environment and stay on top of regular reporting. New initiatives and changes to existing policy may impact email delivery and business operations. For example, GitLab suffered a major service outage earlier this year where the impact could have been minimised, and the incident resolved sooner, had the team been receiving the backup failure notifications:

    "While notifications are enabled for any cronjobs that error, these notifications are sent by email. For GitLab.com we use DMARC. Unfortunately DMARC was not enabled for the cronjob emails, resulting in them being rejected by the receiver. This means we were never aware of the backups failing, until it was too late."
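
The SPF lookup-limit check from the Misconfiguration point above, as an added example in Python (not the author's code). The TXT records are constructed for the example, including a parked domain carrying the naked v=spf1 -all record mentioned under parked domains; a real audit would query DNS instead of this dictionary.

```python
import re

# Constructed TXT records (not real zones): a primary domain whose SPF chains
# through a vendor with many includes, a parked domain with the naked
# "v=spf1 -all" record, and a domain that mistakenly publishes two records.
DNS_TXT = {
    "example.test": ["v=spf1 mx include:_spf.example.test include:crm.vendor.test -all"],
    "_spf.example.test": ["v=spf1 ip4:203.0.113.0/24 a:relay.example.test -all"],
    "crm.vendor.test": ["v=spf1 " + " ".join(f"include:{c}.vendor.test" for c in "abcdefg") + " -all"],
    **{f"{c}.vendor.test": [f"v=spf1 ip4:198.51.100.{i} -all"] for i, c in enumerate("abcdefg", 1)},
    "parked.test": ["v=spf1 -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 include:_spf.example.test ~all"],
}

# optional qualifier, mechanism/modifier name, optional ":" or "=" argument, optional CIDR
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/[\d/]*)?$")


def spf_lookups(domain, path=()):
    """Count the DNS-lookup terms (include, a, mx, ptr, exists, redirect) in the
    domain's SPF record, recursing into include:/redirect= targets; returns
    (count, problems). Every term counts, even repeated ones, as in RFC 7208."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(path)}"]
    records = [r for r in DNS_TXT.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly one SPF record, found {len(records)}"]
    count, problems = 0, []
    for term in records[0].split()[1:]:
        m = TERM.match(term.lower())
        if not m or (m.group(1) in ("include", "redirect") and not m.group(2)):
            problems.append(f"{domain}: malformed term {term!r}")
            continue
        name, target = m.group(1), m.group(2)
        if name in ("include", "redirect"):
            sub_count, sub_problems = spf_lookups(target, path + (domain,))
            count += 1 + sub_count  # the include/redirect itself plus everything it pulls in
            problems += sub_problems
        elif name in ("a", "mx", "ptr", "exists"):
            count += 1  # ip4/ip6/all cost nothing
    return count, problems


def audit_spf(domain):
    """Top-level audit: flags the RFC 7208 limit of 10 lookups on top of
    duplicate, missing, malformed or looping records."""
    count, problems = spf_lookups(domain)
    if count > 10:
        problems.append(f"{domain}: {count} DNS lookups exceeds the limit of 10")
    return {"lookups": count, "problems": problems}
```

Running audit_spf("example.test") reports 11 lookups: the vendor include alone contributes eight, which is how a record that looks harmless at the top level ends up with SPF permerror and failed deliveries.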

In conclusion

Email authentication is a key pillar of modern cyber security. By implementing SPF, DKIM, and DMARC you can protect your business while also ensuring that legitimate emails reach their destination.

Stay vigilant, be informed, and make email authentication an integral part of your cyber security strategy!

Ready for the upcoming Gmail changes? Need a hand setting up email authentication? Get in touch with us at hello@extentlabs.com for a free, no-obligation chat.
