Companies can easily implement some improved security standards in their email servers in order to increase the usefulness of email to their customers, vendors and stakeholders.
Looking through my email inbox in Microsoft Outlook this morning, I looked over several emails that I have received from companies of various sizes and noticed that only about half used the digital signing mechanism “DKIM” in their email messages, while all used at least the “SPF” system. Seeing this was easy because we have implemented an Office 365 add-on called Message Header Analyzer, which quickly displays and analyzes email headers directly within my inbox. According to a recent article in eWeek[i], widespread adoption of email authentication standards including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) has been slow in the United States. According to Patrick Peterson, “Federal adoption of DMARC has reached 47 percent, while Fortune 500 adoption remains at only 33 percent.” Why are the adoption rates so low, and why does this matter? Perhaps an even more important question is: why does my company need to understand and implement these standards?
Although we cannot answer why the adoption rates of these email standards are so low, we can explain what these standards are and why they are very important for companies to understand and implement. From a high level, the reason the standards are important for companies of all sizes is that they help ensure that their email messages are actually delivered to the people to whom they are sent, rather than being rejected or quarantined as spam. Makes sense, right? So, why hasn’t every company in the United States moved ahead with the changes on their email servers necessary to implement these important authentication standards? Perhaps there is a misunderstanding by small and medium-sized companies regarding the complexity or difficulty of implementing them. In fact, companies can quickly implement these email standards and greatly improve the usefulness of their email transmission to their customers, vendors and stakeholders.
What are SPF, DKIM, and DMARC?
SPF, or Sender Policy Framework, is a technical standard designed to identify forged sender addresses in an email message. It does this through a text (TXT) record published in the DNS for the domain; the receiving server checks the connecting server against that record and records the result in the email header. The SPF record identifies each and every server address (either a fully qualified domain name or IP address) that is allowed to send email on behalf of that domain. DKIM, or DomainKeys Identified Mail, is a standard that provides for the digital signing of email messages: the sending server inserts a signature into the mail header, and the receiver validates that signature against the corresponding public key published in the DNS for the domain (the private key stays on the sending server). In this way the sending email server digitally signs the email message to prove the validity of the sender. Finally, DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard that works alongside SPF and DKIM through a text record “policy” on the DNS entry for the domain. The Wikipedia article on DMARC says it well: “A DMARC policy allows a sender’s domain to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it. The policy can also specify how an email receiver can report back to the sender’s domain about messages that pass and/or fail.”[ii]

Although all of this may sound complicated, implementing the standards is actually very simple, especially for those companies using an enterprise email system like Office 365 or Google G Suite. In fact, all three could be implemented in a period of about two hours or less, and without any outside technical expertise required.
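The three DNS records described above, as an added example that is not part of the original article: it evaluates a receiving server's SPF check for a given sending IP (only ip4/ip6 mechanisms and "all" are handled, since include/a/mx need live DNS), validates the required tags of a DMARC policy, and derives the DNS name a receiver queries for a DKIM public key. The domain, selector, IP ranges and header values are constructed sample data.

```python
import ipaddress

# Constructed sample records for a hypothetical domain (not from the article).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
DKIM_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; "
               "h=from:to:subject; bh=constructedhash=; b=constructedsig=")

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting server's IP.
    Assumption for this offline example: only ip4/ip6 and 'all' terms are
    handled; include, a, mx and redirect are skipped because they need DNS."""
    if not record.startswith("v=spf1"):
        return "none"                      # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                         # an unqualified mechanism means pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]         # catch-all decides anything unmatched
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
    return "neutral"                       # nothing matched and no 'all' term


def _tags(text):
    """Split 'k=v; k=v' tag lists (DMARC records, DKIM headers) into a dict."""
    return dict(p.strip().split("=", 1) for p in text.split(";") if p.strip())


def parse_dmarc(record):
    """Return the DMARC tags, rejecting records without a valid version/policy."""
    tags = _tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    return tags


def dkim_dns_name(header):
    """Derive <selector>._domainkey.<domain>, the TXT name holding the public key."""
    tags = _tags(header.split(":", 1)[1])
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    print("SPF result for 203.0.113.45:", spf_check(SPF_RECORD, "203.0.113.45"))
    print("DMARC policy:", parse_dmarc(DMARC_RECORD)["p"])
    print("DKIM key lookup:", dkim_dns_name(DKIM_HEADER))
```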
Case in Point:
I recently became involved with one of our customers who was using one of our company’s email utilities to send emails from their ABBYY FlexiCapture system. They opened a support ticket stating that their customers were complaining about either not receiving the email messages that they were expecting or that the messages went into their spam folders. Although email delivery forensics is a complicated science, I began by having their email robot fire off some emails to me so that I could examine the headers. Not surprisingly for an email domain that was experiencing poor delivery rates, the mail headers showed that neither SPF nor DKIM had been implemented. Also, the same email subject text was used in each of the email messages, something which is viewed by spam filters as bad. These three facts together almost guaranteed poor email delivery rates, and this was what they were experiencing. I worked with them to implement SPF and DKIM, along with a DMARC policy, and finally to have them generate a unique subject field for every email. In about two hours of work we solved their email delivery problem.
Bottom Line:
Once the basic email authentication standards were put in place, along with commonsense sender protocols to reduce false positives in the spam filters, the email delivery issues were solved.
Moving Forward with SPF, DKIM, and DMARC
Just before I wrote this article I received a copy of an email message sent from a large (25,000 employees), international company to our CRM system’s support email inbox. I was curious about whether a message from a company this large would utilize these important email standards. The email header quickly revealed that they used only the SPF system and not DKIM (or the related DMARC policy). Why? It’s hard to tell. Perhaps it was because of some limitations in their legacy systems, or some misunderstanding as to the complexity of implementing the standards. Regardless of the reason, our email server still received the message and triggered the desired rule of opening a support ticket to resolve their issue. But what if the email message had gotten hung up in a spam quarantine, or worse, been rejected by our email server as a possible spoofed message? How would this have impacted our service level agreement with them, and whose fault would it have been for the delay?
How User Friendly Consulting Can Help
We understand these email standards very well and can help you implement them and evaluate the results very quickly. We can especially help small and medium-sized companies who self-administer their Office 365 system. Please reach out to us. We would be glad to offer advice or help you with some short-term consulting.
[i] https://www.eweek.com/security/dmarc-email-security-adoption-grows-in-u.s.-government cited 20 May, 2019.
[ii] https://en.wikipedia.org/wiki/DMARC cited 20 May, 2019.