The foundational protocols for making email more secure and less of a threat have been in place for almost a decade, yet they remain mostly unused, poorly implemented and largely ineffective. A recent report from Sendlayer shows just how much of a problem that is.

We all know that email is terribly insecure. If we get distracted, we can easily click on a piece of malware or get connected to a phishing site that will steal our credentials.

All it takes is a single user to be convinced that a malevolent missive is legitimate. And that single misplaced message can cause a world of hurt, beginning with a ransomware attack, or heaps of money transferred to a criminal’s bank account, or an upload of private documents across Wikileaks and the dark web.

Protocols and more protocols

Before diving into the report, here’s some background. More than 10 years ago, a variety of organizations got together to set in place the first secure email protocol, called Sender Policy Framework or SPF, which was proposed back in 1996. The idea was to restrict who can send emails from an organization’s domain, and it was initially designed to stop domain spoofing.

But that wasn’t enough, and a second standard called DomainKeys Identified Mail or DKIM was created to ensure that the content of emails remains trusted and hasn’t been tampered with or compromised. The two of them were updated with a 2014 standard, but both needed more structure.

Thus there’s yet a third protocol called Domain-based Message Authentication Reporting and Conformance or DMARC, which created a consistent set of email security policies to link the sender’s domain name in an email message with what is shown in the “From:” address. Although that one was never formally adopted as a standard, an independent working group called DMARC.org has been trying to move it along this process.

Once all this went down, several leading email vendors got busy trying to put this all together. Fastmail Pty. Ltd. posted its plans and highlighted some of its implementation issues in a 2016 blog post that has held up over time. LinkedIn has a slightly less technical blog from 2018 that discusses some of the issues. Alphabet Inc.’s Google and Microsoft Corp. also began their implementations of these protocols.

One of the interesting things about internet protocols is that it’s possible to examine who is using them and who isn’t. The DMARC working group reports that more than 5.5 million records have been published as of June 2022, the most recent report it has. That sounds like a lot of domains, but a closer look shows that two-thirds of them haven’t implemented any DMARC policies across their email infrastructures, a percentage that has remained fairly consistent across the past several years.

That brings us to the Sendlayer report, which looked at more than 187,000 domains  to determine DMARC’s status. The report shows a spotty implementation record as well. This is true for U.S. government-based domains, despite an edict from Homeland Security that mandated DMARC usage back in 2018.

So what accounts for the holdup? First, implementing these protocols — including yet a fourth one called Brand Indicators for Message Identification or BIMI, which brings visible brand logos in inboxes — is devilishly difficult. When I tried to implement them across my own domains, I needed professional help from Valimail to put this all together properly, plus several months of trial and error to get everything right.

There are other email security providers that have similar solutions and consulting practices, such as Proofpoint Inc., Agari Inc., Cloudflare Inc. and Barracuda Networks Inc., which is great but still hasn’t gotten much traction, and solving the security problem often involves several stakeholders across an enterprise to coordinate their responses.

Speaking of Barracuda, it recently admitted that a vulnerability in its Email Security Gateway appliance allowed a hacker inside its network for unauthorized access last October. The intrusion was finally spotted a few weeks ago and was patched, but some customer data was stolen.

How to do it right

Having four different protocols means there’s a lot of stuff to get under control, and finding the darker corners of how email is consumed across an entire information technology infrastructure is a job for Sherlock Holmes. Take my own situation. Even with a company size of one, I had some issues.

For example, I run a few subdomains and was sloppy about how I implemented my email being sent from a mailing list. You need to implement all of the protocols across all subdomains, and for everything that communicates via email. I use WordPress as my blogging server, which sends email notifications of various kinds and from different plug-ins. If there are routers or servers or applications that send email alerts, they will need to be checked to ensure they can support this protocol stew.

For larger companies, finding these hidden email apps will take some effort. As Proofpoint’s Craig Temple wrote last fall, the DMARC process is a journey, not a destination. And organizations can experience a lot of turbulence along the way.

Earlier this year, Cloudflare posted on its blog how to pull this off using its tools. It’s a good place to start to understand the complexities, even if not employing its solution. There are also validation tools from DKIMValidator, Redsift and Proofpoint that can help check to see if things have been done correctly.

“DMARC is a great step toward protecting your brand,” says Temple. “But keep in mind that maintaining and expanding your email protection is equally important.”

The upshot: Those implementing the protocols need to make sure they get top management buy-in and don’t underestimate the amount of time to complete the project.

Image: geralt/Pixabay