Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.
A Little History
Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.
The early Internet was not secure, so new technologies were developed to improve security:
- HTTPS to secure online transactions involving credit cards
- SFTP to secure file transfers (now replace by HTTPS in many cases)
- TLS to encrypt email communications between email servers
With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.
There were other technologies that attempted to “secure” email communications, all had various degrees of success, but none of them have really gone mainstream.
- PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
- “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
- Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.
The Threat of Spam and Phishing
Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams and much also escaping spam filters. By that measure, email is not “secure”.
Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:
- Stop hosting your own email – Inbox providers like Gmail, Office365, Yahoo!, etc. have dedicated teams to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
- Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
- Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
- Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.
To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center. Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:
- Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
- Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
- Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
- Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
- Manage the on-going requirements of maintaining high levels of email deliverability
On-Premise Email Security Best Practices
If your company strategy requires on-premise email management, then there are some best practices you can adopt:
- Use Inbound Email filtering gateways – Out of the box inbound filtering either software or hardware will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
- Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
- Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
- Setup Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
- Setup Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or prevent emailing large files, executables, etc. Leveraging advanced policies will help make using email more secure.
- Setup DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
- Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.
While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.