Email Security - Essential Business Cybersecurity Component | ITM News and Articles

Elements of Email Security

Email security encompasses the practices, technologies, and protocols that protect email accounts, communications, and data from unauthorized access, loss, or compromise. It is not just about protecting the organisation against attacks that arrive through incoming email; it also covers what the organisation does to protect its own reputation and to play its part in ensuring authenticated delivery of emails to customers and other businesses.

Key elements include:

Authentication Protocols

SPF (Sender Policy Framework): This protocol allows the owner of a domain to specify which mail servers are permitted to send email on behalf of that domain. It helps prevent email spoofing.
DKIM (DomainKeys Identified Mail): This protocol adds a digital signature to the header of an email message, allowing the receiving server to verify that the email has not been altered in transit and is indeed from the specified domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance): This protocol builds on SPF and DKIM, allowing domain owners to publish a policy that specifies how an email receiver should handle emails that fail SPF or DKIM checks. It also provides a mechanism for the receiver to report back to the sender about emails that pass and fail these checks.

Encryption

Transport Layer Security (TLS): Encrypts the email message during transmission from the sender to the receiver, ensuring that the content cannot be intercepted and read by unauthorized parties.
End-to-End Encryption: Encrypts the email content itself, so only the intended recipient can decrypt and read the message.

Anti-Phishing Technologies

Email Filtering: Uses machine learning and heuristic analysis to detect and block phishing emails.
User Training: Educates users on how to recognize phishing attempts and handle suspicious emails.
Anti-Spam Solutions: Filters that detect and quarantine spam emails, reducing the risk of malicious content reaching the user's inbox.

Malware Protection

Scanning incoming and outgoing emails for malware, including viruses, ransomware, and spyware, to prevent infections and data breaches.

Access Control

Strong password policies and multi-factor authentication (MFA) to secure email accounts against unauthorized access.

Email Archiving and Backup

Storing copies of emails to ensure data is not lost and can be recovered in case of accidental deletion or data breaches.

Where DMARC Fits In

DMARC is a crucial component of email security, specifically addressing email authentication and providing a framework for email policy and reporting.

By implementing DMARC, organizations can:

Specify Policies: Define how receiving mail servers should handle emails that fail SPF or DKIM checks (e.g., reject, quarantine, or none).
Improve Email Deliverability: Ensure that legitimate emails are properly authenticated, reducing the chances of them being marked as spam.
Gain Visibility: Receive detailed reports on how emails sent from the domain are being processed by receiving servers, including data on failed authentication attempts.
Prevent Spoofing: Reduce the risk of domain spoofing by ensuring that only authorized servers can send emails on behalf of the domain.

By integrating DMARC with SPF and DKIM, organizations create a robust email authentication framework that significantly enhances the security and trustworthiness of their email communications.
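
A record audit for the policy and reporting choices listed above, as an added example that is not part of the original article. The sample records and the example.com address are constructed; the rua, pct and sp tags come from the DMARC specification (RFC 7489) rather than from this page.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return the tag/value pairs of a DMARC TXT record, or None if invalid."""
    pairs = [p.partition("=") for p in record.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    first = pairs[0][0].strip().lower() if pairs else ""
    if first != "v" or tags.get("v") != "DMARC1":
        return None                     # v=DMARC1 must be the first tag
    return tags

def audit_dmarc(record):
    """List the weaknesses a defender would flag in one DMARC record."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("missing or unknown p= policy")
    elif policy == "none":
        findings.append("p=none: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports are requested")
    pct = tags.get("pct", "100")        # defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    # sp= (subdomain policy) inherits p= when it is not published
    if tags.get("sp", policy).lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are left unenforced")
    return findings

# Constructed records: a monitoring-only policy beside an enforcing one.
WEAK = "v=DMARC1; p=none"
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for rec in (WEAK, STRICT):
        print(rec, "->", audit_dmarc(rec) or "no findings")
```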

Why has Google insisted on emails passing SPF and DKIM authentication?

Google, like many other email service providers, places a high emphasis on emails passing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication for several reasons:

Enhanced Security

Preventing Spoofing: SPF and DKIM help prevent email spoofing, where attackers send emails that appear to come from a trusted domain. By ensuring that only authorized servers can send emails on behalf of a domain (SPF) and verifying that the email content has not been altered (DKIM), Google can reduce the risk of phishing and other malicious activities.
Reducing Phishing Attacks: Authentication protocols help identify and block phishing emails, protecting users from scams that could lead to financial loss or data breaches.

Improved Email Deliverability

Email deliverability refers to the ability of an email to successfully reach the recipient's inbox without being marked as spam or bounced back. Ensuring high email deliverability is crucial for effective communication, especially in marketing and business correspondence.

Ensuring Legitimate Emails Reach the Inbox: Emails that pass SPF and DKIM checks are more likely to be considered legitimate and thus less likely to be marked as spam. This helps ensure that important communications reach their intended recipients.
Building Sender Reputation: Consistently passing SPF and DKIM checks helps senders build a positive reputation, which can improve deliverability rates over time.

Maintaining User Trust

User Experience: By filtering out spoofed and phishing emails, Google can provide a safer and more reliable email experience for its users.
Brand Protection: Enforcing these protocols helps protect the reputation of legitimate businesses and organizations by ensuring that their domains are not used for malicious purposes.

Compliance and Standards

Industry Standards: SPF and DKIM are widely recognized and adopted standards in the email industry. By enforcing these protocols, Google aligns with best practices and industry standards for email security.
Regulatory Compliance: Ensuring email authentication can help organizations comply with various regulatory requirements related to data protection and cybersecurity.

How SPF and DKIM Work

SPF (Sender Policy Framework)

Definition: SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.
Mechanism: When an email is received, the recipient's mail server checks the SPF record published in the DNS of the sender's domain. If the sending server's IP address is listed, the email passes the SPF check.

DKIM (DomainKeys Identified Mail)

Definition: DKIM adds a digital signature to the header of an email message, which can be verified by the recipient's server.
Mechanism: The sending server generates a unique cryptographic signature for each outgoing email and includes it in the email header. The recipient's server retrieves the public key from the sender's DNS records to verify the signature and ensure the email has not been altered.

Conclusion

By insisting on emails passing SPF and DKIM authentication, Google aims to enhance the overall security and reliability of email communications. This helps protect users from various email-based threats, ensures better deliverability of legitimate emails, and maintains a trustworthy email ecosystem.

What is the role of ARC in email deliverability?

ARC, which stands for Authenticated Received Chain, is a security protocol used in email deliverability to verify the authenticity of email messages as they pass through various intermediaries, such as forwarding services. 

It helps ensure that forwarded emails retain their authentication results, making it easier to detect and block spoofed or malicious emails. Here’s a breakdown of its components and functions:

Components of ARC

ARC-Seal: This header contains a cryptographic signature that verifies the authenticity of the ARC chain.
ARC-Message-Signature: This header records the authentication results for the message at each hop.
ARC-Authentication-Results: This header contains the authentication results that have been recorded by each intermediary.

Functions of ARC

Preserving Authentication: When an email passes through an intermediary, such as a forwarding service, ARC ensures that the original authentication results are preserved. This prevents legitimate emails from failing authentication checks when they arrive at their final destination.
Chain of Trust: ARC builds a chain of trust by appending authentication results and signatures at each hop, allowing the final recipient to verify the entire path the email took.
Improving Deliverability: By maintaining authentication results, ARC helps improve the deliverability of legitimate emails, reducing the likelihood of them being marked as spam.

Why ARC Matters

Forwarding Services: Many email users forward their emails from one account to another. Without ARC, forwarded emails can fail SPF and DKIM checks, leading to delivery issues.
Security: ARC helps detect and block phishing and spoofing attacks by maintaining a trusted chain of authentication results.
Reputation: Email services can better evaluate the reputation of senders and intermediaries, improving overall email security and deliverability.

In summary, ARC plays a crucial role in maintaining the integrity and authenticity of email messages, especially when they pass through multiple intermediaries, enhancing both security and deliverability in the email ecosystem.

How does ARC use SPF and DKIM?

ARC (Authenticated Received Chain) leverages SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) as part of its process to maintain the authenticity and integrity of email messages. Here's how ARC interacts with these two authentication methods:

SPF (Sender Policy Framework)

SPF Check: When an email is received, the recipient's mail server performs an SPF check to verify that the sending server is authorized to send emails on behalf of the domain.
Recording Results: ARC captures the result of the SPF check performed by each intermediary server and includes this information in the ARC-Authentication-Results header.
Preservation: When the email is forwarded, the next server can use the recorded SPF result from the ARC headers to understand that the original sender passed SPF, even though the forwarding server might not be listed in the SPF record.

DKIM (DomainKeys Identified Mail)

DKIM Signing: The sending server signs the email with a DKIM signature, which includes a cryptographic hash of the email content and headers.
DKIM Check: When the email is received, the recipient's mail server verifies the DKIM signature to ensure that the email has not been altered in transit and that it was sent by a server authorized by the domain owner.
Recording Results: ARC captures the result of the DKIM check and includes this information in the ARC-Authentication-Results header.
Preservation: As the email is forwarded, the ARC headers maintain the DKIM verification results, allowing subsequent servers to see that the original email passed DKIM authentication.

How ARC Uses SPF and DKIM

Capturing Authentication Results: At each hop (intermediary server), ARC captures the results of the SPF and DKIM checks and records them in the ARC-Authentication-Results header.
Creating a Chain of Trust: Each intermediary adds its own ARC-Seal header, which includes a cryptographic signature of the ARC headers so far. This chain of signatures helps the final recipient verify the entire path the email took, ensuring that none of the recorded authentication results were tampered with.
Validation by Final Recipient: When the email reaches its final destination, the recipient's mail server can use the ARC-Authentication-Results headers to verify the original SPF and DKIM results, even if the email was forwarded through multiple intermediaries. This helps maintain the authenticity of the email and prevents false positives in spam filtering.
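
A structural check of such a chain, as an added example that is not part of the original article. It follows the header layout of RFC 8617 over a constructed two-hop message and reads the SPF and DKIM results recorded at the first hop; it does not verify the cryptographic signatures, and the domains, signature placeholders and function names are assumptions.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
# Constructed two-hop message; d= domains and b=/bh= values are placeholders.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example; s=arc; bh=X; b=X
ARC-Authentication-Results: i=2; mx.forwarder.example; spf=fail; dkim=pass; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=receiver.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=receiver.example; s=arc; bh=X; b=X
ARC-Authentication-Results: i=1; mx.receiver.example; spf=pass; dkim=pass
From: alice@example.com
Subject: constructed sample

Hello
"""

def tag(value, name):
    """Return the value of one name=value tag in a header, or None."""
    match = re.search(rf"(?:^|[;\s]){name}=([^;\s]+)", value)
    return match.group(1) if match else None

def arc_chain(raw):
    """Return (ok, reason, hops); hops maps instance number -> its ARC headers."""
    msg, hops = message_from_string(raw), {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = tag(value, "i")
            if i is None or not i.isdigit():
                return False, f"{name} without a valid i= tag", hops
            if name in hops.setdefault(int(i), {}):
                return False, f"duplicate {name} for i={i}", hops
            hops[int(i)][name] = value
    if not hops or sorted(hops) != list(range(1, len(hops) + 1)):
        return False, "ARC instances are missing or not numbered 1..N", hops
    for i in sorted(hops):
        if len(hops[i]) != 3:
            return False, f"incomplete ARC set at i={i}", hops
        expected = "none" if i == 1 else "pass"   # first seal has no chain yet
        if tag(hops[i]["ARC-Seal"], "cv") != expected:
            return False, f"i={i}: cv is not {expected}", hops
    return True, "structure ok (signatures not verified)", hops

def first_hop_results(hops):
    """SPF and DKIM results recorded by the first ARC hop (i=1)."""
    aar = hops[1]["ARC-Authentication-Results"]
    return {method: tag(aar, method) for method in ("spf", "dkim")}
```

In the sample, the forwarder's own SPF check fails at i=2 while the i=1 record still shows the original pass, which is the forwarding case the section describes.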

ARC Benefits

Forwarded Emails: ARC ensures that emails forwarded through various servers retain their authentication results, improving deliverability and reducing the chances of legitimate emails being marked as spam.
Security: By maintaining a verifiable chain of trust, ARC helps detect and block phishing and spoofing attacks.
Integrity: The ARC protocol ensures that the integrity of authentication results is preserved throughout the email's journey.

In summary, ARC uses SPF and DKIM results to build a trusted chain of authentication that is preserved across multiple hops, ensuring that forwarded emails maintain their authenticity and improving overall email security and deliverability.

How does ARC relate to DMARC?

ARC (Authenticated Received Chain) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are complementary technologies that work together to improve email authentication and deliverability. Here's how ARC relates to DMARC:

DMARC Overview

DMARC is an email authentication protocol that builds on SPF and DKIM to provide a way for domain owners to:

Specify: How unauthenticated emails should be handled (reject, quarantine, or none).
Report: Receive feedback on authentication results and policy enforcement.

How ARC Relates to DMARC

Enhancing DMARC Enforcement

Forwarding Issues: One common problem with DMARC enforcement is that emails forwarded through intermediate servers (like mailing lists or forwarders) can fail SPF or DKIM checks at the final destination. This happens because the intermediate servers might alter the email in ways that cause DKIM to break or because they might not be listed in the SPF records.
ARC's Role: ARC helps mitigate this problem by preserving the authentication results of the original sender. It does this by recording and sealing the authentication results at each hop, ensuring that the final recipient can see the original SPF and DKIM results, even if the email was modified during forwarding.

Building Trust in Complex Email Flows

Intermediaries and Complex Flows: DMARC requires both SPF and DKIM to pass or align for emails to be considered authenticated. In complex email flows involving multiple intermediaries, this can be challenging.
ARC's Role: ARC allows each intermediary to add its own seal and record the authentication results. This chain of trust ensures that the final recipient can verify the authenticity of the email, including its path through intermediaries, which is particularly useful when enforcing a strict DMARC policy.

Reporting and Forensics

DMARC Reports: Domain owners receive aggregate reports on the authentication status of their emails and forensic reports on failed authentication attempts.
ARC's Contribution: By maintaining a detailed record of the email’s path and authentication results, ARC can provide more context in DMARC reports. This helps domain owners understand where and why emails might be failing authentication, especially in scenarios involving forwarding.

Improving Deliverability

Strict DMARC Policies: Implementing a strict DMARC policy (reject or quarantine) without ARC can result in legitimate emails being incorrectly marked as spam or rejected due to forwarding issues.
ARC's Role: By preserving the authentication chain, ARC ensures that these legitimate emails pass DMARC checks at the final destination, improving overall deliverability.

Summary of ARC's Role with DMARC

Preservation of Authentication Results: ARC preserves the SPF and DKIM results through intermediate hops, ensuring that the final recipient can verify the original authentication results.
Chain of Trust: ARC builds a chain of trust through intermediate servers, which helps the final recipient validate the email’s path and integrity.
Complementing DMARC: ARC helps address some of the limitations of DMARC, particularly with forwarding, by maintaining a verifiable record of authentication results, thereby improving the reliability of DMARC enforcement.

In essence, ARC enhances the effectiveness of DMARC by addressing challenges related to email forwarding and complex mail flows, ensuring that legitimate emails are correctly authenticated and delivered.

ITM - Email Authentication Compliance

ITM has partnered with Sendmarc.com to bring you world-class email deliverability and compliance services.

Within a maximum of 90 days, we can ensure that all illegitimate emails sent using your domain are rejected, and only real, authenticated emails with your brand name reach an inbox.

If you are having problems with your email deliverability to Google and other email recipients, then you need to speak to us urgently.
