Email is the number one attack vector in the world for hackers and other bad actors.
Email is also the number one tool used for legitimate communication to and from clients and vendors. There are more solutions for protecting email than for anything else. We can’t say it’s not complicated, and we can’t say there aren’t ongoing costs. What we CAN say is that we can help you through the process of deciding which tools to deploy, how to deploy them and how to manage them on an ongoing basis. That word, ongoing, is the most important thing to understand about email security. There is no such thing as “set it and forget it”. It requires constant care and feeding.
How do we help you protect your email? Here is our approach. Regardless of your company’s size, business sector or revenue, there are some email security basics everyone needs to follow. Let’s start with what’s built into DNS.
SPF (Sender Policy Framework)
This tells the world which servers are allowed to send email as you. There are many different settings available to give you the flexibility you need for any business requirement. Setting it incorrectly allows anyone to send email as you. Ongoing monitoring of the record is important because an unauthorized change to it is an IOC (Indicator of Compromise).
DKIM (DomainKeys Identified Mail)
This is a cryptographic method of “signing” your emails. It’s very much like sending a Certified Letter from the post office. This DOES NOT encrypt your email contents. DKIM uses the same private and public key pair technology that is at the root of all modern encryption. Your email server holds the private key, and the public key is published in your DNS. Using this method, other servers can confirm that an email was sent by you or by someone you authorized. Managing your private keys (who and what has them, and rotating them periodically) is important to ensure the integrity of your domain.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
This is the method used to provide enforcement and reporting for SPF and DKIM. It gives other email servers a way to handle and report email from your domain that fails those checks, according to rules and conditions you set. This is a powerful tool that requires monitoring, and remediation steps must be taken depending on the type of reports received from other servers.
Those are the basics. That is where everyone should begin.
It is very important to note that not all email servers follow these rules. While SPF is widely accepted and adopted, DKIM and DMARC are not as prevalent. This is partly because DMARC usually has a cost associated with it, in the form of software licensing or monthly subscriptions, but also because it requires ongoing monitoring and generates remediation work.
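As an added example (not part of this page or of any product it describes), the following script shows the kind of ongoing check the sections above call for: it audits an SPF and a DMARC record for weak settings and flags any change from a known-good baseline as an IOC. The domain names and record contents are constructed sample data; a real deployment would replace OBSERVED with the result of a live DNS TXT lookup.

```python
# Constructed sample data so this runs offline: BASELINE is the known-good state,
# OBSERVED stands in for what a DNS TXT lookup returns today.
BASELINE = {
    "example.com": "v=spf1 include:_spf.mail.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
OBSERVED = {
    "example.com": "v=spf1 include:_spf.mail.example.net include:bulk.example.org +all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def spf_findings(record: str) -> list[str]:
    # Returns a list of problems; an empty list means the record looks sane.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag"]
    findings = []
    # The last 'all' term decides what happens to senders not listed before it.
    alls = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif alls[-1] in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as you")
    elif alls[-1] == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to enforce")
    return findings

def dmarc_findings(record: str) -> list[str]:
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    if tags.get("v") != "DMARC1":
        return ["missing v=DMARC1 version tag"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings

def audit(baseline: dict, observed: dict) -> dict:
    # Any difference from the baseline is an IOC until someone verifies the change.
    report = {}
    for name, expected in baseline.items():
        current = observed.get(name, "")
        drift = ["changed from baseline: treat as an IOC until verified"] if current != expected else []
        check = dmarc_findings if name.startswith("_dmarc.") else spf_findings
        report[name] = drift + check(current)
    return report
```

Run `audit(BASELINE, OBSERVED)` on a schedule and alert on any non-empty list; with the sample data above it reports both the `+all` and the `p=none` downgrade together with the baseline drift.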
The next steps for email vary depending on what laws and compliance controls you must follow for your business.
The most common requirements we will help you evaluate are national and state-level privacy laws such as GDPR and CCPA; security compliance regulations for healthcare and finance such as HIPAA and PCI-DSS; cyber insurance requirements from underwriters such as Chubb and Travelers; and, of course, the company’s own security policy.
Once we have completed a gap analysis against the compiled requirements and agreed on a plan of action with set milestones, we start looking at the solutions. These solutions will include combinations of the following technologies:
We know there is A LOT to consider. Email ain’t what it used to be! Call us, we can help make sense of it all.