Email Security 101: Getting the basics right

This article delves into getting the basics of email security correct in your organisation.

So, let's start with the basics and grounding in terminology!

Email basics

Internet email is built on SMTP, the Simple Mail Transfer Protocol. SMTP has no built-in features for authentication, validation, or non-repudiation, so since its inception email spoofing, the act of forging a sender address, has been widely used.

Over the years, many competing email authentication proposals have been developed to combat this. The three most widely recognised and adopted authentication methods are:

  • SPF - Sender Policy Framework. With an SPF record in place, receiving mail servers (including your own) can verify that a sending mail server is authorised to send email for a specific domain. Note that this only covers the domains and subdomains you own and control.
  • DMARC - Domain-based Message Authentication, Reporting and Conformance. It is designed to allow email domain owners to protect their domain from unauthorised use, commonly known as email spoofing.
  • DKIM - DomainKeys Identified Mail, an email authentication method designed to detect forged sender addresses in email. DKIM is an Internet standard defined in RFC 6376, published in September 2011.

SPF and DMARC are configured and set up as part of your organisation's Internet infrastructure, specifically in a service called DNS, the Domain Name System. DNS is a core part of how the Internet operates and, in simple terms, maps human-readable names to Internet numbers. As an example, "www.cyooda.com" maps to "172.66.40.173". Specific TXT record entries in your organisation's DNS servers hold your "SPF", "DKIM" and "DMARC" policies.

You can then configure an overarching policy on top of these that takes action based on the outcome of the SPF, DMARC, and DKIM checks in the mail flow. Where and how this is configured depends on who provides your email service (Gmail, M365, etc.) and on whether you have an additional email security gateway such as Mimecast or Proofpoint. This can be confusing and open to misconfiguration.

Comments about SPF, DMARC, and DKIM

Although these three protocols have broader adoption than they once did, they are often not configured correctly, or not configured at all. In early 2024, Gmail and Yahoo introduced more stringent validation for bulk email senders and strictly enforced DKIM policies for anyone sending to a Gmail mailbox.

Types of Phishing Emails

BEC - Business Email Compromise, a general term for attacks in which a criminal takes over or intercepts business email as part of their tradecraft for illicit means. This is typically for financial gain, for example diverting funds to the attacker by intercepting an email exchange.

Phishing - Sending an email, spoofed or otherwise, with a lure that persuades the recipient to take an action, e.g., clicking on a link or opening an attachment.

Spear Phishing - A targeted phishing email sent to a specific set of users.

Whaling - A targeted email sent directly to the head of the organisation or C-level executives with the intent of fraud, manipulation, or other nefarious purposes. The name "whale" was coined to indicate the size of the target.

Top 3 common misconfigurations and errors with email security

SPF

  • Multiple SPF records for the same domain when you are only allowed one.
  • Missing spaces and spaces where they don't belong
  • Invalid IP addresses

DMARC

  • Multiple DMARC TXT records
  • Literal quote characters around the DMARC record
  • Invalid reporting email address URIs

DKIM

  • Multiple DKIM TXT records
  • RSA keys shorter than 1024 bits
  • Invalid characters in the record
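As an added example (not code from the original article), the Python script below checks SPF, DMARC and DKIM TXT records for the misconfigurations listed above. It works on a constructed in-memory zone rather than live DNS; the domain names, record values and the 160-byte key-length threshold are assumptions made for the example.

```python
import base64, ipaddress, re

# Constructed sample TXT records keyed by DNS name (no live lookups); the names
# and values are made up for this example and describe no real domain.
SAMPLE_ZONE = {
    "example.test": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.999 -all",
                     "v=spf1 include:_spf.other.test ~all"],  # 2nd SPF record
    "_dmarc.example.test": ['"v=DMARC1; p=quarantine; rua=mailto:dmarc-reports"'],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=" + "A" * 100],  # 75 bytes
}
MAILTO = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

def tags_of(rec):  # split 'k=v; k=v' style DMARC/DKIM records into a dict
    return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)

def check_spf(records):
    spf = [r for r in records if r.startswith("v=spf1")]
    out = ["multiple SPF records (only one is allowed)"] if len(spf) > 1 else []
    for rec in spf:
        if "  " in rec or rec != rec.strip():
            out.append("stray whitespace in SPF record")
        for term in rec.split()[1:]:  # each mechanism, e.g. ip4:203.0.113.10
            if term.lstrip("+-~?").startswith(("ip4:", "ip6:")):
                try:
                    ipaddress.ip_network(term.split(":", 1)[1], strict=False)
                except ValueError:
                    out.append(f"invalid IP in SPF: {term}")
    return out

def check_dmarc(records):
    out = ["multiple DMARC records"] if len(records) > 1 else []
    for rec in records:
        if rec[:1] == '"' or rec[-1:] == '"':
            out.append("literal quote characters around the DMARC record")
        t = tags_of(rec.strip('"'))
        for uri in (t.get("rua", "") + "," + t.get("ruf", "")).split(","):
            if uri and not MAILTO.match(uri.strip()):
                out.append(f"invalid reporting address URI: {uri.strip()}")
    return out

def check_dkim(records):
    out = ["multiple DKIM records for one selector"] if len(records) > 1 else []
    for rec in records:
        try:  # bad base64 raises binascii.Error, a ValueError subclass
            der = base64.b64decode(tags_of(rec).get("p", ""), validate=True)
        except ValueError:
            out.append("invalid characters in DKIM public key")
            continue
        if len(der) < 160:  # a DER-encoded 1024-bit RSA public key is ~162 bytes
            out.append(f"DKIM RSA key looks shorter than 1024 bits ({len(der)} bytes)")
    return out
```

Run each checker over the records you have published (for example, the strings returned by `dig TXT`) and every finding maps to one of the errors in the lists above.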

Policies

Most organisations are concerned about legitimate business emails being blocked and are often over-cautious in how they then implement email security policies.

So there is often a trade-off between the security settings and the business's needs. This results in degraded email security policies that still allow emails to be delivered to important people in the business (CEO, CIO, CFO, etc.) at the expense of more rigorous validation of the email being delivered.

Some organisations choose to move emails that fail SPF, DMARC, DKIM, or a combination of all 3 to a "quarantine folder."  They then allow the recipient to review those emails and decide whether to release them. Some choose to allow delivery but mark the email with a warning indicating it has arrived from an external source and should be treated with suspicion.

Beyond the authentication policies that SPF, DMARC, and DKIM make up, organisations should look to implement policies for:

  • Encrypting emails that contain sensitive information or are exchanged between two or more parties where sensitivity is a concern.
  • Inspecting all email attachments for malicious content (e.g., malware).
  • Enforcing MFA (multi-factor authentication) when accessing email remotely.

Auditing

Most organisations, large or small, need to pay more attention to auditing email activity in their business; in smaller organisations, this doesn't happen at all. It is essential to audit and alert in as near real time as possible to identify threats such as:

  • Unlikely travel, for example where a user has signed in from more than one location within a space of 10 minutes (e.g., Lagos and Brisbane). This should be investigated immediately, as it is an indicator that the person's account may have been compromised.
  • Multiple failed login attempts followed by a successful login to a user account, which could indicate a password brute-force attempt.
  • Changes to inbox rules on a person's mailbox, which should be regularly reviewed to identify suspicious intent, such as rules that move specific emails to obscure folders and mark them as read.
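The three detections above, as an added example that is not part of the original article: Python that runs them over a handful of constructed sign-in and mailbox-rule events. The event layout, the 10-minute travel window, the failure threshold and the list of "obscure" folders are assumptions for the example, not settings of any particular mail platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): (timestamp, user, outcome, city).
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "success", "Brisbane"),
    ("2024-03-01T08:06:00", "alice", "success", "Lagos"),   # 6 min apart: unlikely travel
    ("2024-03-01T09:00:00", "bob",   "failure", "Sydney"),
    ("2024-03-01T09:00:10", "bob",   "failure", "Sydney"),
    ("2024-03-01T09:00:20", "bob",   "failure", "Sydney"),
    ("2024-03-01T09:01:00", "bob",   "success", "Sydney"),  # success after 3 failures
    ("2024-03-01T10:00:00", "carol", "success", "Perth"),
]
# Constructed mailbox-rule changes: (timestamp, user, action, target folder, mark_read).
RULE_CHANGES = [
    ("2024-03-01T09:05:00", "bob",   "MoveToFolder", "RSS Feeds", True),
    ("2024-03-01T11:00:00", "carol", "MoveToFolder", "Projects", False),
]

TRAVEL_WINDOW = timedelta(minutes=10)   # assumed window for "unlikely travel"
BRUTE_FORCE_THRESHOLD = 3               # assumed number of failures before alerting
OBSCURE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive"}

def unlikely_travel(events):
    """Alert when two successful sign-ins from different cities fall inside the window."""
    alerts, last = [], {}  # last: user -> (time, city) of the previous successful sign-in
    for ts, user, outcome, city in sorted(events):
        if outcome != "success":
            continue
        t = datetime.fromisoformat(ts)
        if user in last and last[user][1] != city and t - last[user][0] <= TRAVEL_WINDOW:
            alerts.append((user, last[user][1], city))
        last[user] = (t, city)
    return alerts

def brute_force_then_success(events):
    """Alert when a success ends a streak of at least BRUTE_FORCE_THRESHOLD failures."""
    alerts, streak = [], defaultdict(int)  # consecutive failures per user
    for ts, user, outcome, _city in sorted(events):
        if outcome == "failure":
            streak[user] += 1
            continue
        if streak[user] >= BRUTE_FORCE_THRESHOLD:
            alerts.append((user, streak[user], ts))
        streak[user] = 0
    return alerts

def suspicious_inbox_rules(changes):
    """Flag rules that move mail into an obscure folder or mark it as read on arrival."""
    return [(user, folder) for _ts, user, action, folder, mark_read in changes
            if action == "MoveToFolder" and (folder in OBSCURE_FOLDERS or mark_read)]
```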

Audit logs should be retained for at least 90 days, and ideally 12 months. The average attacker will spend up to 57 days inside an organisation before pivoting to attack.

User Education

While most enterprise organisations have adopted annual security awareness training and phishing simulation exercises, in the mid-market there is still much to be done in this space.

Despite all the technical controls, criminals will always find a way to deliver their emails successfully. Therefore, your users are your last line of defence, and training them on the key "red flags" to watch out for is imperative.
