Brief Best Practices for Email Security

Email has quickly become the preferred, as well as the most efficient, way of transmitting written information across the office or across the globe. Ensuring the security and legitimacy of email continues to be a challenge, however. Individual components of an email can be spoofed: the message content may be crafted to appear to come from an internal sender, or a message may look legitimate but in fact be sent from a fraudulent domain in an attempt to get a user to reveal their password on a suspicious site.

According to Microsoft, “As of March 2018, only 9% of domains of companies in the Fortune 500 publish strong email authentication policies.” There are many countermeasures that can be deployed to enhance an organization’s security posture for email security and deliverability. This blog post will touch on a few of these methods and is by no means comprehensive. Your organization’s needs may differ from what is described below. For a unique assessment of your business’ approach to your email security setup and your organization’s overall security posture, please reach out to BizzSecure using the chat box in the bottom right-hand corner of your screen.

One method is to create (or update) your organization’s SPF record. SPF, the domain’s Sender Policy Framework, is a short text record published with your external DNS provider. SPF helps to ensure that your domain’s email is not spoofed. Effectively, the SPF record is visible to every computer system in the world and says, “You can trust that the emails sent from this domain are valid only if they originated from this handful of IP addresses.” If someone attempting to spoof the business’s domain sends a message from an IP address outside the ranges specified, receiving email systems can be highly confident that it should be marked as spam or junk mail.
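To make the receiving side of that check concrete, here is an added example (not code from the original post or from BizzSecure) of how a mail server evaluates a sender’s IP address against an SPF record. The record, the domain and the IP addresses are constructed for the example and use reserved documentation ranges. Only the `ip4`, `ip6` and `all` terms are evaluated; terms that need DNS queries (`include`, `a`, `mx`, `ptr`, `exists`, `redirect=`) are parsed and counted but not resolved, so the example runs offline. The lookup counter is included because records that grow through third-party `include:` entries can exceed the 10-lookup limit from RFC 7208, after which receivers treat the record as a permanent error.

```python
import ipaddress

# Constructed sample SPF record for a hypothetical domain (example.com).
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect="}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, name, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    terms = []
    for term in parts[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:  # modifier such as redirect=... or exp=...
            name, _, arg = term.partition("=")
            terms.append(("+", name.lower() + "=", arg))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_spf(record, sender_ip):
    """Result a receiving system derives for sender_ip against this record.

    Only ip4, ip6 and all are evaluated here. Terms that need DNS queries
    (include, a, mx, ptr, exists, redirect=) raise NotImplementedError; a
    real evaluator resolves them, this example deliberately stays offline.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip in net:  # False when the address families differ
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{name} requires DNS lookups")
    return "neutral"  # nothing matched and the record has no 'all' term


def count_dns_lookups(record):
    """Count lookup-costing terms; more than 10 makes the record permerror."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_LOOKUP_TERMS)


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.26", "2001:db8:1::5"):
        print(ip, "->", check_spf(SAMPLE_SPF, ip))
    print("lookups:", count_dns_lookups("v=spf1 include:spf.protection.outlook.com a mx -all"))
```

The trailing `-all` is what gives the record teeth: an address that matches no listed range ends in `fail`, while `~all` only yields `softfail` and a record with no `all` term at all leaves the result `neutral`, which most receivers treat the same as having no record.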

Setting up DKIM (DomainKeys Identified Mail) requires a bit more effort, but it is by no means strenuous. If your business is on a platform such as Office 365, you will publish two CNAME records with your external DNS provider, wait 24-48 hours for Office 365 to recognize these changes, and then enable DKIM signing for your domain. DKIM is effectively a digital signature that hitches a ride on every email sent from your domain. It is another great method for remote systems to verify whether a message was really sent by your organization.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is another easy way to ensure that remote mail systems accept legitimate messages sent by your organization. DMARC requires only a quick setup, with a record placed at your external DNS provider, after which you need only monitor the reports that come through. One note of caution: SPF, DKIM, and DMARC changes must be thoughtfully applied, especially if your organization sends email from third-party sources such as CRM systems or even scan-to-email systems at the office.
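The note of caution above is easiest to see by working through what a DMARC-aware receiver actually does with the SPF and DKIM results. The following is an added example, not code from the post or from any mail platform: it parses a constructed `_dmarc` record for a hypothetical `example.com`, checks identifier alignment between the visible `From:` domain and the domains SPF and DKIM authenticated, and returns the disposition the record’s `p=` (or `sp=` for subdomains) tag calls for. The organizational-domain helper is a deliberate simplification that takes the last two labels; real evaluators consult the Public Suffix List. The scenarios in the usage section mirror the third-party CRM case the post warns about.

```python
# Constructed DMARC record, as it would be published at _dmarc.example.com.
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; sp=none; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict; v and p are mandatory."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain):
    """Assumption: the organizational domain is the last two labels. Real
    evaluators consult the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return header_from == auth_domain
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_disposition(record, header_from, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Combine SPF and DKIM results the way a DMARC-aware receiver does.

    header_from  - domain in the visible From: header
    spf_domain   - domain SPF was checked against (envelope MAIL FROM)
    dkim_domain  - d= domain of a verified DKIM signature, or None
    Returns (dmarc_pass, disposition); disposition is 'none', 'quarantine'
    or 'reject'. The record is assumed to be the organizational domain's,
    so sp= applies when header_from is a subdomain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain,
                                              tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "none"  # at least one aligned pass: deliver normally
    policy = tags["p"]
    if "sp" in tags and header_from.lower() != organizational_domain(header_from):
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    # Organization's own server: SPF and DKIM both pass and align.
    print(dmarc_disposition(SAMPLE_DMARC, "example.com", "pass", "example.com",
                            "pass", "example.com"))
    # Third-party CRM sending as example.com with its own bounce domain and
    # no DKIM signature for example.com: SPF passes but does not align.
    print(dmarc_disposition(SAMPLE_DMARC, "example.com", "pass",
                            "bounce.crm-vendor.example", "fail", None))
```

The second scenario is the failure mode behind the caution in the post: the vendor’s SPF record may be perfectly valid for the vendor’s bounce domain, yet because that domain does not align with the `From:` domain and no aligned DKIM signature is present, the message is quarantined under this policy. Adding the vendor to the organization’s SPF record or having the vendor sign with a DKIM key under the organization’s domain is what restores an aligned pass.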

There are other countermeasures that can be applied internally to help your organization receive legitimate mail, but that is a topic for another time. In the meantime, should your organization want to exceed the paltry percentages established by the Fortune 500 listed above, reach out to BizzSecure and we can help achieve improved email security for your organization!
