PLL Jesse

Email Security: Best Practices

Updated: Aug 18, 2020

Email. Over the years, it has become an indispensable collaboration tool for businesses and their day-to-day operations. Love it or hate it, email has become a digital resource everyone uses. Criminals know this and they have figured out how to use it to their advantage. Over time, this has grown from plain garden variety spam to the point where it now includes various types of fraud, malware attacks, attempts to gain credentials via phishing, and much, much more. We’ve all heard the nightmare stories of how Bob in accounting authorized a wire transfer to a vendor for an urgent project that Frank in Product Development needed to get a new product out the door, only to find out that Frank never sent that mail because he retired three weeks ago. Or you’ve gotten the email notifying you that your Netflix payment failed – but on closer inspection, that email isn’t actually from NETFLIX.COM but from NETFIIX.COM… and you don’t have an account with them, do you?

A few simple steps can reduce your organization’s vulnerability to most email-borne threat vectors.
Peregrine Labs - Email Security

So, we know there’s a problem. You say, “Great! What are we supposed to do about it?” In the long run, bad actors will always find new ways to circumvent security measures. So to be truly secure in your email usage, you and everyone else must be eternally vigilant, always on guard looking for that next attempt to compromise your business. Does this mean you should throw your hands in the air and resign yourself to the fact that someone, somewhere is going to click the wrong link or respond to a cleverly crafted email asking for funds? Absolutely not. There are several steps that you can take that will enhance your mail security. Some of these are simple and cost nothing. Others may require more effort or incur additional expenses. All help make your environment more secure. We’ll start with the no-cost, minimal-effort option and work our way up.


Mark What’s Not Yours

One of the simplest ways to help protect yourself from being phished internally is to add some type of banner or other visual notification to emails that come from outside your organization. In an Exchange or Office 365 environment, this is easily accomplished with a transport rule. This provides you with a visual indicator that an email is not coming from your servers. That way when Bob in accounting sees that email from Not-Frank, there will be an indicator that it didn’t come from your servers and maybe Bob will pay attention to the banner and ignore the request.


Verify and Validate What is Yours

The next step is to implement a little something called Domain-based Message Authentication, Reporting, and Conformance (DMARC). If you think of your email system, it is used to send correspondence, marketing surveys, sales campaigns, and other types of messages. It is a big part of your brand reputation. So the last thing that you want is for that reputation to be sullied by senders masquerading under your good name. DMARC is probably the biggest piece of the pie in defending your email reputation and even better, it costs nothing to activate.


From a high level, DMARC allows you to tell a server receiving an email from your domain how to verify that said email is, in fact, from your domain. If it is not, DMARC can request that the email be:

  1. Delivered as normal (p=none)

  2. Sent to the SPAM or junk mail folder (p=quarantine)

  3. Deleted, never to be seen by the recipient (p=reject)


DMARC does this with a series of public DNS records. The first record to have in place is the Sender Policy Framework (SPF) record, which identifies what IP addresses and DNS names can send email on your domain’s behalf. Of the three record types needed for DMARC, this is the one most likely to already be in place.


Next, you need one or more DomainKeys Identified Mail (DKIM) records. DKIM takes things a step further than SPF and uses a public/private key pair similar to a Secure Sockets Layer (SSL) certificate. The server signs an email it sends using the private key, and the public key sits in a DNS record for the world to see and verify that the emails were indeed sent by a server holding the matching private key. Office 365, G Suite, and most major email applications are DKIM compliant – if your provider is not, ask them to get compliant or find a provider that is. For those of you with on-premises Exchange servers, there are open source or paid applications that will DKIM-sign emails for Exchange.


Last is the DMARC record itself which says what to do with an email that fails validation. During your initial implementation, it is common to leave the policy at the p=none (first) state so you can get a better picture of your email flows and sources. Then as you grow more confident in your DMARC configuration, move it to p=quarantine and finally, to p=reject.

If you are unsure of everything that currently sends email as you, start simple and enlist help from a service such as DMARC Analyzer, DMARCIAN, or EasyDMARC to identify what sends as you. Put the basic policy in place that does nothing (p=none) and identify anything that might be a legitimate sender that is failing DMARC. Work to get these sending sources compliant. These tools provide more than just insight into what is failing DMARC and why – they identify bad actors attempting to send mail on your behalf (up to and including those pesky guys in marketing who keep sending email campaigns from unauthorized applications), and they will even alert you when this happens. By capturing the forensic data (via an option in the DMARC record settings), these services can also help you identify malicious senders and take appropriate action to stop them.
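The decision a receiving server makes from these three records, shown as an added example (this is not code from the original post or from any of the services named above). The domain example.com, the DNS TXT records and the SPF/DKIM results are constructed so the block runs offline; organizational-domain detection is simplified to the last two labels (real validators consult the Public Suffix List).

```python
"""DMARC policy evaluation walkthrough (added example, not from the original post).

Assumptions: example.com and the TXT records below are constructed; SPF and DKIM
authentication results are supplied as inputs rather than computed from the wire.
"""

# Constructed DNS TXT records for the hypothetical domain example.com.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:spf.mailprovider.example -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": (
        "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
        "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com"
    ),
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is given
    return tags


def organizational_domain(domain):
    """Simplified: keep the last two labels (assumption; no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def find_dmarc(from_domain, txt=DNS_TXT):
    """Look up _dmarc.<From domain>; fall back to the organizational domain's record."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = txt.get("_dmarc." + candidate)
        if record:
            return candidate, parse_dmarc(record)
    return None, None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, txt=DNS_TXT):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a
    verified signature. DMARC passes if either authenticated identifier is aligned
    with the RFC5322.From domain; otherwise the record's p (or sp) applies.
    """
    record_domain, tags = find_dmarc(from_domain, txt)
    if tags is None:
        return "none", "deliver"                   # no policy published: receiver decides
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # sp applies only when the record came from the org domain and From is a subdomain.
    policy = tags["p"] if record_domain.lower() == from_domain.lower() else tags["sp"]
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return "fail", disposition


if __name__ == "__main__":
    # Constructed scenarios: (From domain, SPF result, SPF domain, DKIM result, DKIM d=)
    cases = [
        ("example.com", "pass", "example.com", "fail", ""),
        ("example.com", "pass", "bulk.example.com", "pass", "example.com"),
        ("example.com", "pass", "bulk.example.com", "fail", ""),
        ("mail.example.com", "fail", "mail.example.com", "fail", "example.com"),
        ("example.org", "fail", "", "fail", ""),
    ]
    for case in cases:
        print("%-18s -> %s" % (case[0], evaluate(*case)))
```

The third scenario is the one that surprises people: SPF passed, but because the record asks for strict SPF alignment (aspf=s) and the bounce address lives on bulk.example.com, the message still lands in quarantine unless a DKIM signature for example.com is present. That is exactly the kind of legitimate-but-failing sender the p=none reporting phase is meant to surface before you tighten the policy.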


If you have a complex email environment and are hitting SPF lookup limits or otherwise find yourself having to make constant changes to your records to keep things from failing, break the emails into subdomains with their own SPF, DKIM, and DMARC policies. For instance, you could send marketing emails from @marketing.domain.tld instead of @domain.tld. This makes maintaining your DMARC environment simpler in the long run.
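The SPF lookup limit referred to above is the RFC 7208 cap of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect, counted recursively through every include) per SPF evaluation; exceed it and receivers return permerror, which DMARC treats as a failure. Below is an added example (not from the original post) that counts those lookups over a constructed, offline set of TXT records, first for a single overloaded domain and then after the senders are split onto subdomains as the paragraph suggests. All domain names use the reserved .example TLD and are made up.

```python
"""SPF DNS-lookup counter (added example; domains and records are constructed)."""

SPF_LOOKUP_LIMIT = 10
# Terms that cost a DNS query when SPF is evaluated (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Before: one domain carries every vendor's include plus its own hosts.
BEFORE = {
    "corp.example": (
        "v=spf1 ip4:192.0.2.0/24 include:spf.mailprovider.example "
        "include:_spf.crm-vendor.example include:_spf.newsletter-vendor.example "
        "include:_spf.helpdesk-vendor.example mx a:bastion.corp.example -all"
    ),
    "spf.mailprovider.example": "v=spf1 include:spf-a.mailprovider.example include:spf-b.mailprovider.example -all",
    "spf-a.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf-b.mailprovider.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm-vendor.example": "v=spf1 include:_netblocks.crm-vendor.example include:_netblocks2.crm-vendor.example ~all",
    "_netblocks.crm-vendor.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_netblocks2.crm-vendor.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf.newsletter-vendor.example": "v=spf1 a mx ~all",
    "_spf.helpdesk-vendor.example": "v=spf1 ip4:192.0.2.200 ~all",
}

# After: marketing and support senders move to subdomains with their own records.
AFTER = dict(BEFORE)
AFTER.update({
    "corp.example": "v=spf1 ip4:192.0.2.0/24 include:spf.mailprovider.example mx a:bastion.corp.example -all",
    "marketing.corp.example": "v=spf1 include:_spf.crm-vendor.example include:_spf.newsletter-vendor.example -all",
    "support.corp.example": "v=spf1 include:_spf.helpdesk-vendor.example -all",
})


def count_lookups(domain, txt, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, following includes.

    `path` holds the chain of domains already being expanded so an include loop
    terminates; a domain legitimately referenced from two branches is counted twice,
    as a real evaluator would query it twice.
    """
    domain = domain.lower()
    if domain in path:
        return 0
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            name, arg = "redirect", term[len("redirect="):]
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0].lower()       # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, txt, path + (domain,))
    return total


def lookup_report(txt, domains):
    """Map each domain to (lookup count, over the limit?) so the split can be judged."""
    report = {}
    for domain in domains:
        n = count_lookups(domain, txt)
        report[domain] = (n, n > SPF_LOOKUP_LIMIT)
    return report


if __name__ == "__main__":
    print("before:", lookup_report(BEFORE, ["corp.example"]))
    print("after: ", lookup_report(AFTER, ["corp.example", "marketing.corp.example", "support.corp.example"]))
```

Run against the constructed records, corp.example starts at 12 lookups (two over the limit, so every SPF check would permerror), while after the split no single domain exceeds 6. Each subdomain then publishes its own DKIM selector and a _dmarc record, and the vendors' include changes stop rippling into the main domain's policy.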


Finally, in the DNS records realm, as a bonus, you can implement Brand Indicators for Message Identification (BIMI). This allows you to insert your logo into your emails, which not only helps ensure that emails from you have a visual indicator but helps build brand recognition as well. Think of it as another layer of identification and a way to stand out from your competition.


Add Defense in Depth

DMARC is great for identifying and securing emails sent as your domain. But what about other threats? Bad links, bad attachments, display name spoofing, or partners that don’t implement DMARC for their domains? This is where we cross the threshold from free to paid services. Third-party email security platforms or add-ons such as the Office 365 Advanced Threat Protection Plan 2 options allow you to protect against links that lead to phishing sites and attachments carrying zero-day malware, and guard against display name spoofing so that someone can’t send an email with a display name of Big Boss Man (bigboss@criminalorganization.tld) and use it to pretend to be Big Boss Man (bigboss@yourcompany.com). Finally, these offerings also check for lookalike domains of partner organizations (remember that NETFLIX and NETFIIX example earlier?), help prevent domain spoofing, and catch mail from organizations that may not have implemented DMARC or may otherwise be at high risk of falsified traffic reaching your recipients. These options incur additional costs to implement but often pay for themselves with the first instance of prevention.


Train Your User Base

Finally, don’t neglect the human element of email security. Consider investing in email security awareness training such as the offerings by KnowBe4. This trains users to identify and avoid email perils such as malware, credential theft, or phishing attempts. Further, at the organizational level, it helps your IT team identify areas of email security that need to be shored up or worked on.


Nobody can eliminate threats to your organization completely, but by following these basic steps, you can greatly reduce your organization’s vulnerability to most email-borne threat vectors.

