Making Authentication the Core of Email Security

The Zero Trust model is founded on a simple concept, "trust no one and nothing." In practical terms, organizations that adopt the Zero Trust model put policies in place to verify everyone and everything, regardless of whether they are internal or external.

Though the Zero Trust approach has been around for more than a decade, it hasn't seen widespread adoption until very recently. Zero Trust has picked up steam and modernized many aspects of IT security. For example, while traditional VPNs certainly still provide fundamental protections when remotely connecting from a home to a corporate network, Zero Trust networks have taken telecommuter security to the next level.

Similarly, the Zero Trust concept has transformed email security. Legacy email security solutions only focus on traditional attacks, such as spam or questionable content within a message body. A Zero Trust approach to email security, on the other hand, gives organizations the extra layer of protection required to defend against even the most complex email-borne threats, such as phishing, social engineering, and business email compromise (BEC) attacks. 

Email-based threats have evolved beyond simple spam messages to highly sophisticated email impersonation attacks, including lookalike domains, display name spoofing, unauthorized owned domains, and social engineering. 

These attacks utilize impersonation techniques to trick the end-user into thinking the sender and message are legitimate, usually posing as another employee, a business partner, or a brand they know and trust. The goal is to get employees to transfer money, download malware or divulge sensitive information. 

Taking a Zero Trust approach to email can help organizations defend against email impersonation attacks by focusing primarily on authentication, ensuring that emails entering the corporate environment or landing in end users' inboxes are from legitimate individuals, brands, and domains. 

The most effective way they can do this is to implement security policies that ensure no email is trusted and delivered unless it passes several authentication protocols, including:

SPF – Sender Policy Framework (SPF) records allow a domain owner to specify which hostnames and IP addresses can send emails on behalf of the domain. 

DKIM – DomainKeys Identified Mail (DKIM) lets domain owners apply a secure digital signature to emails. 

DMARC – Domain-based Message Authentication, Reporting & Conformance (DMARC) policies can prevent anyone except specifically authorized senders from sending mail using an organization's domain. It stops malicious actors from sending phishing emails and domain spoofing impersonation attempts that appear to come from trusted brands.

To use DMARC, organizations also must have SPF and DKIM protocols. DMARC allows companies to set policies that rely on SPF and DKIM to tell email recipients' servers what to do when they receive fake emails that spoof a domain. Those options are to report emails but take no action, move them to a spam folder (quarantine), or reject them altogether. Finally, for organizations looking to deploy DMARC, numerous resources are available to help them get started. 

In addition to authenticating email senders, it's also essential to apply Zero Trust principles to email users. They, too, must be authenticated, and Multi-factor Authentication (MFA) is one of the most common and effective ways to accomplish this. 

Michael Markulec

technology executive, cyber-security guru, politician, rugby player, deadhead, brewer, former army officer, crossfitter, and hard-drinking calypso poet.