Do not go gentle into that new normal

Originally published on the SparkPost Blog...

At SparkPost’s recent Insight user conference, Steve Jones, executive director ofDMARC.org, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front-lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.

**From the M3AAWG Email Metrics Report 2014 #16

Steve noted that 28 billion spam messages are sent every day. By some estimates,phishing is a $3.7-million annual cost for the average enterprise. And for publicly-traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”

So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.

And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.

ISPs are moving to an authentication-only world. So should you.

The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate. In 2015, Yahoo took the plunge and published a “p=Reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.

There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But, I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders long have been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that everyone hasn’t yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!

It’s time to splice email authentication into corporate DNA.

The watch guards of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.

But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.

The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.

Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.

Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.

Learn more.

Ready to learn more about DMARC and email authentication? Here are a few resources to get going.

• DMARC.org
• How DMARC Is Saving Email, a great ebook written by our deliverability team
• The Validator, the free, all-in-one DKIM validation, SPF checker, and DMARC validator app from SparkPost
• Understanding SPF and DKIM In Sixth Grade English
• Twitter’s Email Privacy Report, powered by SparkPost

Cheers!
-L

@LenShneyder
VP of Industry Relations
SparkPost