email security information

Running or managing a business? If yes, then it’s almost inconceivable that you wouldn’t have received an email giving fair warning of imminent (February 1st 2024) email security changes to be implemented by Google and Yahoo, from at least one of the following groups:

  • Email or hosting providers
  • Mass emailer providers (like Mailchimp, Campaign Monitor)
  • Accounting Systems (like Sage, or Xero)
  • CRM systems
  • Property portals (like Rightmove – if you operate in the property sector)
  • … and no doubt many more.

It’s easy to delete these emails; we already receive so many that state “You MUST do the following NOW…”, but this one is a little different.

So what’s it all about?

This is what Google stated:
https://blog.google/products/gmail/gmail-security-authentication-spam-protection/

This is Yahoo’s statement:

https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

In essence, Google and Yahoo are attempting to protect their users from receiving spam, by better implementation of the following:

  1. Checking for properly authenticated emails
  2. Ensuring there’s an option to unsubscribe from mass-emails
  3. Requiring that a sender’s reported spam rate stays very low (below 0.3%).

I doubt they’ll ever achieve “spam zero”, but it’s a worthy mission, especially when considered against the backdrop of online fraud and phishing worth many, many £millions each year.

So let’s break these down…

Spam Threshold

If you’re building your own email lists from actual genuine customers, clients or properly solicited prospects and have asked permission to retain and use their email data and continue to email them with relevant added-value content, you’ll be fine.

Unsubscribe Mechanism

We’ve all heard enough about GDPR regulations in recent years to know that our marketing emails (especially) must include an unsubscribe mechanism, so this really is simple enough to include.

Properly authenticated emails

Simply ensure the domain you use to send emails has the correct DKIM, DMARC and SPF DNS records in place.

And that’s it, you’re all set!

Oh, you don’t know what that means? Or where to start?

Frankly, if like 99% of actual human beings you’re not really sure what DNS records are all about, where/how to edit them and which details to add, then your best bet by far is to approach your IT support or marketing agency and let them get on with it. These changes should take no more than 15 minutes or so to implement in most circumstances, so you’re unlikely to incur a big bill.

If, like some of our clients, you have a healthy curiosity in the technology that enables your business to function, the following glossary relating to domains, DNS and email security may be of interest!

Domain & Email Security Glossary of Terms

Domain

A domain is a human-readable address that is used to identify and locate resources on the internet. In simpler terms, it’s the web address you type into a browser to visit a specific website instead of remembering complex IP addresses (a series of numbers). For example, it’s much easier to remember www.bbc.co.uk than 212.58.235.1.

DNS

The Domain Name System acts like a phonebook for the internet, translating human-readable domain names into IP addresses. When you type a domain into your browser, your browser will perform a DNS lookup and receive an IP address of the relevant webserver back. It takes mere milliseconds for this process to complete.

DKIM

When you send an email, there’s a risk that it could be altered or forged in transit, leading to potential phishing or other malicious activities. DKIM (DomainKeys Identified Mail) helps address this issue by acting like a digital signature for your emails. When you send an email, DKIM adds a unique signature to it based on the content of the email.

This signature is like a ‘wax seal’ that verifies the email’s authenticity: that it truly has come from the domain it purports to come from, and that it hasn’t been altered during transmission.

So how does it all work?

  • Digital Signatures:
    • DKIM involves the use of asymmetric cryptography (Google it!) which utilises a pair of public and private keys.
    • The sender’s email server generates a unique digital signature using its private key for each outgoing email. This signature is based on specific parts of the email, including headers and body.
  • Public Key Publication:
    • The public key corresponding to the private key used for signing is published in a DKIM DNS TXT record for the sender’s domain.
    • This DNS record acts as a reference for email receivers to obtain the public key necessary for verifying the digital signatures on incoming emails.
  • Authentication Process:
    • When an email is received, the recipient’s email server retrieves the DKIM DNS record from the sender’s domain using DNS queries.
    • The public key obtained is used to verify the digital signature attached to the email, which recovers the “hash value” the sender computed.
  • Verification:
    • The recipient’s email server then recalculates the hash value of the same parts of the received email using the same hashing algorithm.
    • If the recalculated hash matches the hash recovered from the digital signature, the email is considered authentic and hasn’t been tampered with in transit.
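To make those four steps concrete, here is an added Go example (not code from the original post) that signs and verifies a message the way DKIM’s rsa-sha256 algorithm does, with a freshly generated key pair; the headers, body, domain example.com and selector sel1 are constructed, and the public key is used directly instead of being fetched from DNS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed sample: the header fields the signature covers, and the body (real DKIM also canonicalises them).
const signedHeaders = "from:alice@example.com\r\nsubject:Invoice 42\r\n"
const body = "Please pay invoice 42 to account 1234.\r\n"

// senderKey is generated once at start-up; only its public half goes into the sel1._domainkey.example.com TXT record.
var senderKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// signingInput is what is actually signed: the covered headers plus the DKIM-Signature header itself,
// which carries the body hash (bh=) and an empty b= tag, as RFC 6376 specifies.
func signingInput(headers, b string) string {
	bh := sha256.Sum256([]byte(b))
	return headers + "dkim-signature:v=1; a=rsa-sha256; d=example.com; s=sel1; bh=" +
		base64.StdEncoding.EncodeToString(bh[:]) + "; b="
}

// sign is the sending server's step: hash the covered data, then sign that hash with the private key.
func sign(priv *rsa.PrivateKey, headers, b string) (string, error) {
	digest := sha256.Sum256([]byte(signingInput(headers, b)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verify is the receiving server's step: recompute the hash over what actually arrived and check the signature against it.
func verify(pub *rsa.PublicKey, headers, b, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(signingInput(headers, b)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	sig, _ := sign(senderKey, signedHeaders, body)
	fmt.Println(verify(&senderKey.PublicKey, signedHeaders, body, sig))     // true
	fmt.Println(verify(&senderKey.PublicKey, signedHeaders, body+"x", sig)) // false: one extra byte changes the hash
}
```

Changing a single byte of the body, or of a covered header such as From, changes the recomputed hash, so the signature no longer verifies.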

SPF

An SPF (Sender Policy Framework) DNS record is like a note in the internet’s phonebook that says, “These are the official servers allowed to send emails on behalf of my domain.” When someone receives an email claiming to be from your domain, their email system checks this SPF record to confirm if it’s from an authorised server. This helps reduce the chances of fraudulent emails pretending to be from your domain, enhancing email security and trustworthiness.

Here’s an example:

v=spf1 ip4:203.0.113.10 include:thirdpartydomain.com ~all

This record states that the sending server must have the IP address 203.0.113.10, OR be one of the servers that thirdpartydomain.com’s own SPF record authorises; the ~all at the end tells receivers to treat mail from anywhere else as a “soft fail” rather than rejecting it outright. Potentially you could have several different IP addresses or domains listed here.
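As an added example (not part of the original post), here is a reduced SPF evaluator in Go that checks a sender’s IP address against a record of the same shape; the IP addresses (RFC 5737 documentation ranges), thirdpartydomain.com’s own record and the in-memory table standing in for DNS lookups are all constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for the DNS TXT lookups a real checker makes (addresses are RFC 5737 documentation ranges).
var spfRecords = map[string]string{
	"example.com":          "v=spf1 ip4:203.0.113.10 include:thirdpartydomain.com ~all",
	"thirdpartydomain.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

// ipMatches reports whether ip lies inside an ip4: argument, given as one address or a CIDR block.
func ipMatches(arg string, ip net.IP) bool {
	if !strings.Contains(arg, "/") {
		arg += "/32"
	}
	_, block, err := net.ParseCIDR(arg)
	return err == nil && block.Contains(ip)
}

// checkHost is a reduced SPF evaluator: it walks the record left to right and returns the qualifier of the
// first matching mechanism (pass, fail, softfail or neutral), or "none" if the domain publishes no usable record.
func checkHost(domain string, ip net.IP, depth int) string {
	rec, ok := spfRecords[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") || depth > 10 {
		return "none" // no usable record (a real checker returns permerror once includes nest past 10 lookups)
	}
	qualifiers := map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}
	for _, term := range strings.Fields(rec)[1:] {
		result := "pass" // a mechanism with no qualifier is implicitly "+"
		if q, ok := qualifiers[term[0]]; ok {
			result, term = q, term[1:]
		}
		if term == "all" ||
			(strings.HasPrefix(term, "ip4:") && ipMatches(term[4:], ip)) ||
			(strings.HasPrefix(term, "include:") && checkHost(term[8:], ip, depth+1) == "pass") {
			return result
		}
	}
	return "neutral" // nothing matched and the record has no "all" mechanism
}

func main() {
	fmt.Println(checkHost("example.com", net.ParseIP("192.0.2.99"), 0)) // softfail
}
```

A server in thirdpartydomain.com’s 198.51.100.0/24 block passes via the include, while an address listed nowhere falls through to ~all and gets softfail.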

DMARC

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) DNS record is like a set of instructions in the internet’s phonebook that tells email receivers what to do if they get an email claiming to be from your domain. It helps ensure that only legitimate emails from your domain are delivered, reducing the risk of phishing attacks.

Additionally, DMARC provides reporting mechanisms, allowing you to receive feedback on email authentication results, helping you monitor and improve your email security position.

DMARC does this via a number of elements, including:

  • Authentication Protocols:
    • DMARC builds upon existing email authentication protocols, primarily SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
    • SPF verifies that the sending mail server is authorised to send emails on behalf of a particular domain – see above!
    • DKIM uses cryptographic signatures to confirm the authenticity of the email and its source – see above!
  • Policy Framework:
    • The DMARC DNS record specifies policies regarding how receivers should handle emails that claim to be from a specific domain.
    • It allows the domain owner to set policies indicating what actions should be taken for emails that fail SPF and/or DKIM checks. Actions may include quarantining, marking as spam, or outright rejecting the email.
  • Reporting Mechanism:
    • DMARC provides a reporting mechanism for domains to receive feedback on the results of email authentication checks.
    • These reports include information on emails that pass or fail authentication, helping domain owners identify potential issues and malicious activities.
  • Alignment Checks:
    • DMARC introduces the concept of alignment checks to ensure that the domains used in SPF and DKIM align with the “From” header domain.
    • This alignment enhances the robustness of email authentication by verifying that the authorised domains match the domains as presented to the email recipients.

Here’s an example of a DMARC record that I made earlier:

_dmarc.www.bbc.co.uk

v=DMARC1; p=none; rua=mailto:[email protected];
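As an added example (not part of the original post), the following Go code parses a DMARC record and applies the policy and alignment rules described above; the record for example.com, the sender domains and the SPF/DKIM outcomes fed in are constructed, and the organisational-domain rule is deliberately simplified.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed DMARC record, standing in for the TXT record a receiver reads at _dmarc.example.com.
const dmarcRecord = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

// parseDMARC splits "tag=value; tag=value" into a map of tags.
func parseDMARC(rec string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(rec, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// orgDomain is a deliberate simplification (last two labels); real verifiers use the Public Suffix List, which is how bbc.co.uk rather than co.uk comes out as the organisational domain.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned is the alignment check: strict ("s") needs an exact match with the From header domain; relaxed ("r", the default) accepts any subdomain of the same organisational domain.
func aligned(mode, authDomain, fromDomain string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// evaluate returns "pass" when SPF or DKIM passed AND is aligned with the From domain; otherwise the p= action the owner asked receivers to apply (p= is mandatory in a valid record).
func evaluate(rec, fromDomain, spfDomain string, spfPass bool, dkimDomain string, dkimPass bool) string {
	tags := parseDMARC(rec)
	if (spfPass && aligned(tags["aspf"], spfDomain, fromDomain)) ||
		(dkimPass && aligned(tags["adkim"], dkimDomain, fromDomain)) {
		return "pass"
	}
	return tags["p"]
}

func main() {
	// SPF passed for a bulk mailer's own domain and DKIM for a subdomain: with adkim=s neither aligns.
	fmt.Println(evaluate(dmarcRecord, "example.com", "mailer.example.net", true, "news.example.com", true)) // quarantine
}
```

This is the case the alignment checks exist for: both SPF and DKIM technically passed, yet neither identity matches the From domain the recipient sees, so the record’s p=quarantine applies.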

ARC

ARC is much less commonly used and is fairly new, but for the sake of completeness it’s included here.

ARC is a way of ensuring that important information about the path an email took is not lost as it travels through different servers. It helps maintain the integrity of email authentication across multiple servers, especially when emails are forwarded or go through mailing lists.

ARC introduces specific headers within an email to store authentication information from each of the intermediary stages, such as an auto-forwarder. It uses cryptographic sealing to ensure that the added headers are trustworthy and have not been tampered with during the forwarding process. Each intermediary server signs its authentication results, and these signatures are verified by subsequent servers in the email delivery chain. Email receivers can use the information in the ARC headers to assess the authenticity of the email’s journey and to verify that it hasn’t been altered in an unauthorised manner.

To be clear, ARC is not the same as end-to-end email encryption (like a WhatsApp message): it only cryptographically seals the email authentication results themselves, not the content of the email.

BIMI

BIMI (Brand Indicators for Message Identification) is a standard that allows organisations to display their brand logos next to authenticated emails. You’ll notice this in your email software, such as Gmail, Apple or Yahoo Mail. The BIMI DNS record is part of the authentication process and helps email recipients verify the legitimacy of an email’s sender.

In simpler terms, it’s not a security protocol in itself, but the added “comfort” of receiving an email that includes the logo in your inbox (BEFORE you open the email) is a sign that the email is genuine. The image below shows a Gmail inbox on a mobile phone in which Dropbox has implemented their BIMI logo:

Here’s an example BIMI record:

v=BIMI1;l=https://images.domain.com/folder-name/bimi-logo-filename.svg;a=https://images.domain.com/folder-name/certificate-filename.pem

This example is comprised of three parts:

  1. v=BIMI1 – this indicates that it is a BIMI record.
  2. l=https://images.domain.com/folder-name/bimi-logo-filename.svg – this is a link to your logo’s image.
  3. a=https://images.domain.com/folder-name/certificate-filename.pem – this is a link to a Verified Mark Certificate (VMC).

This last part is optional, but it is highly recommended, as some receiving mail providers (Gmail, for one) specifically require it.

Any bad news?

Ultimately, you’ll probably need to buy a VMC, and you’re going to be looking at around £1200. Per year. That’s quite a lot of money by SME standards, but it could well help get your emails noticed and, more importantly, actually read.

BIMI will ONLY work if you already have DMARC in place, so there’s a little extra work there.

Oh, and as of January 2024 Microsoft (Outlook, Office 365) doesn’t support it. That means that unless you’re emailing private individuals (as opposed to people at business email addresses), they’re far less likely to see the fruits of your expensive hard labours. For now, at least. Microsoft are likely to adopt this at some point though.

Yahoo, for now, don’t require a VMC, but only support BIMI if “We see sufficient reputation and engagement for the sending email address”; this is somewhat vague, but is likely to refer (at least in part) to the ‘domain authority’ of the sending domain.

Domain authority

In plain English, domain authority is a measure of how trustworthy and influential a website is on the internet. It’s like a credibility score for a website. The higher the domain authority, the more likely it is that the website is reliable and provides valuable information.

Several factors contribute to domain authority, including the quality and quantity of content, the number of other reputable websites linking to it, and how well the website is perceived by search engines. Think of it as a reputation gauge for websites – a higher domain authority suggests that the site is likely to have good content and be a reliable source within its niche.

Search engines often use domain authority as one of the factors to determine how high a website should rank in search results. So, a website with higher domain authority is more likely to appear near the top when you search for something online. It’s a way of quickly gauging the credibility and influence of a website in the vast landscape of the internet.

Useful?

Why not get in touch with us now and discuss what we can do for you…