Modern email has been around since the early 1980s; unfortunately, attitudes towards email authentication haven’t grown with the times, even though it is such a mission-critical application. dmarcian marketing editor Vaughn Talbert sat down with Sales Director Tim Chase for a Q&A about Tim’s deep, broad experience in the email sector.
What changes have you seen in email security?
I started working in the email sector in 1998 at Sendmail, which was the open-source protocol for email, when they decided to become a commercial enterprise for their message transfer agent. In the early 2000s, a think tank of email pioneers began working and meeting regularly to address phishing and email fraud.
SPF came out in 2002 and was a big step, followed by DKIM in 2004. The big goal of SPF and DKIM was to create an open-source protocol to stop phishing that could be readily put into place. Unfortunately, many companies are very slow to adopt DKIM and don’t really have correct authentication protocols in place for SPF or DKIM.
While it was nice to have SPF and DKIM in place as a security measure to stop phishing, a disadvantage was the lack of reporting mechanisms. Then in 2012, DMARC was released as the reporting mechanism for SPF and DKIM and allowed senders to receive information from the likes of Google and Yahoo.
How has email changed?
Originally, email was for government and educational institutions. The whole ecosystem has completely evolved from its original form. The concept of marketing emails or sharing files was not considered when the original protocols were devised. A big difference today is that third-party companies are sending email on behalf of domains, whether it’s human resources documents or contracts. Unfortunately, having email service providers sending email under your brand and your domain opens the door to spoofing.
So today, we are trying to create a system in DMARC to close the loop. DMARC takes the benefits of what SPF and DKIM are providing and gives visibility to who is using your email domain. The goal is to secure your posture on how people are using your brand, your domain, and to have the ability to stop this abuse.
Is email relatively slow to evolve?
Yes, email is a funny thing. Even though it’s one of the pillars of the Internet along with DNS and BIND and Apache, email was always considered free. There wasn’t a lot of pressure from the executives to stress the importance of email. The mentality of many executives, and business in general, is that email should always work and that it has always been free. People take it for granted that email is a constant, like plumbing or electricity; but when it does break, it is a major problem that affects mission-critical applications and revenue.
Then around 2010, search ranking came into play and took a big chunk of revenue dollars away from email. However, people have discovered that email is still a top platform for driving revenue and customer retention, so it feels like attitudes are beginning to shift.
Do you see attitudes toward email domain security changing?
The problem with email is that it can be difficult to justify the return on investment. It boils down to a couple of different decision-makers at a company. There are people in the deliverability space that are worried about getting their marketing emails to the inbox of their customers. And then there’s the security component—people who want to protect their brand. There tend to be these two separate camps with different agendas; many times, they really don’t reach consensus. DMARC addresses both of these concerns; however, I don’t think email as an industry has done an effective job of stating what the return on investment is for having domain security in place.
It can be tricky to place a value on domain security because it’s more like insurance. When a hurricane is coming, you are thankful that your beach house is insured, even though a hurricane is a relatively rare event. But it is still a big threat with devastating consequences. Business email compromise (BEC) is like that; when it happens, it’s too late. There may be thousands of emails traveling on your brand every day; unfortunately, one BEC phishing email sent to an executive at a high-level company could land them in the Wall Street Journal. The company’s stock could tumble and cause quite an embarrassment because it didn’t have domain protection in place.
What do you see in the near future for email domain security?
Education is key. Email has kind of a long-tail approach to it, and you have to be patient. Educating people is what is going to push change. With email, DMARC deployment is still at the tip of the iceberg. While there are more vendors that offer DMARC solutions today, there’s probably a good 80-plus percent of domains that remain unprotected.
There’s a vast opportunity to effect change within the email ecosystem. At dmarcian, we contribute thought leadership and do our best to make DMARC accessible to all, from individuals and nonprofits to large enterprises, email senders, and service providers. And there are global nonprofits like Global Cyber Alliance that we work with to help educate from a nonprofit perspective. Though we need more overall awareness and for governments to get behind it, it’s exciting and there’s a big opportunity for us all at hand here.