Last week saw the release of an email authentication best practices document intended to help organizations protect themselves and their users from email-based attacks.
Released by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the PDF document recommends a set of best practices for authenticating email messages using the security protocols Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) and Authenticated Received Chain (ARC).
The organization claimed that trust in email, and whether an email recipient can trust that a message is really from its purported sender, “has continued to vex operators.” The document is therefore intended to give the reader guidance that will not only establish trust in email and protect a domain’s reputation, but should also pass muster with any “no auth, no entry” standard that may develop in the future.
Speaking to Infosecurity, Seth Blank, technical committee co-chair of M3AAWG and VP of standards and new technologies at Valimail, said the issue it is looking to overcome is “a lack of clarity around well-known technical requirements.”
He said that, as authentication is binary, “it is either done properly, or it’s not. This is differentiated from a lot of aspects in email, where rules and recommendations depend upon behavior and intended results.”
This is why the Best Common Practices document is intended to serve as a single resource that anyone working to implement authentication standards can reference to understand exactly what must be done to meet the technical requirements.
Blank said: “No Auth, No Entry is the ecosystem’s goal – to have mail be undeliverable unless the source is definitively known. This doesn’t mean all mail is wanted by the recipient, but rather that all mail must be attributable to a sender; which allows anti-abuse protections to be deployed effectively and consistently.”
He claimed that there is a long way to go until “No Auth, No Entry” is feasible in terms of widespread adoption, which is why providing clarity and guidance on how to get there through best common practice documents is the goal of M3AAWG and member companies.
How much does he see of a “no auth, no entry” policy being adopted? He admitted it is being seen more and more, such as in mail delivery over IPv6, “but it’s definitely an aspirational goal that will take a substantial amount of time and resources before it’s widely adopted across email.”
What sort of uptake of DMARC/ARC/DKIM/SPF protocols is M3AAWG seeing, and does it still get questions on what they are or are people in the industry now generally aware of them? Blank said the email security sector has had a major shift over the past year, which has seen email authentication standards grow in prominence. “They’re certainly far more well known today than they once were,” he said, “but adoption is nowhere near where it needs to be and we’re working to advance their implementation across the email ecosystem.”
He added: “There are quite a few technical and process issues that prevent organizations from easily deploying authentication standards that would better protect their employees and end users. M3AAWG’s mission is to facilitate cooperation around these issues and develop best practices on how to address them.
“One matter we’re addressing head-on at our upcoming 50th General Meeting is distributing DKIM keys. Human error is the number one reason DKIM authentication fails – but why are humans even involved in handling a public key that’s meant for a computer system? We’ll tackle this issue, among many others, at M3AAWG 50 and work to build collaborative solutions to address these industry-wide challenges.”
Finally, the new document states that “M3AAWG believes that proper email authentication is a foundational principle for establishing trust in email, and domain-based authentication requires it,” and presents what it proposes as sufficient for now and for the future. Infosecurity asked whether there is a stage beyond sufficient, or whether, given the human factor and changing technologies and threats, sufficient is the best we can hope for.
“Email authentication prevents exactly one fraud vector: exact domain impersonation,” Blank said. “If cyber-criminals can use an end user’s full email address, they’d have access to your entire personal network, giving them the ability to defraud the people who trust you. This is why executive compromise and phishing are such damaging problems.”
He said that even with strong authentication, there are ways to unknowingly allow others to authenticate as you, or for your authentication to get mixed with others via shared services. “M3AAWG is actively bringing professionals from across domains to discuss these crucial issues and work collaboratively towards solutions.”
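To make concrete why authentication stops only exact-domain impersonation, and how a shared service can leave a legitimate sender's mail unauthenticated, the following Python is an added example and not code from M3AAWG or its document. It models the receiver-side DMARC decision: an SPF or DKIM pass only counts when the authenticated domain is aligned with the visible From domain, so a pass that identifies a shared provider rather than the sender's own domain does not help the sender and cannot be borrowed by someone else using the same provider. The organizational-domain logic is a deliberate simplification (last two labels rather than the Public Suffix List), and every domain name and result in it is constructed.

```python
"""DMARC identifier alignment, worked example.

Added example, not M3AAWG or BCP code. Models how a receiver decides whether a
message passes DMARC: an SPF or DKIM pass counts only if the authenticated
domain is *aligned* with the RFC5322.From domain the user sees.
All domains and authentication results below are constructed inputs.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels. A real receiver
    consults the Public Suffix List, so e.g. 'example.co.uk' is wrong here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match between the From domain and the authenticated one."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict. Records without a valid v=
    and p= tag are rejected, since a receiver would treat them as no policy."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    return tags


@dataclass
class AuthResults:
    from_domain: str                           # RFC5322.From domain shown to the user
    spf_result: str = "none"                   # SPF result for the RFC5321.MailFrom domain
    spf_domain: str = ""                       # domain SPF was evaluated for
    dkim: list = field(default_factory=list)   # [(d= domain, result), ...]


def evaluate(auth: AuthResults, dmarc_txt: str) -> tuple:
    """Return (dmarc_result, disposition): 'deliver' on pass, otherwise the
    p= policy the domain owner published."""
    tags = parse_dmarc(dmarc_txt)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    dkim_ok = any(res == "pass" and aligned(auth.from_domain, d, adkim)
                  for d, res in auth.dkim)
    spf_ok = auth.spf_result == "pass" and aligned(auth.from_domain, auth.spf_domain, aspf)
    if dkim_ok or spf_ok:
        return ("pass", "deliver")
    return ("fail", tags["p"])


# Constructed scenarios for a domain owner, example.com, who publishes p=reject.
POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r"

# 1. Mail signed with the owner's own DKIM key: aligned, so it passes.
OWN_MAIL = AuthResults("example.com", "pass", "example.com", [("example.com", "pass")])

# 2. Mail relayed through a shared service whose SPF and DKIM identify the
#    service, not example.com. Both checks "pass", but neither is aligned, so
#    DMARC fails: the legitimate sender's mail is rejected, and for the same
#    reason another tenant of that service cannot borrow its authentication.
VIA_SHARED_SERVICE = AuthResults("example.com", "pass", "bounce.esp.example",
                                 [("esp.example", "pass")])

# 3. Subdomain From with the parent's signature: passes under relaxed
#    alignment, fails under strict.
SUBDOMAIN_MAIL = AuthResults("news.example.com", "none", "", [("example.com", "pass")])

if __name__ == "__main__":
    for name, a in [("own", OWN_MAIL), ("shared", VIA_SHARED_SERVICE),
                    ("subdomain", SUBDOMAIN_MAIL)]:
        print(name, evaluate(a, POLICY))
    print("subdomain/strict", evaluate(SUBDOMAIN_MAIL, "v=DMARC1; p=quarantine; adkim=s"))
```

Scenario 2 is the failure mode Blank describes: the shared provider's SPF and DKIM are both technically valid, but because they authenticate the provider's domain rather than example.com, the owner gets no credit for them and has to either sign with their own key (as in scenario 1) or arrange for the provider's SPF and DKIM identifiers to align with their domain.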