Email Security Blog


Vidur Apparao September 26, 2014 DMARC

By Vidur Apparao, CTO

As a member of the Netscape browser team in the mid-to-late 90’s, I participated on the front lines in the browser wars. I’m not just talking about the competition between Netscape and Microsoft for market share, but the battle between those of us trying to establish the browser as the next-generation application platform and the criminals trying to exploit it for nefarious purposes. At the core of the browser security stack was HTTPS, the protocol that ensures bidirectional encryption of communications and allows a user to validate the identity of the site to which he or she is connecting. It didn’t take long for the use of HTTPS to become common practice for all sensitive web transactions and in the last few years it’s used on many sites for all pages.

Despite the ubiquity and importance of email for transactional and business-critical communication, it is taking much longer for the equivalent security standards in the email world, built on the SMTP protocol, to become as prevalent. The use of TLS (or, more correctly, STARTTLS) at the transport level and DMARC-based email authentication at the operational level can plug a significant hole in SMTP that criminals are exploiting on a daily basis. The good news is that usage of both SMTP over TLS and DMARC has finally reached a critical mass of adoption, with large email senders such as Facebook, PayPal and Twitter and email receivers such as Google, Microsoft and Yahoo contributing to the network effect.

If HTTPS secures web transactions by itself, why are both SMTP over TLS and DMARC required for email? With web transactions, the domain of the web server and the domain of the website must be the same. However, with email, multiple servers with different domain identities can send email on behalf of a given email domain. For example, only web servers with Acme's own domain identity can serve content for Acme's website. But emails from Acme's email domain may legitimately originate from servers hosted by companies like Google (since Acme uses Google Apps for Business), Salesforce and Marketo, each with a different domain identity.

TLS provides connection-level encryption and lets the servers involved in an SMTP exchange validate each other's identity, preventing wiretapping and man-in-the-middle attacks. But DMARC is additionally necessary to validate that a server can legitimately send messages for the email domain of the message, preventing spoofing attacks. The two used in conjunction can ensure end-to-end security between sending and receiving entities.
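As an added illustration (not code from the original post), the following Python sketch shows the receiver-side check that DMARC layers on top of the transport: a message passes only if SPF or DKIM authenticates a domain that aligns with the From-header domain, which is how mail from a third-party server that Acme has authorised still passes while a spoof from an unrelated domain hits Acme's published policy. Domain names are constructed, and the organizational-domain computation is simplified to the last two labels (a real implementation uses the Public Suffix List).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthResult:
    """Authentication outcome a receiver has already computed for one message."""
    spf_domain: Optional[str]                  # domain SPF evaluated (MAIL FROM), None if SPF failed
    dkim_domains: List[str] = field(default_factory=list)  # d= of every DKIM signature that verified


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (simplified; real DMARC uses the PSL).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary with defaults applied."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless the owner says strict
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless the owner says strict
    tags.setdefault("p", "none")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain: str, auth: AuthResult, record: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') when nothing aligns."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_domain is not None and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in auth.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed sample: Acme publishes p=reject; Google signs with Acme's DKIM key,
    # a marketing ESP uses its own bounce domain but still signs as Acme, a spoofer has neither.
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc@acme.example"
    print(dmarc_disposition("acme.example", AuthResult("acme.example", ["acme.example"]), policy))
    print(dmarc_disposition("acme.example", AuthResult("bounce.esp.example", ["acme.example"]), policy))
    print(dmarc_disposition("acme.example", AuthResult("attacker.example", []), policy))
```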

It’s been over a decade since the initial browser wars, but the battle to secure email still continues. With SMTP over TLS and DMARC, the tools are in place to win and it looks like they may soon gain the ubiquity of HTTPS.
