Vidur Apparao September 26, 2014 DMARC

By Vidur Apparao, CTO

As a member of the Netscape browser team in the mid-to-late 90’s, I participated on the front lines in the browser wars. I’m not just talking about the competition between Netscape and Microsoft for market share, but the battle between those of us trying to establish the browser as the next-generation application platform and the criminals trying to exploit it for nefarious purposes. At the core of the browser security stack was HTTPS, the protocol that ensures bidirectional encryption of communications and allows a user to validate the identity of the site to which he or she is connecting. It didn’t take long for the use of HTTPS to become common practice for all sensitive web transactions and in the last few years it’s used on many sites for all pages.

Despite the ubiquity and importance of email for transactional and business-critical communication, it’s taking much longer for the equivalent security standards in the email world, built on the SMTP protocol, to become as prevalent. The use of TLS (or, more correctly, STARTTLS) at the transport level and DMARC-based email authentication at the operational level can plug a significant hole in SMTP that criminals are exploiting on a daily basis. The good news is that usage of both SMTP over TLS and DMARC has finally reached a critical mass of adoption, with large email senders such as Facebook, PayPal and Twitter and email receivers such as Google, Microsoft and Yahoo contributing to the network effect.

If HTTPS secures web transactions by itself, why are both SMTP over TLS and DMARC required for email? With web transactions, the domain of the web server and the domain of the website must be the same. However, with email, multiple servers with different domain identities can send email on behalf of a given email domain. For example, only web servers with a website’s own domain identity can serve content for that website. But emails from Acme’s email domain may legitimately originate from servers hosted by companies like Google (since Acme uses Google Apps for Business), Salesforce and Marketo, each with a different domain identity.

TLS provides connection-level encryption and lets the servers involved in an SMTP exchange validate each other’s identity, preventing wiretapping and man-in-the-middle attacks. But DMARC is necessary in addition, to validate that a server can legitimately send messages for the email domain of the message, preventing spoofing attacks. The two used in conjunction can ensure end-to-end security between sending and receiving entities.
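The check that DMARC adds on top of the transport is an identifier alignment check: a receiver looks at the domain in the message’s From header and asks whether an SPF pass or a valid DKIM signature was obtained for a domain that aligns with it. The following is an added illustration written for this page, not Agari’s code and not a full RFC 7489 implementation. The domains (`acme.example`, `mkt.acme.example`, `mailer.example.net`), the DMARC records and the three scenarios are constructed, and the Organizational Domain is approximated by keeping the last two labels, where a real implementation consults the Public Suffix List.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def organizational_domain(domain: str) -> str:
    """Approximate the DMARC Organizational Domain by keeping the last two labels.

    Assumption for this example: real implementations consult the Public Suffix
    List so that e.g. 'acme.co.uk' is handled correctly; two labels is enough for
    the constructed domains used below.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record such as
    'v=DMARC1; p=reject; adkim=s' and require the mandatory v= and p= tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same Organizational Domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What a receiver learned from SPF and DKIM before applying DMARC."""
    from_domain: str                      # domain in the RFC5322.From header
    spf_domain: Optional[str] = None      # MAIL FROM domain that passed SPF, None if no pass
    dkim_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(record_txt: str, results: AuthResults) -> Tuple[str, str]:
    """Return (result, disposition). DMARC passes when at least one of SPF or DKIM
    passed *and* its domain aligns with the From domain; otherwise the record's
    p= policy ('none', 'quarantine', 'reject') is the requested disposition."""
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = results.spf_domain is not None and aligned(results.from_domain, results.spf_domain, aspf)
    dkim_ok = any(aligned(results.from_domain, d, adkim) for d in results.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed scenario: Acme publishes a reject policy and uses third parties to send.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@acme.example"
    scenarios = {
        "marketing vendor, SPF pass on a subdomain": AuthResults("acme.example", spf_domain="mkt.acme.example"),
        "hosted mailbox, DKIM signed by acme.example": AuthResults("acme.example", dkim_domains=["acme.example"]),
        "spoofed From, SPF pass only for an unrelated domain": AuthResults("acme.example", spf_domain="mailer.example.net"),
    }
    for name, res in scenarios.items():
        print("%-52s -> %s" % (name, evaluate_dmarc(record, res)))
```

The third scenario is the one TLS alone cannot catch: the connection was encrypted and the sending server presented a valid certificate for its own domain, but nothing it authenticated aligns with `acme.example`, so the receiver applies Acme’s `p=reject`. Switching the record to `aspf=s` shows why senders relying on subdomain bounce addresses (the first scenario) usually keep relaxed alignment.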

It’s been over a decade since the initial browser wars, but the battle to secure email still continues. With SMTP over TLS and DMARC, the tools are in place to win and it looks like they may soon gain the ubiquity of HTTPS.
