Email security solutions

Email is a widely used internet service, supported by an infrastructure of email servers and clients. Servers use SMTP (TCP port 25) for message transfer, while clients access messages via POP3 (TCP port 110) or IMAP (TCP port 143). Email systems adhere to the X.400 standard, with Sendmail and Exchange being popular SMTP servers for Unix and Microsoft systems, respectively. Properly configuring strong authentication for SMTP servers is critical to avoid becoming an open relay, which spammers exploit to send mass emails. Open relays are being phased out in favor of closed or authenticated relays, but attackers increasingly hijack legitimate accounts through social engineering and credential-based attacks.

Another option to consider for corporate email is a Software-as-a-Service (SaaS) email solution. Examples of cloud-based or hosted email platforms include Gmail (via Google Workspace) and Outlook/Exchange Online. SaaS email allows organizations to benefit from the robust security measures and management expertise of leading email service providers, such as Exchange Online Protection in O365. Advantages of SaaS email include high availability, a distributed architecture, ease of access, standardized configurations, and independence from physical location. However, potential drawbacks of hosted email solutions include issues such as block listing, rate limiting, and limitations with apps or add-ons.

To address email security effectively, it is essential to first define its objectives. Email security aims to achieve the following goals:

  • Restrict access to messages to ensure they are only accessible to intended recipients (privacy and confidentiality).
  • Maintain the integrity of messages.
  • Authenticate and verify the source of messages.
  • Provide nonrepudiation.
  • Confirm the delivery of messages.
  • Classify sensitive content within or attached to messages.

Understand Email Security Issues

The first step in implementing email security is identifying the vulnerabilities inherent to email communication. Standard email protocols, such as SMTP, POP, and IMAP, lack native encryption. As a result, messages are transmitted in their original form, often as plaintext, making them susceptible to interception and eavesdropping.

Email is a common vector for distributing viruses, worms, Trojan horses, malicious macros, and other harmful code. Features such as support for various scripting languages, auto-download, and auto-execute capabilities have turned hyperlinks in email content and attachments into significant security threats. Many email clients now natively support HTML and JavaScript, which may be automatically rendered when a message is accessed.

Email also lacks robust mechanisms for verifying the authenticity of the sender. Spoofing email source addresses is a straightforward process, even for inexperienced attackers. Email headers can be manipulated at the point of origin or during transit. Additionally, attackers can bypass normal delivery mechanisms by connecting directly to an email server’s SMTP port to deliver messages.

There are no inherent integrity checks in email protocols to ensure that a message remains unaltered during transmission. Moreover, email itself can serve as an attack tool. For example, sending a high volume of messages to a single inbox or SMTP server—a technique known as mail-bombing—can result in a denial-of-service (DoS) attack. This attack can overwhelm storage capacity or processing resources, rendering the system unable to deliver legitimate messages.

Email Security Solutions

Secure/Multipurpose Internet Mail Extensions (S/MIME) – S/MIME is a widely used email security standard that ensures authentication and confidentiality through public key encryption, digital envelopes, and digital signatures. Authentication is achieved using X.509 digital certificates issued by trusted third-party Certificate Authorities (CAs). Privacy is maintained through encryption compliant with the Public Key Cryptography Standards (PKCS).

S/MIME supports two types of messages: signed messages and enveloped messages. Signed messages ensure integrity, authenticate the sender, and provide nonrepudiation. Enveloped messages offer recipient authentication and ensure confidentiality.

Microsoft Purview Message Encryption is a direct competitor to S/MIME and offers several advantages:

  • Policy-Based Encryption: It is an admin-configured service that automatically applies encryption to messages sent to recipients both inside and outside the organization. This contrasts with S/MIME, which requires users to manually decide whether to encrypt individual messages. [Screenshot: KeyTalk, Configure S/MIME for Outlook for Windows]
  • Simplified Infrastructure: Built on Azure Rights Management (Azure RMS), it operates as an online service without relying on a public key infrastructure. In comparison, S/MIME requires a certificate and a certificate publishing infrastructure.
  • Enhanced Features: Microsoft Purview Message Encryption allows for additional customization, such as branding messages with your organization’s logo and style.

Pretty Good Privacy (PGP) – PGP is a peer-to-peer email system that employs public-private key encryption along with various algorithms to secure files and email communications. While not an official standard, PGP is an independently developed tool with strong grassroots support on the internet. This widespread adoption has effectively elevated its proprietary certificates to the status of a de facto standard.

DomainKeys Identified Mail (DKIM) – DKIM is a method for verifying that legitimate emails are sent by an organization by authenticating the domain name identity. DKIM attaches a digital signature to an email, which allows the receiving server to verify the sender’s authenticity by checking the signature against the sender’s public key published in DNS.

Domain-based Message Authentication, Reporting and Conformance (DMARC) – DMARC is an email authentication protocol that uses DNS to protect against business email compromise (BEC), phishing, and other email scams. It allows email servers to determine the validity of a received message by following the DNS-based instructions published by the domain owner. If a message is deemed invalid, it can be discarded, quarantined, or still delivered based on the specified policy. In simple terms, it tells email providers how to handle messages that claim to come from your domain but fail authentication checks (SPF and DKIM). For example, if someone tries to send a fake email pretending to be from your company, DMARC can ensure that those messages are flagged or rejected. It also provides reports, so you can see who is sending emails on behalf of your domain and whether they pass the checks. This helps you protect your brand and reduce the chances of your domain being misused.

Sender Policy Framework (SPF) – SPF is a method organizations can use to protect against spam and email spoofing by configuring their SMTP servers. SPF works by verifying that incoming messages are sent from a host authorized by the domain owner of the sender’s email address. For instance, if you receive an email from mark.nugget@abccorps.com, SPF checks with the administrators of smtp.abccorps.com to confirm that mark.nugget is authorized to send emails through their system before the message is accepted and delivered to the recipient’s inbox.

Example of SPF, DKIM & DMARC

The example below illustrates an Office 365 setup with Exchange Online that has NOT yet been configured with DKIM or DMARC. If you use the Microsoft Online Email Routing Address (MOERA) domain for email, the Sender Policy Framework (SPF) TXT record is already preconfigured by Microsoft, as they own the onmicrosoft.com domain and manage its DNS records. However, if you use a custom domain for email, you will need to create or update the SPF record manually.

This first example shows only the default SPF configuration (no custom domain). It also shows that TLS is in use: Exchange Online servers consistently encrypt communications with other Exchange Online servers within Microsoft’s data centers using TLS 1.2. When sending a message to a recipient within your organization, Exchange Online automatically delivers it over an encrypted connection using TLS. Additionally, emails sent to other Exchange Online customers are transmitted over encrypted connections using TLS, secured with Forward Secrecy for enhanced protection (see https://learn.microsoft.com/en-us/purview/exchange-online-uses-tls-to-secure-email-connections).

A test domain, onelearndns.com, was then created with SPF, DKIM and DMARC DNS entries. The original message view in the receiving email account (Gmail) now shows the SPF, DKIM and DMARC results for a message sent from the test Outlook account associated with that domain.

You can also look up the SPF, DKIM and DMARC records for a domain through mxtoolbox.com (DMARC record lookup for the test domain).
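As an added example (not the article's own code), the following Python script evaluates SPF and DMARC records the way a receiving mail server does: it reads the qualifier on the SPF `all` term, parses the published DMARC TXT record, checks whether the SPF and DKIM identifiers are aligned with the From domain, and returns the disposition the policy requests. The TXT records for onelearndns.com are constructed for illustration, including the assumed Exchange Online SPF include, and organizational-domain matching is simplified to the last two labels.

```python
# Added example (not from the original article): evaluate SPF/DMARC records the
# way a receiving mail server does, against a constructed DNS zone for the
# article's test domain. All record values below are assumptions.

# Constructed TXT records for onelearndns.com (the Exchange Online SPF include
# and the DMARC policy are assumed, not copied from the real domain).
DNS_TXT = {
    "onelearndns.com": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.onelearndns.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; "
                              "rua=mailto:dmarc@onelearndns.com",
}

def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record: str) -> str:
    """Qualifier on the SPF 'all' term: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"  # no 'all' term: hosts not listed get a neutral result

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') allows subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Receiver's action for a message: 'pass', 'none', 'quarantine' or 'reject'."""
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record is None:
        return "none"  # no DMARC policy published, nothing to enforce
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # DMARC passes when either identifier is authenticated AND aligned
        return "pass"
    return tags.get("p", "none")  # otherwise apply the domain owner's published policy
```

A spoofed message whose envelope sender passes SPF for the attacker's own domain still fails DMARC here, because the passing identifier is not aligned with the From domain; that alignment check is what separates DMARC from SPF or DKIM alone.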