DMARC Email Security

March 24, 2023 by Matthew Almendinger

The fight to keep email secure is an evolving landscape. In order to combat threat actors and spoofing attempts, new technologies have been created to help identify these malicious emails. As these technologies mature and reach higher adoption rates, Lighthouse reviews them to determine whether they should be incorporated into our strategy. We've noticed that more and more organizations, especially larger organizations such as Google and Microsoft, have embraced additional email authentication platforms to better secure and authenticate messages as legitimate.

In response, we strongly recommend that all clients implement the following technologies to ensure your messages do not get flagged as spam or rejected.

  • SPF: Sender Policy Framework is a very common email authentication method. It works by publicly identifying mail servers that are allowed to send using your domain names. Most Lighthouse clients should already be using SPF; however, it is recommended that it be reviewed and configured to be more strict.
  • DKIM: DomainKeys Identified Mail is a "Seal of Approval" that uses a digital signature to let the receiving server of an email know that the message was sent by an authorized entity of an email domain.
  • DMARC: Domain-based Message Authentication, Reporting, and Conformance allows the creation of policies that tell a receiving server what to do if a message fails SPF, DKIM, or both. In addition, DMARC lets receiving servers report back to the domain owner how each message was evaluated and which policy action was taken against it (allowed, quarantined, or rejected). Combined with DMARC monitoring, a domain owner can see phishing and spoofing attempts and adjust policies accordingly to respond to these threats.

By combining these three technologies, you can increase your deliverability and reduce the number of phishing attempts that end up in your inbox.
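To make the interplay of the three records concrete, here is an added example (not Lighthouse's code, and not anything from the original post) that parses constructed SPF, DKIM and DMARC TXT records and evaluates what a DMARC-aware receiver would do with a message. The domain names, addresses and record values are invented for illustration; the organizational-domain helper is a simplification of the Public Suffix List logic real receivers use.

```python
"""Added example: parse SPF / DKIM / DMARC TXT records and evaluate a message.

Everything below (domains, IPs, the DKIM key stub) is constructed sample data.
"""
import re

# Constructed DNS TXT records for a hypothetical domain "example.test".
SPF_RECORD = "v=spf1 ip4:203.0.113.10 include:_spf.example-mailer.test -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC_CONSTRUCTED"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                "rua=mailto:dmarc-rua@example.test; adkim=r; aspf=r")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DKIM or DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_strictness(record: str) -> str:
    """Report how strict the SPF 'all' qualifier is.

    -all = fail (strict), ~all = softfail, ?all = neutral,
    +all or bare all = pass everything (no protection at all).
    """
    match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if not match:
        return "missing 'all' mechanism"
    return {
        "-": "fail (strict)",
        "~": "softfail",
        "?": "neutral",
        "+": "pass (no protection)",
        "": "pass (no protection)",
    }[match.group(1)]


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels.

    Real receivers consult the Public Suffix List; this is an assumption
    good enough for 'example.test' style names used in this example.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(dmarc_record: str, policy_domain: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> tuple:
    """Return (dmarc_result, action) for a message.

    DMARC passes when SPF *or* DKIM passes AND that identifier aligns with the
    RFC5322.From domain. Otherwise the 'p' policy applies, or 'sp' when the
    From domain is a subdomain of the domain that published the record.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    action = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", action


if __name__ == "__main__":
    print("SPF strictness:", spf_strictness(SPF_RECORD))
    print("DKIM key type:", parse_tags(DKIM_RECORD).get("k"))
    # A spoofed message: SPF passes for the attacker's own domain, no DKIM.
    print(dmarc_disposition(DMARC_RECORD, "example.test", "example.test",
                            True, "attacker.test", False, ""))
```

Running the script shows the point the post makes: SPF passing on its own is not enough, because DMARC also requires the passing identifier to align with the visible From domain, and a strict `-all` SPF record with a `p=reject` DMARC policy is what turns those checks into a rejection of spoofed mail.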

However, there are also additional steps you can take to make your inbox even more secure. We highly recommend that you implement these additional security policies found below.

Enable MTA-STS: Normal messages are transported via a protocol called SMTP. By its very nature, SMTP is very insecure. MTA-STS is a published policy that tells sending servers to deliver to your domain only over an encrypted (TLS) connection, established before the message is sent. This prevents a message from being intercepted in transit and can help ensure your messages are safe.

Enable TLS-RPT: TLS-RPT is the reporting mechanism that accompanies MTA-STS. Sending servers use it to report back to you whether their connections to your domain succeeded or failed to negotiate TLS, so that policy or certificate problems become visible.
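The two records above are easier to reason about with a worked example. The following is an added example, not Lighthouse's code and not part of the original post: it parses a constructed MTA-STS DNS record and policy file, decides whether a sending server honouring that policy would deliver, parses the TLS-RPT record, and summarizes a constructed TLS-RPT report in the JSON shape defined by RFC 8460. All hostnames, addresses and counts are invented.

```python
"""Added example: MTA-STS policy evaluation and TLS-RPT report summary.

All records, hostnames and report figures below are constructed sample data.
"""

# Constructed records for a hypothetical domain "example.test".
MTA_STS_DNS = "v=STSv1; id=20230324T120000"        # _mta-sts.example.test TXT
MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.test
mx: *.backup-mx.example.test
max_age: 604800
"""                                                 # https://mta-sts.example.test/.well-known/mta-sts.txt
TLSRPT_DNS = "v=TLSRPTv1; rua=mailto:tls-reports@example.test"  # _smtp._tls.example.test TXT

# Constructed TLS-RPT report, following the RFC 8460 JSON layout.
TLSRPT_SAMPLE_REPORT = {
    "organization-name": "Constructed Reporter",
    "date-range": {"start-datetime": "2023-03-24T00:00:00Z",
                   "end-datetime": "2023-03-25T00:00:00Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.test"},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired", "failed-session-count": 2},
            {"result-type": "starttls-not-supported", "failed-session-count": 1},
        ],
    }],
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DNS record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_sts_policy(text: str) -> dict:
    """Parse the mta-sts.txt policy file and validate its required fields."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    missing = {"version", "mode", "max_age"} - set(policy)
    if missing:
        raise ValueError(f"policy missing fields: {sorted(missing)}")
    if policy["version"] != "STSv1":
        raise ValueError("unsupported policy version")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {policy['mode']!r}")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """Check an MX hostname against the policy's mx patterns.
    A leading '*.' matches exactly one label, as MTA-STS specifies."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # ".backup-mx.example.test"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_valid: bool) -> str:
    """What a policy-honouring sender does with one delivery attempt."""
    failed = not (mx_allowed(policy, mx_host) and tls_ok and cert_valid)
    if not failed or policy["mode"] == "none":
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"                              # message held, not sent in clear
    return "deliver-and-report"                      # testing mode: TLS-RPT gets a failure


def tlsrpt_destinations(record: str) -> list:
    """Return the report URIs from a TLS-RPT TXT record."""
    tags = parse_tags(record)
    if tags.get("v") != "TLSRPTv1" or "rua" not in tags:
        raise ValueError("not a valid TLS-RPT record")
    return [uri.strip() for uri in tags["rua"].split(",")]


def summarize_tlsrpt(report: dict) -> dict:
    """Aggregate successful / failed sessions and failures by result type."""
    out = {"successful": 0, "failed": 0, "by_result_type": {}}
    for entry in report["policies"]:
        summary = entry.get("summary", {})
        out["successful"] += summary.get("total-successful-session-count", 0)
        out["failed"] += summary.get("total-failure-session-count", 0)
        for detail in entry.get("failure-details", []):
            kind = detail["result-type"]
            out["by_result_type"][kind] = (out["by_result_type"].get(kind, 0)
                                           + detail.get("failed-session-count", 0))
    return out


if __name__ == "__main__":
    sts = parse_sts_policy(MTA_STS_POLICY)
    print("STS record id:", parse_tags(MTA_STS_DNS)["id"])
    print("expired cert, enforce mode:", delivery_decision(sts, "mail.example.test", True, False))
    print("TLS-RPT reports go to:", tlsrpt_destinations(TLSRPT_DNS))
    print("report summary:", summarize_tlsrpt(TLSRPT_SAMPLE_REPORT))
```

The `mode` field is the operational knob worth noting: publish the policy in `testing` mode first, watch the TLS-RPT summaries for `certificate-expired`, `starttls-not-supported` or unexpected MX hostnames, and move to `enforce` only once the failure counts are zero, since in enforce mode a misconfigured certificate stops inbound mail rather than merely reporting it.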

If you are interested in implementing these features, please reach out to the helpdesk at helpdesk@lighthousesol.com to authorize these changes.

A NOTE FOR HARMONY CLIENTS:

For our clients utilizing our Harmony Managed Services, we've already begun the roll-out of DKIM and DMARC Monitoring to you, as well as implementing MTA-STS and TLS-RPT. Over the next few days, our team will be analyzing the results and building policies. You do not need to do anything else.