When it comes to sending emails, security is everything but straightforward. As one of the oldest systems that are still widely used across the Internet, email fundamentally lacks any kind of consideration for security or privacy.
Over the years, there have been many solutions proposed and deployed to address this shortcoming, most of which are transparent to end users. Red Sift’s OnDMARC assists with setting up the three core technologies widely used to “add” security to email: SPF, DKIM, and DMARC. These technologies work hand-in-hand to protect both the company and their customers from phishing and malicious email.
Technical solutions, however, are never enough.
In the age of the cloud, it is increasingly difficult to keep a secure email server in one’s basement or even datacenter. Not only is it often prohibitively expensive to run such a crucial service internally, staying on top of critical updates without compromising the availability of email requires a dedicated team.
At the same time, there are a number of great products out there that are loved by development, marketing, and commercial teams for their ease of use and distinctive features. Instead of flat-out banning cloud services, it is useful to consider what real threats they pose to our company. We need to develop an intuition as to where things may go wrong, and how they will affect operations when they do.
Risk assessment
When we start using cloud services for business functions, whether it be the CRM, mailing lists, or as part of company software, we have to realise that we’re delegating some trust to a provider. We pay them to do “the right thing”, not only to run a reliable but also a secure product.
Managing this trust can be tricky, so understanding exactly how things will go wrong when they do is essential. Trust does not have to be a yes or no question. I am often happy using SaaS I do not consider trustworthy at all. With the knowledge that they serve a specific purpose for a short period of time, and once they betray me my sensitive information is still inaccessible to them, I will feel safe.
On the flipside, there are occasions where only the best of the best will do, like my personal email. Gmail and Outlook 365 are the biggest providers, and they will generally do a very good job in keeping their users secure, even against nation-state actors.
But what about privacy? What about company secrets? Realistically, a “big” provider is often more secure just by virtue of being big. A compromise of a centralised provider could be catastrophic globally, therefore they can afford to employ the best security personnel and practices they need. In contrast, a company whose main focus is different from email will put less significance on their email security. After all, the scale of a compromise in their case is going to be smaller. A company is going to be an easy target if the easiest way in is through a provider who did not consider security spending important.
For example, impersonating a company and sending phishing emails to people through abusing SendGrid will be much harder than by compromising a smaller vendor. Google is going to need to protect more users than Switzerland-based privacy-focused alternatives, and they will do a more diligent job as a corollary.
Measure twice, trust once
Evaluating trustworthiness of a service provider is difficult. There are a few angles that we need to look at and make our own decision.
- Is it the vendor’s core product? If a service provider’s core product is not the one we’re going to use, chances are they pay less attention to it. A small marketing agency running a mail server is not specialised in providing a marketing mailing list. Their focus is providing marketing communications and strategy on behalf of their customers. While seemingly the latter includes the former, in reality, managing a mailing list is a fundamentally technical task while marketing activities are, well, they aren’t.
- The number of customers. Big providers tend to be more reliable just by virtue of being big. Email sending services like MailChimp and SendGrid are software companies with a narrow focus. They solve one problem well, and because many people put faith in them running their infrastructure well, they need to live up to that trust.
- Reputation. The reputation of a company through recommendations or press weighs a lot. While anecdotal evidence should always be taken with a pinch of salt, there are a lot of ways for a company to demonstrate their worth. Good documentation and support are usually a positive sign about a vendor staying on top of their product.
- User experience. Consistent and good user experience often means things are in good hands. If there are reports about an unreliable service, it is best to stay away. User experience doesn’t just mean a flashy website and ease of use, but also stability and reliability. When we start to see constant outages, it’s time to start asking questions and evaluating alternatives.
- Pace of change. Regular updates can be a good sign. If, however, the upgrades bring instability, that’s quite possibly a sign of some failure in testing. A few products, on the other hand, don’t require continuous development. Slack has not changed their UI in what seems like forever, and it still works.
Eggs in many baskets, in baskets, in baskets…
Of course, besides analysing products for their security, it’s worth looking at the impact of their potential breach. After all, even the seemingly safest product has a non-zero chance of failing, and it’s worth considering what happens when they do.
As a general rule of thumb, using a small number of providers to handle different tasks is a good idea. For instance, consider the scenario when we have multiple providers sending emails from company.com, and an employee in sales gets phished, allowing the attackers to take control of the CRM. Until the breach is detected, they can impersonate the company to our customers. However, after noticing a breach, the CRM can be distrusted as an email sender for company.com using DMARC without any disruption to other business functions.
For a low profile domain, we might choose to go with a less trustworthy provider, and its impact should be small enough to “not care”. For the crown jewels, only the best of the best will do.
There’s a balance to how much we should diversify the services that take care of the online persona, and that balance may be hard to find or, indeed, maintain. But diversification in general is a good thing. Assuming a correct setup of SPF, DKIM, and DMARC, we can always rely on limiting the scope of a breach.
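The CRM scenario above, worked through as an added example (not Red Sift’s code or OnDMARC’s logic): a simplified DMARC alignment check shows that dropping one provider’s SPF include and DKIM selector makes its mail fail DMARC while other senders for the same domain keep passing. Provider hostnames and the SPF/DKIM shortcuts (membership in a set instead of real DNS lookups and signature verification) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DomainConfig:
    spf_includes: set        # simplified stand-in for the record's include: mechanisms
    dkim_selectors: dict     # selector -> provider host that holds the private key
    dmarc_policy: str = "reject"   # p= tag of the DMARC record

@dataclass
class Message:
    header_from: str         # RFC 5322 From domain, what the recipient sees
    envelope_from: str       # RFC 5321 MAIL FROM domain, the SPF identity
    sending_host: str        # provider that relayed the message
    dkim_selector: Optional[str] = None
    dkim_domain: Optional[str] = None   # d= tag of the DKIM-Signature

def org_domain(domain):
    # Relaxed alignment compares organisational domains (bounce.company.com -> company.com).
    return ".".join(domain.lower().split(".")[-2:])

def spf_result(msg, cfg):
    # Simplified: SPF passes when the relaying provider is still listed in the record.
    return msg.sending_host in cfg.spf_includes

def dkim_result(msg, cfg):
    # Simplified: the signature verifies when the selector is published and its
    # key belongs to the provider that actually sent the message.
    return cfg.dkim_selectors.get(msg.dkim_selector) == msg.sending_host

def dmarc_evaluate(msg, cfg):
    """Return 'pass', or the policy action when neither identifier is aligned."""
    spf_aligned = spf_result(msg, cfg) and org_domain(msg.envelope_from) == org_domain(msg.header_from)
    dkim_aligned = (dkim_result(msg, cfg) and msg.dkim_domain is not None
                    and org_domain(msg.dkim_domain) == org_domain(msg.header_from))
    return "pass" if (spf_aligned or dkim_aligned) else cfg.dmarc_policy

def revoke_provider(cfg, host):
    """Distrust one provider: drop its SPF include and every DKIM selector it holds."""
    return DomainConfig(spf_includes=cfg.spf_includes - {host},
                        dkim_selectors={s: h for s, h in cfg.dkim_selectors.items() if h != host},
                        dmarc_policy=cfg.dmarc_policy)

# Constructed sample for company.com; both provider hostnames are hypothetical.
COMPANY = DomainConfig(spf_includes={"crm.example-saas.net", "lists.example-esp.net"},
                       dkim_selectors={"crm": "crm.example-saas.net", "news": "lists.example-esp.net"})
CRM_MAIL = Message("company.com", "company.com", "crm.example-saas.net", "crm", "company.com")
NEWSLETTER = Message("company.com", "bounce.company.com", "lists.example-esp.net", "news", "company.com")

if __name__ == "__main__":
    after = revoke_provider(COMPANY, "crm.example-saas.net")   # CRM breach detected
    for name, m in (("CRM", CRM_MAIL), ("newsletter", NEWSLETTER)):
        print(f"{name}: before={dmarc_evaluate(m, COMPANY)} after={dmarc_evaluate(m, after)}")
```

Receivers only enforce the policy once the DNS change propagates, so the TTL on the SPF and DKIM records bounds how long the compromised sender keeps passing.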
Email security is complex, but it does not have to be scary. By assessing the products we use and how they fit into the infrastructure, security-related decisions become manageable.
Most importantly, cloud SaaS products almost always offer fine-grained controls over the amount of information we share with them and the actions they are allowed to perform on behalf of the company’s online persona. We should not be afraid to tinker with them, and stay conservative about what options we select.
Last, but not least, solutions such as OnDMARC and OnInbox can help companies understand their email security profile better, and offer advice to remediate configuration issues.
Peter has been a software engineer for over 15 years, with a special interest in privacy and security-related projects. His sweet spot is building new products, and he previously led product development at Cyberlytic. Having started his own, failed, venture-funded startup, and worked with large enterprises, he has developed a paranoia that is often surprising, but never unreasonable.