What are "Email Security" risks?

What email-related risks KYND flags in your data, and how you can use them to improve your email security

Email is one of the most significant points of attack for threat actors. Email impersonation tactics such as spoofing, business email compromise (BEC) and CEO fraud are among the most frequently reported causes of cyber fraud losses.

However, there are standard protections available which every organisation should implement to reduce this threat. These standard protections are SPF, DKIM and DMARC.

Any organisation that has not put these standard email protections in place is at high risk of having its email addresses spoofed or impersonated to defraud its employees, customers, partners and suppliers.

About those protections:

SPF

SPF stands for Sender Policy Framework. It is an email authentication technique used to counter email spoofing. An SPF record, published as a DNS TXT record, allows a domain owner to list the domains or IP addresses that are trusted to send email on behalf of that domain.

If a domain or IP address that is not in the published record attempts to send an email, the email will not pass the SPF check, indicating that it may be fraudulent or spoofed. It will then be treated in accordance with the domain's DMARC policy.

DMARC

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It’s an email authentication and reporting policy protocol designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cyber-crimes.

DMARC builds on SPF (and DKIM) by stating a clear policy that receiving mail servers should apply to incoming email. This lets a receiver assess whether an incoming email matches what the sending domain has published about itself, and tells it what to do with an email that does not match. Emails that fail the assessment can be quarantined for review, or rejected outright, preventing them from reaching user inboxes.

DKIM

DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that helps prevent spoofing and phishing. It works as a digital signature on each message, verifying that the mail was sent by the domain it claims to come from and confirming that the content was not altered in transit.

It works using a public key published in your DNS records. When someone receives an email purporting to be from you, their mail server uses this public key to verify the signature in the email's DKIM header, confirming that the email is legitimate and unchanged.

DKIM empowers other email protocols like SPF and DMARC by preventing threat actors from impersonating your organisation’s email domains.

KYND continuous monitoring regularly checks your publicly available email records to confirm that these protections are in place. You can find the results in your KYND ON account or your SIGNALS report.

Because KYND is always performing domain discovery on your DNS, we will flag any email risks associated with newly discovered domains without you having to add them to your account manually. We advise adding email security policies even to domains that are not currently used for email, to prevent reputation loss from spoofed emails sent in their name.

How KYND ranks email security risks

We categorise email risks in the following ways:

RED

There was no record associated with this domain, or the policy entered is invalid in some way. You should review the risk and check that the record is configured correctly.

AMBER

For SPF this means you have a soft fail (~all) in place, and for DMARC it means you have opted to quarantine (p=quarantine). For DKIM it means we have not found a DKIM record, but the domain may not be used for email. These are medium-strength settings and completely legitimate; however, they do require you to review regularly that they are behaving appropriately. You should also align them with any email security controls you have operating beyond the perimeter.

GREEN

You have opted in to the strongest setting, with a hard fail (-all) for SPF and reject (p=reject) for DMARC. For DKIM this means you have a DKIM signature record in place. This is the most restrictive level of protection. Depending on the other email security solutions that may be operating beyond the perimeter, you may want to reduce the strictness temporarily to test what is being rejected.
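As an added illustration (not KYND's own checker), the RED / AMBER / GREEN rules above expressed as a small Python classifier over already-fetched DNS TXT record strings. The sample records are constructed; the handling of SPF records that end in neither -all nor ~all, of DMARC p=none, and the "worst of the three" overall status are assumptions, not rules stated on this page.

```python
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}

def rank_spf(record):
    """SPF: GREEN for a hard fail (-all), AMBER for a soft fail (~all), RED for
    a missing/invalid record. Assumption: ?all, +all or no 'all' term is RED."""
    if not record or not record.lower().startswith("v=spf1"):
        return "RED"
    terminal = record.split()[-1].lower()
    return {"-all": "GREEN", "~all": "AMBER"}.get(terminal, "RED")

def _parse_tags(record):
    """Split a 'k=v; k=v' style DMARC/DKIM record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def rank_dmarc(record):
    """DMARC: GREEN for p=reject, AMBER for p=quarantine, RED for missing or
    invalid. Assumption: p=none (monitor only) is also treated as RED."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "RED"
    policy = _parse_tags(record).get("p", "").lower()
    return {"reject": "GREEN", "quarantine": "AMBER"}.get(policy, "RED")

def rank_dkim(record):
    """DKIM: GREEN when a selector record with a public key is published,
    AMBER when no record was found (domain may not send mail), RED when a
    record exists but is malformed or carries an empty (revoked) key p=."""
    if record is None:
        return "AMBER"
    tags = _parse_tags(record)
    # The v= tag is optional in DKIM key records and defaults to DKIM1.
    if tags.get("v", "DKIM1").upper() != "DKIM1" or not tags.get("p"):
        return "RED"
    return "GREEN"

def rank_domain(spf, dmarc, dkim):
    """Rank each record and report the worst as the domain's headline status."""
    ranks = {"spf": rank_spf(spf), "dmarc": rank_dmarc(dmarc), "dkim": rank_dkim(dkim)}
    ranks["overall"] = max(ranks.values(), key=SEVERITY.get)
    return ranks

# Constructed sample records for a fictitious domain (not real DNS data).
SAMPLE = {
    "spf": "v=spf1 include:_spf.mail.example ~all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

if __name__ == "__main__":
    print(rank_domain(**SAMPLE))
```

In practice the DKIM record lives under a selector name (selector._domainkey.yourdomain), so the selector must be known before the TXT value can be fetched and passed in.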

If you believe you have received an incorrect RED result, please check whether we have alerted you to a DNS timeout when reviewing your records.

If you do receive this warning, you can find out how to address it in our article Risk Report: DNS Timeout Error.