The past week brought several announcements in the email security realm about how email providers are helping to secure the channel for everyone involved. Here are some of the more noteworthy articles and blogs on the topic.
Authentication has always been a cornerstone of securing email, because it validates the identity of the sender. To further help validate a sender’s identity for email users, Gmail has started displaying a “sent on behalf of” notice for all unauthenticated messages sent by a third party, such as an Email Service Provider (ESP) or some forward-to-a-friend notifications where the From: domain is spoofed, and where the DKIM signing domain differs from the From: domain. This helps email subscribers identify possible spoofed or phishing messages more easily. Senders can stop this “via” link by publishing an SPF record or signing with DKIM for the From: domain. Here is the Google support page on the matter. Additionally, Laura Atkins from Word to the Wise has a great write-up on the recent changes as well.
In addition to the “sent on behalf of” notifications, Gmail explains that it will also add a warning of “this message may not have been sent by…” where authentication fails for a Gmail.com From: domain. Spoofing the From: domain is pretty common for social networking site invites and forward-to-a-friend emails. At Return Path, we recommend not spoofing the From: domain and instead using your own, and authenticating it with SPF and DKIM. Senders can include a Sender: header as well to pass this check for spoofed From: domains, but they will then also have the “sent on behalf of” message displayed in their emails, so again it’s better to use your own.
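To make the alignment rules above concrete, here is an added example (not Gmail’s code or Return Path’s, and a simplification of what the post describes) that pulls the From:, Sender: and DKIM d= domains out of a message and reports which indicator a sender should expect. The sample headers, the `esp.example` domains and the `spf_pass_domain` parameter are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample: the common ESP pattern where the DKIM signing
# domain (d=) is not the From: domain, so the "via" link appears.
SAMPLE_ESP = """\
From: Example Newsletter <news@example.com>
Sender: bounce@esp.example
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=sel; h=from:to; bh=...; b=...
Subject: Weekly digest

body
"""

def header_domains(raw):
    """Return (from_domain, sender_domain, dkim_signing_domain), lowercased."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sender_dom = parseaddr(msg.get("Sender", ""))[1].rpartition("@")[2].lower()
    dkim_dom = ""
    # DKIM-Signature is a ';'-separated tag list; d= is the signing domain.
    for tag in msg.get("DKIM-Signature", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "d":
            dkim_dom = value.strip().lower()
    return from_dom, sender_dom, dkim_dom

def gmail_indicator(raw, spf_pass_domain=""):
    """Model of the indicators described in the post (assumption, not Gmail's logic).
    spf_pass_domain is the envelope-sender domain for which SPF passed, or ""."""
    from_dom, sender_dom, dkim_dom = header_domains(raw)
    if from_dom and (dkim_dom == from_dom or spf_pass_domain == from_dom):
        return "none"           # authenticated for the From: domain itself
    if from_dom == "gmail.com" and not sender_dom:
        return "warning"        # "this message may not have been sent by..."
    if dkim_dom or spf_pass_domain:
        return "via"            # "sent on behalf of" / via link
    return "unauthenticated"    # nothing to validate the sender at all

def aligned_version(raw, domain):
    """Re-sign the constructed sample with d= equal to the From: domain."""
    return raw.replace("d=esp.example", "d=" + domain)
```

Running `gmail_indicator(SAMPLE_ESP)` gives `"via"`, while the same message signed with `d=example.com` gives `"none"`, which is the change the post recommends.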
InformationWeek compares Microsoft’s Office 365 and Google Apps for enterprise email in the cloud and what that means for email security.
92 days after their massive email breach, Epsilon has created an email security solution that only allows whitelisted IPs to access its systems.
John Dvorak thinks that email would be more secure, and we’d have better email standards if the USPS jumped in on the email provider bandwagon back in the day. I’ll let you ponder that and come to your own conclusion.
Terry Zink argues that the root cause of security issues like phishing emails is the very people in the organization. While I agree with his sentiment that user education is important, humans are easily fooled, so additional measures are needed; education alone isn’t enough. Technology like spam filtering and Domain Assurance is all the more important because of this.
How does your organization help secure the email channel for both enterprise users and subscribers?