Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

10:00 AM
By Seth Blank

New Standards Set to Reshape Future of Email Security

Emerging specs and protocols expected to make the simple act of opening an email a less risky proposition

Email is one of the most successful communications media ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users continues to grow at a rate of 3% per year. By 2020 there will be 4 billion active users of email — more than half the planet’s population — according to the Radicati Group, which tracks email usage worldwide. 

Unfortunately, email is unprepared for today’s threats, because it was designed nearly 40 years ago, when its eventual global reach and security challenges were unimaginable. Decades of work by the email industry have largely contained spam, but phishing and email-based malware remain enormous threats, with email involved in over 90% of all cyberattacks, according to various estimates. Email vulnerabilities have even played a disruptive role in elections, such as in the 2016 hack of the Democratic National Committee’s email (carried out via spear-phishing email) and in 2018 attacks on Florida election officials. 

That’s why email insiders are busy developing standards aimed at addressing email’s most glaring weakness: that anyone can send email as anyone else. This lack of a strong sender identity model has created an epidemic of spoofing that doesn’t exist through other messaging applications that have strong sender identity controls. In other words, when you get a Facebook message, a WhatsApp message, or a Twitter DM, you can be fairly sure of who the sender actually is. But there are no such assurances in email, and that’s why there are 6.4 billion spoofed emails sent every day, according to a research report from Valimail.

With stronger sender identity protections in place, we can eliminate these fakes. Email will be more trustworthy and better able to support advanced capabilities. And that’s exactly what a variety of standards groups are focusing on. The gold standard for strong sender identity in email is DMARC, and the standards shaping the future of email are increasingly requiring it. Here are some of the new email standards improving sender identity and security for the entire ecosystem.

DMARC
Domain-based Message Authentication, Reporting & Conformance has been an unofficial but widely accepted standard since 2015. It provides a way for domain owners to control which senders are allowed to send email using their domain. DMARC is accepted and enforced by about 80% of the world’s email inboxes, has been growing exponentially among domain owners, and the Internet Engineering Task Force (IETF) is working to make it an official standard. It’s too soon to know exactly what the next version of DMARC will include, but it’s safe to say that it is fast becoming part of basic security best practices, along with firewalls and SSL/TLS encryption on websites.

BIMI
Brand Indicators for Message Identification is a way for brands to specify images that appear alongside the authenticated email messages they send. Once their domains are authenticated with DMARC (with an enforcement policy), they gain the ability to display logos with their messages in place of the default avatars most inboxes show. Verizon Media is already running a pilot of BIMI in Yahoo Mail, and Google plans to run its own pilot in 2020. BIMI’s offer of brand impressions is a big incentive for marketers, which will drive many organizations to deploy DMARC in order to reap that benefit — and wider usage of DMARC will mean more trustworthy email overall for everyone. 
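As an added illustration of the two sections above (this is example code, not code from the article, from Valimail, or from the IETF drafts), the following Python shows how a receiving mail server applies a DMARC record: it parses the tag=value TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the visible From: domain, applies the p= (or sp=) policy when nothing aligns, and finally tests whether the record is at the enforcement level BIMI requires before a logo is displayed. The domain names, DMARC records and authentication results are constructed sample data, and the organizational-domain helper is a two-label approximation standing in for the Public Suffix List lookup a real receiver performs.

```python
"""DMARC evaluation and BIMI-eligibility check (added example, not the
article's or any vendor's code). All records and domains are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample DMARC records for the hypothetical domain example.com.
ENFORCING_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs and apply the
    RFC 7489 defaults (relaxed alignment, pct=100, sp inherits p)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Real
    receivers consult the Public Suffix List; this shortcut is an assumption
    of the example and is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain that shares the organizational domain."""
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(record: Dict[str, str], policy_domain: str, header_from: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domains: List[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition).

    DMARC passes when at least one authenticated identifier (the SPF MAIL FROM
    domain, or a DKIM d= domain whose signature verified) aligns with the
    From: domain. Otherwise p= applies, or sp= when the From: domain is a
    subdomain of the domain the record was published at. The pct= sampling a
    real receiver performs is omitted here.
    """
    spf_ok = spf_pass_domain is not None and aligned(
        header_from, spf_pass_domain, record["aspf"])
    dkim_ok = any(aligned(header_from, d, record["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = header_from.lower().rstrip(".") != policy_domain.lower().rstrip(".")
    return False, (record["sp"] if is_subdomain else record["p"])


def bimi_eligible(record: Dict[str, str]) -> bool:
    """BIMI only shows a logo for domains at DMARC enforcement: p=reject, or
    p=quarantine with pct=100, and the subdomain policy must not be none."""
    p, sp, pct = record["p"], record["sp"], record["pct"]
    at_enforcement = p == "reject" or (p == "quarantine" and pct == "100")
    return at_enforcement and sp != "none"


if __name__ == "__main__":
    rec = parse_dmarc(ENFORCING_RECORD)
    # Legitimate bulk mail: From: example.com, SPF passed for bounce.example.com.
    print(evaluate_dmarc(rec, "example.com", "example.com", "bounce.example.com", []))
    # Spoof attempt: From: example.com, but only the sender's own domain authenticated.
    print(evaluate_dmarc(rec, "example.com", "example.com", "attacker.example", ["attacker.example"]))
    print(bimi_eligible(rec), bimi_eligible(parse_dmarc(MONITOR_ONLY_RECORD)))
```

The spoofed message in the usage block fails DMARC and receives the `reject` disposition because nothing that authenticated aligns with the From: domain, which is the check that closes the "anyone can send as anyone" gap the article describes; the monitor-only record (`p=none`) passes the same message through and is therefore not BIMI-eligible.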

AMP for Email
AMP is a framework for accelerating web page load times. AMP for Email creates the possibility of building interactive applications in AMP that live right inside the inbox — no need for users to click out to a separate web page. It includes provisions for authenticating senders and encrypting data in transit, which should alleviate security concerns, while opening up a wide range of possibilities for email-based application design. 

Schema.org for Email
Schema.org is a collaborative, decentralized project creating data "schemas" for different types of structured data, such as informational listings for people, places, and businesses; calendar events; audio and video objects; books; and even recipes. These lightweight metadata frameworks create a common baseline for applications to ingest and use this data. In email, Schema.org-encoded data can simplify integrations: For instance, if you get an order confirmation from a retailer, a Schema.org-formatted email could contain dynamically updated information on its shipping progress. 

STARTTLS and MTA-STS
STARTTLS is an email security protocol that lets email clients and servers upgrade a connection so that they exchange data in encrypted form, using TLS (Transport Layer Security) or SSL (Secure Sockets Layer) if both sides support it. This is akin to HTTPS for web pages: It ensures that messages are encrypted in transit. MTA Strict Transport Security (MTA-STS) is a related standard that takes this a step further: a domain can require authentication checks and encryption for connections between mail servers, which helps prevent any unencrypted data from being transmitted and thwarts man-in-the-middle attacks that would otherwise strip the optional encryption. In combination with DMARC, which assures the sender’s identity is legitimate, these two protocols further improve security for the "hidden plumbing" that makes email work.
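To make the MTA-STS step concrete, here is an added Python example (not code from the article or from any mail server project) of the decision a sending mail server makes under MTA-STS: it parses the `_mta-sts` DNS record and the policy file a domain publishes over HTTPS, checks that the MX host it resolved is one the policy lists, and then allows or defers delivery depending on whether STARTTLS succeeded with a valid certificate and on the policy mode. The domain `example.com`, the policy text and the DNS record are constructed sample data; the TLS and certificate outcomes are passed in as booleans so the logic runs offline.

```python
"""MTA-STS policy parsing and delivery decision (added example, not the
article's or any MTA's code). Policy text, DNS record and hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy as a sender would fetch it from
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

# Constructed TXT record at _mta-sts.example.com; the id changes whenever the
# policy changes, so a sender knows when its cached copy must be re-fetched.
SAMPLE_TXT = "v=STSv1; id=20200118T120000;"


@dataclass
class StsPolicy:
    mode: str        # "enforce", "testing" or "none"
    mx: List[str]    # allowed MX hostnames, optionally with a leading "*."
    max_age: int     # seconds the policy may be cached


def parse_sts_txt(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record into its v= and id= tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not an MTA-STS TXT record")
    return tags


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the key: value policy file format from RFC 8461 section 3.2."""
    mx: List[str] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("policy in enforce/testing mode must list mx hosts")
    return StsPolicy(mode=mode, mx=mx, max_age=int(fields["max_age"]))


def mx_matches(mx_host: str, patterns: List[str]) -> bool:
    """True if the resolved MX hostname is covered by the policy. A leading
    '*.' matches exactly one leftmost label, so *.backup.example.com covers
    mx1.backup.example.com but not a.b.backup.example.com."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".backup.example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pat:
            return True
    return False


def delivery_decision(policy: StsPolicy, mx_host: str,
                      tls_negotiated: bool, cert_valid: bool) -> Tuple[bool, str]:
    """Decide whether the sender may hand the message to mx_host.

    The policy is satisfied when the MX is listed and STARTTLS succeeded with
    a certificate that validates for that host. In enforce mode an unsatisfied
    policy blocks delivery (the sender defers and retries later), which is what
    defeats an attacker who strips STARTTLS from the session; in testing mode
    the message still goes out, but the failure is reported via TLSRPT.
    """
    satisfied = mx_matches(mx_host, policy.mx) and tls_negotiated and cert_valid
    if satisfied:
        return True, "deliver: policy satisfied"
    if policy.mode == "enforce":
        return False, "defer: enforce mode and policy not satisfied"
    if policy.mode == "testing":
        return True, "deliver: policy not satisfied, report via TLSRPT"
    return True, "deliver: mode none"


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    print(parse_sts_txt(SAMPLE_TXT)["id"], policy)
    print(delivery_decision(policy, "mail.example.com", True, True))
    print(delivery_decision(policy, "mail.example.com", False, False))  # STARTTLS absent
    print(delivery_decision(policy, "mail.example.net", True, True))    # MX not in policy
```

The two failing calls in the usage block are the cases MTA-STS was written for: without it, a sender whose STARTTLS offer was removed from the session, or whose DNS answer was redirected to an unlisted MX, would fall back to plaintext delivery; in enforce mode the sender defers instead, and in testing mode the domain owner learns about the problem from TLSRPT reports before switching to enforce.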

As these standards gain acceptance, with strong and widely deployed sender identity, email will become more interactive and more secure for all users. Already a vital communications channel for more than half the planet, it will evolve into an even more engaging, ubiquitous platform for B2B and B2C communications, and many of the problems we currently face with phishing and BEC will fade away. 

That won’t be easy. It will take a lot of effort by many different organizations and individuals. But the groundwork has been laid, and the benefits will be immense, so there is every reason to think that email is going to continue improving – and growing. Email isn’t going away. It’s only going to empower richer experiences and get bigger and better through the process.


Seth Blank is the chair of the working group developing BIMI, the secretary of the IETF working group developing DMARC, and an active contributor to many email industry groups. He is the director of industry initiatives at Valimail.