Seth Blank

New Standards Set to Reshape Future of Email Security

Emerging specs and protocols expected to make the simple act of opening an email a less risky proposition

Email is one of the most successful communications media ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users continues to grow at a rate of 3% per year. By 2020 there will be 4 billion active users of email — more than half the planet’s population — according to the Radicati Group, which tracks email usage worldwide. 

Unfortunately, email is unprepared for today’s threats, because it was designed nearly 40 years ago when its eventual global reach and security challenges were unimaginable. Decades of work by the email industry has largely contained spam, but phishing and email-based malware remain enormous threats, with email involved in over 90% of all cyberattacks, according to various estimates. Email vulnerabilities have even played a disruptive role in elections, such as in the 2016 hack of the Democratic National Committee’s email (done via spear phishing email) and in 2018 attacks on Florida election officials. 

That’s why email insiders are busy developing standards aimed at addressing email’s most glaring weakness: that anyone can send email as anyone else. This lack of a strong sender identity model has created an epidemic of spoofing that does not exist on other messaging applications, which have strong sender identity controls. In other words, when you get a Facebook message, a WhatsApp message, or a Twitter DM, you can be fairly sure of who the sender actually is. But there are no such assurances in email, and that’s why there are 6.4 billion spoofed emails sent every day, according to a research report from Valimail.

With stronger sender identity protections in place, we can eliminate these fakes. Email will be more trustworthy and better able to support advanced capabilities. And that’s exactly what a variety of standards groups are focusing on. The gold standard for strong sender identity in email is DMARC, and the standards shaping the future of email are increasingly requiring it. Here are some of the new email standards improving sender identity and security for the entire ecosystem.

DMARC
Domain-based Message Authentication, Reporting & Conformance has been an unofficial but widely accepted standard since 2015. It provides a way for domain owners to control which senders are allowed to send email using their domain. DMARC is accepted and enforced by about 80% of the world’s email inboxes, has been growing exponentially among domain owners, and the Internet Engineering Task Force (IETF) is working to make it an official standard. It’s too soon to know exactly what the next version of DMARC will include, but it’s safe to say that it is fast becoming part of basic security best practices, along with firewalls and SSL/TLS encryption on websites.

BIMI
Brand Indicators for Message Identification is a way for brands to specify images that appear alongside the authenticated email messages they send. Once their domains are authenticated with DMARC (with an enforcement policy), they gain the ability to display logos with their messages in place of the default avatars most inboxes show. Verizon Media is already running a pilot of BIMI in Yahoo Mail, and Google plans to run its own pilot in 2020. BIMI’s offer of brand impressions is a big incentive for marketers, which will drive many organizations to deploy DMARC in order to reap that benefit — and wider usage of DMARC will mean more trustworthy email overall for everyone.
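To make the sender-identity check in the two paragraphs above concrete, here is an added Python example (not code from the article, Valimail or any DMARC library) that evaluates a DMARC record against SPF/DKIM results the way a receiving server does, then applies the BIMI prerequisite of an enforcing policy. The record, the domains and the two-label shortcut for the organizational domain are constructed assumptions.

```python
# Added example (not the article's or Valimail's code): evaluate a DMARC record
# the way a receiving server does, then apply the BIMI prerequisite of an
# enforcing DMARC policy. Record and domains are constructed sample values.
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict alignment (s) needs an exact match; relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str, spf_domain: Optional[str],
                      dkim_domain: Optional[str]) -> str:
    """'pass' if SPF or DKIM passed for a domain aligned with the From: header;
    otherwise the action the domain owner requested (none/quarantine/reject).
    spf_domain/dkim_domain are the domains that passed, or None."""
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, tags.get("adkim", "r"))):
        return "pass"
    return tags.get("p", "none").lower()

def bimi_eligible(record: str) -> bool:
    """Enforcement for BIMI: p=reject, or p=quarantine applied to all mail (pct=100)."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    return policy == "reject" or (policy == "quarantine" and tags.get("pct", "100") == "100")

# Constructed: a message claiming example.com that only passes SPF for an unrelated domain
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
print(dmarc_disposition(RECORD, "example.com", "unrelated.example", None))  # reject
print(bimi_eligible(RECORD))  # True
```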

AMP for Email
AMP is a framework for accelerating web page load times. AMP for Email creates the possibility of building interactive applications in AMP that live right inside the inbox — no need for users to click out to a separate web page. It includes provisions for authenticating senders and encrypting data in transit, which should alleviate security concerns, while opening up a wide range of possibilities for email-based application design. 

Schema.org for Email
Schema.org is a collaborative, decentralized project creating data "schemas" for different types of structured data, such as informational listings for people, places, and businesses; calendar events; audio and video objects; books; and even recipes. These lightweight metadata frameworks create a common baseline for applications to ingest and use this data. In email, Schema.org-encoded data can simplify integrations: For instance, if you get an order confirmation from a retailer, a Schema.org-formatted email could contain dynamically updated information on its shipping progress.

STARTTLS and MTA-STS
STARTTLS is an email security protocol that enables email clients and servers to exchange data in encrypted form, using TLS (Transport Layer Security) or SSL (Secure Sockets Layer) if they are available. This is akin to HTTPS for web pages: It ensures that messages are encrypted in transit. MTA Strict Transport Security (MTA-STS) is a related standard that takes this a step further, and can require authentication checks and encryption for connections between mail servers, which helps prevent any unencrypted data from being transmitted and thwarts man-in-the-middle attacks. In combination with DMARC, which assures the sender’s identity is legitimate, these two protocols further improve security for the "hidden plumbing" that makes email work.
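The paragraph above says MTA-STS lets a domain require TLS and a matching certificate for inbound server-to-server connections; here is an added Python example (not code from the article or from any MTA) showing the sending side's decision once it holds the receiving domain's policy. The policy text, the MX names and the failure labels are constructed assumptions; a real sender would fetch the policy over HTTPS after finding the domain's MTA-STS TXT record.

```python
# Added example (not the article's code): apply an MTA-STS policy on the sending
# side before handing mail to a receiving MX. The policy text is a constructed
# sample; a real sender fetches it over HTTPS after seeing the domain's TXT record.

def parse_policy(text: str) -> dict:
    """Parse the key: value policy lines; 'mx' may repeat, everything else is single."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' wildcard covers exactly one label, so *.example.com matches
    mx1.example.com but not a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]
    return pattern == host

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_ok: bool) -> str:
    """Decide what to do with mail for mx_host. tls_ok: STARTTLS negotiated;
    cert_ok: certificate validated for mx_host. Under mode=enforce any failure
    blocks delivery (the sender defers or tries another policy MX); under
    testing mail still flows but the failure is reported; under none nothing applies."""
    failures = []
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        failures.append("mx-not-in-policy")
    if not tls_ok:
        failures.append("starttls-not-supported")
    elif not cert_ok:
        failures.append("certificate-host-mismatch")
    if not failures or policy["mode"] == "none":
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer: " + ",".join(failures)
    return "deliver-and-report: " + ",".join(failures)

# Constructed policy for example.com
POLICY = parse_policy("version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.backup.example.com\nmax_age: 604800\n")
print(delivery_decision(POLICY, "mx1.example.com", True, True))   # deliver
print(delivery_decision(POLICY, "mx1.example.com", False, True))  # defer: starttls-not-supported
```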

As these standards gain acceptance, with strong and widely deployed sender identity, email will become more interactive and more secure for all users. Already a vital communications channel for more than half the planet, it will evolve into an even more engaging, ubiquitous platform for B2B and B2C communications, and many of the problems we currently face with phishing and BEC will fade away. 

That won’t be easy. It will take a lot of effort by many different organizations and individuals. But the groundwork has been laid, and the benefits will be immense, so there is every reason to think that email is going to continue improving – and growing. Email isn’t going away. It’s only going to empower richer experiences and get bigger and better through the process.


Seth Blank is the chair of the working group developing BIMI, the secretary of the IETF working group developing DMARC, and an active contributor to many email industry groups. He is the director of industry initiatives at Valimail.
