
Seth Blank

New Standards Set to Reshape Future of Email Security

Emerging specs and protocols expected to make the simple act of opening an email a less risky proposition

Email is one of the most successful communications media ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users continues to grow at a rate of 3% per year. By 2020 there will be 4 billion active users of email — more than half the planet’s population — according to the Radicati Group, which tracks email usage worldwide. 

Unfortunately, email is unprepared for today’s threats, because it was designed nearly 40 years ago when its eventual global reach and security challenges were unimaginable. Decades of work by the email industry has largely contained spam, but phishing and email-based malware remain enormous threats, with email involved in over 90% of all cyberattacks, according to various estimates. Email vulnerabilities have even played a disruptive role in elections, such as in the 2016 hack of the Democratic National Committee’s email (done via spear phishing email) and in 2018 attacks on Florida election officials. 

That’s why email insiders are busy developing standards aimed at addressing email’s most glaring weakness: that anyone can send email as anyone else. This lack of a strong sender identity model has created an epidemic of spoofing that doesn’t exist through other messaging applications that have strong sender identity controls. In other words, when you get a Facebook message, a WhatsApp message, or a Twitter DM, you can be fairly sure of who the sender actually is. But there are no such assurances in email, and that’s why there are 6.4 billion spoofed emails sent every day, according to a research report from Valimail.

With stronger sender identity protections in place, we can eliminate these fakes. Email will be more trustworthy and better able to support advanced capabilities. And that’s exactly what a variety of standards groups are focusing on. The gold standard for strong sender identity in email is DMARC, and the standards shaping the future of email are increasingly requiring it. Here are some of the new email standards improving sender identity and security for the entire ecosystem.

DMARC
Domain-based Message Authentication, Reporting & Conformance has been an unofficial but widely accepted standard since 2015. It provides a way for domain owners to control which senders are allowed to send email using their domain. DMARC is accepted and enforced by about 80% of the world’s email inboxes, has been growing exponentially among domain owners, and the Internet Engineering Task Force (IETF) is working to make it an official standard. It’s too soon to know exactly what the next version of DMARC will include, but it’s safe to say that it is fast becoming part of basic security best practices, along with firewalls and SSL/TLS encryption on websites.

BIMI
Brand Indicators for Message Identification is a way for brands to specify images that appear alongside the authenticated email messages they send. Once their domains are authenticated with DMARC (with an enforcement policy), they gain the ability to display logos with their messages in place of the default avatars most inboxes show. Verizon Media is already running a pilot of BIMI in Yahoo Mail, and Google plans to run its own pilot in 2020. BIMI’s offer of brand impressions is a big incentive for marketers, which will drive many organizations to deploy DMARC in order to reap that benefit — and wider usage of DMARC will mean more trustworthy email overall for everyone.
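To make the two preceding sections concrete, here is an added example (not code from the article, Valimail, or the IETF) of what a receiving mail server does with a DMARC record: it checks whether the SPF or DKIM identifier aligns with the visible From domain, and if neither does, applies the domain owner's published policy. It then checks whether that policy is strong enough for BIMI, which per the BIMI draft means DMARC at enforcement (p=reject, or p=quarantine with pct=100) with no sp=none escape hatch for subdomains. The domain names, records and authentication results are constructed for the example, and the organizational-domain lookup is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Added example: DMARC disposition and BIMI eligibility checks.
Not the article's or any vendor's code; records and domains are constructed."""
from dataclasses import dataclass


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and BIMI TXT records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment. ASSUMPTION: keep the last
    two labels. Real receivers use the Public Suffix List (this is wrong for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' (default) = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= tag of a passing DKIM signature ("" if none)


def dmarc_disposition(from_domain: str, record_domain: str, record: str, auth: AuthResults) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.

    record_domain is where the TXT record was found (the From domain itself or its
    organizational domain); sp= overrides p= only when From is a subdomain.
    The pct= sampling tag is ignored here for brevity."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"  # no usable policy: message is unauthenticated but unpoliced
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # at least one aligned, passing authentication mechanism
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"].lower()
    return tags["p"].lower()


def bimi_eligible(dmarc_record: str, bimi_record: str) -> tuple:
    """(ok, reason). BIMI draft: DMARC must be at enforcement (p=reject, or
    p=quarantine with pct=100), sp must not be 'none', and the BIMI record must
    carry an https logo URL in its l= tag."""
    d = parse_tags(dmarc_record)
    policy = d.get("p", "none").lower()
    pct = int(d.get("pct", "100"))
    if not (policy == "reject" or (policy == "quarantine" and pct == 100)):
        return False, "DMARC policy is not at enforcement"
    if d.get("sp", "").lower() == "none":
        return False, "subdomain policy sp=none defeats enforcement"
    b = parse_tags(bimi_record)
    if b.get("v") != "BIMI1" or not b.get("l", "").startswith("https://"):
        return False, "BIMI record missing or logo URL is not https"
    return True, "ok"


if __name__ == "__main__":
    # Constructed records for example.com (not real DNS data).
    DMARC = "v=DMARC1; p=reject; sp=none; aspf=s; adkim=r"
    BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=;"
    legit = AuthResults(True, "bounce.example.com", True, "mail.example.com")
    spoof = AuthResults(True, "attacker.example", False, "")
    print(dmarc_disposition("example.com", "example.com", DMARC, legit))   # pass (DKIM aligned)
    print(dmarc_disposition("example.com", "example.com", DMARC, spoof))   # reject
    print(dmarc_disposition("news.example.com", "example.com", DMARC, spoof))  # none (sp=none)
    print(bimi_eligible(DMARC, BIMI))  # (False, ...) because of sp=none
```

The third disposition call is the point the BIMI check guards against: with sp=none, spoofed mail from any subdomain sails through, which is why a BIMI-eligible policy must not include it.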

AMP for Email
AMP is a framework for accelerating web page load times. AMP for Email creates the possibility of building interactive applications in AMP that live right inside the inbox — no need for users to click out to a separate web page. It includes provisions for authenticating senders and encrypting data in transit, which should alleviate security concerns, while opening up a wide range of possibilities for email-based application design. 

Schema.org for Email
Schema.org is a collaborative, decentralized project creating data "schemas" for different types of structured data, such as informational listings for people, places, and businesses; calendar events; audio and video objects; books; and even recipes. These lightweight metadata frameworks create a common baseline for applications to ingest and use this data. In email, Schema.org-encoded data can simplify integrations: For instance, if you get an order confirmation from a retailer, a Schema.org-formatted email could contain dynamically updated information on its shipping progress.

STARTTLS and MTA-STS
STARTTLS is an email security protocol that enables email clients and servers to exchange data in encrypted form, using TLS (Transport Layer Security) or SSL (Secure Sockets Layer) if they are available. This is akin to HTTPS for web pages: It ensures that messages are encrypted in transit. MTA Strict Transport Security (MTA-STS) is a related standard that takes this a step further, and can require authentication checks and encryption for connections between mail servers, which helps prevent any unencrypted data from being transmitted and thwarts man-in-the-middle attacks. In combination with DMARC, which assures the sender’s identity is legitimate, these two protocols further improve security for the "hidden plumbing" that makes email work.
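The step MTA-STS adds on top of plain STARTTLS is a published policy that the sending server must honour. As an added example (not code from the article or from any mail server), the block below parses the `_mta-sts.<domain>` TXT record and the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt` in the RFC 8461 format, and decides what a sender should do with a given MX host: deliver, deliver but report the failure (testing mode), or defer rather than fall back to cleartext or an unlisted server (enforce mode). The hostnames, policy text and record id are constructed for the example; actual DNS lookups, HTTPS fetching and TLS certificate validation are outside the block and represented by the `tls_ok` flag.

```python
"""Added example: MTA-STS (RFC 8461) policy parsing and sender-side decision.
Not the article's or any MTA's code; hostnames and policy text are constructed."""


def parse_sts_txt(record: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20200921T120000'."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_sts_policy(text: str) -> dict:
    """Parse the policy file (lines of 'key: value'; the mx key may repeat)."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)   # seconds the policy may be cached
        elif key == "mode":
            policy["mode"] = value.lower()   # enforce | testing | none
        else:
            policy[key] = value              # e.g. version: STSv1
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 MX matching: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Sender-side outcome for one MX connection given a valid cached policy.

    tls_ok means STARTTLS succeeded and the certificate validated for mx_host.
    'deliver'            - MX is listed and TLS is good (or no policy applies)
    'deliver-and-report' - testing mode: proceed, but report the failure (TLSRPT)
    'defer'              - enforce mode: never fall back to cleartext or an
                           unlisted MX; queue and retry instead"""
    mode = policy.get("mode", "none")
    if policy.get("version") != "STSv1" or mode == "none":
        return "deliver"  # no policy in effect: ordinary opportunistic STARTTLS
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_ok:
        return "deliver"
    return "deliver-and-report" if mode == "testing" else "defer"


def policy_needs_refresh(cached_id: str, txt_record: str) -> bool:
    """A sender re-fetches the policy when the id in the DNS record changes
    (expiry via max_age is not modelled here)."""
    tags = parse_sts_txt(txt_record)
    return tags.get("v") == "STSv1" and tags.get("id") != cached_id


# Constructed sample data for example.com (not real DNS or HTTPS content).
SAMPLE_TXT = "v=STSv1; id=20200921T120000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    print(delivery_decision(policy, "mail.example.com", tls_ok=True))        # deliver
    print(delivery_decision(policy, "mx1.backup.example.com", tls_ok=True))  # deliver
    print(delivery_decision(policy, "mail.example.com", tls_ok=False))       # defer
    print(delivery_decision(policy, "rogue.example.net", tls_ok=True))       # defer
    print(policy_needs_refresh("20200921T120000", SAMPLE_TXT))               # False
```

The two "defer" cases are the man-in-the-middle scenarios the article refers to: a downgraded or forged TLS session, and a DNS answer pointing at an MX the domain owner never listed. Without MTA-STS a sender would deliver in both cases.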

As these standards gain acceptance, with strong and widely deployed sender identity, email will become more interactive and more secure for all users. Already a vital communications channel for more than half the planet, it will evolve into an even more engaging, ubiquitous platform for B2B and B2C communications, and many of the problems we currently face with phishing and BEC will fade away. 

That won’t be easy. It will take a lot of effort by many different organizations and individuals. But the groundwork has been laid, and the benefits will be immense, so there is every reason to think that email is going to continue improving – and growing. Email isn’t going away. It’s only going to empower richer experiences and get bigger and better through the process.


Seth Blank is the chair of the working group developing BIMI, the secretary of the IETF working group developing DMARC, and an active contributor to many email industry groups. He is the director of industry initiatives at Valimail.
