Email is one of the most successful communications media ever invented, and its reach continues to grow. Almost 300 billion emails are sent worldwide every day, and the number of worldwide users continues to grow at a rate of 3% per year. By 2020 there will be 4 billion active users of email — more than half the planet’s population — according to the Radicati Group, which tracks email usage worldwide.
Unfortunately, email is unprepared for today’s threats, because it was designed nearly 40 years ago when its eventual global reach and security challenges were unimaginable. Decades of work by the email industry has largely contained spam, but phishing and email-based malware remain enormous threats, with email involved in over 90% of all cyberattacks, according to various estimates. Email vulnerabilities have even played a disruptive role in elections, such as in the 2016 hack of the Democratic National Committee’s email (done via spear phishing email) and in 2018 attacks on Florida election officials.
That’s why email insiders are busy developing standards aimed at addressing email’s most glaring weakness: that anyone can send email as anyone else. This lack of a strong sender identity model has created an epidemic of spoofing that doesn’t exist through other messaging applications that have strong sender identity controls. In other words, when you get a Facebook message, a WhatsApp message, or a Twitter DM, you can be fairly sure of who the sender actually is. But there are no such assurances in email, and that’s why there are 6.4 billion spoofed emails sent every day, according to a research report from Valimail.
With stronger sender identity protections in place, we can eliminate these fakes. Email will be more trustworthy and better able to support advanced capabilities. And that’s exactly what a variety of standards groups are focusing on. The gold standard for strong sender identity in email is DMARC, and the standards shaping the future of email are increasingly requiring it. Here are some of the new email standards improving sender identity and security for the entire ecosystem.
Domain-based Message Authentication, Reporting & Conformance has been an unofficial but widely accepted standard since 2015. It provides a way for domain owners to control which senders are allowed to send email using their domain. DMARC is accepted and enforced by about 80% of the world’s email inboxes, has been growing exponentially among domain owners, and the Internet Engineering Task Force (IETF) is working to make it an official standard. It’s too soon to know exactly what the next version of DMARC will include but it’s safe to say that it is fast becoming part of basic security best practices, along with firewalls and SSL/TLS encryption on websites.
Brand Indicators for Message Identification is a way for brands to specify images that appear alongside the authenticated email messages they send. Once their domains are authenticated with DMARC (with an enforcement policy), they gain the ability to display logos with their messages in place of the default avatars most inboxes show. Verizon Media is already running a pilot of BIMI in Yahoo Mail, and Google plans to run its own pilot in 2020. BIMI’s offer of brand impressions is a big incentive for marketers, which will drive many organizations to deploy DMARC in order to reap that benefit — and wider usage of DMARC will mean more trustworthy email overall for everyone.
AMP for Email
AMP is a framework for accelerating web page load times. AMP for Email creates the possibility of building interactive applications in AMP that live right inside the inbox — no need for users to click out to a separate web page. It includes provisions for authenticating senders and encrypting data in transit, which should alleviate security concerns, while opening up a wide range of possibilities for email-based application design.
Schema.org for Email
Schema.org is a collaborative, decentralized project creating data '"schemas" for different types of structured data, such as informational listings for people, places, and businesses; calendar events; audio and video objects; books; and even recipes. These lightweight metadata frameworks create a common baseline for applications to ingest and use this data. In email, Schema.org-encoded data can simplify integrations: For instance, if you get an order confirmation from a retailer, a Schema.org-formatted email could contain dynamically updated information on its shipping progress.
STARTTLS and MTA-STS
STARTTLS is an email security protocol that enables email clients and servers to exchange data in encrypted form, using TLS (Transport Layer Security) or SSL (Secure Sockets Layer) if they are available. This is akin to HTTPS for web pages: It ensures that messages are encrypted in transit. MTA Strict Transport Security (MTA-STS) is a related standard that takes this a step further, and can require authentication checks and encryption for connections between mail servers, which helps prevent any unencrypted data from being transmitted and thwarts man-in-the-middle attacks. In combination with DMARC, which assures the sender’s identity is legitimate, these two protocols further improve security for the "hidden plumbing" that makes email work.
As these standards gain acceptance, with strong and widely deployed sender identity, email will become more interactive and more secure for all users. Already a vital communications channel for more than half the planet, it will evolve into an even more engaging, ubiquitous platform for B2B and B2C communications, and many of the problems we currently face with phishing and BEC will fade away.
That won’t be easy. It will take a lot of effort by many different organizations and individuals. But the groundwork has been laid, and the benefits will be immense, so there is every reason to think that email is going to continue improving – and growing. Email isn’t going away. It’s only going to empower richer experiences and get bigger and better through the process.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Pieces of GDPR Advice for Teams Without Privacy Compliance Staff."