Keeping fraudulent email out of a recipient's inbox is hard: scammers, phishers, and other cybercriminals keep adjusting their tactics to evade email security gateways and the other technologies aimed at stopping email-based attacks.
Today, Internet infrastructure company Cloudflare announced an initiative to build email security and verification technology into its service infrastructure, starting with two features. First, the company has simplified the process of adding the layers of email security to a domain, including creating records for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Second, the company has launched a feature that makes it easy to route mail sent to corporate-branded addresses to whatever email infrastructure a business is currently using.
Simplification of email routing and domain-based security features is just the foundation of what Cloudflare intends to build out in the future, says Matthew Prince, CEO of the company.
"In order to build this functionality, we needed to have email that was flowing through our system, and we had to know we could deliver email to all the providers out there, so we needed to build the email routing functionality first," he says. "Our goal is to take features that were either expensive or reserved for large businesses and make them easy to use and make them available for a much larger audience."
The trust and security of email messages continues to be a problem, despite a trio of technologies designed to foil fraudsters. SPF lets a domain owner publish, in DNS, which servers are authorized to send mail on the domain's behalf, so a receiving server can check the sending server against that list. DKIM lets the sending infrastructure cryptographically sign messages under a domain, so any tampering in transit makes the signature fail. Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the two together: it requires that the domain in the visible "From:" header align with the domain that SPF authenticated or the domain that signed the DKIM signature, publishes the policy receivers should apply to messages that fail (none, quarantine, or reject), and defines how receivers report authentication results back to the domain owner.
Yet implementing all three technologies often requires help from a business's infrastructure provider and possibly even a consultant, which is why fewer than 10% of companies in most industries actually use them. In fact, the standards are complex enough and open enough to interpretation that researchers found differing implementations produced three classes of attacks, at least one of which affected each of 19 different email clients or providers they tested.
"At a high level, this is a general problem, which is that we build complex systems these days out of components that we get from different parties, and those parties can have inconsistencies in really minor ways that turn out to have security implications," Vern Paxson, a professor at the University of California at Berkeley and one of the researchers working on the issues, said at the time. "It is not anyone being boneheaded or a specification being sloppy so much as the complexity of the systems we build and the components we use, making security both hard and nasty."
Baking it In
The complexity of setting up email security, and of verifying that it is working, is one reason Cloudflare decided to integrate the features into its own infrastructure, says CEO Prince. The new services are designed to make it easy to publish correct SPF and DKIM records.
"These still remain one of the biggest thorniest problems in email security, [and] we are in a very unique position because of our global network," he says, adding that "this is not new, exciting technology, but old technology that we are making super easy for anyone to be able to use."
The email routing service essentially allows customers that manage their domains through Cloudflare to forward mail messages to specific addresses. Implementing the feature allows the company to scale up its ability to route mail messages while looking for anomalies that could indicate targeted or low-volume spear-phishing attacks.
The second service announced this week, the Email Security DNS Wizard, will help companies set up SPF, DKIM, and DMARC correctly by publishing the right records in their DNS zone, so that receiving mail servers can determine whether a bad actor is spoofing the company's domain. Cloudflare plans to roll out the feature first to users on its free plan, adding its other tiers in the coming weeks.
According to DMARC.org, about 2.7 million domains currently publish the DMARC record that tells receivers how to treat messages failing authentication, but about two-thirds of those organizations have set their policy to "none" (p=none), which only requests reports and lets messages that appear fraudulent through unchanged.
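To make the SPF/DKIM/DMARC mechanics described above concrete, and to show why a DMARC policy of "none" leaves a spoofed message deliverable, here is an added example (not Cloudflare's code, and not the DNS Wizard) that builds the three DNS TXT records a domain owner would publish and then evaluates DMARC alignment against constructed authentication results. It assumes relaxed alignment by default and approximates the organizational domain as the last two DNS labels (a real implementation consults the Public Suffix List); the domain names, IPs, selector and key are placeholders.

```python
"""DMARC alignment evaluator and record builder (added example, not Cloudflare code).

Simplifications, labelled as assumptions:
  * organizational domain = last two DNS labels (real DMARC uses the Public Suffix List)
  * authentication results are constructed sample data, not live SPF/DKIM checks
"""
from dataclasses import dataclass


def build_records(domain, spf_sources, dkim_selector, dkim_pubkey,
                  dmarc_policy="reject", rua="mailto:dmarc-reports@example.com"):
    """Return the TXT records a domain owner publishes, keyed by DNS name.

    spf_sources are SPF mechanisms such as 'ip4:192.0.2.10' or
    'include:_spf.provider.example'. '-all' makes unlisted senders hard-fail.
    adkim/aspf = r selects relaxed (organizational-domain) alignment.
    """
    return {
        domain: "v=spf1 " + " ".join(spf_sources) + " -all",
        f"{dkim_selector}._domainkey.{domain}": f"v=DKIM1; k=rsa; p={dkim_pubkey}",
        f"_dmarc.{domain}": f"v=DMARC1; p={dmarc_policy}; rua={rua}; adkim=r; aspf=r",
    }


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(name):
    # Assumption: organizational domain is the last two labels (e.g. mail.example.com -> example.com).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What a receiver knows after running SPF and DKIM on one message (constructed data)."""
    header_from: str   # domain in the visible RFC5322.From header
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    dkim_domain: str   # d= of a verified DKIM signature, "" if none
    dkim_result: str   # "pass", "fail", "none"


def evaluate_dmarc(dmarc_record, r):
    """Return "pass" if an aligned SPF or DKIM pass exists, else the published
    policy disposition ("none", "quarantine" or "reject")."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable record: receiver applies no DMARC policy
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    for name, txt in build_records("example.com", ["ip4:192.0.2.10", "include:_spf.mail.example"],
                                   "s1", "MIGfMA0G...placeholder").items():
        print(f"{name} TXT {txt}")
    # A spoof: attacker sends from their own SPF-passing domain but forges From: example.com.
    spoof = AuthResults("example.com", "attacker.example", "pass", "", "none")
    print("p=none   ->", evaluate_dmarc("v=DMARC1; p=none", spoof))    # delivered, only reported
    print("p=reject ->", evaluate_dmarc("v=DMARC1; p=reject", spoof))  # rejected
```

The spoofed message passes SPF for the attacker's own bounce domain, but that domain does not align with the forged "From:" header, so DMARC fails; only the published policy decides whether the receiver acts on that failure, which is exactly what a p=none policy gives away.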
By integrating the technologies into its service, Cloudflare plans to make it easy for companies to implement the email security features and help them spot more pernicious attacks, such as spear-phishing.
"There is still a substantial amount of very targeted attacks that are incredibly specific and sophisticated," Cloudflare's Prince says. "I don't think it is reasonable to expect that consumer email services are going to be able to have the solutions to that."