- Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
- Domain forgery must be stopped; and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and Domain Keys Identified Mail (DKIM — www.dkim.org).
- While its true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
- In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
- Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successfully, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.
Check out my opinion piece, published 10 April 2009, in SC Magazine’s print edition and on-line…
SC Magazine (http://www.scmagazineus.com/Protect-your-email-domain/article/130481/)
Protect your email domain
Tal Golan, founder and CTO, Sendio – 10 April 2009
Of all the struggles associated with securing email, one of the most basic is the identification and prevention of domain name forgery. Email has become an essential tool for business, however, there is absolutely no security layer required when an email message is sent and/or received.
Two promising technologies have been developed to protect against domain name forgery. Unfortunately, both have been lumped into the “anti-spam” category. While preventing some email spam is a minor side effect of these technologies, this mis‑characterization appears to have limited the widespread adoption of these technologies.
Sender Policy Framework (SPF) is designed to empower domain owners to limit the ability of their domains to be forged within email addresses. SPF records are published via DNS and provides owners a means to specify which mail sources are legitimate for their domain.
Domain Keys Identified Mail (DKIM) is a cryptographic domain authentication protocol developed to protect against domain forgery within email addresses. DKIM is the merger of two similar concepts from Yahoo! and Cisco.
Here’s the catch… Both SPF and DKIM require domain owners to take responsibility for themselves. In this day and age, any business or organization that relies on email as a trusted channel of communication owes it to themselves and their customers/partners to implement SPF and DKIM for each of their domains as soon as possible. While some consider this to be a “chicken and the egg” proposition, it’s clear that now is the time for responsible internet citizens to step up and embrace these important technologies.
One of the biggest problems with e-mail is the complete lack of an inherent security model. Like the telephone, most people have come to take e-mail for granted; expecting that it simply works. Most e-mail users do not know how easy it is to forge almost every aspect of an e-mail message. We have all received spam that, when viewed in our e-mail client (Outlook, Entourage, Gmail, etc.) appears to have been sent to us, from us. How can this happen?
There is a common misconception amongst many in the e-mail security space that anti-fraud technologies like Sender Policy Framework (SPF), SenderID and Domain Keys Identified Mail (DKIM) are part and parcel anti-spam technologies. While it is true that anti-fraud/anti-forgery technologies have a nice side-effect of preventing some spam, this is not their main goal. In addition, by lumping these imporant technologies in as simply anti-spam misses the point and tends to dimish the importance of these technologies.
Protecting your domain from e-mail forgery is up to you; the owner of the domain. Does your domain publish a Sender Policy Framwork (SPF) record (http://www.openspf.org/)? If not, why? What are you waiting for? Is your inbound e-mail checked to see if the sender’s domain publishes a SPF record? If not, why? After all, if the sender’s domain administrator has elected to take domain forgery seriously, you should as well. Finally, are you recognizing DKIM (http://www.dkim.org/) signatures for inbound e-mail and is your e-mail server signing outbound e-mail?
In case you are wondering… Google, eBay, Yahoo, Cisco, and many other large companies are now on the DKIM bandwagon.
Cloud Computing, e-mail | tgolan, 1 Jul 09 | 
Comments (0) 