[By John Anderson, Enterprise Information Security Manager, Lands’End]
Securing electronic messaging services, particularly when utilizing third-party services, is crucial for maintaining the integrity and security of your communications. Limiting who can send on your behalf is crucial to maintaining email reputation, security, and governance, ensuring that your communications are trusted by others while preventing unauthorized senders from spoofing your identity and ruining your reputation.
Industry recommendations are to limit outbound messages from your official sending domain to a single relay point. This can be provided by a specially configured secured email relay solution or a third-party messaging security solution, such as Microsoft, Mimecast, Proofpoint et al. It is essential that all third-party messaging partners relay messages through your configured secured email relay to present a single point of reference that can now have DKIM, SPF, DMARC, and other messaging standards (BIMI) applied uniformly. This will improve your overall reputation in the public messaging industry and allow you to track and remediate any potential issues.
There are multiple security, process, and business integrity reasons why you should not add Third Party Partners to your SPF records. These include but are not limited to the following:
- Managing multiple partners within your SPF records requires constant attention and risks missing removals or changes in the business direction.
- SPF record may become too large and cause lookup failures with impact delivery rates.
- Third-Party partners can inadvertently send messages out with your domain signature that are not authorized or related to your business.
- You are unable to verify what messages were sent by the third party and to whom. This may lead to a Bad Reputation score as a spammer sending unsolicited messages.
- Third-Party partners may suffer a breach, and this now becomes your breach.
- You may lose customers’ confidence and have reduced opening rates for your messages.
Here are some best practices to ensure correct DKIM, SPF, DMARC, and overall security standards:
- “Choose a Reputable Proxy Service Provider”: Ensure that the third-party proxy service provider you choose has a good reputation for security and reliability. Look for providers with a history of maintaining high standards of security compliance.
- “Implement DKIM, SPF, and DMARC”: These are essential email authentication protocols for preventing email spoofing and phishing attacks.
- “DKIM (DomainKeys Identified Mail)”: Sign outgoing messages with digital signatures to verify the sender’s domain.
- “SPF (Sender Policy Framework)”: Define which IP addresses are allowed to send emails on behalf of your domain.
- “DMARC (Domain-based Message Authentication, Reporting, and Conformance)”: Specifies how your domain’s emails should be handled if they fail authentication checks.
- “BIMI (Brand Indicators for Message Identification)”: BIMI adds a verified sender logo that appears next to your message in the inbox.
- “Configure DNS Records”: Ensure that your DNS records are correctly configured to support DKIM, SPF, and DMARC. The DNS records should include the necessary public keys, SPF records, and DMARC policies.
- “Monitor Email Traffic”: Regularly monitor your email traffic to detect any anomalies or suspicious activities. This includes monitoring for failed authentication attempts, unusual message volumes, and unexpected changes in email patterns.
- “Enforce TLS Encryption”: Require Transport Layer Security (TLS) encryption for all incoming and outgoing emails. This ensures that emails are transmitted securely over the internet and are protected from eavesdropping and interception.
- “Implement Multi-factor Authentication (MFA)”: Require users to authenticate using multiple factors such as passwords, biometrics, or security tokens. This adds an extra layer of security to prevent unauthorized access to email accounts.
- “Regular Security Audits and Penetration Testing”: Conduct regular security audits and penetration testing to identify and address any vulnerabilities in your email infrastructure. This helps ensure that your systems are up to date with the latest security patches and configurations.
- “Employee Training and Awareness”: Educate employees about email security best practices, including how to recognize phishing attempts and other email-based threats. Regular training sessions and awareness programs can help prevent security incidents caused by human error.
- “Review Proxy Service Agreements”: Thoroughly review the service agreements with your proxy service provider to ensure that they comply with your organization’s security requirements and standards. Pay attention to clauses related to data privacy, security, and compliance.
- “Stay Informed About Emerging Threats”: Keep up to date with the latest developments in email security threats and best practices. Subscribe to security newsletters, participate in industry forums, and collaborate with other organizations to share information about emerging threats and vulnerabilities.
By following these best practices, you can enhance the security of your electronic messaging services when using third-party proxy services and ensure compliance with DKIM, SPF, DMARC, BIMI, and other security standards.
