Email has been around a long time. It dates all the way back to 1971 when a researcher named Ray Tomlinson built the first networked email system in the world. He’s even the person responsible for the use of the @ symbol in email addresses that’s become so familiar to us all.
It’s an old technology, and it isn’t without its problems. And one of the biggest is the fact that the core email protocols that make global messaging possible have no real security measures baked into them. 
And that has made email vulnerable in several ways. The most well-known effect of the problem is spam, which reached near-epidemic proportions before email providers found ways to get it under control.
And spam isn’t just an annoyance. It’s a vehicle for malware attacks, phishing attempts, and identity theft. So it’s something we all have to worry about. And you’re not powerless to stop it. Anyone that operates an email server has some options to make their email infrastructure more secure.
And to help, we’ve created this overview of the three major email security protocols in use today. We’ll cover what they are, how they work, and most importantly, how to use them to make your email more secure. Let’s dive in.
An Introduction to Email Security Standards
As a response to the rise of spam around the world, technology companies and email providers designed some ways for email servers to tell if messages are authentic or not. And they’re all open standards that any email server operator can use. One of them helps identify emails as having come from an authorized sender. The second helps verify that the content of a message hasn’t been altered in transit. And the third ties them together into a unified reporting and message delivery policy. The protocols are:
- SPF – Sender Policy Framework
- DKIM – DomainKeys Identified Mail
- DMARC – Domain-based Message Authentication, Reporting and Conformance
All three standards work together to help email servers remain secure and to prevent third parties from spoofing addresses, executing man-in-the-middle attacks, or otherwise sending unauthorized messages from a particular domain. Here’s a little bit about how each one works.
Sender Policy Framework
Sender Policy Framework (SPF) is an email authentication system that uses a DNS text record to let other email servers know who’s authorized to send mail for a given domain. When it’s in use, the receiving email server will examine each incoming message’s return path information (data listing the servers that sent and relayed the message). It will check to see if the server that sent the message is authorized for its named domain by checking it against the sending domain’s DNS records.
If the message is from an authorized server, it’s sent through to the recipient’s mailbox. If not, it may be flagged as spam or deleted outright, depending on how the receiving server is configured to handle it. Adding a Sender Policy Framework record to your domain’s DNS zone file is the first step in letting others know that messages you’ve sent are really from you, and aren’t an attempt to spoof your address.
DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM) offers an additional layer of defense for your email. It also involves the addition of a custom DNS text record to a sender’s domain. But in this case, the record contains the public half of an encryption key pair. The private half of the pair is used by the domain’s email server to sign all messages as they go out for delivery.
The receiving email server is then able to use the public/private key pair to verify that a given message hasn’t been altered in transit. It also helps to verify that the message came from the server it claims it did. In other words, it serves as a shield that protects email from any attempted man-in-the-middle attacks or other forgery attempts.
Domain-based Message Authentication, Reporting and Conformance
Last but not least is Domain-based Message Authentication, Reporting and Conformance (DMARC). It’s a system that unifies SPF and DKIM into a single email authentication and reporting system. And it does so with another DNS text record that tells the world to expect emails from a domain to pass both authentication checks. It also lets receiving email servers know what to do with messages that don’t.
A domain’s DMARC record can instruct a receiving email server to pass, quarantine, or delete emails based on whether it passes authentication. That gives senders the ability to all but eliminate the possibility of anyone receiving messages that claim to be from them but aren’t. And, the system includes a reporting function that can give senders insight into any mail delivery issues should they arise.
A Hardened Email Infrastructure
With the three email security protocols listed here in place, the possibility of spam and other email-related fraud is greatly reduced. That’s good for the reputations of senders as well as the security of the global email infrastructure. And it’s possible to get all three set up as a part of a single email security hardening service – making the process as simple as it can be.
So the bottom line is that email security isn’t a given. It’s up to email server operators and domain owners everywhere to set up the right protections. And now that you know what they are, the next steps are obvious, and they’re up to you.