Content

M3AAWG issues email authentication advice for security pros

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) has put out a joint call-to-action with Google and Verizon for the security industry to take more proactive measures to authenticate and secure their sending domains and email addresses by deploying email authentication at scale.

Preventing rampant phishing during the COVID-19 period should be a top priority for domain owners, the group said in a statement posted earlier this week. M3AAWG said the COVID-19 pandemic has provided “air cover” and new lures for bad threat actors to take advantage of the collective anxiety, fear and social isolation people around the world face while meeting stay-at-home orders.  

“The need for the widespread adoption of email authentication cannot be understated,” said Len Shneyder, co-chair of the Election Security Working Group at M3AAWG and vice president of industry relations at Twilio. “We want companies to use strong authentication to protect all businesses at a time when there’s been an uptick in malicious email campaigns, but also that brands like the WHO and CDC can’t be exploited by the bad threat actors in these campaigns.”

Shneyder said M3AAWG and its more than 200 members strongly encourage domain owners that operate email programs to adhere to the following:

  • Publish Sender Policy Framework (SPF) records with at least ~all, or -all if the domain does not send email.
  • Sign all mail with aligned DomainKeys Identified Mail. DKIM is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
  • Publish Domain-based Message Authentication, Reporting and Conformance (DMARC) policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception.

During this time of pandemic, M3AAWG said it’s more essential than ever that malicious actors can’t impersonate trusted sources of information or assistance, contending that taking advantage of the full suite of email authentication protocols is the best way for a sender to establish and affirm identity when sending email. By creating barriers to impersonation, a sender’s identity becomes more trusted and harder to forge, thereby restoring trust because the sender is who they claim to be.

“The protocols have been around for many years, but now’s the time for people to start using them more actively,” Shneyder said.

Shneyder said M3AAWG recognizes that implementing email authentication can be challenging and time consuming for many organizations. For companies that send their own email, consult with the company’s developers and operations personnel on the best way to deploying email authentication and move to enforcement. If the organization’s email gets sent by a third party, work with their technical teams as they may have ready, out of the box tools to get the job done.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.