Your Email Resource.
All Items
Everything published on Email Manual
Brands must do more to protect their subscribers from phishing.
May 11th
According to the OTA (Online Trust Alliance) organisations must do more to protect their email subscribers from being victims of phishing scams.
Phishing scams are emails sent by a spammer which mimics a well known brand in order to get the subscriber to disclose usernames and passwords or other personal information. For instance every one of us has received an email claiming to be from our banks. Most of these are easy to spot and consequently easy to ignore but some are not. Spammers will often put in considerable effort, registering similar domains to the genuine brand, putting many hours into the site design containing the genuine brands logos etc which often makes them indistinguishable to the average internet user.
The online trust alliance released a report last month claiming that 56% of .gov Web sites and 45% of leading e-commerce sites are not taking appropriate e-mail and domain security measures.
The report measured 25 government domains, as well as the top 300 online retailers as measured by sales volume during a 10 day period last month.
Analysis was done against the DNS records of the US government and ecommerce sites which shows whether the organisation uses SPF, Domain keys or its slightly younger sister, DKIM and found that a huge percentage of these domains had not adopted one of these email authentication technologies which allows spam filters to pickup on phishing emails/spam and either block or quarantine them.
Whilst big brands and government organisations continue to fail to adopt these sorts of technologies there will always be successful phishing scams. If large organisations like these started to adopt these technologies, spam filters could become more aggressive against domains that don’t authenticate correctly which will apply pressure for smaller brands and individual companies to follow suit which would dramatically help reduce the amount of phishing and spam emails sent across the globe.
A Gartner survey of 5,000 adults in the US estimated that 24.4 million Americans have been duped by a phishing e-mail in 2006. If the larger organisations did their bit in helping IT departments block these sorts of emails it would undoubtedly save the economy millions of pounds which are lost to fraudsters every year.
Email Manual Recommendations:
- Implement SPF on your domain, initally with softfail, then switch to hardfail once you have gained confidence.
- Implement Domain Keys/DKIM on outbound email.
- Block inbound email which hardfails SPF checks.
- Block inbound email which is not Domain key/DKIM signed where the policy record for the domain indicates all mail should be signed.
Goodmail Adopts DKIM: Widening the range of supported MTA’s
May 11th
Daniel Dreymann the co-founder of Goodmail, the company whose product range includes CertifiedEmail recently wrote on his personal blog that Goodmail are to adopt the use of DKIM as an authentication method rather than relying on a standard which goodmail themselves had designed and implemented involving RSA key pairs and SHA-1.
Daniel said:
“It was a relatively simple matter for us to substitute DKIM for our original authentication layer. The authentication layer was, and still is, a rather prosaic component of CertifiedEmail. The other security components, the “secret sauce” that made CertifiedEmail the best and the only secure email certification system, remain in place. DKIM-based CertifiedEmail is as secure as the original specification of CertifiedEmail.”
The benefit to marketers and IT staff here is that rather than having to run and maintain specialised MTA’s from vendors like Port25, Strongmail, Message systems and Socketlabs nearly all off the shelf mail servers will support DKIM signing on outbound messages. This allows organisations to use CertifiedEmail from Goodmail on your outbound corporate email as well as emails you send through your ESP (Email Service Provider).
If you wish to read more about this news please see the full press release here.
