Building Trust 6 August 2014

2014 Email Integrity Audit

Best Practices to Enhance Trust & Fight Malicious & Deceptive Email

Executive Summary

Since 2004, OTA has been working on the development of best practices and standards to enhance the integrity of the email channel. While email continues to flourish as a vibrant medium to engage and connect with consumers worldwide, fraudulent actors and cybercriminals continually use it for malicious purposes. With the advent of interest-based advertising, marketers can reach consumers with greater precision and relevance. Unfortunately, cybercriminals are doing the same, leveraging email’s open structure for illicit purposes.

Targeted spear-phishing campaigns delivered over email are an ongoing threat to consumers worldwide. Phishing compromises unsuspecting consumers and business users, driving identity theft, ransomware, account takeovers and data breach incidents. Left unabated, these threats run a significant risk of undermining trust and confidence in email.

The Email Integrity Audit is a companion to the 2014 Online Trust Audit and Honor Roll report released in June 2014. This Audit provides an in-depth review of email security best practices, focusing on those needed to detect and block spoofed and forged email.

This Audit tracks the adoption of three critical email authentication standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC). The Audit also covers Transport Layer Security (TLS), a recommended best practice that protects the privacy of email in transit between mail servers. Note that TLS secures each server-to-server hop; it does not protect a message end to end from one user to another.

By implementing email authentication, organizations can help protect their brands and consumers from spoofed and forged email. Building on the SPF and DKIM protocols, DMARC adds a policy assertion that tells receiving parties (e.g., ISPs and corporate email administrators) how to handle messages that fail authentication. Equally important, DMARC provides a reporting mechanism back to the brand or domain owner about both their own authentication practices and email sent in their name by unauthorized third parties.

It is widely accepted that when organizations implement SPF, DKIM and DMARC across all of their outbound email streams they achieve three major benefits:

  1. Increased protection from consumers receiving malicious and fraudulent email
  2. Improved brand reputation protection
  3. Enhanced deliverability of legitimate email into users’ inboxes

There has been growth in the deployment of email authentication in all industry sectors, yet major and systemic issues remain. Failing to apply authentication standards comprehensively risks placing consumers and employees in harm’s way. This is often the result of companies authenticating only selected sub-domains while failing to authenticate their top-level (organizational) domain, which is the domain most often abused. Inconsistent authentication is like reinforcing and locking the front door of your house while leaving the side door and garage door wide open.
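The two points above, that DMARC adds a policy and a reporting channel on top of SPF and DKIM, and that authenticating only sub-domains leaves the organizational domain open, can be checked mechanically from published DNS records. The script below is an added example written for this page, not code from OTA or the Audit. It parses SPF and DMARC TXT records from a constructed in-memory zone (the `example.com` names and records are hypothetical stand-ins for a live DNS query) and reports the gaps a brand owner should fix: a missing or permissive SPF record, a missing DMARC policy, a monitor-only `p=none`, no `rua=` reporting address, and sub-domains with nothing to inherit.

```python
"""Audit SPF/DMARC coverage across an organizational domain and its sub-domains.

Added example, not part of the OTA audit. Records come from a constructed
in-memory zone rather than live DNS so the script runs offline.
"""

# Constructed sample zone keyed by owner name (hypothetical domains/records).
# The sub-domain mail.example.com is fully locked down, news.example.com has
# SPF only, and the organizational domain has a permissive SPF and no DMARC.
ZONE = {
    "mail.example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "news.example.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "example.com": ["v=spf1 include:_spf.example.net ?all"],
}


def lookup_txt(zone, name):
    """Return TXT records for name (stand-in for a DNS TXT query)."""
    return zone.get(name.lower(), [])


def parse_spf(records):
    """Return the SPF record's mechanisms, or None when no v=spf1 record exists."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0].split()[1:] if spf else None


def spf_all_qualifier(mechanisms):
    """Qualifier on 'all': '-' fail, '~' softfail, '?' neutral, '+' pass; None if absent."""
    for m in mechanisms:
        if m.lstrip("+-~?").lower() == "all":
            return m[0] if m[0] in "+-~?" else "+"
    return None


def parse_dmarc(records):
    """Parse the 'tag=value' pairs of a DMARC record into a dict, or None if absent."""
    rec = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_domain(zone, domain):
    """Collect SPF presence/strength and DMARC policy/reporting for one domain."""
    spf = parse_spf(lookup_txt(zone, domain))
    dmarc = parse_dmarc(lookup_txt(zone, "_dmarc." + domain))
    return {
        "domain": domain,
        "spf": spf is not None,
        "spf_all": spf_all_qualifier(spf) if spf else None,
        "dmarc": dmarc is not None,
        "dmarc_p": dmarc.get("p") if dmarc else None,
        # sp= (sub-domain policy) defaults to p= when not set.
        "dmarc_sp": dmarc.get("sp", dmarc.get("p")) if dmarc else None,
        "dmarc_rua": bool(dmarc and dmarc.get("rua")),
    }


def audit_org(zone, org_domain, subdomains):
    """Audit org_domain and its sub-domains; return the list of issues found.

    The headline check is the one the report stresses: the organizational
    domain itself needs SPF with a strict 'all' and a DMARC policy, because
    sub-domain-only deployments leave the most-abused name unprotected.
    """
    issues = []
    apex = audit_domain(zone, org_domain)
    if not apex["spf"]:
        issues.append(f"{org_domain}: no SPF record")
    elif apex["spf_all"] not in ("-", "~"):
        issues.append(f"{org_domain}: SPF 'all' qualifier is {apex['spf_all']!r}; use -all or ~all")
    if not apex["dmarc"]:
        issues.append(f"{org_domain}: no DMARC record; sub-domain policies do not cover the organizational domain")
    else:
        if apex["dmarc_p"] == "none":
            issues.append(f"{org_domain}: DMARC p=none only monitors, no enforcement")
        if not apex["dmarc_rua"]:
            issues.append(f"{org_domain}: no rua= address, so no aggregate reports come back")
    for sub in subdomains:
        s = audit_domain(zone, sub)
        if not s["spf"]:
            issues.append(f"{sub}: no SPF record")
        # A sub-domain without its own _dmarc record inherits the org domain's sp= (or p=).
        if not s["dmarc"] and not apex["dmarc"]:
            issues.append(f"{sub}: no DMARC record and nothing to inherit from {org_domain}")
    return issues


if __name__ == "__main__":
    for issue in audit_org(ZONE, "example.com", ["mail.example.com", "news.example.com"]):
        print(issue)
```

Run against the constructed zone it reports three findings: the organizational domain's neutral `?all`, its missing DMARC record, and `news.example.com` having no DMARC policy of its own or to inherit. DKIM is deliberately not checked here: DKIM public keys live under per-selector names (`selector._domainkey.domain`) that are only discoverable from signed messages, so DKIM coverage is best assessed from DMARC aggregate reports rather than from DNS alone. A live version would also need to follow `include:` chains and honour the SPF lookup limit.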

In addition to implementing these standards, brand owners should monitor both existing and new domain registrations for look-alike domains and brand-jacking. Proactive defensive domain registrations are a critical step in protecting a brand by reducing the availability of look-alike domains. Such domains can be used for social engineering attacks, including spear phishing, and are easily mistaken for the genuine domain by users, resulting in compromised devices and online credentials.
