Authenticating the World’s Email
Ed Amoroso summarizes a recent technical conversation with the principals of ValiMail about advanced email authentication solutions.

Readers of this column have come to recognize my incessant on-and-on about the need for improvements in global email security infrastructure. I’ve argued repeatedly that the full adoption of DMARC, in particular, would represent a major advance in this regard. I was therefore pleased to see the US Federal Government finally mandate DMARC (and HTTPS) for civilian agencies in 2018, following the UK’s similar directive in 2016. Good job, Feds.

Now, for your little test: I want you to take a moment and be honest: Do you really understand what DMARC is all about? Would you be able to get up to a white board and explain the security standard and its implications for your colleagues? My suspicion is that most of you probably could not. In fact, I’ll bet that more than half the people reading this article would not be able to expand the acronym. (Go ahead and jump over to Wikipedia to look it up. I’ll wait.)

And so, I had the great pleasure to spend some quality time this past month on two separate occasions digging into the fine technical work being done at ValiMail. Founded in 2015, the company is focused on not just the modest (ahem) goal of automating DMARC deployment and monitoring for email security, but also eventually targeting the more awesome task of authenticating the world’s communications. But first things first . . .

I asked company founder and CEO Alex García-Tobar to share his strategy for driving his DMARC-based solutions for business customers, and he was enthusiastic in his response. “First, we believe the timing is finally right,” he explained. “It took a long time for the standard to take off, but now that the United States Government has mandated this security approach for agencies, there is no question in our minds that businesses will decide to follow.”

The ValiMail team spent time re-introducing me to the technical details of DMARC and its underlying SPF and DKIM components. They walked me through how email recipients can use the standard to determine whether an inbound message aligns with specific information about the actual sender. This is how, for example, a recipient can determine if that email from backstreets.com really came from the Boss’s official email provider.

I asked Dylan Tweney, who heads up Communications, how they intended to support customers. “Since roughly 70% of all current DMARC deployments have not been fully realized,” he said, “we believe the market is now ready for email authentication as a service.” He went on to explain how such an end-to-end managed DMARC solution addresses the more frustrating and confusing aspects of dealing with SPF lookup limits, rotating DKIM keys, and so on.

We spent some time discussing the threats addressed by email authentication, and the list was impressive. “Fraudulent use of email, including phishing attacks, is really the most intense exploit addressed in our solution,” García-Tobar explained. “The ValiMail solution literally shuts down phishing attacks using spoofed domains as a means for targeting an enterprise or government organization.”

The value proposition emphasized by the ValiMail team with respect to email authentication is automation. The team provided great evidence that without full automation of DMARC, SPF, and DKIM, the ability to move customers to full enforcement – with the requisite quarantine or rejection of suspect email – is severely limited. This theme certainly matched my own experience of trying to push the DMARC standard across different industry sectors.

As you might guess, the ValiMail team was pleased with the Department of Homeland Security’s recent directive that all government agencies implement DMARC in early 2018, with the goal of enforcing policy by early 2019. To support this mandate, the company is now offering ValiGov, which fully automates the required activities for federal agencies and so increases the chances that all requirements will be met by the target dates.

Now, everyone knows that determined fraudsters can certainly still navigate around email authentication by using cousin domains and similar exploits – so DMARC is far from a perfect control. But every security expert agrees that email authentication is a great step forward, one that should be mandated not only for government, but for all businesses of every size in every sector.

Give the ValiMail team a call to learn more about their fine solution offering. And as usual, please let me know what you learned. 

Genevieve Nicholas

Owner/Facilitator - Saddle Up Life Skills (Life Skills Development)

6 years ago

Edward, I’d love to write about this. If I do, could I reference your work?

Dylan Tweney

I help companies, execs, and founders communicate better.

6 years ago

Thanks for the kind writeup, Ed! ValiMail is here on LinkedIn, if anyone wants more info. ValiMail

Buddy Youngblood

Vice President & Executive Director AT&T Govt Solutions (Retired) Military Veteran

6 years ago

Check out SPARKPOST .... good article on WHAT IS DMARC
