Common Email Configuration Errors: What They Are, and Why They’re Important

In today’s business world, everybody has an email — sometimes more than one. It’s a critical business service, and email system configuration is a key part of making sure email can meet your business needs.

Email system configuration is required in order to ensure availability, manage capacity, tune performance and block malicious content from getting to users. Proper email configuration also ensures users have access to the latest features and capabilities, in a safe and secure manner.

There are dozens of features now that are considered part of the email solution, including calendaring, message encryption for sending confidential information, signing messages, and much more.

But without an understanding of the complexity behind the mail system and without properly configuring those features, they either won’t be available to users, or worse, they could be misconfigured and open up holes in your security.

Why is Secure Email Configuration Important?

Security against phishing attacks is the foremost reason for properly configuring email. Phishing attempts and delivering malicious content to users’ inboxes are the most utilized mechanisms for infiltrating an organization. The first line of defense against these attacks is appropriate email configuration.

Email configuration matters beyond security, too: it determines how much you get out of your email service. That includes enabling and managing advanced capabilities, providing encryption capability, reducing spam, managing capacity and retention, and preventing email hijacking or misuse.

For example, many email systems now offer a public scheduling capability. Organizations may want to enable this feature in a limited capacity for sales or other public facing employees, but not for all employees.

Further, proper configuration is critical to ensure sensitive internal calendar information is not exposed to the public. Calendars could include subjects or notes about confidential topics including intellectual property, customers, or mergers and acquisitions. Leakage of this information could be very damaging to a business.

What Kind of Email Configurations Are There, and How Are They Used?

There are too many email configurations out there to cover in a single article. Here are a handful of the most common configuration settings, which are both vendor agnostic and crucial to secure operations.

With that, get ready for some alphabet soup.

DomainKeys Identified Mail (DKIM)

DKIM is built on public key cryptography. It’s very similar to how certificates work with HTTPS. In today’s world, when you open a browser and go to a website, if you see the lock and the HTTPS you know you’re secure.

DKIM is kind of like that. If a message isn’t signed, it’s like a non-HTTPS URL. But if it is DKIM signed, then you can be assured that it’s coming from the domain that claims to have sent it.

The complexity here is that a record must be created in the domain name system (DNS), the same system that links domain names and IP addresses. The recipient’s email system retrieves the public key from that record and uses it to verify that the message was actually sent by the purported sender.

With DKIM, a company will need to register all of its valid sender domains by creating separate keys and entries in DNS. For regular users, this is probably just the company domain and one record can work for all.

But for the marketing team, it means all of the third-party tools, such as CRMs and bulk mail services, each need to be registered in order to use DKIM. If a sender goes unregistered, messages may not get delivered, or the sender may end up on a blacklist due to the misconfiguration.
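As an added example (not code from the original article), the following Python walks through the receiver-side steps this section describes: it reads the DKIM-Signature header, derives the DNS name of the selector record, sanity-checks the key record, and recomputes the body hash so that a message altered in transit is detected. The domain example.com, the selector sel2024, the message and the key record are all constructed for the example; the RSA signature check over the headers is left out because it needs the public key plus a crypto library.

```python
import base64
import hashlib
import re

# Constructed sample of a DKIM public-key TXT record, as it would be published at
# <selector>._domainkey.<domain>. The p= value is placeholder bytes, not a real key.
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder-public-key-bytes").decode()


def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature headers and key
    records. Whitespace inside a value is dropped, which also undoes header folding."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """The DNS name a verifier queries for the signer's public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_key_record(record):
    """Sanity-check a key record fetched from DNS before using it. Returns (ok, reason)."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "not a DKIM1 record"
    if tags.get("k", "rsa") != "rsa":
        return False, f"unsupported key type {tags['k']}"
    if not tags.get("p"):
        return False, "empty p= tag: key has been revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return False, "p= tag is not valid base64"
    return True, "ok"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, no empty lines at
    the end of the body, and exactly one trailing CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(signature_header, body):
    """First half of verification: does the body as received still hash to the bh=
    the signer recorded? Any change in transit, accidental or malicious, breaks this."""
    return parse_tags(signature_header).get("bh") == body_hash(body)


# Constructed message. bh= is computed here the way the signer would have computed it;
# b= (the RSA signature over the selected headers) is a placeholder, because checking it
# needs the public key from DNS plus an RSA library, which this example leaves out.
ORIGINAL_BODY = "Hi team,\nPlease review the attached contract.\n"
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    tags = parse_tags(SIGNATURE_HEADER)
    print("query TXT record:", dkim_dns_name(tags))          # sel2024._domainkey.example.com
    print("key record usable:", check_key_record(SAMPLE_KEY_RECORD))
    print("body intact:", body_hash_matches(SIGNATURE_HEADER, ORIGINAL_BODY))
    tampered = ORIGINAL_BODY.replace("contract", "invoice")
    print("after tampering:", body_hash_matches(SIGNATURE_HEADER, tampered))
```

Two details worth noticing: the selector in the header (`s=`) is what lets a domain publish several keys side by side, which is how key rotation and per-vendor keys work in practice, and an empty `p=` is the documented way to revoke a key, so a verifier must treat it as "no key" rather than as an error to skip.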

Sender Policy Framework (SPF)

SPF lets a domain owner list the trusted senders that are allowed to send mail on behalf of the company domain. It’s a simple text record, also published in DNS, that denotes the allowed senders.

SPF is most important for marketing. Marketers often send mail on behalf of their clients through third party tools. And without SPF, a threat actor could potentially jump in and send email on your company’s behalf as well. SPF helps to shut that down.

So register your CRMs, mass mail tools, HubSpot, and third-party tools in SPF. Unlike DKIM, however, you can only have one record for SPF — not one record for each approved sender. Within that record, multiple entries can be listed to account for each approved sender.
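An added example, not from the original article: a small SPF evaluator in Python that answers the receiving system's question "may this IP send for this domain?". The records in `DNS_TXT` and the domains are constructed placeholders, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (`a`, `mx`, `exists` and `redirect` are omitted). The `broken.example` entry shows what a receiver does with two SPF records, the single-record rule the text just mentioned.

```python
import ipaddress

# Constructed DNS TXT data. A real evaluator queries DNS; a dictionary stands in here
# so the example runs offline. Addresses are from the documentation ranges.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example.net -all"],
    "_spf.crm.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "broken.example": [                      # two records: the misconfiguration to avoid
        "v=spf1 ip4:203.0.113.5 -all",
        "v=spf1 include:_spf.crm.example.net -all",
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=DNS_TXT):
    """Return the domain's single SPF record, or None if it has none. More than one
    v=spf1 record is a permanent error for receivers, so it is raised here."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise ValueError(f"{domain}: {len(records)} SPF records published, only one is allowed")
    return records[0] if records else None


def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate whether `ip` may send mail for `domain`.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"   # recursion guard; real evaluators cap DNS-querying terms at 10
    try:
        record = get_spf_record(domain, dns)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # membership is False when the address family differs, so v4 never matches ip6
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the included record yields 'pass' for this IP
            if check_host(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"   # mechanism not implemented in this example
    return "neutral"             # nothing matched and no 'all' term was present


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("192.0.2.1", "example.com"), ("203.0.113.5", "broken.example")]:
        print(f"{ip:>15} sending for {domain}: {check_host(ip, domain)}")
```

The `include:` line is how a CRM or bulk-mail vendor gets added without editing the record every time the vendor changes its IPs, but every include the vendor itself contains also counts against the receiver's lookup budget, which is one reason to keep the list of trusted sources short. Note that with two records published, even the IP listed in one of them is not authorized: the whole evaluation stops with a permanent error.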

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC is the glue that ties together DKIM and SPF. A DMARC policy helps secure your email overall by ensuring that mail is coming from trusted senders and that nobody is spoofing your domain.

DMARC is the policy that says what happens if mail fails SPF or DKIM checks, and there are three options for what happens to those messages.

You can choose to do nothing with them. Or, you can quarantine a message, meaning manual intervention is required before that message can get delivered to a user’s inbox. Or, you can just discard that message outright.
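An added example, not from the original article: Python that applies a DMARC policy the way a receiving system does, with the three dispositions just described. It also shows the detail the section relies on but does not spell out: DMARC passes only when SPF or DKIM passes for a domain aligned with the visible From domain, which is what stops someone from passing SPF for a domain they control while spoofing yours. The records, domains and the two-label organizational-domain rule are constructed simplifications; `sp=`, `pct=` and the fallback to the organizational domain's record are omitted.

```python
# Constructed DMARC records. A real receiver fetches the TXT record at
# _dmarc.<From-domain>; a dictionary stands in for DNS here.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.lax.example": "v=DMARC1; p=none",
}

# The three policy options: do nothing, quarantine, or discard.
ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_tags(record):
    """Parse 'tag=value; tag=value' into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}


def org_domain(domain):
    """Organizational domain, simplified here to the last two labels. Real receivers
    consult the Public Suffix List (so that e.g. co.uk is not an organization)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') only the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DMARC_TXT):
    """Apply the From domain's DMARC policy to one message's authentication results.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for; dkim_domain is
    the d= of a signature that verified. Returns (policy, dmarc_result, action)."""
    record = dns.get(f"_dmarc.{from_domain}")
    if record is None:
        return ("missing", "no-policy", "deliver")   # no policy: receiver is on its own
    tags = parse_tags(record)
    policy = tags.get("p", "none")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (policy, "pass", "deliver")
    return (policy, "fail", ACTIONS.get(policy, "deliver"))


if __name__ == "__main__":
    cases = [
        # From domain,  SPF result, SPF domain,         DKIM result, DKIM d= domain
        ("example.com", "pass",     "mail.example.com", "none",      None),            # own mail server
        ("example.com", "fail",     "crm.example.net",  "pass",      "example.com"),   # CRM signing with our key
        ("example.com", "pass",     "evil.example",     "none",      None),            # spoofed From, unaligned SPF
        ("lax.example", "fail",     "evil.example",     "fail",      "evil.example"),  # p=none: delivered anyway
    ]
    for case in cases:
        print(case[0], case[1:], "->", dmarc_disposition(*case))
```

The second case is the one that matters for marketing tools: a vendor sending from its own envelope domain fails aligned SPF, so the message only survives a `p=reject` policy if the vendor signs with a DKIM key under your domain. The fourth case is what "p=none" means in practice: the failure is reported (via the `rua=` address) but nothing is blocked.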

Blacklisting

I’ve already mentioned blacklisting. Blacklisting occurs when someone has been determined to be a poor email sender. Typically, blacklisting is done by a third-party provider that monitors email traffic. They look at all the traffic out there, and then they make a determination on the quality of the email that’s coming from a given domain.

These service providers give scores to email senders. A low score indicates that the sender’s emails are irrelevant or malicious, users are marking their emails as spam, the emails aren’t being signed, or they’re not a trusted sender.

The end result of blacklisting is that messages are not going to reach their intended recipients. They’re either going to end up in spam buckets, or get dropped altogether before they arrive at the recipient’s email system.

In short, if you are blacklisted, you are being labeled as a domain known for sending spam or other malicious content. Even legitimate content from your domain could get blocked.

It’s important to keep an eye on these blacklisting services. And if you see that your company is being blacklisted, you need to investigate why and try to get yourself removed from those lists.

Spam and Content-Blocking Filters

On the internal side, it’s also important to take a look at spam and content-blocking filters. This is how phishing messages are prevented from ever making it to a user’s inbox.

If the message doesn’t get there, they can’t click that link, cough up credentials, or otherwise somehow allow a threat actor into the organization.

These filters are very specific to an individual email system. But in general, these filters incorporate rules, which could be keyword based or domain based. They can also use other pieces of meta information to determine whether an email is good or bad.

What Are the Most Common Email Configuration Errors to Watch Out for?

As mentioned, I often see multiple SPF records, whereas only one is allowed. Multiple SPF records could result in your domain being blacklisted.

I also frequently see the DMARC policy missing, or set to none, which means recipients may allow unauthenticated messages to be delivered.

I also see spam filters that are out of date or not being maintained. Filters are especially important as a company’s business needs change. Vendors and suppliers change frequently. Messages can inadvertently get marked as spam for a variety of reasons or can get quarantined or rejected.

If you don’t have somebody looking at these things on a regular basis, you could be blocking important messages from getting through to your company.

A less common error I see is a failure to rotate DKIM keys. Once set up, experts recommend rotating them at least every 6 months. Unfortunately, many companies treat this as a “set it and forget it” configuration. This can be complicated by numerous email integrations, making the task harder and thus more likely to be skipped.

Also, I often see smaller and even mid-sized businesses assuming that this configuration is being handled by a third party SaaS provider such as Microsoft or Google. But that’s not true — it’s up to each tenant to configure security accordingly. Without it, you are essentially wide open.
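An added example, not the article's own tooling: a Python audit over a constructed snapshot of one domain's DNS TXT records and its DKIM selector inventory that flags the errors listed above, namely multiple SPF records, a DMARC policy that is missing or set to none, and DKIM keys that are revoked, missing from DNS, or older than the six-month rotation window. The zone contents, selector names, dates and the 183-day threshold are placeholders chosen for the example.

```python
from datetime import date

# Constructed snapshot of one domain's DNS TXT records and of the DKIM selectors the
# organization has handed out, with the date each key was published. All placeholders.
ZONE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.crm.example.net -all",
        "v=spf1 ip4:203.0.113.0/24 -all",          # a second SPF record: the classic mistake
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "sel2023._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    "crm._domainkey.example.com": ["v=DKIM1; k=rsa; p="],   # revoked key, selector still in use
}
SELECTOR_INVENTORY = {
    "sel2023": date(2023, 1, 15),   # never rotated
    "crm": date(2024, 11, 1),
    "bulk": date(2024, 12, 1),      # in the inventory, but the record never made it into DNS
}
AUDIT_DATE = date(2025, 3, 1)       # fixed "today" so the example is repeatable
MAX_KEY_AGE_DAYS = 183              # the "rotate at least every 6 months" rule


def parse_tags(record):
    """Parse 'tag=value; tag=value' into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}


def audit_domain(domain, zone, selectors, today, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of human-readable findings for the domain's email authentication setup."""
    findings = []

    # SPF: exactly one record, ending in a qualifier that rejects unlisted senders
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published, so anyone can claim to send for this domain")
    elif len(spf) > 1:
        findings.append(f"SPF: {len(spf)} records published; only one is allowed and receivers treat this as an error")
    elif spf[0].split()[-1].lower() not in ("-all", "~all"):
        findings.append("SPF: record does not end with -all or ~all, so unlisted senders are not rejected")

    # DMARC: present, and with a policy that actually does something
    dmarc = zone.get(f"_dmarc.{domain}", [])
    if not dmarc:
        findings.append("DMARC: no policy published")
    elif parse_tags(dmarc[0]).get("p", "none") == "none":
        findings.append("DMARC: p=none, so recipients may still deliver mail that fails SPF and DKIM")

    # DKIM: every selector in use has a live key, and no key is older than the rotation window
    for selector, published in selectors.items():
        records = zone.get(f"{selector}._domainkey.{domain}", [])
        if not records:
            findings.append(f"DKIM: selector {selector} has no key record in DNS; mail signed with it fails verification")
            continue
        if not parse_tags(records[0]).get("p"):
            findings.append(f"DKIM: selector {selector} publishes an empty key (revoked) but is still in the inventory")
        age = (today - published).days
        if age > max_key_age_days:
            findings.append(f"DKIM: key for selector {selector} is {age} days old; rotate at least every 6 months")
    return findings


if __name__ == "__main__":
    for finding in audit_domain("example.com", ZONE_TXT, SELECTOR_INVENTORY, AUDIT_DATE):
        print("-", finding)
```

Run against a real domain, the two dictionaries would be filled from TXT lookups and from whatever system tracks which vendor was given which selector; the point of keeping an inventory is that DNS alone cannot tell you how old a key is or that a selector was handed to a vendor and then forgotten.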


How Do Email Configuration Errors Put Companies at Risk?

Not configuring these settings or not paying attention to blacklisting could result in emails not getting delivered. If the email is for a contract or some other important business function, it could impact revenue.

Even worse, many of these misconfigurations allow threat actors to gain access to your company through delivery of malicious content such as phishing emails.

Also, these misconfigurations could allow a threat actor to act on your behalf, sending malicious content as if it were you. This could be damaging your reputation or worse.

How to Check for Email Configuration Errors

If you survived the alphabet soup above, you might have the stomach to monitor these settings yourself. Most mid-sized and large organizations have a team of individuals to perform this work on an ongoing basis.

For savvy small business owners who have some technical skills, this can be done without expert intervention. Review your configurations on a regular basis and keep them simple, involving only a few trusted sender sources.

Email configuration can also be handed to an MSP. If outsourced, trust but verify. Many MSPs gloss over this configuration due to resources being over-utilized. It’s easy to overlook, as a base configuration might be good enough to get by at first. However, it won’t stand the test of time as the business needs evolve.

Black Kilt has experts available who specialize in email security. Ask us for a free consultation to see if you could benefit from an engagement to reconfigure and secure your email system.
