An important aspect of corporate email security architecture is its method of preventive countermeasures. These
defenses are charged with thwarting a variety of threats from spam and phishing to malware like Trojans and rootkits. First-line countermeasures include message content inspection. This type of reactive system relies on signature engines and updated databases of known spam and phishing phrases. Additional prevention techniques employ domain filtering using blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze email based on collected content. However, these detection methods often fall short, relying on slow updates from limited data and resulting in unacceptable numbers of false positives. Furthermore, identity spoofing and domain hopping of malicious senders has weakened the effectiveness of these countermeasures.
In response, several types of email authentication technologies have been developed and implemented with varying results. Prevailing authentication methods categorically employ path-based or cryptography-based methods. Path-based or IP-based authentication systems evaluate the network path traversed by email. They rely on DNS records that identify trusted IP addresses for sender validation. This straightforward approach of verifying the message path from sender to recipient has been widely adopted due to its simple implementation. Sender ID and Sender Policy Framework have emerged as the dominant path-based methods in use today. While both of these techniques publish DNS policy records, they use them differently. SPF authentication compares the DNS record against the email's return-path address header (the envelope layer); while Sender ID uses a Purported Responsible Address header validation method, in addition to authenticating the SPF record.
Cryptographic, or signature-based authentication systems rely on digitally signing messages with PKI pairing. Recipient mail servers perform signature validation with public keys retrieved from DNS records. This method is utilized by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years.
While both IP-based and signature-based systems rely on the DNS infrastructure, they fundamentally differ in their focus of email analysis. Path-based systems examine where the message originated; while cryptographic methods look at who sent the message.
The corporate implementation of these two different authentication methods has revealed their situational strengths and weaknesses. The advantages of using a path-based approach include easy implementation and rapid deployment, without the cryptographic related impact on server performance. Therefore, path-based systems may be beneficial to companies looking to expedite a simple system with minimal resource constraints. However, signature-based standards have the added value of providing message integrity and greater resistance to mail forwarding limitations. Digitally-signed mail is best utilized as a robust solution for corporate protection of email containing intellectual property and other critically sensitive business information. Finally, it is important to note that these differing authentication solutions can work in tandem -- several IP/signature combination systems are presently being evaluated with promising results.
A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining proper requirements and resources for implementing an effective email security strategy. Since the protocols and standards for authentication will ultimately change with emerging threats, it's important to adopt authentication technologies with backwards compatibility and scalability. It is necessary to remember that authentication plays only one role in email security, and must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. Regardless of what email authentication method is employed, their true effectiveness will be ultimately determined by what prevails as an accepted global standard.
About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.