83 percent of breaches occur via email

How many times has a vendor or client contacted you to ask why you haven't responded to the email(s) they sent, only for you to find that email caught in your spam filter? I guarantee it has happened, and if you have been paying close attention to your spam filter, you are seeing more and more non-spam emails being quarantined. Part of the reason is that email systems are no longer just doing spam filtering. They analyze each email for hundreds of attributes far beyond simple spam classification. This change came about because many industry analysis firms have found that 83% of breaches begin with an email that let the cybercriminals into the organization. As a result, email providers like Microsoft 365 have adopted more rigorous default screening standards for inbound email, which means more emails end up in quarantine.

Whitelist is not the answer

Now, I am sure you have heard from vendors and clients (and, let's be honest, you have probably said this as well) that they "just need to be added to the whitelist" and that will solve the problem. That is absolutely incorrect, and here is why. When you whitelist a domain, you are telling your email security filter to let through anything and everything that appears to come from that domain or that sender, whether or not it actually did. In other words, you have just opened a hole for cybercriminals to get through. Look at this recent article about the Salesforce domain being used for a phishing campaign. Users, in general, would think it's perfectly fine to whitelist salesforce.com, so they do, and unknowingly open the door for a cybercriminal.
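
The difference between the two rules, as an added example that is not part of the original article and not QPC Security's code: a small Python screen that parses the Authentication-Results header (RFC 8601) a receiving mail server stamps on each message and compares the "just whitelist the domain" rule with one that also requires a DMARC pass. The vendor domain vendor.example, the authserv-id mx.example.net and the three messages are constructed for the demonstration.

```python
"""Allow-listing a vendor domain vs. allow-listing only authenticated mail.

Added example, not part of the original article and not QPC Security's code.
The domains, authserv-id and message texts are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain the business asked IT to "whitelist".
ALLOW_LIST = {"vendor.example"}
# Assumption: the authserv-id our own mail server writes into Authentication-Results.
OUR_AUTHSERV_ID = "mx.example.net"


def from_domain(msg):
    """Domain of the visible From: header, which is what users and naive rules key on."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts, trusting only the header our server stamped.

    A sender can add their own Authentication-Results header claiming dmarc=pass,
    so any header carrying a different authserv-id is ignored (RFC 8601, section 7.1).
    """
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip() != OUR_AUTHSERV_ID:
            continue
        for match in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            verdicts[match.group(1)] = match.group(2).lower()
    return verdicts


def naive_allow(msg):
    """'Just whitelist the domain': skip filtering for anything claiming that From domain."""
    return from_domain(msg) in ALLOW_LIST


def authenticated_allow(msg):
    """Skip filtering only when the allow-listed From domain also passed DMARC."""
    return from_domain(msg) in ALLOW_LIST and auth_results(msg).get("dmarc") == "pass"


def screen(raw_message):
    """Return (naive_verdict, authenticated_verdict) for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    return naive_allow(msg), authenticated_allow(msg)


# Constructed messages. The vendor's genuine mail passes DMARC...
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Accounts <billing@vendor.example>
Subject: Invoice 1042

Please find invoice 1042 attached.
"""
# ...a spoof sent from an unauthorized server fails it (same visible From address)...
FORGED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=vendor.example; dkim=none; dmarc=fail header.from=vendor.example
From: Accounts <billing@vendor.example>
Subject: Updated bank details for invoice 1042

We have changed banks. Please remit to the new account below.
"""
# ...and a spoof that smuggles in its own forged Authentication-Results header.
FORGED_WITH_FAKE_AR = """\
Authentication-Results: mail.attacker.example; dmarc=pass header.from=vendor.example
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=vendor.example; dkim=none; dmarc=fail header.from=vendor.example
From: Accounts <billing@vendor.example>
Subject: Updated bank details for invoice 1042

We have changed banks. Please remit to the new account below.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED), ("forged+fake AR", FORGED_WITH_FAKE_AR)):
        naive, authed = screen(raw)
        print(f"{name:15} naive allow-list: {str(naive):5}  authenticated allow-list: {authed}")
```

Run it and the naive rule waves all three messages through, both forgeries included, while the authenticated rule admits only the genuine one. The third message is the edge case worth remembering: the spoofer adds a forged Authentication-Results header claiming dmarc=pass, which is why the code honours only the header carrying your own server's authserv-id. Many filters can express the second rule natively (an allow rule conditioned on the authentication result rather than on the From domain); ask for that instead of a domain whitelist.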

So, what is the right answer, and why are very few organizations doing it? Part of the solution is for business leaders to stop demanding that IT whitelist email domains and senders, thereby defeating the security mechanisms meant to protect you. Be part of the solution. Many IT staff do not have the ability to push back and coach a demanding executive on proper security when they fear losing their job. I know a lot of executives who get very emotional about email delivery because they are concerned about adverse business impact from lost business or delayed communications with customers. But you need to be equally concerned about the massive risk that the email vector poses to the ongoing sustainability and profitability of your company.

The right way to approach this problem is with a complete view. Policies and processes must be in place to address inbound email handling, but also to make sure that your own company's configuration is not part of the problem. Most organizations have not done what they should to show recipients that their emails are authenticated and coming from authorized sources. Part of the solution is to have DKIM, DMARC, and SPF configured correctly. And if you don't know what DKIM, DMARC and SPF actually are and wouldn't know where to start with proper configuration, don't feel bad, as many inside and outside the technology industry don't know either. It is complex but can be conquered. You just need a technology partner like QPC Security.

How it all works

The three work together. SPF (Sender Policy Framework) is a DNS TXT record on your domain that lists the servers allowed to send mail using that domain as the envelope sender; the receiving server checks the connecting server's IP address against that list. DKIM (DomainKeys Identified Mail) has your outbound server sign each message with a private key; the matching public key is published in DNS under a selector, and the receiver verifies the signature. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together: it publishes a policy telling receivers what to do with mail that fails both checks for the domain in the visible From address (none, quarantine or reject) and where to send reports. That is why DMARC cannot be set up on its own: a reject policy on top of a broken SPF or DKIM setup blocks your own legitimate mail.

The deadline is approaching

To further complicate things, by December 31st, 2021, the 2021 NDAA legislation states that all US based email systems must implement DMARC. And because the three are interconnected, DKIM and SPF have to be set up correctly before DMARC can be properly configured. To convey how seriously this is taken, cyber insurance providers can and will analyze the efficacy of your SPF, DKIM and DMARC configurations, using nothing but public DNS, as part of their risk profiling. If they can see from publicly available information that the sender authentication for your mail domain is well designed, they presume that the inbound side of email is also being competently managed. Conversely, if they determine that it is not configured to standards, you will pay higher insurance premiums.

And when I say 'publicly available', I mean available to all. Case in point: recently, the Metropolitan Milwaukee Association of Commerce was hacked. I did an SPF, DKIM, and DMARC assessment and they failed on all three: SPF was not configured correctly, and DKIM and DMARC were not configured at all. In my view, that is a significant argument for changing who manages that email system. The hackers could do the same analysis I did with publicly available information and reach the same conclusion: an organization showing these signs of improper management is likely to be easy to compromise. They can easily correlate that data with known compromised passwords on the dark web and other publicly available information to find a viable way into an organization. You don't want to be that target.

Email marketing automation platforms

Another piece of the email deliverability problem is marketing email automation platforms like Constant Contact, InfusionSoft, and MailChimp. They simply do not provide any form of competent advice to users like you on how to properly configure DMARC etc. when using their systems. Also, did you know that, as a rule of thumb, you should never send marketing email from your primary domain (example: bob@abccompany.com)? A sub-domain (example: bob@mail.abccompany.com) is what you should be using. The catch is that your DMARC configuration has to cover that sub-domain, or cybercriminals can easily spoof it: a receiver looks for a DMARC record on the sub-domain itself and, if there is none, falls back to your primary domain's record, where the sp= tag (or p= when sp= is absent) sets the policy for sub-domains. If that comes out as "none", the sub-domain is unprotected. The sub-domain also needs its own SPF and DKIM entries for the marketing platform's servers, or your own campaigns will fail the checks.

And if you make the mistake of not using a sub-domain, what happens to your business operations when your primary domain is blacklisted? It can and does happen. A staff member makes a mistake and sends out an email from your marketing automation platform that gets identified as spam, and your domain is blacklisted. The CAN-SPAM Act is enforced legislation. A blacklisting means that ALL emails you send, whether from your own Outlook or even from your accounting system such as QuickBooks, will now be blocked, because your entire domain is blacklisted. Getting on a blacklist doesn't take much. Getting off a blacklist can take months. Can your business survive months of not being able to send emails?
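
The outside-in assessment described in the previous section (what an insurer, a hacker, or I can read from public DNS), together with the sub-domain policy point above, as an added example that is not part of the original article and not QPC Security's tooling. Instead of querying live DNS it reads a constructed in-memory zone: example.com as a well-run primary domain, mail.example.com as its marketing sub-domain, and example.org as the kind of domain that fails all three checks. The DNS names, selectors and key strings are constructed, and the selector list is a guess, because DKIM selectors cannot be enumerated from DNS.

```python
# Added example: outside-in SPF/DKIM/DMARC assessment from public DNS, including
# the sub-domain policy lookup that matters for a marketing sub-domain. Not QPC
# Security's tooling. Reads a constructed in-memory zone so it runs offline;
# replace lookup_txt with a real resolver to assess a live domain.
import re

# Constructed TXT records (not real zones); the DKIM p= values are dummy strings.
RECORDS = {
    # Well-run primary domain: enforced SPF, DKIM key, DMARC reject, sp= for sub-domains.
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA=="],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    # Marketing sub-domain: its own SPF and DKIM for the platform, but no _dmarc
    # record of its own, so it inherits sp=quarantine from example.com.
    "mail.example.com": ["v=spf1 include:spf.marketing-platform.example -all"],
    "k1._domainkey.mail.example.com": ["v=DKIM1; k=rsa; p=UVJTVFVWV1hZWjAxMjM0NQ=="],
    # Poorly run domain: SPF ends in +all, no DKIM key, no DMARC record.
    "example.org": ["v=spf1 a mx include:_spf.example.org +all"],
}
# Assumption: selectors cannot be enumerated from DNS, so an outsider guesses common ones.
COMMON_SELECTORS = ("selector1", "selector2", "default", "k1")
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS query


def lookup_txt(name):
    """TXT strings published at name (from the constructed zone; empty if none)."""
    return RECORDS.get(name.lower(), [])


def parse_tags(record):
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain):
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "fail", ["no SPF record published" if not records else "multiple SPF records (permerror)"]
    problems, lookups, qualifier = [], 0, None
    for term in records[0].split()[1:]:
        match = re.match(r"([+\-~?]?)([a-z0-9]+)", term, re.I)
        mech = match.group(2).lower() if match else ""
        if mech in SPF_LOOKUP_MECHS:
            lookups += 1
        elif mech == "all":
            qualifier = match.group(1) or "+"
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    if qualifier == "+":
        problems.append("'+all' authorizes every host on the internet to send as this domain")
    elif qualifier == "?":
        problems.append("'?all' is neutral, so forged senders never fail SPF")
    elif qualifier is None:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    if problems:
        return "fail", problems
    return "pass", ["'-all' hard-fails unlisted senders" if qualifier == "-"
                    else "'~all' softfails unlisted senders (not a pass, so DMARC still catches forgeries)"]


def assess_dkim(domain, selectors=COMMON_SELECTORS):
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}"):
            tags = parse_tags(record)
            if not tags.get("p"):
                return "fail", [f"selector {selector} has an empty p= (key revoked)"]
            return "pass", [f"selector {selector} publishes a {tags.get('k', 'rsa')} public key"]
    return "fail", ["no DKIM key found under the selectors tried"]


def assess_dmarc(domain):
    """RFC 7489 policy discovery, simplified: the domain's own _dmarc record, else the
    organizational domain's, whose sp= tag (default: its p=) governs sub-domains.
    Assumption: the organizational domain is the last two labels (real receivers
    consult the Public Suffix List)."""
    tags, inherited = None, False
    for name in (domain, ".".join(domain.split(".")[-2:])):
        found = [r for r in lookup_txt(f"_dmarc.{name}") if r.upper().startswith("V=DMARC1")]
        if found:
            tags = parse_tags(found[0])
            break
        inherited = True  # nothing on the domain itself; next candidate is the org domain
    if tags is None:
        return "fail", ["no DMARC record on the domain or its organizational domain"]
    policy = (tags.get("sp") if inherited and "sp" in tags else tags.get("p", "")).lower()
    notes = [f"effective policy '{policy}'" + (" (inherited from the organizational domain)" if inherited else "")]
    if policy in ("quarantine", "reject"):
        status = "pass"
    elif policy == "none":
        status, notes = "warn", notes + ["p=none only monitors; spoofed mail is still delivered"]
    else:
        status, notes = "fail", notes + ["missing or invalid policy tag"]
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports go nowhere")
    return status, notes


def assess(domain):
    return {"spf": assess_spf(domain), "dkim": assess_dkim(domain), "dmarc": assess_dmarc(domain)}


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com", "example.org"):
        for proto, (status, notes) in assess(name).items():
            print(f"{name:17} {proto.upper():6} {status:5} {'; '.join(notes)}")
```

Swap lookup_txt for a real TXT lookup (for instance dnspython's resolver.resolve(name, "TXT")) to run it against a live domain. The DMARC check shows why the marketing sub-domain is protected even without a record of its own: the fallback to example.com picks up sp=quarantine, and if sp= were missing the p= value would apply; it is the sp=none (or p=none with no sp=) case that leaves a sub-domain open to spoofing. The last-two-labels shortcut for the organizational domain is a simplification; real receivers use the Public Suffix List.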

With all of this, I feel it is intellectually dishonest for any person who manages an email system, be they in-house staff or an IT service provider, to tell anyone that their domain "just needs to be whitelisted". We have moved way beyond that. DMARC, DKIM, and SPF can be properly configured. The problem is that many are just not taking the time to learn how, because, after all, their solution is to whitelist the domain. As a business owner, you simply can no longer accommodate incompetence in managing your email system and marketing automation platforms. Without proper DMARC, DKIM and SPF configurations, and with the "just whitelist the domain" mentality, you are providing cybercriminals with the one little hole they need to infiltrate your systems, exfiltrate your data, and deploy ransomware across your infrastructure, all of which lead to reputational and economic destruction.

December 31st is coming. Don't be fooled into thinking that you are prepared for this. QPC Security has the expertise and team to tackle this problem. We know how to properly configure DMARC, DKIM, and SPF so that your email systems, and ultimately your business, are protected. We also have comprehensive solutions for information security policies, phishing testing, phishing training, and cybersecurity awareness training for your staff. We know how to fix all the DNS issues and how to manage the complexities of the marketing automation platforms or any other variable you have. We have over 25 years' experience managing complex email systems and have performed over 30,000 email migrations. We are ready to handle your technical challenges and complexity. I take a deeper dive into this topic on my Breakfast Bytes podcast, so click here to listen in. For more information on this topic, contact us today at 262-553-6510 or by visiting qpcsecurity.com.