Email Authentication Management (EAM)
Service Terms
Background
Sending an email invokes use of the SMTP protocol which mail servers use to communicate. In that communication process, the sending server identifies itself, the sender, the recipient(s), and other details such as the subject and message body. Cyber attackers can manipulate that exchange to make mail appear to originate from any source they choose. The email client renders the “From:” field per the cyber attacker’s specification, so a piece of email could appear to be sent from any email address of choice.
In 2012, a new specification was written to combat spammers, phishers, and spoofers. In 2017, the Department of Homeland Security issued a directive that required certain federal agencies to implement these changes.[1] Additionally, the Center for Internet Security (CIS) recommends that organizations take action to implement this necessary configuration.[2] Finally, CMMC SI.3.219 requires that organizations implement email forgery protections.[3]
Bound Planet’s Email Authentication Management service (EAM) provides businesses with implementation of necessary changes and monitoring to prevent email impersonation attacks that may include but are not limited to fraud, spoofing, phishing, and spam. Businesses that subscribe to this service are better able to protect their name/brand, reduce email impersonation attacks, and improve email delivery.
To take advantage of this additional capability, it is up to the domain owner to tell the Internet how to handle email it receives from their domain. There are three related email authentication mechanisms that must be configured for each mail source for a particular domain. These are SPF, DKIM, and DMARC. Nearly all organizations lack a complete implementation of these authentication mechanisms.
SPF (sender policy framework) states that servers receiving a piece of email should check a record published by the sending domain owner which declares servers authorized to send for that domain. The receiving server can then check to see which qualifier has been published and deliver or reject mail accordingly.
DKIM (DomainKeys Identified Mail) states that the sending mail server will sign mail with a signature that the domain owner publishes. When an email is received by a mail server, the signature on the message is checked against what is published by the domain owner. If the signature does not match, the receiving server can reject the message.
DMARC (Domain-based Message Authentication, Reporting and Conformance) takes care of checking differences between SPF, DKIM, and the “From:” field in a message. Domain owners specify a DMARC policy which dictates actions to be taken by receiving mail servers. Messages that fail alignment are rejected if a strict policy has been published. DMARC supports reporting so that receiving servers can identify when an email either passes or fails alignment. The DMARC reports can be sent to a specific location when a DMARC record is published.
Service Workflow
Assess
The current state of the organization’s SPF, DKIM, and DMARC records will be established. For each domain a company owns, a DMARC record with a policy of ‘none’ will be published, and all email sources will be observed to determine the status of DKIM and SPF alignment. Sources will be evaluated for support of SPF and DKIM. Source mail volume will also be observed which can factor into overall pricing of the service. The DMARC record will be set to send reports to Bound Planet’s management portal.
Implement
For any domain that does not deliver email, a DMARC policy of ‘reject’ will be published, and a blank SPF record will be published. This configuration will declare to the Internet that the domain does not send email.
For all other domains, each source will be reviewed and implementation of SPF and DKIM will take place. Bound Planet will work with any necessary third-parties to enable DKIM signing, and DNS records for both SPF and DKIM will be published. Bound Planet can assist with the configuration of DNS records.
Observation continues to ensure that sending sources adhere to the configuration put in place and necessary compliance and alignment has been achieved. A period of one to two weeks must be observed with nearly 100% alignment before a domain may be moved to a DMARC policy of ‘reject’.
Manage
When all domains have SPF and DKIM fully configured and have achieved 100% DMARC compliance with a published policy of ‘reject’, the EAM Service begins and the organization will be considered to be in the ‘Manage’ phase. This management phase includes daily monitoring of the DMARC reports for the domain and support for changes observed to mail sources. Support for configuration of new mail sources is also included in the EAM service. Ongoing monitoring is important because it can reveal attempts by bad actors to spoof the domain, mail volume, and it can reveal any potential configuration changes by mail sources. Reports can also be sent on an interval to any identified customer account.
EAM Subscription
Bound Planet partners with a company called Dmarcian to deliver the EAM Service. Dmarcian was founded in 2012 by one of the primary authors of the DMARC specification. The Dmarcian tools enable Bound Planet to easily check domain status, observe email sources, and review DMARC reports to determine alignment. The partnership allows Bound Planet to utilize the Dmarcian tools. Additionally, Bound Planet can pass on subscription savings to customers versus going directly to Dmarcian for purchase.
When a Bound Planet customer subscribes to the EAM service, it includes use of the Dmarcian tools by Bound Planet in addition to the proactive monitoring mentioned above. Support for adding new mail sources is provided, and configuration for new domains is included when the new domain is added to the EAM subscription. Daily reviews of the monitoring portal are included to uncover malicious activity or determine changes to sources that have been configured. Subscriptions are preferably based on an annual renewal; however monthly options are available. Early termination available; amount to refund or charge will be the number of months used plus one month.
Pricing
Subscription pricing relates to the number of domains a customer has as well as email volume. Standard pricing exists on a per-domain basis for domains that do not exceed 20,000 messages per month. Custom pricing exists above the 20,000 messages per month threshold and will be discussed prior to moving forward with an EAM Service Subscription.
Effort to configure the domains (Assess and Implement phases) is not included in the subscription pricing and will be billed separately as determined in initial scoping discussions. The Assess/Implement pricing can be billed hourly or as a fixed fee depending on customer preference. An estimate will be provided for this effort.
After having completed the Assess/Implement phases for domains that were new to the EAM service, the Assess/Implement phases for further new domains will be included in the subscription cost of the new domain. For example, consider a customer that subscribes to the EAM service and has four domains currently. The customer will have previously worked with Bound Planet to configure the four domains with a strict DMARC policy and will have completed the Assess/Implement/Manage phases. If the customer purchases a new domain, only the subscription cost of the new domain will be charged per the annual or monthly term per above.
Data Storage and Mail Flow
By default, DMARC reports include only the information necessary to determine alignment with SPF and DKIM such as sender domain, SPF domain, DKIM alignment, source IP and others. No actual message content or attachments flow to the Dmarcian portal that Bound Planet manages. However, customers can opt to include detail information in cases where alignment issues persist. The detail information may include actual message content, and this special case must be agreed to by the customer via a request form will be provided and filed.
It should also be noted that this service does not make any changes to customer MX records or cause any changes to mail flow pathing. The customer should be aware that impacts to mail delivery can be caused when implementing DMARC. This is why the observation period is critical and changes to DMARC record must be agreed upon after ensuring all mail sources have been properly configured for a domain that is to receive strict DMARC policy updates. Additionally, the customer must be aware that adding new mail sources will require the configuration of SPF and DKIM for that source.
[1] https://cyber.dhs.gov/bod/18-01/#what-are-the-standards-that-enable-email-authentication
[2] https://www.cisecurity.org/controls/email-and-web-browser-protections/
[3] https://www.acq.osd.mil/cmmc/draft.html