You can outsource your email, but a good chunk of securing that email remains in-house. Here's what you need to know.

While outsourcing email is right for many, if not most, enterprises, it’s not enough to ensure both inbound and especially outbound email is secure. For example, outsourcing email would not prevent this from happening:

“Dear [FirstName] [LastName],” the email reads, “Click here to register for the AcmeCorp holiday party. Don’t forget to RSVP!”

You check the return email address: HolidayParty@AcmeCorpHolidayParty.com. Not the usual corporate domain, AcmeCorp.com. Looks phishy. You forward it to your security department and wonder who clicked on the RSVP link. Later, you find out it was a legitimate email from the event organizers and scratch your head. HR wants a head count ASAP. You click the link and pray the email from the ad hoc domain isn’t a phishing email and thus a major security risk. Will clicking on the link download and execute malware on your work computer, making you another victim of business email compromise (BEC)? No, the email is legitimate and the link harmless, but now everyone in the organization who received that email is a little less vigilant about spotting phishing emails because they know not to expect a standard domain.

Far-fetched scenario? Not at all.

For many — if not most — organizations today, outsourcing email is a no-brainer. Securing email is hard, and unless you have a team of email security engineers, outsourcing email security to the experienced folks at Google, Microsoft, Fastmail or another reputable email provider may well be the right choice.
Unless you’re a large global conglomerate or you’re working on sensitive R&D that you want to protect from theft or espionage, outsourcing email is likely the right decision for your organization.

The organizational challenge of email security

Once you’ve decided to outsource your corporate email, your in-house security team cannot simply “set it and forget it,” as some risks, such as the event organizer scenario, remain. Securing outbound email quickly leaves the realm of technical security work and becomes an organizational challenge. Procurement and brand protection need to be involved to secure enterprise outbound email.

Procurement needs to work with the security team to develop standard contractual language to prevent vendors from spoofing a corporate domain’s email or setting up typosquatting domains like AcmeCorpHolidayParty.com. That anti-phishing training you give your employees? It won’t help much if you condition them to think those kinds of typosquatting domains are normal and legitimate.

Typosquatting domains like paypa1.com or g00gle.com are frequently used as phishing domains. Training employees to be wary of emails from such domains is important to prevent phishing.
Therefore, using such typosquatting domains for legitimate reasons confuses employees, and potentially threatens brand reputation if well-meaning employees or vendors start sending email from those domains to clients, vendors, sales leads, etc.

“It becomes a procurement chain challenge to make sure the events group within the company, and the process that they use for procuring services, knows how to catch these things and direct them through the security team at the company, so all the vendors do the right thing,” Kurt Andersen of the M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group) tells CSO.

Brand protection also needs to be involved to firmly remind vendors that such antics, while well-intentioned, are not acceptable, and pose a serious risk to both brand reputation and the security of the enterprise.

“It’s still the Wild West as any salesperson can go out to Mailchimp or other marketing email provider and start spewing email,” Andersen says. “For outbound mail, make sure the security team is hooked into the right corporate processes [like procurement and brand protection], and make sure you have a DMARC record and are monitoring the reports so you have visibility.”

Are you checking those DMARC reports?

Configuring DKIM, SPF and DMARC correctly is critical to securing outbound email, but if you’re not reviewing those DMARC reports on a daily basis, you’ll miss early warning signs that something is amiss — especially if you’re still at the monitor only (p=none) stage of DMARC deployment.

If someone is spoofing your AcmeCorp.com email domain, for either good faith or nefarious reasons, your DMARC reports are going to let you know. It will also give you visibility into authorized marketing or accounting efforts to use Salesforce or Marketo or Mailchimp that have failed to alert the security team.
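
The daily review of DMARC reports described above can be scripted. The following Python is an added example, not code from the article or from any vendor: it reads one DMARC aggregate report and lists the sending IPs whose mail failed DMARC, together with the envelope domain SPF was checked against. It assumes the report is already decompressed XML in the RFC 7489 layout; the sample report, its IP addresses and the name bulkmailer.example are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>acmecorp.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>acmecorp.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.bulkmailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.bulkmailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>acmecorp.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def failing_sources(report_xml):
    """Return (published policy, {source_ip: details}) for mail that failed DMARC."""
    # Reports arrive from outside parties; use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="unknown")
    failures = defaultdict(lambda: {"count": 0, "spf_domains": set()})
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue
        # DMARC passes when aligned DKIM or aligned SPF passes; keep only rows where both failed.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry = failures[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count", default="0"))
        # The envelope domain SPF was checked against hints at which service sent the mail.
        for spf in rec.iterfind("auth_results/spf"):
            entry["spf_domains"].add((spf.findtext("domain"), spf.findtext("result")))
    return policy, dict(failures)

if __name__ == "__main__":
    policy, failures = failing_sources(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, info in sorted(failures.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {info['count']} failing messages, SPF checked {sorted(info['spf_domains'])}")
```

With p=none these failing messages were still delivered. A source that passes SPF only for a third-party envelope domain is usually a bulk-mail service sending as your domain without alignment, while a failure against your own domain means the sending host is not covered by your SPF record.
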
Including those authorized third parties in your SPF record is key to ensuring your enterprise email doesn’t wind up in recipients’ spam folders.

All this holds true even if you are outsourcing enterprise email, including deploying SPF, DKIM, and DMARC. You need to understand how these technical security measures work in order to hold your vendors accountable.

The future of email security

It’s easy to fall into the trap of thinking email security is a solved problem. If you live and work in a walled garden like Gmail or inside a well-protected government network, teams of engineers spend enormous effort to prevent spam and abuse from reaching your inbox. The truth is dealing with the vast amounts of garbage email on the internet is a hard problem that’s been mitigated by a feudal security model of outsourced email, but has never been truly solved because of the insecurity inherent in the ancient design of email and the economics of spam that favor the attacker.

“I don’t know that we’re going to be able to change email as we know it, the network effects are so overwhelming,” Andersen tells CSO. “There continue to be discussions, very early discussions, in the IETF [Internet Engineering Task Force, the folks who bring you RFCs] around a next set of revisions to the basic standards for SMTP, none of them go as far as saying ‘we’re going to break backward compatibility’.”

One key sticking point, and it is OK to laugh while you read this, is the widespread deployment of email as a reporting mechanism for legacy industrial IoT devices that have decades-long life spans and send email using IP address literals instead of domain names.

“These things still send email as a notification mechanism,” Andersen says. “How can we raise the bar for security for these devices that maybe can’t even do TLS?
They still rely on SMTP and [their owners] are very vocal that we not break their world.”