A little late to the game, I recently binge-watched season 7 of the Game of Thrones. One thing I noticed is that for all the thick walls, barred doors, and armed guards, most of the castles in the show were not taken through a direct attack on their outer defenses, but rather through infiltration. Invaders circumvented the castle’s defenses using backdoors and hidden tunnels. They even walked through the castle gate while impersonating a resident.

SaaS applications that send email—which is all SaaS applications—are similarly vulnerable. As an engineering leader, you may have followed security best practices: training, code reviews, third-party penetration testing, secured your infrastructure, and more. And yet all your efforts could come to naught if a bad actor steals a user’s credentials from that user.

A common approach bad guys take to stealing user credentials is to impersonate your email: a phishing attack. A malicious third party sends your users an email that looks like it came from your application. A link in the email takes users to a website resembling your own and requests their username and password to log in. The attackers now have access to your application, allowing them to walk right through your castle gate.

DocuSign phishing email courtesy of KnowBe4

An attack like this—impersonating your application—could result in customers losing trust in your service and present an existential threat to your business.

You may believe that you’re not liable for a customer’s internal security training and that there’s not much you can do to stop attacks like this. And you’re right in thinking you can’t easily stop these emails being sent. You can, however, strongly influence whether your users receive these emails.

Phishing is possible because, in the early days of email, the small group of organizations using it trusted one another. The Simple Mail Transfer Protocol (SMTP) lives up to the “simple” part of its name. A mail client can send a message by connecting to a remote Mail Transfer Agent (MTA), provide the To and From addresses of the message, and then the message body itself. The SMTP protocol does not specify a way to validate that the party sending the email has the right to send from any given address, allowing the sender to claim they are sending a message on behalf of anyone.

Fortunately, new standards are making it easier for companies to protect themselves and their users from phishing. These standards add the ability to authenticate the identity of a message sender. They allow mailbox providers such as Gmail and Microsoft, along with corporate email administrators and others, to filter messages that don’t pass validation and alert the company targeted by phishing to the impersonation attempt.

Apple phishing email courtesy of mailguard.

The first of these technologies is Sender Policy Framework, or SPF. SPF defines a way to validate that an email message was sent from an authorized mail server. SPF establishes a method for receiving mail servers to verify that incoming email was sent from a host IP authorized by the sender’s domain administrators. It piggybacks on the existing Domain Name System (DNS).

While SPF can define which servers are allowed to send messages on behalf of your domain, it doesn’t offer a mechanism to verify whether the message headers or body have been altered or forged. This is handled by DomainKeys Authenticated Mail, or DKIM. It works by using a private key to creating a unique digital signature for the email’s header and content and adding this to the existing headers of the message. The signature can then be validated against a public key in your DNS records.

Domain DNS verification section
SparkPost domain setup displaying DKIM configuration.

The third standard that serves to bring the first two together is Domain-based Message Authentication, Reporting, and Conformance, or DMARC. DMARC is another DNS-based technology that enables an organization to publish their authentication practices, advise receivers on how to treat messages that don’t validate against SPF and DKIM and to request that notifications be sent to the organization when non-authenticated messages are encountered.

With these combined standards, mailbox providers can identify messages that have been legitimately sent from your application and ensure that they are delivered to your user’s mailboxes. Those that aren’t may be sent to a spam folder or quarantined, with your team notified. The email purportedly sent from your application asking the user to change their password would likely not have been delivered to their inbox.

Your customer’s data may not be pilfered via a frontal assault on your application. Rather, using deception, a bad actor can fool your users into giving away the keys to your castle. There are, however, actions you can take to mitigate this risk and ensure that your customers remain safe.

—Steve Murray, SparkPost CISO

P.S. Want to learn more about preventing phishing and ensuring that your messages reach your user’s inbox? Our Email Deliverability Guide is a great resource. And if you’re implementing email authentication standards, check out our free tools for inspecting and validating your SPF and DKIM records.


Stop the New Messaging Threats

Large-scale phishing email blasts still make the news, but today’s most dangerous digital attacks use spearphishing messages aimed directly at particular individuals or organizations. Both the Online Trust Alliance and Symantec accorded 2013 the dubious honor of being the year of data breaches. According to Symantec’s 2014 Internet Security Threat Report, the total number of breaches in 2013 was 62 percent greater than in 2012 with 253 total breaches. Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012 only one breach exposed over 10 million identities.

Spearphishing exploits begin with targeted, personalized messages that seem legitimate, yet lure recipients to open malware, or hand over passwords or login information. Such attacks have an alarming success rate. When successful, they can result not only in the loss of critical data, but also the unauthorized use of email deployment systems or other critical infrastructure. Moreover, these attacks can jeopardize your sender reputation and your brand.


Target’s well-publicized data breach earlier this year cost the company deeply in terms of brand reputation and revenue and was traced back to a single phishing email. This is why all enterprises — and the email service providers (ESPs) that work with them — must safeguard not just inbound message streams, but outbound streams as well.

A More Intelligent Approach to Message Security

In a recent report released by the Online Trust Alliance scoring the email integrity of businesses, it was noted that:

Unfortunately, in many enterprises the email infrastructure does not natively support outbound signing or inbound checking for SPF, DKIM or DMARC. Equally as concerning is the lack of support for inbound authentication from leading MTAs (Mail Transfer Agents), the hosting community and email technology providers.”

– 2014 Email Integrity Audit report

Out of the 800 companies and brands that were audited, Message Systems was among the 12% of companies that measured up to the stringent security standards of OTA. Unlike commodity MTAs, Message Systems takes the issue of email security very seriously. Our email infrastructure platform, Momentum, (available in on-premise and managed cloud versions) is designed to support both inbound and outbound email authentication. A two-way approach is critical because threats change constantly, points of vulnerability are too numerous to list conclusively, and realistically not all messaging attacks can be prevented. You may think your security systems are functioning correctly, only to see a sudden spike in complaints, bounces or blocks in your outbound stream, exposing an attack in progress and a compromised email deployment system.

Spearphishing attacks per day

Respond Immediately and Prevent Recurrence

With Message Systems solutions, prevention and mitigation processes are inter-connected. Our customers gain the ability to apply a full range of default and custom policies for screening out abusive mail at the network and protocol layers. And they can integrate best-of-breed third-party solutions for optimal scanning at the content layer. With this approach, organizations can instantly take user feedback into account, pinpoint suspicious activity and take action before damage is done. Additionally, by facilitating responsive action and self-learning, Message Systems helps companies to not only stop malicious activities as quickly as possible, but prevent them from happening again in the future. In fact, Message Systems’ commitment to ensuring that our customer’s emails are safe from phishing attacks, is one of the many reasons why the world’s largest senders choose us to send 20% of global legitimate email.

Learn more about how DMARC is helping to save the world’s email in the How DMARC Is Saving Email eBook today!

How DMARC Is Saving Email