Author: Technical Committee
Last month, members of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) met to collaborate and discuss issues related to email and messaging security, network security and related topics.
The keynote presentation saw a number of industry experts from across the email ecosystem staffing a panel discussion that focused primarily on the importance of email authentication.
Email authentication is the industry term used to describe methods for authorizing use of a specific domain in various contexts in an email message. M3AAWG has previously published a best practices document for its members on the topic, M3AAWG Email Authentication Recommended Best Practices.
The panel reiterated the importance of email authentication, with one panelist even going so far as to state “...authentication gets you the deliverability you deserve.” The meaning behind that statement is that with email authentication, the domain(s) responsible for generating an email message can be clearly identified. This in turn means that any credit for following best practices (or blame for not doing so) can be accumulated by the responsible domain(s), and the receiving site can assign the correct reputation to the domain(s). This reputation, then, is a major factor in determining whether a given message ends up in the recipient’s inbox or spam folder, or is perhaps rejected outright.
The panel presented statistics showing current adoption numbers for Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol specifically designed for authorizing the use of the domain in the visible From header of an email message. Some in the industry see this as the most important of the available email authentication protocols, and so M3AAWG will continue to push adoption here whenever possible.
The session included a lively Q&A with audience participants who were both in the room and attending remotely, with many of the questions focused on current problems with email authentication and how to mitigate them. One topic that drew a lot of interest was a particular attack used by spammers to exploit DomainKeys Identified Mail (DKIM). These questions, and the follow-on discussions that took place during the rest of the M3AAWG meeting, may lead to updates to the M3AAWG Email Authentication Recommended Best Practices.
In summary, the panel session was a great way for M3AAWG to kick off its first in-person meeting in two years, and served as the germination point for many conversations among members from across the email industry.
As an additional resource, M3AAWG has published the first of a series of best practices on brand protection. Detailed blog posts and a link to the best practices document can be found here, https://www.m3aawg.org/blog/beyond-basic-domain-management-securing-your....
A number of other best practices on email, messaging, authentication, delivery and other topics are here, https://www.m3aawg.org/published-documents.