In the past, email offered little security when sending mail to a contact. There was limited or no verification of the identity of the sender or the integrity of the messages themselves. As a result, spammers and phishers were able to forge emails pretending to be from any domain they chose.
However, over the last ten years the widespread adoption of three important standards has significantly enhanced the security of email communications. In fact, they have proved so successful that we’ve adopted them as our own standards. So, while the detail of these standards is slightly complex, we thought we’d summarise their purpose and use.
Sender Policy Framework (SPF)
The first of these is the Sender Policy Framework (SPF), a standard that allows domain owners to create DNS TXT entries that list the mail servers that can send mail on their behalf. Receivers of email can then reject email that does not come from an authorised source. On its own, SPF is valuable, but additional protection is provided by combining it with the next standard, DomainKeys Identified Mail (DKIM).
DomainKeys Identified Mail (DKIM)
The DKIM standard is an email authentication method that allows the receivers of email to check it has been authorised by the owner of the domain. It also allows partial checks on the integrity of the email, and confirmation that the email has not been tampered with in flight. In this case, DNS CNAME records are added to provide a public key that can be used to validate the email headers and message body.
Note that if your email services are provided by Microsoft then only the default onmicrosoft.com domain is protected with DKIM. You need to add the records necessary to protect your custom domain by following the instructions here.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
The Domain-based Message Authentication, Reporting and Conformance (DMARC) standard is used to publish a sender’s policy for handling mail from their domain. It specifies whether SPF, DKIM or both are being used for the sender domain, and what receivers of mail should do if mail has failed the specified checks. This policy is published as a TXT record in the domain owner’s DNS.
EnergySys does not support the use of DMARC to allow problems in DKIM or SPF to be ignored.
Implementing Secure Email Services
Implementing all three of these can dramatically increase the trust receivers place in mail they receive from your domain. The email service must be configured with these protocols by the administrators of the sending domain. Your DNS provider will undoubtedly have detailed instructions on setting them up.
EnergySys supports the transfer of data to your instances via email. We have checks in place to limit email exchange to permitted senders, but these may be less effective if we are unable to confirm that the sender information is genuine. For this reason, we enforce the use of the standards described above, and will reject email that does not pass these tests.