Historically, email security was weak: the protocols offered limited or no verification of the identity of the sender or of the integrity of the messages themselves. As a result, spammers and phishers were able to forge emails pretending to be from any domain they chose.
However, over the last ten years the widespread adoption of three important standards has significantly enhanced the security of email communications. In fact, they have proved so successful that we have adopted them as our own standards. So, while the detail of these standards is slightly complex, we thought we’d summarise their purpose and use.
Sender Policy Framework (SPF)
The first of these is the Sender Policy Framework (SPF), a standard that allows domain owners to create DNS TXT entries listing the mail servers that may send mail on their behalf. Receivers of email can then reject email that does not come from an authorised source. On its own, SPF is valuable, but additional protection is provided by combining it with the second standard, DomainKeys Identified Mail (DKIM).
DomainKeys Identified Mail (DKIM)
The DKIM standard is an email authentication method that allows the receivers of email to check that it has been authorised by the owner of the domain. It also allows partial checks on the integrity of the email, confirming that the signed headers and body have not been tampered with in transit. In this case, DNS CNAME records are added to provide a public key that can be used to validate the email headers and message body.
Note that if your email services are provided by Microsoft, only the default onmicrosoft.com domain is protected with DKIM. You need to add the records necessary to protect your custom domain by following the instructions here.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
The Domain-based Message Authentication, Reporting and Conformance (DMARC) standard is used to publish a sender’s policy for handling mail from their domain. It specifies whether SPF, DKIM or both are being used for the sending domain, and what receivers of mail should do if mail fails the specified checks. This policy is published as a TXT record in the domain owner’s DNS.
EnergySys does not support the use of a DMARC policy that allows DKIM or SPF failures to be ignored.
Implementing Secure Email Services
Implementing all three of these can dramatically increase the trust that receivers place in mail from your domain. The protocols must be configured by the administrators of the sending domain, in that domain’s DNS and email service. Your DNS provider will undoubtedly have detailed instructions on setting them up.
EnergySys supports the transfer of data to your instances via email. We have checks in place to limit email exchange to permitted senders, but these may be less effective if we are unable to confirm that the sender information is genuine. For this reason, we enforce the use of the standards described above, and will reject email that does not pass these checks.
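As an added illustration (example code written for this summary, not EnergySys’s own mail-filtering implementation), the following Python evaluates a constructed SPF record against a sender’s IP address and checks whether a constructed DMARC record actually instructs receivers to act on failures rather than merely report them. It handles only the ip4/ip6 mechanisms, since include, a and mx require DNS lookups; the record values and domain names are placeholders.

```python
import ipaddress

# Constructed sample DNS TXT records for an imaginary sending domain
# (placeholders, not real records).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting IP.
    Only ip4/ip6 mechanisms and the 'all' terminator are handled; mechanisms
    needing DNS lookups (include, a, mx, redirect) return 'unsupported'."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # not an SPF version-1 record
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network, or vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]  # terminator covers everything else
        else:
            return "unsupported"
    return "neutral"  # record ended without an 'all' terminator

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforces(record):
    """True only if the policy asks receivers to act on SPF/DKIM failures.
    p=none just requests reports, so failures would be ignored."""
    tags = parse_dmarc(record)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")

if __name__ == "__main__":
    print(spf_check(SPF_RECORD, "203.0.113.10"), dmarc_enforces(DMARC_RECORD))
```

With the sample records, a message from 203.0.113.10 passes SPF, one from 198.51.100.5 fails, and the p=none DMARC policy is reported as non-enforcing.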