Over the past several years, a drastic increase in spam, email fraud and phishing, and email-borne viruses, Trojan horses, and worms has eroded the trust people place in the messages they receive. These problems occur when the "From:" field in an email message has been "spoofed" to falsely represent a sender or domain.

Email authentication promises to stop these abuses by ensuring that email senders and domains cannot be spoofed. However, the email industry has not yet standardized on a single technology for universal implementation of email authentication.

Two Email Authentication Approaches: DNS Authentication and Digital Signatures

DNS based Authentication and Signature based Authentication are complementary and can be used in combination with each other.

DNS-based Authentication

This approach allows organizations to use the Internet’s DNS architecture to determine if an email message was sent from an authorized email server. If the domain in the "From:" field does not match the authorized domain of the server, the message is rejected. The leading email authentication standards for this approach are SPF (Sender Policy Framework) and Microsoft’s SenderID.

Signature-based authentication

This approach enables email senders and domains to digitally sign email messages using a cryptographic “key”. These digital signatures assure email recipients that messages were sent from the email address in the "From:" field and have not been spoofed. The leading key-based authentication technologies include S/MIME, Yahoo DomainKeys, and Cisco’s Identified Internet Mail.

While these solutions overcome some of the third-party sender problems associated with DNS-based approaches, widespread adoption has been hindered due to the lack of a standard protocol for signing messages and storing and retrieving keys. For example, S/MIME is supported in 95% of commercial email clients, but is not supported by webmail vendors, who consider it too heavyweight for the high volumes of email they process. Tumbleweed MailGate Email Firewall supports both SPF authentication and S/MIME digital signatures, allowing organizations to prevent spam, phishing attacks, and email-borne threats from entering or leaving their email networks.

With MailGate Email Firewall, organizations can:

• Protect employees from exposure to fraudulent email by automatically applying SPF validation testing at the Internet gateway to ensure incoming emails have not been spoofed.
• Automatically apply inbound and outbound S/MIME digital signature policies at the Internet gateway to assure recipients that the email they receive from your organization is authentic.
• Receive automatic heuristic updates via Tumbleweed’s Dynamic Anti-spam Service to combat new phishing scams and spam techniques.

Learn more about MailGate Email Firewall.

Unless an email is digitally signed, recipients cannot trust the “From:” field in the message, leaving them vulnerable to phishing attacks and other forms of email fraud. While there is no failsafe way to prevent a scam artist from exploiting your company's brand to perpetrate an attack, you can provide positive proof to customers and partners that your communications with them are authentic.

MailGate Email Firewall includes an Email Authentication Engine that allows you to automatically apply S/MIME digital signatures to outbound email at the gateway, based on policies you define. Digital signatures are based on S/MIME, the industry standard for email security, which is supported in Microsoft Outlook, Microsoft Outlook Express, Lotus Notes, and Novell GroupWise. Together these email programs have an installed base of more than 350 million email clients throughout the world, making Tumbleweed’s solution easily and ubiquitously deployable.

When a recipient opens your digitally signed email, they can trust that 1) the domain in the "From:" address is legitimate, because 2) the email client displays a ‘ribbon’ or icon that indicates the message is valid, and not forged. As a result, consumers can easily identify bogus emails purporting to be from your organization.

How It Works

For your email users, digitally signing messages is an automatic process—no software to install or procedures to learn:

• The User sends an outbound mail from his/her email client.
• The MailGate Email Firewall determines that the email message should be signed.
• The Email Authentication Engine digitally signs the email message.
• The MailGate Email Firewall sends the message on to its destination over the Internet.

The S/MIME digital signature that is generated contains two pieces of "unspoofable" information:

• A digital certificate that contains information about the sender who signed the message. The digital certificate, issued by a 3rd-party Certificate Authority (CA), verifies that the message content came from the address in the “From:” field of a digitally signed email.
• An encrypted representation of the message that cannot be spoofed.

The digital signature verification process in the email client typically involves the following tests:

• Validate that the email address in the “From:” field of the email matches the email address in the digital certificate.
• Validate that the digital certificate was issued by a trusted CA.
• Validate that the message was not tampered with in transit, by decrypting the encrypted representation of the message and comparing it to a newly generated representation of the received message.
• Validate that the certificate has not expired.

Learn more about MailGate Email Firewall.                               

^ back to top