
BITS releases guide for implementing email authentication protocols

Organization aims to help financial-services firms fight phishing attacks with paper on deploying Sender Policy Framework and DomainKeys Identified Mail protocols.

A new paper released this week by BITS is designed to help financial institutions combat phishing attacks by providing a guide for implementing standards-based email authentication protocols.

The paper, "Email Sender Authentication Deployment", focuses on two protocols, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). The document provides a high-level technical overview of the protocols and addresses deployment considerations, metrics and best practices.

SPF aims to thwart email spoofing by providing a framework in which the domain of an email sender can be authenticated. DKIM allows organizations to add a cryptographic signature to outgoing mail, certifying the message came from the domain displayed in the mail header. DKIM was approved as an official IETF standard in 2007.

Deploying the email authentication protocols can help financial institutions reduce phishing and boost consumer confidence, said Paul Smocer, vice president of security at BITS.


"Phishing is a big problem in the financial services industry. Obviously the spammers and phishers know where the money is, so they go after our industry more than others," he said. "So we're looking for a solution or solutions that allow us to cut down on the amount of phishing."

Financial institutions also want email to be secured and become a valid business channel, he said. "So we can get to a point where enrolling new customers or offering new products can be done through email with an assurance of legitimacy." The vast majority of institutions shy away from using email for those kinds of activities out of concern about email spoofing, he added.

"If we can secure email effectively, then it results in only a preventative measure, but it also creates an opportunity," Smocer said.

BITS, a division of The Financial Services Roundtable, developed the document with eCert Inc., a San Francisco-based service provider that works with organizations to implement email authentication protocols. The paper is intended to help financial organizations understand how to plan to deploy the protocols and the steps they need to take to implement them, he said.

Smocer said about 10% to 15% of BITS' 100 members have deployed SPF while many are interested or are in planning stages to deploy the newer DKIM.

According to a report released last year by the Authentication and Online Trust Alliance, 52% of the Fortune 500's consumer-facing financial services brands adopted DKIM and Sender ID (SIDF), Microsoft's version of SPF.


Smocer said it's not technically difficult to deploy SPF or DKIM, but one of the challenges for organizations is locating all their sources of email. This can be especially difficult for large companies with many lines of business and contractors sending email for them. A company can start its deployment by focusing on the most important email, he said.
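The inventory problem described above can be checked mechanically once a draft SPF record exists. The following is an added example, not code from the BITS paper or from this article: it evaluates the literal `ip4`/`ip6` ranges of an SPF record against a list of known sending systems and flags the ones the record does not cover. The domain, record, host names and addresses are constructed placeholders, and mechanisms that require DNS (`include`, `a`, `mx`) are reported rather than resolved.

```python
import ipaddress

# Constructed SPF record for the placeholder domain bank.example (assumption).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 include:_spf.esp.example -all"
# Constructed inventory of systems that send mail as bank.example (assumption).
SENDERS = {
    "corporate-mta": "192.0.2.25",
    "statements-batch": "2001:db8:10::5",
    "marketing-contractor": "198.51.100.77",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not evaluated here
            continue
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term[1:] if term[0] in RESULTS else term
        name, _, value = body.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_ip(record, ip):
    """Evaluate terms left to right; return (result, terms that still need DNS)."""
    addr = ipaddress.ip_address(ip)
    unresolved = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier], unresolved
        elif name == "all":
            return RESULTS[qualifier], unresolved
        else:
            # include/a/mx/exists need DNS; the result only holds if none match
            unresolved.append(name + (":" + value if value else ""))
    return "neutral", unresolved

def audit(record, senders):
    """Map each sender name to its SPF result and any skipped terms."""
    return {name: check_ip(record, ip) for name, ip in senders.items()}

if __name__ == "__main__":
    for name, (result, unresolved) in audit(SPF_RECORD, SENDERS).items():
        print(f"{name:22} {result:9} needs DNS: {unresolved}")
```

A `fail` that lists unresolved terms means the source is outside the record's literal ranges and is authorized only if one of those DNS-based mechanisms covers it, which is the case to confirm before publishing a `-all` policy.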

The second challenge, he said, "is getting the ISPs and email service providers to actually honor the rule sets you're creating around SPF and DKIM." BITS has talked with ISPs and email service providers to understand the challenges they face and plans to work with them to ensure "we have a methodology for those industries to support implementation of this," Smocer said.

Financial institutions of all sizes can benefit by implementing the email authentication protocols, he said. "There is value for an institution that uses email to communicate with its customer base to having these protocols implemented."
