How ARC makes e-mail safe again

Johannesburg, 02 Feb 2021
Read time 5min 40sec
Sam Gelbart, Technical Director, SYNAQ
Sam Gelbart, Technical Director, SYNAQ

In the words of Mark Twain, the death of e-mail is often vastly exaggerated. Many collaboration services punt themselves as a replacement for electronic mail, promises that don't come to pass. E-mail is just too entrenched and ubiquitous, not to mention very useful. It fits nicely into a specific form of communication, enabled by a universal protocol that forms part of the Internet's foundations. No matter how good the collaboration or instant messaging alternative is, they can't seem to hit all the marks to replace e-mail. But why reinvent the wheel when it works so well?

Only, e-mail doesn't work so well. It's a particular challenge for security. Numerous reports reveal e-mail as the prime channel online criminals use to snare victims. Phishing, malware attachments and man-in-the-middle attacks are a few examples of e-mail exploitation. And it's grown much worse in recent years, says Sam Gelbart, Technical Director at SYNAQ: "In digital lifespans, e-mail is a very, very old technology. It doesn't lend itself well to a lot of security stuff that we have in place now that would potentially combat crime and protect messages. And it's grown into a big problem lately. E-mail has become much more exploited in the last decade. Spoofing and identity theft are big problems. There are also issues aligning e-mail with modern security. It often happens that security policy can derail e-mail, or e-mail derails security policy."

Making a DMARC

E-mail presents two fundamental challenges to security: it can be spoofed, meaning it's sent from a source other than reflected by the e-mail, and a third party can alter it. There also isn't sufficient reporting around e-mail to build better security policies.

Efforts to address these culminated roughly a decade ago into DMARC, or Domain-based Message Authentication, Reporting & Conformance. DMARC was a massive step forward for e-mail security. Systems architects and administrators can use the protocol to check an e-mail's authenticity and report incidents to beef up general knowledge around e-mail attacks.

"DMARC opened threat awareness, so you can see global exploit activities," says Gelbart.

But DMARC has a specific shortfall. The protocol assumes an e-mail remains unaltered since it was sent, which is rarely the case. If an e-mail changes after the initial send action, it will fail DMARC authentication and be rejected or flagged as spam. This, unfortunately, includes adding company branding or signatures, or redirecting e-mails – all common and useful activities.

So, while DMARC has vastly improved e-mail security, it's not flexible enough for many e-mail scenarios, Gelbart adds: "The policies that authenticate DMARC assume the mail arrives directly from the sender unchanged. So any type of changes, or what we call mutations, is a problem. Many companies don't realise this: if they add, for example, a company banner automatically to every e-mail sent, that change will likely flag DMARC and potentially stop that e-mail from reaching its recipient. It could be rejected by authentication at the receiver or even by the e-mail service provider."

The emperor's seal

DMARC needs a chain of custody, a way to show that even if there are alterations, the correspondence is still legitimate. In days long past, DMARC would be the equivalent of a signet ring or emperor's seal.

Famous examples include the Roman Emperor Augustus' ring, and the Imperial Seal of China, an ancient stamp carved from jade. Such a unique stamp was the verification of authority – more than one palace coup was arranged by someone 'borrowing' an official seal.

Several emperors, though, discovered that a single seal was problematic. Administering a vast kingdom was beyond what one person could handle. At times when pragmatism overrode paranoia, such seals were sometimes copied and given to trusted officials who could dispatch or alter orders on the emperor's behalf.

DMARC has the same difficulty as emperors did, and ARC solves that problem. The ARC (Authenticated Received Chain) protocol is the equivalent of reapplying a seal, indicating that changes to an e-mail are authentic and vetted. Even though it's not much more than five years old, ARC is fast becoming a global standard, already being enabled by major e-mail service providers.

"ARC creates a chain of custody for each hop the e-mail takes. You can see where it's been and its authenticity status at that point. So, when DMARC authenticates an arriving e-mail, ARC tells it where changes were made and if they were legitimate. ARC makes DMARC more flexible and increases e-mail security."

Email 2.0

E-mail is too useful to go away. It's easy to use, universally understood and no technology has managed to replicate its specific usefulness – not even Slack channels or social media. The fast-paced adoption of DMARC shows that the market doesn't want to get rid of e-mail, and ARC's even-faster adoption reflects how broad our uses for e-mail have become.

E-mail security challenges concern everyone: large companies running their own e-mail servers, e-mail hosts such as ISPs and smaller companies that use e-mail as a service. If a service fails to support these new protocols, it's both a security risk and a business problem: perfectly safe e-mails likely won't reach their recipients and might as well not have been sent at all.

ARC adoption should interest every type of organisation – from small SMEs with a handful of employees to larger enterprises covering thousands of people. Fortunately, most can expect this requirement from their e-mail hosts, and those hosting their own mail can use the services of a third-party's gateways to alter e-mails without violating DMARC.

"Companies are not going to give up their e-mail, and nor should they," says Gelbart. "Security had to rise to the challenge, and that's why we have DMARC and ARC. ARC adoption is still in its early days, but it's spreading fast because the market needs it. We've begun developing solutions that use ARC. I urge companies to ask their e-mail administrators and service providers about this. These protocols help fix e-mail and secures its place in the current digital world."