In the most recent release of Cloudmark Security Platform (CSP) for Email 5.7, Cloudmark’s carrier-class email security gateway adds support for two emerging authentication and security protocol standards: Authenticated Received Chain (ARC, RFC 8617) and SMTP MTA Strict Transport Security (MTA-STS, RFC 8461).
The ARC protocol addresses a difficulty in authenticating forwarded messages not addressed by other email authentication standards. It enables a chain of custody handoff between email systems, adding an indexed set of headers to a given message that describe the message’s email authentication validation status(es) as seen at each hop in the message’s SMTP delivery path. These headers enable a receiving MTA to look one or more hops upstream for email authentication validation results from intermediary email systems, strengthening trust and reducing the number of legitimately forwarded messages that might have previously failed email authentication validation.
If, for example, a message passed through an intermediary hop with an IP address that the sending domain didn’t have specified within their published Sender Policy Framework (SPF) policy record, that message would in many cases fail validation once it was received at the end email server destination. Likewise, with Domain Keys Identified Mail (DKIM) authentication, if a message passed through a forwarding hop that made a small modification to a DKIM-signed message header or added an email footer, the cryptographic hashes created by the original email server to prove ownership no longer matched when checked at the final destination, resulting in a failed DKIM validation. If both SPF and DKIM validations fail, the likelihood that the final downstream SMTP destination would reject the message increases, impacting deliverability of legitimately forwarded messages or messages sent through email mailing list platforms. In the upcoming 5.7 release, both ARC signing and ARC header validation are supported.
In 2017, Cloudmark introduced support for DNS-Based Authentication of Named Entities (DANE, RFC 7672) in Cloudmark Security Platform for Email version 5.2 which improved site to site email security. DANE SMTP is a protocol that relies on Domain Name System Security Extensions (DNSSEC), a security-enhanced DNS protocol enhancement with DNS zones that are digitally signed and verifiable up the DNS directory tree, all the way to the root zone. Due to the perceived complexity of deploying DNSSEC, adoption of the standard has been slow since its initial deployment in 2010, deterring many organizations from deploying DANE. As an alternative solution, the MTA-STS protocol specification was born.
MTA-STS relies not on DNSSEC, but rather Transport Layer Security (TLS) delivery requirement policies that are indicated in DNS but hosted on HTTPS-secured web servers at the destination domain. This SMTP TLS-enhancing protocol enables site to site email deliveries to be upgraded from standard opportunistic TLS to a more secure forced TLS connection, when the downstream domain specifies this policy in DNS. The published policy advertises to SMTP clients that all inbound email traffic must be TLS-encrypted using a specified server certificate.
With the addition of support for MTA-STS in the CSP for Email 5.7 release, both DANE and MTA-STS protocols can be simultaneously supported. This allows the mail server to choose which TLS upgrade protocol to use based on what protocol is supported at the destination domain for a given email message. While the technical implementations of DANE and MTA-STS are different, the outcome is the same: Site-to-site email delivery will be significantly more resilient against man in the middle (MiTM) attacks as compared to plain text email delivery or relying on opportunistic TLS which is subject to plain text downgrade attacks.
By including support for both ARC and MTA-STS protocols in Cloudmark Security Platform for Email 5.7, we are pleased to be able to contribute to more reliable and secure email communications for our clients and their users.