As a member of the Netscape browser team in the mid-to-late '90s, I participated on the front lines in the browser wars. I'm not just talking about the competition between Netscape and Microsoft for market share, but the battle between those of us trying to establish the browser as the next-generation application platform and the criminals trying to exploit it for nefarious purposes. At the core of the browser security stack was HTTPS, the protocol that ensures bidirectional encryption of communications and allows a user to validate the identity of the site to which he or she is connecting. It didn't take long for the use of HTTPS to become common practice for all sensitive web transactions, and in the last few years it has come to be used on many sites for all pages.
Despite the ubiquity and importance of email for transactional and business-critical communication, it's taking much longer for the equivalent security standards in the email world, which is based on the SMTP protocol, to become as prevalent. The use of TLS (or, more correctly, STARTTLS) at the transport level and DMARC-based email authentication at the operational level can plug a significant hole in SMTP that criminals are exploiting on a daily basis. The good news is that usage of both SMTP over TLS and DMARC has finally reached a critical mass of adoption, with large email senders such as Facebook, PayPal and Twitter and email receivers such as Google, Microsoft and Yahoo contributing to the network effect.
If HTTPS secures web transactions by itself, why are both SMTP over TLS and DMARC required for email? With web transactions, the domain of the web server and the domain of the website must be the same. However, with email, multiple servers with different domain identities can send email on behalf of a given email domain. For example, only web servers with the domain identity acme.com can serve content for the website https://acme.com. But emails from the email domain acme.com may legitimately originate from servers hosted by companies like Google (since Acme uses Google Apps for Business), Salesforce and Marketo, each with a different domain identity.
TLS provides connection-level encryption and validates the identities of the servers involved in an SMTP exchange to each other, preventing wiretapping and man-in-the-middle attacks. DMARC is needed in addition, to validate that a server can legitimately send messages for the email domain of the message, preventing spoofing attacks. The two used in conjunction can ensure end-to-end security between sending and receiving entities.
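To make the DMARC half concrete, here is an added example (not code from the original post) of the alignment check a receiver performs: the message passes only if an SPF- or DKIM-authenticated domain lines up with the domain in the From header. The policy record, the vendor and other-server domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC identifier alignment (RFC 7489).
# The record and every domain except acme.com are constructed for illustration.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, record, spf=None, dkim=()):
    """Return 'pass' or the policy to apply (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], tags.get("aspf", "r")))
    dkim_ok = any(result == "pass"
                  and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"  # constructed policy for acme.com

# Vendor sends for acme.com: its own bounce domain passes SPF but is not
# aligned; the DKIM signature with d=acme.com is, so DMARC passes.
vendor = evaluate("acme.com", RECORD, spf=("pass", "bounce.mailer.example"),
                  dkim=[("pass", "acme.com")])
# Unrelated server: SPF passes for its own domain, nothing aligns with acme.com.
unrelated = evaluate("acme.com", RECORD, spf=("pass", "other.example"))
print(vendor, unrelated)
```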
It's been over a decade since the initial browser wars, but the battle to secure email still continues. With SMTP over TLS and DMARC, the tools are in place to win and it looks like they may soon gain the ubiquity of HTTPS.
TLS and DMARC
Posted on September 26, 2014