Email Authentication: Interview with Alexander Garcia-Tobar of Valimail

We take authentication for granted in our everyday activities. For example, we log into bank websites using a username/password or some stronger form of authentication, and we would never initiate such activity without this critical validation. Yet we don’t think twice about opening an email without any sense of whether it has been authenticated — leading to rampant impersonation attacks and significant damage to company brands. It is trivially easy to spoof messages so that hackers and criminals can impersonate a trusted source. As a result, more than 90 percent of cyber attacks start with an email.

Because of this threat, email is a key focus for enhanced authentication. The goal is to enable email recipients to trust the sender identities. This is a welcome advance, since email has until recently lacked such authentication. Valimail focuses on automating email authentication, with a range of different capabilities including support for an alphabet soup of authentication protocols: DMARC, SPF, ARC, BIMI, and DKIM. We recently asked Alexander García-Tobar, CEO and co-founder of Valimail, to share how his team sees this expanding market, and how his anti-impersonation platform provides authentication support for enterprise security and messaging teams around the world.

EA: What are the most common threats to modern email?

AG-T: There is a wonderful quality to email: It’s neutral, and nobody owns it. It just works, and it works everywhere, thanks to the open standards that it’s built on. Someone in Uzbekistan, for example, can send an email to someone in Canada without having to ask anyone permission or go through any gatekeepers. And it could be an important email message, potentially life-changing for the recipient. This explains why literally half the planet uses email. By some estimates, this includes 3.7 billion active users, more than any other digital social network. But that openness is also email’s security downfall, because that email from Uzbekistan could easily be a phish: that is, a fraudulent message designed to trick the recipient into downloading a malicious file, giving up the password to a critical account, or sending back personal information. There’s very little in email’s basic technology set to prevent senders from purporting to be whoever they want to be.

EA: What is meant by email authentication?

AG-T: Simply put, email authentication depends on widely accepted standards (DMARC, SPF, ARC, BIMI, and DKIM) to ensure that only designated and approved senders can send messages using your domain name in the “From” field. With authentication, you can trust that a message originated with the organization it appears to have come from. Recall that, in the 1980s, credit cards were becoming an increasingly popular payment method. A merchant would create a carbon copy imprint of the credit card, the holder would sign the paper, and the merchant would cross their fingers that they would get paid. As credit cards proliferated, increasingly complex and manual processes were put into place to authenticate the card — ever thicker booklets listing fraudulent cards, for example. Fraud exploded, so a new approach was launched: Visa, First Data, and Verifone POS terminals created a real-time, automated authentication process. Each company went on to multi-billion-dollar valuations and the credit card market exploded. In the modern email scenario, we are replacing the POS terminals and Visa with the largest ISPs (Microsoft, AOL, Google, and Yahoo!). Email authentication is the email equivalent to the credit card clearinghouse function described above.

EA: What does the Valimail platform include?

AG-T: We automate the deployment and running of real-time email authentication. We also provide in-depth reporting to help organizations gain visibility into which services are sending email on their behalf, and interact with third-party services to ensure authorized email is delivered while unauthorized email is rejected — both inside and outside your organization. This is a relatively complex set of procedures and typically it is extremely challenging for companies to do it on their own. Why? In the cloud era, it’s not uncommon for a single company to be using dozens of different cloud services, most of which send email “as” the company, using its domain name in the “From” field of the messages. For example, such services might include a marketing automation service, a payroll management service, a lead-scoring app, even a tool to support legal discovery and legal communication. Your IT people may not even know all these services are in use, since they may have been set up by line-of-business owners or department managers. With Valimail’s detailed reports, these “shadow email” services become instantly visible — and manageable.

EA: Do customers have to employ experts to properly publish DMARC records?

AG-T: Email authentication is unique in that it’s public, so analysis of public DNS records shows the success rates, how long each project has taken, and whether a company is doing it themselves or with a vendor. About 65 percent of all DMARC projects are do-it-yourself (DIY) — and looking at millions of DNS records shows the DIY approach fails 80 percent of the time, even with 2-3 full-time employees working on it for 12 months. First-generation DMARC vendors provide consulting expertise and some technology that can reduce the load to about one full-time employee. But even there, the success rate after a year ranges from 20 to 40 percent depending on the vendor in use. Valimail was born out of these unacceptable stats: The notion was to create a fully automated system that works invisibly. We created the only company in the email authentication market to offer a guarantee that we will get you to DMARC enforcement. As a result, our success rate is well over 90 percent with a median of 60 days to enforcement and near zero FTEs.
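The two answers above describe, in prose, what DMARC actually computes: a message passes only if SPF or DKIM authenticates a domain that is also aligned with the “From” domain, and a domain is “at enforcement” only when its published record asks receivers to quarantine or reject failures. The following Python is an added example written for this page; it is not Valimail’s code. It implements a minimal DMARC record parser, an enforcement classifier of the kind used to survey public DNS records, and a DMARC evaluator run over constructed SPF/DKIM results. The organizational-domain reduction is a simplification (real verifiers consult the Public Suffix List), and every domain, record and message result is made up.

```python
"""Added example (not Valimail code): how DMARC ties SPF and DKIM results to the
From: domain, and how a published DMARC record decides whether a domain is
"at enforcement". Every domain, record and message result here is constructed."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dict.
    Returns {} when the text is not a usable DMARC record (wrong version or no p= tag)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def enforcement_status(txt: str) -> str:
    """Classify a record the way DMARC adoption surveys do: 'missing', 'monitoring'
    (p=none), 'partial' (quarantine/reject but pct<100) or 'enforcement'."""
    tags = parse_dmarc_record(txt)
    if not tags:
        return "missing"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"
    if policy in ("quarantine", "reject"):
        return "enforcement" if int(tags.get("pct", "100")) >= 100 else "partial"
    return "missing"  # unrecognised p= value: the record is not usable


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its last two labels. Real verifiers consult the Public
    Suffix List; this stand-in is an assumption that keeps the example offline."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if mode.lower() == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC 5322 From: header
    spf_result: str    # result of the SPF check on the envelope sender
    spf_domain: str    # envelope (MAIL FROM) domain the SPF check used
    dkim_result: str   # result of verifying the DKIM signature
    dkim_domain: str   # d= tag of that signature


def dmarc_evaluate(msg: AuthResults, record_txt: str) -> tuple:
    """Return (disposition, reasons). 'pass' needs at least one authenticated
    identifier (SPF or DKIM) that is also aligned with the From: domain;
    otherwise the record's p= policy is the requested disposition."""
    tags = parse_dmarc_record(record_txt)
    if not tags:
        return "none", ["no DMARC record published for the From: domain"]
    spf_ok = msg.spf_result == "pass" and is_aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and is_aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    reasons = [f"spf={'aligned pass' if spf_ok else 'no aligned pass'}",
               f"dkim={'aligned pass' if dkim_ok else 'no aligned pass'}"]
    if spf_ok or dkim_ok:
        return "pass", reasons
    return tags["p"].lower(), reasons


if __name__ == "__main__":
    # Constructed record and messages for example.com (all values made up).
    RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # A message from the company's own bounce domain: SPF passes and aligns.
    legit = AuthResults("example.com", "pass", "bounce.example.com", "fail", "")
    # A "shadow email" service: SPF and DKIM both pass, but only for the
    # service's own domain, so neither identifier aligns with example.com.
    unlisted = AuthResults("example.com", "pass", "mailer.some-esp.net",
                           "pass", "some-esp.net")
    print(enforcement_status(RECORD))
    print(dmarc_evaluate(legit, RECORD))
    print(dmarc_evaluate(unlisted, RECORD))
```

The `unlisted` case is the situation the interview calls “shadow email”: the third-party service authenticates cleanly for its own domain, yet under a `p=reject` record its mail is rejected because nothing it signed or sent aligns with the company’s “From” domain. Getting such a service authorized means adding it to the company’s SPF record or having it sign with a DKIM key under the company’s domain, not loosening the policy.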

EA: Do you see email authentication expanding to other forms of online communication including OTT apps?

AG-T: Our expanded mission is to “Authenticate the World’s Communications.” The need for authentication comes to every major form of technology sooner or later. Authentication of people is possible now through unified login products like Duo, Okta, Gigya, and OneLogin. These services give enterprises control over who is logging in and accessing key digital resources, whether those are employees using internal apps or customers accessing the public website. Cloud access service brokers (CASBs) like Skyhigh and Netskope help enterprises manage what resources various services can access. They provide a centralized point of control, detection, management, and enforcement for cloud services, giving IT staff simpler control and visibility into the various services used throughout the organization. Authentication for communications is coming into its own, starting with a massive surge of adoption for email authentication. Over the past year, the number of domains with DMARC records tripled. Usage of DMARC has also been spurred by the U.S. Department of Homeland Security’s mandate that all federal agency domains use DMARC, with a strict policy of enforcement, by October 16, 2018. The U.K. government issued a similar mandate a few years ago, resulting in a remarkable surge of adoption. After email becomes authenticated by default, who knows what’s next? We see authentication expanding into any area where the identity of who you’re communicating with needs to be verified. That could include IoT applications and many other areas. Once you grasp the power of authentication, it’s hard to believe it’s not used everywhere, which is why we think the growth potential in this market is so huge.