SYNAQ bolsters email authenticity with ARC
Extending DMARC for Email Forwarding, Mailing Lists and Email Modifiers
Delivering correctly authenticated email from our platforms is top of mind at SYNAQ with the rapid uptake and global standardisation of domain-based message authentication, reporting and conformance (DMARC) policy enforcement on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication for outgoing email.
One of the problems that we face in securing our customers' email is that we are a security, mailbox and email branding service provider. With all those layers of functionality on offer, there are several steps or “hops” when mail is changed or redirected before we deliver it to the internet.
Why does this matter?
When a mail server signs a mail with a DKIM signature before internet delivery, that email’s content is encapsulated and treated as an immutable object until a receiver’s server can verify the email’s DKIM signature and all the components encoded into it. This is in addition to the receiver ensuring that the sender’s domain SPF checks pass and that the email passes DMARC.
However, there are several problems with the concept of immutability. First, not all email leaves SYNAQ platforms because they were sent by a customer (mailbox forwarding rules) and second, we must sometimes change the content of an email before it leaves our platform (email branding with the application of signatures and banners).
So how do we forward and brand emails while still maintaining the authenticity of our customers’ email? This is where ARC comes in.
The Authenticated Received Chain (ARC) system for DMARC provides a way to generate what is in effect a “chain of custody” for email messages. This allows each mail hop, or a mutating service like SYNAQ branding, to see all the hops that previously handled the email in question. It also shows the message’s authentication status across each step throughout the handling chain.
This is really important when we look at the first problem of email redirects or rule-based forwarding. Before ARC, when forwarding a DKIM-protected email, the receiver would receive the mail with new headers and the DKIM signature check would fail. This also meant that these emails would fail DMARC. With ARC in play, all original authentication information is sealed in place for the receiver to inspect and evaluate before forwarding takes place.
The same concepts apply when Email Branding is applied before delivery. If the mailbox server DKIM signs a mail and ARC seals it and the email ID is sent on to the branding server, the next hop would traditionally evaluate the mail and find email body hash (DKIM encoding) mismatches.
Now with ARC, the original mail is DKIM signed, so when branding service evaluates the mail and confirms its validity, it too applies an ARC seal that confirms the original signature was valid, and so on. The result is that any downstream receiver that supports ARC authentication can follow the “chain of custody” and can validate that the mail is authentic and that it passes the DKIM component of DMARC. Assuming the sending domain’s SPF records are correctly applied for SYNAQ, the email will pass both SPF and DKIM checks for their DMARC policy and will be as authentic as it can be.
SYNAQ is hard at work to ensure that all our mail hops perform ARC sealing after prior validation of the previous mail system’s actions and mutations. As mentioned above, these complex and thorough testing protocols are being built to ensure we get this enhanced security right. But we are on the right track and look forward to rolling out DMARC (with DKIM, SPF and ARC support) as a formal toolset on SYNAQ Securemail, Cloud Mail and Branding services in the first half of 2021.
Please review this article linked below for more detailed information on how ARC works: https://en.wikipedia.org/wiki/Authenticated_Received_Chain
Glossary of Terms:
DKIM - DomainKeys Identified Mail
SPF - Sender Policy Framework