In my previous article (Part 1), I identified several different types of unsolicited email messages and the common methods used for their propagation. In this article, I will go into detail about how to prevent unsolicited email from using up valuable business resources (a very important issue for employers that seek to maximise efficiency from their employees) and some technical steps needed to protect your business from email forgery (these do require an IT professional to implement properly).
Please take into consideration that if you wish to minimise the amount of unsolicited emails that you receive, the advice below is most effective for new and well chosen email addresses.
If you are already signed up for thousands of daily unsolicited messages, it's a bit too late and the best way forward is to gradually phase out your email account. Setting up a harsh filtering system to combat more extreme cases will, without doubt, junk a lot of genuine emails.
Choose your Email Correctly
This is the first and most important step.
You want to choose email addresses with a full combination of first name and last name (e.g. email@example.com). Keeping only your first name (especially if it's common) in front of your domain is not the best choice. The same applies to common default addresses – info@, enquiries@, sales@, etc. Avoid these if you can.
If you already have an email address without your full name, consider phasing it out.
Keep Personal and Business Email Separate
Keep a separate personal email address that can be easily discarded. Leave the business email address for business use only and sign up to offers or newsletters using your personal email address.
Server-Side SPAM Filtering
The most effective SPAM Filtering occurs at the email server, before the messages actually get to the Inbox on your computer or your phone. Server side SPAM Filtering works well because the applications that carry out this service are well-maintained on a regular basis (either by proprietary firms or the open source community), widely used, have access to large amounts of sample data to learn from, and have live access to public and private blacklist databases of known sources of SPAM.
You generally have a simple choice with server side SPAM Filtering. You can either engage a cloud email hosting provider to handle your emails, or use a typical web hosting provider that offers SMTP/POP3/IMAP email services with the SpamAssassin server-side filter.
There are advantages and disadvantages to both choices.
With the first choice, you are completely handing over the wheel to an external provider. The SPAM filtering systems offered by these providers are usually effective, however they can be on the harsh side and often label genuine emails incorrectly as SPAM. While users of these systems are generally satisfied with the low amount of unsolicited messages that get through, there is a risk of losing business. Configuration and customisation options are usually limited. Privacy may be an issue, as the extent of the cloud provider's access to personal data is not under your control. On the other side, these systems are simple to use and don't require much in terms of setup and getting started. They usually provide high quality web based interfaces and additional business features such as calendars.
The second choice is a better option if you would like to retain more control. Open source email filters such as SpamAssassin are very widely used and offer versatile configuration options. This type of filtering software is generally not as harsh and uses a “scoring” system to determine the legitimacy of each email: each test that fires adds to (or subtracts from) the score, and the message is only marked as SPAM once the total crosses a threshold you set. Your choice of web hosting providers is very wide when using this type of software, as well as your choice of actual web hosting services – such as shared web hosting, virtual private servers and dedicated servers. Software like SpamAssassin, however, generally requires an IT person with technical web hosting expertise to configure – this can often be done by the professional that takes care of your web hosting, such as your web developer.
Client-Side SPAM Filtering
In addition to filtering SPAM on the server, you can also choose an appropriate email application to filter messages again after they are received on your computer. This is generally not required and isn't relevant if you are using a cloud email hosting provider. However, it may be of use if you are using server-side filtering tools like SpamAssassin (see above) with loose filtering settings that let some SPAM messages through.
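As an added example (not code from the article), the following Python script shows what the server-side “scoring” result looks like and how a second, stricter check on the client can act on it. SpamAssassin records its verdict in an X-Spam-Status header of the form shown below; the three sample messages, their scores, test names and addresses are constructed for this example, and the 4.0 client threshold and the “suspect” folder are assumptions of the example rather than anything SpamAssassin or Thunderbird defines.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages, as a mailbox would receive them after the server
# has scored them. The X-Spam-Status header follows SpamAssassin's real format;
# scores, test names and addresses are made up for this example.
SAMPLE_MESSAGES = [
    """From: newsletter@example.net
To: first.last@example.com
Subject: Weekly update
X-Spam-Status: No, score=1.3 required=5.0 tests=HTML_MESSAGE,URIBL_BLOCKED

Hello, here is this week's update.
""",
    """From: deals@example.org
To: first.last@example.com
Subject: You have won
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_80,HTML_MESSAGE,MISSING_MID

Click now to claim.
""",
    """From: unknown@example.org
To: first.last@example.com
Subject: *****SPAM***** Cheap offers
X-Spam-Status: Yes, score=9.8 required=5.0 tests=BAYES_99,RCVD_IN_XBL,URIBL_BLACK

Buy now.
""",
]

# "Yes, score=9.8 required=5.0 tests=A,B" -> verdict, score, threshold, tests
STATUS_RE = re.compile(
    r"^(Yes|No),\s+score=(-?[\d.]+)\s+required=(-?[\d.]+)(?:\s+tests=(\S*))?"
)


def parse_spam_status(msg: Message):
    """Return (server_says_spam, score, required, tests) from X-Spam-Status,
    or None when the server added no such header."""
    header = msg.get("X-Spam-Status")
    if header is None:
        return None
    header = " ".join(header.split())  # unfold a possibly wrapped header
    m = STATUS_RE.match(header)
    if not m:
        return None
    tests = m.group(4).split(",") if m.group(4) else []
    return (m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests)


def classify(raw: str, client_threshold: float = 4.0) -> str:
    """Decide where a message is filed: 'inbox', 'suspect' or 'junk'.

    The server's verdict is honoured first (score >= required -> junk). A
    message the server let through is then re-checked against a stricter,
    purely local threshold, which is the "filter again on the client" step.
    """
    parsed = parse_spam_status(message_from_string(raw))
    if parsed is None:
        return "inbox"  # no server-side scoring present; nothing to go on
    is_spam, score, required, _tests = parsed
    if is_spam or score >= required:
        return "junk"
    if score >= client_threshold:
        return "suspect"
    return "inbox"


def sort_mailbox(messages, client_threshold: float = 4.0):
    """Classify every message in the list; returns one folder name per message."""
    return [classify(m, client_threshold) for m in messages]


if __name__ == "__main__":
    for raw, folder in zip(SAMPLE_MESSAGES, sort_mailbox(SAMPLE_MESSAGES)):
        subject = message_from_string(raw)["Subject"]
        print(f"{folder:8} {subject}")
```

The second sample scores 4.6: below the server's `required=5.0`, so it reaches the mailbox, but above the local 4.0 threshold, so the client sets it aside. Raising the client threshold to 5.0 makes the client agree with the server exactly, which is the situation the article describes as making a client-side filter unnecessary.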
There are many suppliers of client side email applications with in-built SPAM filters. A good example is Mozilla Thunderbird, which is a widely-used, free, open source and cross-platform application.
The best case scenario is still to avoid client-side SPAM Filtering applications, as results can be inconsistent. You will likely have variations when using your email across multiple devices. This solution is often limited to personal use, a micro-business or as a temporary fix. It is not scalable for businesses with a large number of employees and email accounts.
A little-known fact: regardless of how sophisticated cloud email service providers appear with their offerings, and how much new development has occurred in the digital space in recent times, all emails that you send and receive on a daily basis are handled via a rather archaic protocol known as SMTP (Simple Mail Transfer Protocol), first defined in 1982. Unfortunately, it hasn't changed much since. It's simply too difficult to introduce major changes and improvements to such a widely-deployed protocol.
The particular issue with this protocol is that it appeared during an era where the Internet was a bit of a different place. It's not that the protocol isn't secure – it's just that the way it's designed, it doesn't provide much in terms of sender authentication.
The in-built limitations mean that anyone can easily send any email message on behalf of anyone's sender address – this can quickly become an important issue for your business if someone decided to forge email messages and use your good name for malicious purposes. It does happen, and I have indeed reported forged messages I have received to business owners myself on a few occasions, just to inform them as to what was happening behind their back.
There are steps to minimise this. The limitations of the protocol still mean that there is no in-built method to eliminate this problem, however there are several standards that are currently used to check the integrity of an email message sender.
SPF, DKIM and DMARC
SPF, DKIM and DMARC are the 3 open standards that assist in verifying the authenticity of email messages. These standards are applied to domain names and email servers.
They are widely-implemented and you must ensure that your own domain name and email server configuration is in good order to ensure your messages are delivered as intended to your recipients and your business domain name is protected from forgery.
SPF (Sender Policy Framework) – SPF defines the email servers that are allowed to send emails from your business domain. Once SPF is configured correctly for your domain name, the recipient's email server can check whether email messages that appear to come from your business were indeed sent through an approved email server. To configure this option, a special DNS record needs to be added to your domain via your domain name hosting provider.
DKIM (DomainKeys Identified Mail) – Another method of sender authentication, this standard relies on cryptography to verify email messages. Your email server will need to be configured to automatically add a digital signature to each email you send, and your domain will need a special record added containing the “public key” used for verification by the recipient email servers.
DMARC (Domain-based Message Authentication, Reporting and Conformance) – In simple terms, this is a standard used to set rules for emails that fail verification. Once both SPF and DKIM are properly configured for your domain name, you can instruct conforming recipient email servers to automatically reject email messages that appear to come from your domain name and fail both verification checks.
For most users, configuring SPF records is sufficient. Some may prefer to go the extra step and set up all 3 standards for more complete protection. Not all email servers abide by these additional standards, but this system is quite effective and is gaining widespread acceptance. Please note that proper configuration can be quite involved, and external email applications that send emails on your behalf (e.g. CRM tools) can be affected if they are not taken into consideration.
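To make the three records concrete, here is an added Python example (not from the article) of the checks a recipient's server performs. It embeds constructed DNS TXT records for a hypothetical example.com (and a hypothetical third-party mail host, _spf.mailhost.example, of the kind a CRM tool would ask you to "include"), evaluates the SPF record for a given sending IP address, reads the DMARC policy, and combines the SPF result with an assumed DKIM result the way DMARC alignment requires. The IP addresses, domains and records are all made up; the DKIM signature check itself is represented by a boolean argument rather than implemented, and only the common SPF mechanisms (ip4, ip6, include, all) are handled.

```python
import ipaddress

# Constructed DNS zone data. A real receiver would fetch these TXT records from
# DNS; they are embedded so the example runs offline.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "mail.example.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=r"],
    "loose.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}


def lookup_txt(name):
    return TXT_RECORDS.get(name.lower(), [])


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Handles the ip4/ip6/include/all mechanisms with the +/-/~/? qualifiers;
    a/mx/redirect are treated as errors to keep the example short. The depth
    cap mirrors SPF's limit on DNS lookups per evaluation.
    """
    if depth > 10:
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is an invalid setup
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv4 address is never "in" an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return qualifiers[qual]
    return "neutral"  # no mechanism matched and no 'all' term present


def parse_dmarc(domain):
    """Return the tags of the domain's DMARC record as a dict, or None."""
    for rec in lookup_txt("_dmarc." + domain):
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def org_domain(domain):
    # Simplified: the last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, sender_ip, mail_from_domain, dkim_domain=None, dkim_ok=False):
    """Combine SPF and DKIM the way a DMARC-aware receiver does.

    Returns (result, policy): result is 'pass' when an *aligned* SPF pass or an
    aligned DKIM pass exists, otherwise 'fail'; policy is the p= tag the sender
    asked receivers to apply on failure ('none' when no record exists).
    """
    tags = parse_dmarc(from_domain)
    if tags is None:
        return ("none", "none")
    spf_aligned = (check_spf(mail_from_domain, sender_ip) == "pass"
                   and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_ok and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    return ("pass" if (spf_aligned or dkim_aligned) else "fail", tags.get("p", "none"))


if __name__ == "__main__":
    print(check_spf("example.com", "203.0.113.7"))          # pass (own range)
    print(check_spf("example.com", "198.51.100.10"))        # pass (via include)
    print(check_spf("example.com", "192.0.2.1"))            # fail (-all)
    print(dmarc_result("example.com", "192.0.2.1", "example.com"))  # ('fail', 'reject')
```

The last two lines of the `main` block show the forgery case the article describes: a message claiming to be from example.com but sent from an address outside the permitted ranges fails SPF, has no DKIM signature, and the domain's `p=reject` policy tells conforming receivers to drop it. The `aspf=s` tag in the constructed record also shows the kind of detail the article warns about: mail sent through mail.example.com passes SPF on its own but is not strictly aligned with example.com, so it would fail DMARC unless it also carries a valid DKIM signature for example.com.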
If you are interested in custom web design and development, please get in touch with Daniel Moisyeyev B. IT, Software Engineer, Partner.