M3AAWG Statement on Email Authentication for COVID-19 Mailings

There is a profound need for digital connectivity

The progenitors of the internet created and used email to facilitate the work that went into building and evolving the shared global resource that in these extraordinary times is connecting the world. That connection is made possible, in part, by the world-wide use of email. Email has proven to be the longest lasting digital communication channel, with the largest user base of any free or paid platform or product. What’s more, email is the first and most foundational source of identity on the internet. However, it is not without its difficulties: email’s massive reach makes it a ripe target for bad actors seeking to deploy compromises and attacks on a global scale.

The pandemic has provided air cover and new lures for bad actors to harness the collective anxiety, fear and social isolation that the world’s sheltering-in-place societies are experiencing. In early April, reports began to surface that phishing that used the coronavirus as a lure, along with other forms of email attack, had by some estimates risen 14,000% in a matter of weeks.

Combatting the assault on our inboxes is a collective endeavor, the importance of which is even more profound given the pandemic and the increased importance of achieving digital proximity while remaining physically distant.

M3AAWG represents the ecosystem

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and its membership have been leading the fight against spam and other abuse, particularly fraudulent email communications, for over fifteen years.  M3AAWG’s more than 200 members represent the entire mailing ecosystem—from those building mailing applications and systems, to analytics companies, anti-abuse vendors, threat intelligence actors and the world’s largest mailbox providers. Collectively, this body has been advocating the adoption of internet standards that address the rise in email that impersonates domains and individuals, and whose sole purpose is to defraud people of their personally identifiable information to commit fraud and fuel other, more devastating attacks and breaches. 

Over the years M3AAWG’s members have worked collaboratively to address problems of massive scale, including the development of email authentication standards and guidance on how those standards should be implemented for maximum effect. M3AAWG brings together technologists, subject matter experts, LEO, policy makers and vendors in a trusted forum. The corpus of M3AAWG knowledge and guidance represents the thinking and best practices of the entire ecosystem and an end-to-end view of sustainable digital communications at scale. 

Authenticate and protect

M3AAWG calls on the industry to take further steps to authenticate and secure their sending domains and email addresses by deploying email authentication at scale and at enforcement. Preventing rampant phishing, emboldened and bolstered by the global pandemic, should be the top priority for domain owners. 

The need for the widespread adoption of email authentication cannot be overstated. Not only is it crucial to ensuring the flow of critical information from organizations on the front lines of the battle against COVID-19, but the impending general election in the United States, and those in the rest of the world, must be protected from misinformation campaigns and phishing.

The deployment of correct email authentication requires a careful and measured approach. M3AAWG and its members strongly encourage domain owners that operate email programs to adhere to the following email authentication parameters when publishing and signing their various records:

  • Publishing SPF records with at least ~all, or -all if the domain does not send email
  • Signing all mail with aligned DKIM
  • Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
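
The three recommendations above can be checked mechanically. The following is an added example, not M3AAWG code: it audits constructed TXT records for reserved example domains, and every function name and sample record in it is hypothetical. It assumes the organizational domain is the last two labels of a name, whereas production code would use the Public Suffix List.

```python
# Added example: checks constructed records against the three recommendations.
ENFORCING = ("quarantine", "reject")

def spf_finding(txt, sends_mail):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "SPF: no v=spf1 record"
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return "SPF: no 'all' mechanism (redirect= is not followed here)"
    if alls[0] == "-all" or (alls[0] == "~all" and sends_mail):
        return None
    if alls[0] == "~all":
        return "SPF: non-sending domain should publish -all"
    return f"SPF: '{alls[0]}' is weaker than ~all"

def dmarc_finding(txt):
    tags = dict(p.strip().lower().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("v") != "dmarc1":
        return "DMARC: no v=DMARC1 record"
    p = tags.get("p", "none")
    sp = tags.get("sp", p)  # subdomains inherit p when sp is absent
    if p not in ENFORCING:
        return f"DMARC: p={p} is not at enforcement"
    if sp not in ENFORCING:
        return f"DMARC: sp={sp} leaves subdomains unenforced"
    return None

def org_domain(name):
    # Assumption: last two labels; production code uses the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dkim_finding(from_domain, dkim_d):
    # Relaxed alignment: DKIM d= shares the From: organizational domain.
    if org_domain(from_domain) == org_domain(dkim_d):
        return None
    return f"DKIM: d={dkim_d} is not aligned with {from_domain}"

# Constructed sample data: (sends mail, SPF TXT, DMARC TXT, DKIM d= seen on mail)
SAMPLE = {
    "example.org": (True, "v=spf1 include:_spf.example.org ~all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.org", "mail.example.org"),
    "example.com": (True, "v=spf1 include:_spf.example.com ?all",
                    "v=DMARC1; p=none", "esp.example.net"),
    "example.net": (False, "v=spf1 ~all", "v=DMARC1; p=reject; sp=none", None),
}

def audit(domain):
    sends, spf, dmarc, dkim_d = SAMPLE[domain]
    found = [spf_finding(spf, sends), dmarc_finding(dmarc)]
    if sends:
        found.append(dkim_finding(domain, dkim_d))
    return [f for f in found if f]
```

Calling `audit()` on each sample domain returns an empty list for the compliant one and one finding per unmet recommendation for the others.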

During this time of pandemic, it is more essential than ever that malicious actors not be able to impersonate trusted sources of information or assistance. The need has been here all along, but the stakes are so much higher. Taking advantage of the full suite of email authentication protocols is the best way for a sender to establish and affirm their identity when sending email. By creating barriers to impersonation, a sender’s identity becomes more trusted and harder to forge, thereby restoring trust because the sender is who they claim to be.

The community is prepared to help

While this kind of trust is always important with email, it’s magnified during these challenging times. M3AAWG recognizes that implementing email authentication can be challenging and time consuming for many organizations, current circumstances notwithstanding. If you send your own email, then consult with your developers and operations personnel on the best way of deploying email authentication and moving to enforcement. If your email is sent by a third party, work with their technical teams, as they may have ready, out-of-the-box tools to help you achieve the necessary posture. M3AAWG and a number of our members stand ready to help the sending community with resources, free tools, and documented best practices to protect their brands, domains and email addresses from impersonation.

Click here for a full list of our members. 

For more information, see:

The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.