Tech Insight : DMARC Diligence (Part 1) : The Basics of Email Authentication

In this, the first of a series of three articles explaining DMARC and email authentication, we look at why SPF, DKIM, and DMARC are the key pillars of email authentication.

The Issue 

Businesses face numerous cyber threats, with email being one of the most common attack vectors. Phishing, spoofing, and malware are prevalent issues, making email security a top priority.

Email authentication protocols such as SPF, DKIM, and DMARC are therefore crucial in mitigating these threats: they let a receiving mail server check that a message really comes from the domain it claims to come from, and flag or reject messages that do not.

What Is SPF? 

SPF (Sender Policy Framework) helps prevent email spoofing by allowing domain owners to publish which mail servers (identified by IP address) are allowed to send email on behalf of their domain. A receiving server checks the domain in the SMTP envelope sender (the MAIL FROM / Return-Path address) against that list. One important caveat: SPF on its own says nothing about the From: address the recipient actually sees, which is why it is paired with DKIM and DMARC.

This is achieved by publishing an SPF record as a TXT record in the domain’s DNS (Domain Name System). DNS is the internet’s system for translating domain names into IP addresses, enabling users to access websites by typing human-readable names instead of numerical addresses.

When an email arrives, the recipient’s mail server looks up this record and checks whether the IP address of the connecting server is listed. If it isn’t, the outcome depends on how the record ends: a record ending in “-all” tells receivers that unlisted servers should fail (and the mail be rejected), while the weaker “~all” asks only for a “softfail”, which most receivers treat as a spam signal rather than a reason to reject. A record whose “include:” chains require more than ten DNS lookups is a permanent error and authenticates nothing, so delegations to third-party senders need watching.
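The check described above, as an added example rather than code from the article: a minimal SPF evaluator in Python that walks a record’s mechanisms in order, honours the +, -, ~ and ? qualifiers, follows “include:” delegations and enforces the ten-lookup limit. The DNS zone, domain names and IP addresses are constructed for illustration (a real receiver resolves them over DNS), and the exists, ptr and redirect terms and macros are deliberately not implemented.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS zone.

Added example for this article; not code from the page. Zone contents,
domain names and IP addresses are made up. Handles ip4/ip6/a/mx/include/all
with qualifiers and the RFC 7208 ten-lookup limit; exists, ptr, redirect
and macros are left out.
"""
import ipaddress

# Constructed zone: TXT for SPF, A/MX for the a and mx mechanisms.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
                "include:_spf.mailer.example mx -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    "softfail.example": {"TXT": ["v=spf1 a ~all"], "A": ["192.0.2.7"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_record(domain):
    """The single v=spf1 TXT record for domain, or None if absent/duplicated."""
    txts = ZONE.get(domain, {}).get("TXT", [])
    recs = [t for t in txts if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    budget = budget if budget is not None else [MAX_LOOKUPS]  # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # an address of the other family is simply not contained
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name in ("a", "mx", "include"):
            budget[0] -= 1  # each of these costs a DNS lookup
            if budget[0] < 0:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = str(addr) in ZONE.get(target, {}).get("A", [])
            elif name == "mx":
                mx_hosts = ZONE.get(target, {}).get("MX", [])
                matched = any(str(addr) in ZONE.get(h, {}).get("A", []) for h in mx_hosts)
            else:
                sub = check_host(ip, target, budget)
                if sub in ("none", "permerror"):  # include of a bad record is fatal
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"  # unsupported or unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.200", "example.com"),
                    ("192.0.2.8", "softfail.example"), ("192.0.2.8", "loop.example")]:
        print(f"{ip:16} as {dom:18} -> {check_host(ip, dom)}")
```

The shared lookup budget is what makes the “loop.example” record come back as permerror instead of recursing forever, and the include branch shows why a third party that deletes its SPF record breaks your own authentication.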

What Is DKIM?  

DKIM (DomainKeys Identified Mail) adds a further layer by attaching a digital signature (the DKIM-Signature header) to outgoing emails. The sending server signs selected headers together with a hash of the message body using a private key; the receiving server fetches the matching public key from a DNS TXT record under the signing domain (named by the d= and s= tags in the signature) and verifies it. A valid signature shows that the signed headers and body have not been altered in transit and that the signing domain took responsibility for the message. Unlike SPF, a DKIM signature normally survives forwarding, which is one reason DMARC is satisfied by either check. DKIM therefore strengthens the integrity and trustworthiness of email communication.
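The “content hasn’t been altered” part of that check is the body hash carried in the signature’s bh= tag. The following added example (not code from the article or from any mail library) computes and verifies bh= using the “simple” and “relaxed” body canonicalisations from RFC 6376, and shows that whitespace changes introduced in transit are tolerated under relaxed canonicalisation while a change to the text is caught. The message body and DKIM-Signature header are constructed; the signature over the headers (the b= tag, an RSA or Ed25519 signature) is not reproduced here.

```python
"""DKIM body-hash (bh=) computation and check with RFC 6376 canonicalization.

Added example for this article, not the page's code or any mail library's.
Covers the body-hash step only; the b= header signature is not reproduced.
The message and DKIM-Signature header below are constructed.
"""
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Return the canonical body bytes for the 'simple' or 'relaxed' algorithm."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of whitespace to one space and drop trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""  # empty-body rule differs
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed", algo="sha256"):
    """bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash_matches(header_value, body):
    """True if the bh= tag in the DKIM-Signature header matches this body."""
    tags = parse_dkim_signature(header_value)
    # c=header/body; the body part defaults to simple when absent.
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = tags.get("a", "rsa-sha256").partition("-")[2]  # rsa-sha256 -> sha256
    return body_hash(body, body_mode, algo) == tags.get("bh")


# Constructed message body and a signature header built from it.
# b= is left empty here because the header-signing step is not shown.
BODY = "Hi Sam,\r\n\r\nPlease pay invoice 42 to the usual account.\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b="
)
TAMPERED = BODY.replace("the usual account", "account 999-888-777")
REWRAPPED = "Hi  Sam, \n\nPlease pay invoice 42 to the usual account.\n\n\n"

if __name__ == "__main__":
    print("original :", body_hash_matches(SIGNATURE, BODY))
    print("rewrapped:", body_hash_matches(SIGNATURE, REWRAPPED))
    print("tampered :", body_hash_matches(SIGNATURE, TAMPERED))
```

The relaxed algorithm is the one most senders choose precisely because mailing lists and gateways routinely re-wrap whitespace; the simple algorithm would fail the REWRAPPED body even though no words changed.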

What Is DMARC? 

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that gives domain owners a way to protect their domain from unauthorised use such as email spoofing. It builds on SPF and DKIM in two ways. First, it adds “alignment”: the domain in the message’s From: header (the one the recipient sees) must match the domain that SPF or DKIM actually authenticated, so an attacker cannot pass SPF for a domain they control while displaying yours. Second, it lets the domain owner publish a policy (none, quarantine or reject) telling receiving servers what to do with messages that fail, and it asks receivers to send aggregate reports (and, optionally, per-message failure reports) back to the domain owner about mail that passes or fails. The policy is published as a TXT record at _dmarc.<yourdomain> in DNS, alongside the SPF and DKIM records.

DMARC, therefore, unifies SPF and DKIM: a message passes DMARC if either SPF or DKIM passes with an aligned domain, the domain owner decides how failures are handled, and the reports give visibility of everyone sending mail that claims to be from the domain, legitimate or not, which is what makes unauthorised use and spoofing detectable.
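To make the alignment and policy logic concrete, here is an added example (not code from the article) of the receiver-side DMARC decision in Python: discover the policy at _dmarc.<From domain> or, failing that, at the organisational domain; test identifier alignment in relaxed or strict mode; and turn the result into a disposition, including the subdomain policy (sp=) and the pct= sampling downgrade from RFC 7489. The DNS data, domains and authentication results are constructed, and the organisational-domain helper assumes a two-label domain rather than consulting the Public Suffix List, which real implementations must do.

```python
"""DMARC policy discovery, identifier alignment and disposition.

Added example for this article, not the page's code. Zone contents, domains
and SPF/DKIM results are constructed. org_domain() assumes a two-label
organizational domain instead of consulting the Public Suffix List.
"""

# Constructed TXT data at the _dmarc labels.
DMARC_ZONE = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc-rua@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=50",
    "_dmarc.marketing.example.org": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Tag dictionary for a DMARC record, or None if it is not a valid one."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)
    return tags


def org_domain(domain):
    # Assumption for this example: the last two labels. Production code uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])


def find_policy(from_domain):
    """Policy at _dmarc.<from_domain>, else at the org domain (RFC 7489 6.6.3).

    Returns (policy, came_from_org_domain)."""
    rec = DMARC_ZONE.get(f"_dmarc.{from_domain}")
    policy = parse_dmarc(rec) if rec else None
    if policy:
        return policy, False
    org = org_domain(from_domain)
    if org != from_domain:
        rec = DMARC_ZONE.get(f"_dmarc.{org}")
        policy = parse_dmarc(rec) if rec else None
        if policy:
            return policy, True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain, spf, dkim, sample=0):
    """DMARC result and disposition for one message.

    spf: (result, envelope MAIL FROM domain); dkim: list of (result, d= domain).
    sample: integer 0-99 standing in for the random draw used against pct=."""
    policy, from_org = find_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, policy["adkim"]) for r, d in dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # sp= applies only when the policy was found at the org domain for a subdomain.
    action = policy["sp"] if from_org and "sp" in policy else policy["p"]
    if sample >= int(policy["pct"]):  # unsampled messages get the next-less-severe action
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return {"dmarc": "fail", "disposition": action}


if __name__ == "__main__":
    print(evaluate("example.com", ("pass", "mail.example.com"), []))
    print(evaluate("example.com", ("fail", "bulk.example.net"), [("pass", "example.net")]))
    print(evaluate("news.example.com", ("fail", "x.example"), []))
```

The second scenario is the spoofing case DMARC exists for: SPF and DKIM both succeed for the attacker’s own domain, but neither aligns with the From: domain, so the message is rejected.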

The Evolving Email Security Landscape – Recent Changes By Email Providers 

In response to a surge in email fraud, and against a background of data protection regulation such as the GDPR, major email platforms are tightening their email authentication requirements. In February 2024, for example, Google and Yahoo began enforcing new rules for senders: all senders must authenticate with SPF or DKIM, and bulk senders (Google’s threshold is 5,000 or more messages a day to Gmail accounts) must additionally set up both SPF and DKIM, publish a DMARC policy of at least p=none with an aligned From: domain, offer one-click unsubscribe and keep reported spam rates low. Yahoo said: “Sending properly authenticated messages helps us to better identify and block billions of malicious messages and declutter our users’ inboxes.”

As an indication of how serious the problem is, it’s estimated that roughly half of the 300 billion emails sent per day are spam, i.e. around 150 billion spam emails every day. Google, for example, says it blocks some 15 billion unwanted emails (spam, phishing, and malware) every day.

The regulatory landscape, demanding higher standards of data privacy and security, plus the sheer volume of spam/phishing/spoofing/malware emails have now catalysed action in the form of platforms trying to enforce stricter measures.

For UK businesses, therefore, adapting to these enhanced authentication standards is crucial: it keeps legitimate email out of spam folders and away from outright blocking, and it supports compliance with data protection law.

The Necessity for DMARC, SPF, and DKIM 

For the reasons just outlined, implementing DMARC, alongside SPF and DKIM, has now transitioned from a best practice to a necessity, hence a sudden push by many platforms to verify domains. These protocols are fundamental in validating email sources, ultimately enhancing deliverability, and protecting against cyber threats. Although it can feel like an extra hoop for businesses to jump through, their adoption ensures that businesses maintain their credibility and that their communications are effectively received.

What Does This Mean For Your Business?

For UK businesses, the implications of not implementing these email authentication protocols can be significant. Without proper setup, domains are at risk of being used for email spoofing, leading to potential data breaches and loss of customer trust. Additionally, non-compliance with the updated policies of email providers can result in emails being undelivered, affecting operations and communications.

To navigate this landscape, businesses must take a proactive approach, regularly reviewing and updating their SPF, DKIM, and DMARC configurations as mail providers, third-party senders and threats change. In practice that means starting DMARC at p=none, reading the aggregate reports to find every legitimate sending service (CRM, marketing, ticketing and so on) and getting each one aligned, and only then moving to quarantine and finally reject. It also means staying informed about the latest email security practices and threats.

It’s important to remember that adhering to these email authentication standards is not merely about compliance, it’s about securing your digital communication channels. By implementing SPF, DKIM, and DMARC, businesses can significantly reduce the risk of cyber-attacks initiated via email, safeguard their digital assets, and ensure the integrity of their email communications.

Next Time …. 

In this first of three articles in the series, we’ve looked at the basics of email authentication and why it matters, i.e. SPF, DKIM, and DMARC and their importance as business cybersecurity tools.

Next week, in the second part of the three-part DMARC Diligence Tech Insight series, we’ll look at the critical but often neglected issue of securing multiple domains, including those not actively used for sending email. It will emphasise the importance of applying DMARC policies to these “forgotten” domains to prevent them being exploited in cyber-attacks, offering guidance on implementing comprehensive email authentication across all owned domains.

Tech News : Copilot Gets Plugins And Skills Upgrade

Microsoft has announced that its Windows 11 Copilot AI companion (that’s been embedded into 365’s popular apps) has received an upgrade in the form of new plugins and skills.

Builds On The AI Key 

Microsoft says that the new features build upon the introduction of the Copilot AI Key on new Windows 11 PC keyboards, updates to the Copilot icon on the taskbar, and the ability to dock, undock and resize the Copilot pane.

Adding an AI key to Windows 11 PC keyboards, from which Copilot can be launched directly, was the first significant change to the Windows PC keyboard in nearly 30 years, and is another way of weaving Microsoft’s own AI into Windows at the system level.

New Popular App Plugins

The plugins from “favourite apps” that are being added to Copilot now include OpenTable, Shopify, Klarna, and Kayak. Microsoft gives examples of how this will help users, such as:

– Asking Copilot to make a dinner reservation with friends and Copilot using OpenTable to do so.

– For staying in, asking Copilot to create a “healthy dinner party menu for 8” and Copilot using the Instacart app plugin to buy the food, “all within Copilot in Windows”.

New Skills Too 

Microsoft has announced a list of skills that it will be adding to Copilot, beginning in late March, in the categories of settings, accessibility and live information. Examples include turning battery saver on or off, opening the storage page, launching live captions, launching voice input, showing available Wi-Fi networks, and emptying the recycle bin. Essentially, asking Copilot to do these things rather than doing them by hand is a convenient time-saver that Microsoft hopes will improve user experience and productivity.

New Creativity App Updates 

The rollout of two “creativity app updates” has also been announced by Microsoft. These are:

– Generative Erase for removing unwanted objects or imperfections in images when using the Photos app.

– Clipchamp silence removal preview, which provides an easy way to remove silent gaps in audio tracks for videos.

Other Announcements 

Microsoft has also taken the opportunity to announce other new features and upgrades including the ability to use an Android phone as a webcam on all video conferencing apps, a combined Windows Update for Business deployment service and Autopatch update for enterprise customers, and Windows Ink to enable natural writing on pen-capable PCs.

What Does This Mean For Your Business? 

With Google recently announcing its new Gemini models being combined with Bard to create a new Gemini Advanced subscription service that ties the Google suite together with AI, Microsoft (helped by its OpenAI partnership) has come back with its own AI upgrade. Competition is hotting up and with the integration of Copilot in its popular 365 apps, a significant keyboard change (the addition of the AI key) and now the addition of new plugins and skills, Microsoft is working to create a single seamless environment, managed by AI.

This will mean users can get everything they want within this environment just by asking, thereby offering ultimate ease and convenience with productivity benefits that will appeal to businesses. It seems that using the same idea as WeChat-style super apps, where users can do everything from one app, major tech players with their own product platforms are now using AI and plugins to achieve a similar thing, gain share and retain customers. It’s also a way to add value and raise existing barriers-to-exit by giving users an easy way to achieve everything within one familiar environment.

Tech News : Brave Android Browser Gets ‘Leo’ Assistant

Brave, the privacy-focused browser, has announced the introduction of Leo, its privacy-preserving AI assistant built into the browser on all Android devices.

Users Can Choose Which Model – The Mixtral LLM & Meta’s Llama 2 

Brave says its new ‘Leo’ AI assistant uses the open-source Mixtral 8x7B as its default large language model (LLM), a model that has been popular with developers since its December 2023 release. The free and premium versions of Leo also offer Meta’s Llama 2 13B model, and users can choose between the models according to their needs and budget. Brave says, however, that having Mixtral as the default LLM brings “higher quality answers”.

What Can Leo Do? 

Leo was first launched three months ago and has since achieved what Brave describes as “global adoption”. Brave says Leo can create real-time summaries of webpages or videos, answer questions about content and generate new long-form written content. It can also translate, analyse or rewrite pages, create transcriptions of video or audio content, and write code. Leo can interact in multiple languages including English, French, German, Italian, and Spanish.

In short, it appears to be able to do what other popular generative AI chatbots can do, e.g. ChatGPT.

What’s So Different About Leo? 

With Brave being specifically a privacy-focused browser offering ad tracker blocking and no personal data collection, Brave is keen to point out that what’s different about Leo is that it’s effective generative AI, but with “the same privacy and security guarantees of the Brave browser.”   

Brave says this privacy is achieved by:

– Anonymisation via reverse proxy. Leo uses a reverse proxy that anonymises all requests, ensuring Brave cannot link any request to a specific user or their IP address.

– No data retention. Leo’s conversations are not stored on Brave’s servers, and responses are discarded immediately after generation. No personal data or identifiers (such as IP addresses) are retained. For users opting for models from Anthropic, data is held for 30 days by Anthropic before being deleted.

– No mandatory account. Users can access Leo without creating a Brave account for the free version, promoting anonymity. A premium account is optional for multi-device access.

– Privacy-enhanced subscription. Premium subscribers use unlinkable tokens for authentication, ensuring subscription details cannot be associated with their usage. The email used for account creation is also kept separate from daily use, enhancing privacy.

Free and Subscription Versions 

Although Brave says Leo is free to all users and there is no ‘mandatory’ subscription, as with other chatbots, there is a subscription version at $14.99 per month – cheaper than others like ChatGPT and Gemini Advanced. One subscription covers up to 5 different devices across Android, Linux, macOS, and Windows.

What Does This Mean For Your Business? 

With other popular browsers incorporating their own AI chatbots, the pressure was on Brave to offer the same, with the added challenge of keeping it private. Competing AI chatbots such as Google’s Gemini and ChatGPT warn users not to share private or personal details with them, acknowledging that such details could be surfaced elsewhere by the right prompts and/or be used for training models. Also, in a world where AI chatbots (e.g. Copilot) are getting plugins that link them to shopping apps, the potential for related data gathering through AI is there. Brave’s differentiation with Leo, therefore, lies in its apparent ability to keep things private, which could help Brave retain users and keep its share of the private-browser market while adding the right kind of value for its users.

Early last year, competitor DuckDuckGo introduced ‘DuckAssist’, a beta AI instant-answer feature drawing on Wikipedia, but withdrew it from private search in March last year. It was intended to help DuckDuckGo’s users find factual information more quickly while, in keeping with DDG’s privacy focus, promising that searches remained anonymous. Leo, therefore, represents a major opportunity for a private version of AI that some business users, or users in sensitive sectors, may prefer, but it remains to be seen how, or whether, the privacy protection affects the comparative quality of its outputs.

An Apple Byte : End Of The Road For Apple Car

It’s been reported that Apple has ceased work on its Autonomous Electric Vehicle known as “Project Titan”.

The 2,000 employees who were working on the decade-long project (and who reportedly had a say in the decision to stop work on it) are reported to have been moved to Apple’s generative AI team, other divisions in the company, or laid off.

There’s speculation that the decision to halt the project was based on:

– The low margins the car may deliver in the current market.

– A general re-evaluation of, and fall in, investment in EVs and EV batteries by other companies, e.g. Tesla, Renault, Polestar (Volvo), and VW.

– Challenges in defining the long-running project’s direction amidst pressures to innovate.

– Internal demands for quicker market entry (for what has been a long-running project), despite potential opportunities to diversify Apple’s revenue streams.

Security Stop Press : Thousands Of Brand Subdomains Hijacked For Spam

Cyber security company Guardio Labs has reported uncovering a major “SubdoMailing” campaign in which subdomains of 8,000+ trusted domains have been hijacked to send millions of spam and malicious phishing emails every day.

Brands whose subdomains are being exploited in the campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.

Guardio Labs said it has identified the threat actor behind the campaign as ‘ResurrecAds,’ a bogus ad network known for reviving “dead” domains from big brands and using them as backdoors to exploit legitimate services and brands and circumvent email protection.

The advice to businesses, which should already have antivirus protection in place, is to exercise caution and to avoid opening unsolicited, suspicious-looking emails, even if they appear to come from known brands. Domain owners should also check their own DNS for the two weaknesses the campaign relies on: subdomain CNAME records that still point at a service or domain the business no longer controls, and SPF records that “include:” domains which have since expired, because whoever registers such a domain inherits the right to send mail as yours. Removing these dangling records removes the foothold.
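The DNS hygiene check just described, as an added example in Python (not Guardio’s tooling or code from this page): it walks a zone looking for CNAME records whose target domain is no longer registered and for SPF “include:”/“redirect=” delegations to domains that are unregistered or publish no SPF record. The zone and the set of registered domains are constructed; a real audit would resolve records with a DNS library and check registration via RDAP or WHOIS, and would use the Public Suffix List instead of the two-label base-domain assumption used here.

```python
"""Audit for dangling CNAME targets and SPF delegations (SubdoMailing-style takeover).

Added example, not Guardio's tooling or the page's code. The zone and the set
of currently registered domains are constructed. base_domain() assumes a
two-label registrable domain; production code should consult the PSL.
"""

# Constructed zone: name -> list of (record type, value).
ZONE = {
    "example.com": [("TXT", "v=spf1 include:_spf.old-vendor.example "
                            "include:spf.goodmail.example -all")],
    "promo.example.com": [("CNAME", "campaign.expired-agency.example")],
    "shop.example.com": [("CNAME", "shops.goodhost.example")],
    "spf.goodmail.example": [("TXT", "v=spf1 ip4:198.51.100.0/24 -all")],
    "spf.quiet.example": [("TXT", "not an spf record")],
    "example.org": [("TXT", "v=spf1 redirect=spf.quiet.example")],
}
# Constructed stand-in for a registration (RDAP/WHOIS) lookup.
REGISTERED = {"example.com", "example.org", "goodhost.example",
              "goodmail.example", "quiet.example"}


def base_domain(name):
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def spf_targets(txt):
    """Domains an SPF record delegates to via include: or redirect=."""
    out = []
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("include:"):
            out.append(term[len("include:"):])
        elif term.startswith("redirect="):
            out.append(term[len("redirect="):])
    return out


def has_spf(name, zone):
    return any(t == "TXT" and v.lower().startswith("v=spf1") for t, v in zone.get(name, []))


def audit(zone=ZONE, registered=REGISTERED):
    """List of (record owner, finding, target) for records an attacker could claim."""
    findings = []
    for name, records in zone.items():
        for rtype, value in records:
            if rtype == "CNAME":
                if base_domain(value) not in registered:
                    findings.append((name, "dangling CNAME", value))
            elif rtype == "TXT" and value.lower().startswith("v=spf1"):
                for target in spf_targets(value):
                    if base_domain(target) not in registered:
                        # Anyone can register it and publish an SPF record that
                        # authorises their servers to send as this domain.
                        findings.append((name, "SPF delegation to unregistered domain", target))
                    elif not has_spf(target, zone):
                        # Delegation to a name with no SPF record is a permerror,
                        # so SPF silently stops authenticating this domain's mail.
                        findings.append((name, "SPF delegation with no SPF record", target))
    return findings


if __name__ == "__main__":
    for owner, finding, target in audit():
        print(f"{owner}: {finding}: {target}")
```

Run this against an export of every zone the business owns, not just the main one: the campaign works precisely because old marketing subdomains and lapsed vendor delegations are forgotten while the parent domain’s reputation is not.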

Sustainability-in-Tech : New £4 Billion EV Battery Factory in Somerset

Tata Group’s global battery business ‘Agratas’ has confirmed previous announcements that it will invest £4bn in a brownfield site near Bridgwater in Somerset to make it the UK’s biggest electric vehicle (EV) battery manufacturing facility.

Somerset To Be Centre Of UK’s Green Energy Revolution

Somerset Council has reported that the Agratas factory should create up to 4,000 jobs and many more as part of the supply chain and will, “put Somerset at the centre of the UK’s green energy revolution with the potential to kick-start countywide and regional economic growth and jobs”. 

The Leader of Somerset Council described the Agratas EV battery factory plans, which could see Somerset become the UK’s biggest producer of electric vehicle (EV) batteries, as “momentous and of global significance”. 

The EV factory will be built on the old Royal Ordnance Factory site, once a major employer in the area until its decommissioning in 2008. It’s been reported that the Agratas factory will be smaller, taking only 50 per cent of the land but should, by the early 2030s (production will begin in 2026), have the capacity to produce 40GWh of battery cells annually – half the EV battery manufacturing capacity for the UK’s automotive sector (enough batteries for 500,000 passenger vehicles). It’s understood that JLR and (not surprisingly) Agratas will be the first customers for the batteries.

Residents 

Agratas says it’s informing the thousands of residents around Puriton of its plans via a leaflet through the door, provision of a community WhatsApp channel for progress updates, and an introductory event in the coming weeks.

Agratas – Clean And Green Operations 

Agratas says the “world-class gigafactories” it’s building in India and now the UK unlock green growth opportunities for global customers, that it has a “sustainability-first approach” and that its operations are “accelerating the global transition to net zero.”  

Agratas points out that it’s not just the product that will help with the climate crisis. It’s also keen to highlight that its factories (like the one to be built at Puriton, Somerset) are designed to be powered by clean sources of electricity and should include a purpose-built renewable energy plant, supporting its goal of 100 per cent clean power across all its operations. As for nearby low-carbon generation, it’s worth noting that the Somerset factory site is only about 15 miles from Hinkley Point nuclear power station.

Challenges 

Among other challenges, the United Kingdom’s ambition to be a leader in the electric vehicle (EV) market has been hampered by its lack of domestic battery manufacturing facilities (known as gigafactories). This gap has posed significant challenges for the UK’s automotive industry and its transition to electric mobility, e.g. supply chain vulnerability, competitiveness and the attraction of investment, job creation and economic growth, and meeting environmental targets.

The confirmation that a major EV battery gigafactory will be sited here has, therefore, been greeted enthusiastically by the UK government and those involved in the EV industry.

What Does This Mean For Your Organisation? 

Building an EV battery gigafactory in Somerset in the UK is likely to bring many important benefits. These include countrywide and regional economic growth and jobs – 4,000 new high-skilled green tech jobs. Also, the fact that Agratas will work with local and regional partners (e.g. Somerset Council, Bridgwater and Taunton College, and the wider Gravity Smart Campus) will mean bespoke education and training programmes with the promise of high-value local jobs for local people in the future. Also, the UK’s ambition to be a major player in the EV market will be well-served by having a battery factory here, and this will boost EV production in the UK, attract manufacturers and investment, and boost the economy.

On the green and sustainability front, the fact that Agratas has a sustainability-first approach and plans to use clean sources of electricity are clearly likely to be attractive. For residents in the Bridgwater area, which also has the first in a new generation of nuclear power stations (Hinkley Point C) being built just a few miles down the road, the EV battery site will contribute even more to the massive boost that the local economy has received in recent years.

All that said, for many people in the UK, there is still the downward pressure of a cost-of-living crisis taking priority over decisions to purchase expensive electric vehicles that don’t yet have anything more than what many would describe as a barely adequate charging network in place. Also, despite the EV factory’s sustainability and environmental focus, it should be remembered that there is still an environmental cost being paid in the mining, production, and transportation of materials including lithium, cobalt, and nickel for EV batteries, not to mention the scarcity of such materials.

Each week we bring you the latest tech news and tips that may relate to your business, rewritten in a techy-free style.
