Email security gateway: stopping phishing and malware
Email Security Gateway Implementation: SPF/DKIM/DMARC enforcement, anti-phishing (URL rewriting, sandboxing), anti-malware (attachment scanning, zero-day protection), Business Email Compromise (BEC) detection, a comparison of secure email gateways (Microsoft Defender for Office 365, Proofpoint, Mimecast, Hornetsecurity), email archiving for compliance, enforcing TLS encryption, and configuring DMARC reports.
Email remains the most significant attack vector: by most industry estimates, the large majority of initial compromises begin with an email. A well-configured email security gateway is therefore the first and most important line of defense.
Email Authentication: SPF, DKIM, DMARC
The three pillars of email authentication:
SPF (Sender Policy Framework):
→ Defines: Which servers are allowed to send emails for domain.com?
→ DNS TXT record: v=spf1 include:spf.protection.outlook.com -all
Qualifiers on the final "all" mechanism:
+all: (NEVER!) Everyone is allowed to send as the domain
~all: Soft fail (usually ends up in spam, no block)
-all: Hard fail (unauthorized IPs → reject!) → RECOMMENDED
Note: DMARC only counts an SPF "pass", so under an enforced DMARC policy a softfail is already a failure; -all matters most for domains that have no DMARC policy yet.
Common mistakes:
→ Too many include entries (limit: 10 DNS-querying terms per check: include, a, mx, ptr, exists, redirect, counted recursively through every included record; more than 10 yields a permerror and the record is ignored)
→ ~all instead of -all (too lenient!)
→ forgotten third-party providers (newsletters, CRM, etc.)
DKIM (DomainKeys Identified Mail):
→ Digital signature over the message (selected headers + body), verified by the receiver against the public key in DNS
→ Public key: in the DNS
→ Private key: on the mail server (keep secure!)
DNS record example:
selector1._domainkey.company.com IN TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
→ DKIM key length: at least 2048 bits (1024 is outdated!)
→ Key rotation: every 6–12 months
DMARC (Domain-based Message Authentication, Reporting and Conformance):
→ Combines the SPF + DKIM results into a policy, with alignment: the domain that passed SPF (envelope sender) or DKIM (d= tag) must match the visible From: domain
→ Defines: what happens if neither SPF nor DKIM passes in alignment, and where reports are sent (rua/ruf)
DNS TXT record:
_dmarc.company.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@company.com; ruf=mailto:dmarc@company.com; pct=100"
Policies:
p=none: monitor only (no blocking) → START phase
p=quarantine: Spam folder
p=reject: reject → GOAL! (BSI recommends reject)
DMARC rollout:
Week 1: p=none + Monitoring (which systems are sending?)
Month 1: p=quarantine; pct=10 (10% of failing messages are quarantined)
Months 2-3: Gradually increase pct to 100
Months 3-4: p=reject
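As an added example (not code from the article), an offline linter for the SPF and DMARC records described above. It counts the DNS-querying terms recursively through include: and redirect= chains, as a receiving server's SPF check does, and flags the mistakes listed: +all, ~all, a missing "all" term, more than 10 lookups, and a DMARC record still on p=none or with a weaker subdomain policy. All domains and records in SPF_ZONE are constructed; replace lookup_txt with a real TXT query (e.g. dnspython's dns.resolver) to lint live domains.

```python
"""Offline SPF/DMARC record linter (added example; not from the article).

SPF_ZONE stands in for DNS so the example runs without network access; every
domain and record in it is constructed. Swap lookup_txt for a real TXT query
(e.g. dnspython's dns.resolver) to lint live domains.
"""
import re

SPF_ZONE = {  # constructed TXT answers
    "company.com": "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example mx -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 include:spf-a.example -all",
    "spf-a.example": "v=spf1 ip4:52.100.0.0/14 -all",
    "_spf.crm.example": "v=spf1 a mx include:mailers.crm.example ~all",
    "mailers.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "lenient.example": "v=spf1 include:spf.protection.outlook.com +all",
}
# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lookup_txt(domain):
    rec = SPF_ZONE.get(domain)
    if rec is None:
        raise LookupError(f"no SPF record for {domain}")
    return rec


def count_spf_lookups(domain, _chain=()):
    """Count lookups recursively, following include: and redirect= like a receiver."""
    if domain in _chain:  # include loop: a receiver would return permerror
        raise ValueError(f"include loop at {domain}")
    chain = _chain + (domain,)
    count = 0
    for term in lookup_txt(domain).split()[1:]:  # skip the v=spf1 token
        term = term.lstrip("+-~?")  # strip the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if name == "include":
            count += count_spf_lookups(term.split(":", 1)[1], chain)
        elif name == "redirect":
            count += count_spf_lookups(term.split("=", 1)[1], chain)
    return count


def lint_spf(domain):
    """Return (lookup_count, findings) for the domain's SPF record."""
    rec = lookup_txt(domain)
    findings = []
    if not rec.lower().startswith("v=spf1"):
        findings.append("not an SPF record")
    all_term = next((t for t in rec.split()[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term in ("all", "+all"):
        findings.append("+all: anyone may send as this domain")
    elif all_term == "~all":
        findings.append("~all: softfail only; fine under DMARC p=reject, otherwise use -all")
    elif all_term is None:
        findings.append("no all term: unlisted senders get neutral, not fail")
    lookups = count_spf_lookups(domain)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}: permerror")
    return lookups, findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return (tags, findings) for a DMARC record."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v=DMARC1 tag")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= missing or invalid")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: you will not receive aggregate reports")
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is rejected")
    if tags.get("sp", policy) != "reject":  # subdomains inherit p unless sp is set
        findings.append("subdomain policy is weaker than reject")
    return tags, findings


if __name__ == "__main__":
    for d in ("company.com", "lenient.example"):
        print(d, lint_spf(d))
    print(lint_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@company.com; pct=100"))
```

For company.com the constructed chain costs 7 lookups (two includes, of which one pulls in a, mx and a nested include, plus the top-level mx), which is why a record with three or four third-party includes so easily crosses the limit of 10.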
Anti-Phishing Techniques
Modern phishing detection methods:
URL rewriting:
→ Gateway replaces links in emails with proxy URLs
→ Click goes first to the gateway → URL check → then to the destination
→ Comparison: URL reputation database + sandboxing
→ "Time-of-click" protection: URL is checked upon CLICKING
(not just upon receipt—links can change!)
Attachment Sandboxing:
→ Attachment is opened (detonated) in an isolated VM
→ Dynamic analysis: reveals the malware's true behaviour (dropped files, network callbacks, persistence)
→ Delay: 1–10 minutes (depending on sandbox depth)
→ Zero-day detection: malware without a known signature can still be caught; caveat: evasive samples (sleep timers, VM and user-activity checks) may stay dormant inside the sandbox
Anti-impersonation (BEC protection):
→ Display name spoofing: "John Doe" with an external address
→ Domain lookalike: company-invoice.com instead of company.com
→ Internal sender check: Does the email really come from an internal source?
→ ML-based: Learning communication patterns (baseline)
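As an added example (not the article's or any vendor's code), the three rule-based anti-impersonation checks above applied to raw messages: display-name spoofing against a directory of employees, domain lookalikes (homoglyph folding, edit distance and brand-as-label matching), and the internal-sender check, which trusts the Authentication-Results header only because the gateway itself stamps it after its own DMARC evaluation. EMPLOYEES, INTERNAL_DOMAINS, the .example domains and the four sample messages are constructed.

```python
"""Impersonation (BEC) heuristics for inbound mail (added example; not from the article).

EMPLOYEES, INTERNAL_DOMAINS and the sample messages are constructed; a gateway
would load the first two from the directory. The Authentication-Results header
is trusted only because the gateway itself writes it after its DMARC check.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = ("company.com",)            # brands to defend against lookalikes
INTERNAL_DOMAINS = {"company.com", "mail.company.com"}
EMPLOYEES = {"john doe": "john.doe@company.com", "jane roe": "jane.roe@company.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label):
    """Fold common homoglyph tricks: c0mpany, cornpany, vvebmail."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (labels are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in INTERNAL_DOMAINS:
        return None
    base = domain.rsplit(".", 1)[0]            # "company-invoice.com" -> "company-invoice"
    for prot in PROTECTED_DOMAINS:
        pbase = prot.rsplit(".", 1)[0]
        if normalize(base) == pbase:           # c0mpany.com, cornpany.com
            return prot
        if len(pbase) >= 6 and edit_distance(normalize(base), pbase) <= 2:  # compnay.com
            return prot
        if pbase in re.split(r"[-.]", base):   # company-invoice.com, secure.company-mail.net
            return prot
    return None


def assess(raw_message):
    """Return a list of impersonation findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    known = EMPLOYEES.get(display.strip().lower())
    if known and known != addr.lower():        # display name spoofing
        findings.append(f"display name '{display}' belongs to {known}, address is {addr}")
    hit = lookalike_of(domain)
    if hit:                                    # domain lookalike
        findings.append(f"sender domain {domain} imitates {hit}")
    if domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth:   # internal sender check
        findings.append(f"claims internal domain {domain} but did not pass DMARC")
    return findings


# Constructed sample messages.
MSG_CEO_FRAUD = """From: John Doe <john.doe.ceo@gmail.example>
To: jane.roe@company.com
Subject: Urgent wire transfer
Authentication-Results: gw.company.com; dmarc=pass header.from=gmail.example

Please transfer 48,000 EUR today, I am in a meeting.
"""
MSG_LOOKALIKE = """From: Accounts <billing@cornpany.com>
To: jane.roe@company.com
Subject: Updated bank details
Authentication-Results: gw.company.com; dmarc=pass header.from=cornpany.com

Our IBAN has changed.
"""
MSG_INTERNAL_SPOOF = """From: Jane Roe <jane.roe@company.com>
To: john.doe@company.com
Subject: Invoice
Authentication-Results: gw.company.com; spf=fail smtp.mailfrom=company.com; dmarc=fail header.from=company.com

See attachment.
"""
MSG_LEGIT = """From: Jane Roe <jane.roe@company.com>
To: john.doe@company.com
Subject: Invoice
Authentication-Results: gw.company.com; dkim=pass header.d=company.com; dmarc=pass header.from=company.com

See attachment.
"""
```

The edit-distance rule deliberately errs on the side of false positives (a genuine partner such as compare.com would also score within distance 2 of "company"), which is why a production gateway pairs it with an allowlist of known partner domains; the ML baseline the article mentions is what replaces these static rules at scale.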
DMARC enforcement on inbound mail:
→ Gateway: reject if the sender domain publishes p=reject and the message fails DMARC (honour the policy the sending domain publishes)
→ Reporting: your own domain's DMARC reports show spoofing attempts against it
Safe Links / URL Defense:
Proofpoint URL Defense:
→ Rewrites: https://urldefense.proofpoint.com/v2/url?...
Microsoft Safe Links (Defender for Office 365):
→ Rewrites: https://nam06.safelinks.protection.outlook.com/?url=...
→ Detonation: Open suspicious URLs in a sandbox
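As an added example (not the article's code and not how Proofpoint or Microsoft implement their products), a minimal time-of-click rewriter. At delivery each link is replaced by a proxy URL carrying the original target and an HMAC over it; at click time the handler verifies the HMAC before it consults reputation and redirects, so the proxy cannot itself be abused as an open redirector, and reputation is evaluated when the user clicks rather than when the mail arrived. PROXY_BASE, SECRET, the BLOCKED set and SAMPLE_HTML are constructed placeholders.

```python
"""Signed time-of-click URL rewriting (added example; not any vendor's code).

The gateway swaps each link for a proxy URL that carries the original target
plus an HMAC over it. The click-time endpoint verifies the HMAC before it
consults reputation and redirects, so the proxy cannot be abused as an open
redirector. PROXY_BASE, SECRET and BLOCKED are constructed placeholders.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

PROXY_BASE = "https://links.gw.company.example/click"   # assumed gateway endpoint
SECRET = b"load-me-from-a-kms-not-source"                # constructed
BLOCKED = {"login-c0mpany.example"}                      # reputation as seen at click time

HREF_RE = re.compile(r'(?<=href=")https?://[^"]+(?=")')  # double-quoted href only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(url: str) -> str:
    """128-bit truncated HMAC-SHA256 over the original target."""
    return _b64(hmac.new(SECRET, url.encode(), hashlib.sha256).digest()[:16])


def encode_target(url: str) -> str:
    return _b64(url.encode())


def rewrite_url(url: str) -> str:
    """Original link -> proxy link carrying target and signature."""
    return f"{PROXY_BASE}?u={encode_target(url)}&sig={sign(url)}"


def rewrite_body(html: str) -> str:
    """Rewrite every href in an HTML body at delivery time."""
    return HREF_RE.sub(lambda m: rewrite_url(m.group(0)), html)


def extract_links(html: str) -> list:
    return re.findall(r'href="([^"]+)"', html)


def resolve_click(proxy_url: str):
    """Click-time handler. Returns ('redirect'|'blocked'|'invalid', target)."""
    query = parse_qs(urlsplit(proxy_url).query)
    try:
        token, sig = query["u"][0], query["sig"][0]
        target = _unb64(token).decode()
    except (KeyError, ValueError):
        return ("invalid", None)
    if not hmac.compare_digest(sig, sign(target)):
        return ("invalid", None)              # forged or tampered: refuse to redirect
    host = urlsplit(target).hostname or ""
    if host in BLOCKED:                       # reputation checked now, not at receipt
        return ("blocked", target)
    return ("redirect", target)


# Constructed mail body: one phishing link, one legitimate link.
SAMPLE_HTML = ('<a href="https://login-c0mpany.example/reset?u=1">Reset password</a> '
               '<a href="https://docs.company.example/policy">Policy</a>')

if __name__ == "__main__":
    for link in extract_links(rewrite_body(SAMPLE_HTML)):
        print(resolve_click(link))
```

The regex only handles double-quoted href attributes; a real gateway walks the HTML with a proper parser, rewrites text/plain parts too, and adds an expiry to the token so old proxy links cannot be replayed indefinitely.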
Email Gateways Compared
Secure Email Gateway Solutions 2024:
Microsoft Defender for Office 365 (Plan 1/2):
Included in: M365 Business Premium, E3/E5
Strengths:
→ Native M365 integration (no gateway required!)
→ Safe Attachments + Safe Links
→ Anti-phishing ML (DKIM, DMARC, spoofing)
→ Attack Simulator (integrated phishing test)
→ Plan 2: Threat Explorer, AIR (Automated Investigation)
Weaknesses:
→ Less control than a dedicated gateway
→ Limited archiving (Plan 2 required for full functionality)
Price: Included in the M365 bundle (cost: M365 license)
Proofpoint Email Protection:
Strengths:
→ Market leader in the enterprise sector
→ Very Attacked People (VAP): Who is attacked the most?
→ TRAP (Threat Response Auto-Pull): Retroactive deletion
→ TAP (Targeted Attack Protection): APT-focused
For: Enterprise (1,000+ employees), high-risk industries
Mimecast Email Security:
Strengths:
→ British, GDPR-native
→ Good archiving (e-discovery!)
→ Continuity: Email fallback if Exchange fails
→ Brand Exploit Protect: Monitoring for domain lookalikes
For: Mid-sized businesses, strong in UK/DACH
Hornetsecurity (German!):
Strengths:
→ German provider (Hanover), GDPR compliant
→ Data center in Germany
→ Affordable for SMEs
→ QR code phishing protection (Quishing)
→ 365 Total Protection: Bundles Email + Backup + Awareness
For: SMEs in DACH, GDPR-sensitive, budget-conscious
Analyzing DMARC Reports
Understanding DMARC Reports:
RUA Reports (Aggregate Reports):
→ Sent about once a day by each receiving mail provider (Google, Microsoft, etc.)
→ XML format, usually gzip- or zip-compressed and attached to a mail sent to the rua address: one row per sending IP and authentication outcome
→ Includes: sending IP, aligned SPF and DKIM results, disposition, message count, header From domain, plus the raw SPF/DKIM results with the domains they were evaluated for
# Example entry in DMARC report:
<record>
<row>
<source_ip>40.107.22.15</source_ip>
<!-- Microsoft IP -->
<count>1250</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<row>
<source_ip>185.220.101.55</source_ip>
<!-- Unknown IP! -->
<count>12</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
</record>
Interpretation:
→ 1st entry: legitimate M365 emails (PASS)
→ 2nd entry: someone is attempting to send as company.com (FAIL!)
→ Check the IP: a forgotten legitimate sender (newsletter tool, CRM), or an unrelated server sending as company.com?
→ Action: for a legitimate sender, add it to SPF and set up DKIM; for spoofing, only the receivers' enforcement stops delivery, so move to p=reject. A blocklist entry on your own gateway protects your inbound mail, not the third parties being spoofed
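As an added example (not the article's code), a parser that turns an aggregate report into the interpretation above automatically. It distinguishes three cases per source IP: DMARC pass; "unaligned", where SPF or DKIM passed but for a different domain than the visible From (the signature of a forgotten third-party sender such as a newsletter service); and outright fail, where nothing authenticated. REPORT_XML is a constructed report in the RFC 7489 Appendix C schema; the IPs and counts are illustrative, and real reports must be decompressed from their gzip/zip attachment first.

```python
"""Summarize a DMARC aggregate (RUA) report offline (added example; not from the article).

REPORT_XML is a constructed report in the RFC 7489 Appendix C schema with three
source IPs: the M365 sender from the article, a third-party SaaS that the SPF
record forgot, and an unknown host. Real reports arrive gzip- or zip-compressed
as mail attachments; decompress before passing the XML text in.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-01-01-company.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>company.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>40.107.22.15</source_ip><count>1250</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>company.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>company.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>company.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.newsletter-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>185.220.101.55</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.com</header_from></identifiers>
    <auth_results><spf><domain>company.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (policy_published dict, list of per-source rows)."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        auth = rec.find("auth_results")
        raw = [] if auth is None else [
            (el.tag, el.findtext("domain"), el.findtext("result")) for el in auth]
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),          # aligned DKIM result
            "spf": pe.findtext("spf"),            # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
            "raw_auth": raw,                       # unaligned results, with their domains
        })
    return published, rows


def classify(row):
    """pass: DMARC passed; unaligned: something authenticated but for another
    domain (typically a forgotten third-party sender); fail: nothing passed."""
    if "pass" in (row["dkim"], row["spf"]):
        return "pass"
    if any(result == "pass" for _, _, result in row["raw_auth"]):
        return "unaligned"
    return "fail"


def summarize(xml_text):
    """Return (policy_published, message totals per class, class per source IP)."""
    published, rows = parse_report(xml_text)
    totals = defaultdict(int)
    by_ip = {}
    for row in rows:
        cls = classify(row)
        totals[cls] += row["count"]
        by_ip[row["ip"]] = cls
    return published, dict(totals), by_ip


if __name__ == "__main__":
    published, totals, by_ip = summarize(REPORT_XML)
    print(f"policy p={published['p']}  totals={totals}")
    for ip, cls in by_ip.items():
        print(f"{ip:>16}  {cls}")
```

The "unaligned" bucket is the one to work through before moving to p=quarantine: every IP in it is mail that would be lost under enforcement even though it passes raw SPF for the sending service's own domain.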
DMARC Tools:
dmarcian.com: DMARC report visualization
dmarcanalyzer: GDPR-compliant, European provider
postmark: DMARC wizard
easydmarc: Guided DMARC rollout
Secure subdomains:
# Subdomains without their own _dmarc record inherit p from the organizational domain; set sp= when they should get a different policy:
sp=reject → subdomains that never send mail are rejected even while the main domain is still on p=quarantine
# Unused domains: empty SPF + DMARC reject (optionally a Null MX record, "MX 0 .", RFC 7505, to state that the domain never receives mail either)
v=spf1 -all
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s
Email Archiving and Compliance
Legal requirements:
Archiving obligations:
Commercial law (HGB §257): 6 years (commercial correspondence)
Tax law (AO §147): 10 years (tax-relevant documents)
GDPR: Follow the deletion policy!
GoBD: Immutability, machine-readability
Technical Requirements:
→ Immutability: Archive must not be manually altered
→ WORM Storage: Write Once Read Many
→ Completeness: All emails (including deleted ones!)
→ Searchability: Full-text search within the retention period
Products:
Microsoft Exchange Archiving (In-Place Archive):
→ Native in M365
→ Litigation Hold: retain mailbox content regardless of user deletion, indefinitely or for a set period
→ eDiscovery: Search archives for legal purposes
Mimecast Archiving:
→ 99-year retention
→ Independent of Exchange (even if Exchange is deleted!)
→ GoBD certification available
GDPR vs. Archiving:
→ Conflict: GDPR requires deletion, HGB requires retention
→ Solution: separate archiving systems with distinct purposes
→ Delete personal data after the HGB retention period
→ Tax-relevant data: 10 years (even if personal)
→ Legal basis: Art. 6 (1) c GDPR (legal obligation)
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)