Email Security Best Practices: Identity Verification, Brand Protection & Inbox Security
Securing the inbox requires aligning identity, brand, and security through integrated protocols like DMARC and BIMI.
Unified Solution for Email Security
Obtaining a verified emblem adjacent to email addresses has historically required coordination between two distinct entities. Organizations must engage a DMARC partner to establish DMARC and BIMI protocols while also acquiring a Mark Certificate through a certified Certificate Authority. This fragmented approach necessitates reliance on multiple vendors, creating unnecessary delays. Red Sift and GMO GlobalSign have streamlined this process by integrating both components into a unified solution. Red Sift’s OnDMARC manages DMARC enforcement, while GMO GlobalSign provides the underlying PKI infrastructure for BIMI, Verified Mark Certificates, and Common Mark Certificates, which enable trusted logos in email inboxes. This collaboration eliminates the need for separate providers, offering a cohesive pathway from certificate issuance to BIMI activation.
Email Protocol Vulnerabilities
The email protocol, despite its widespread use, lacks inherent security mechanisms. Its vulnerabilities have become a primary entry point for adversaries, prompting increased scrutiny from security professionals. Rahul Powar, CEO of Red Sift, and Mike Boyle, VP of Identity Certificates and Digital Signing at GMO GlobalSign, outlined the current challenges. Powar emphasized that the protocol, developed over two decades ago, was never designed with security in mind. As it became the primary communication channel for businesses, its weaknesses evolved into significant risks. Attackers shifted from mass spam to targeted spear-phishing campaigns, while the slow adoption of protective measures exacerbated the problem.
Integration into Digital Trust Frameworks
Boyle highlighted a common oversight: organizations treat email as an isolated system rather than integrating it into a broader digital trust framework. He stressed that identity verification is critical to mitigating threats, noting that the protocol must now prioritize trust and brand protection. Attackers exploit siloed defenses, while security teams often address email, web monitoring, DNS hygiene, and PKI as separate domains. Powar argued for a holistic cybersecurity strategy that treats these elements as interconnected attack surfaces. Boyle agreed, stating that adversaries target the entire organization, seeking vulnerabilities in human or technological factors.
Rise of Artificial Intelligence in Cybersecurity
The rise of artificial intelligence has further lowered barriers for malicious actors. Powar noted that affordable, high-quality AI models have democratized attack capabilities, enabling adversaries to operate at unprecedented scales. Language is no longer a barrier, as AI tools handle content generation. Boyle observed that AI’s accessibility expands the pool of potential attackers, while the same technology can aid defense through threat detection and analysis. However, he cautioned that the cost of entry for malicious activities remains minimal. Powar advised focusing on foundational security practices, emphasizing that while no single solution offers complete protection, robust hygiene measures are essential.
DMARC and BIMI as Baseline Requirements
DMARC has become a baseline requirement for email domains. Sending messages to major providers like Google, Microsoft, or Yahoo without initiating DMARC with a p=none policy risks rejection or quarantine. Powar stated that organizations operating at scale without DMARC are likely misconfigured. BIMI, which builds on DMARC to display verified logos in inboxes, offers additional benefits. Powar noted growing collaboration between marketing and security teams, as BIMI enhances open rates and click-through rates while strengthening security postures. Boyle acknowledged that adoption remains concentrated among large enterprises, with DMARC implementation lagging across broader markets.
Recommendations for Security Leaders
For new CISOs or security leaders, Powar recommended abandoning the concept of a rigid perimeter. He highlighted that critical attacks often originate outside network boundaries, targeting suppliers, customers, or partners. DMARC, he argued, should be prioritized as a foundational defense layer, followed by account takeover detection and phishing simulations. Boyle emphasized that implementing controls is only the first step, requiring continuous monitoring and integration with brand and identity assurance mechanisms.
A closing observation, attributed to Powar, underscored the asymmetry of security: attackers need only one successful breach, while organizations must maintain constant vigilance.
Conclusion
The article explores strategies for aligning identity, brand, and security in email systems, highlighting collaborative solutions, evolving threats, and best practices for enterprise protection.
