At Reward Gateway, we handle a lot of different processes for our clients. Some of these processes include transactions on behalf of our clients and some include notifying their employees about changes in their benefit eligibility. Due to this type of communication, our clients need to be sure that emails from Reward Gateway are trustworthy.
Email was invented in a collegiate environment when impersonation and fraud were not seen as potential issues. Since then, businesses have come to rely on email, and additional protections have been introduced to make it trustworthy. The need to be sure that the sender really is who you think it is has become more and more relevant.
What does Reward Gateway use to ensure safe email communication?
We have implemented various technologies to provide assurance when it comes to email communication. In this article we’ll cover the main three that we use:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
When combined, SPF, DKIM and DMARC let a receiving server verify that a message really came from one of our domains and was not altered in transit. They authenticate the sender; they do not encrypt the message and do not by themselves guarantee delivery.
Sender Policy Framework (SPF)
SPF is about detecting and stopping attempted sender forgeries, which are used for:
- Fraud
- Malware & adware
- Phishing
When a recipient's server receives an email, it looks up the SPF record (a DNS TXT record) for the domain of the envelope sender (the Return-Path, which is not necessarily the From address a user sees) and checks whether the IP address of the server that delivered the message is on the approved list in that record. If it is not, the result is a fail (or a softfail, depending on how the record is written) and the email is flagged or rejected.
Learn more on Wikipedia.
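To make the lookup concrete, here is a small SPF evaluator written for this article. It is added example code, not anything Reward Gateway publishes or runs, and the DNS records, domains and IP ranges in it are constructed placeholders. It resolves `ip4`, `ip6`, `include` and `all` mechanisms against an inline stand-in for DNS and returns the result a receiver would record:

```python
import ipaddress

# Constructed stand-in for DNS: the TXT records a receiver would fetch for
# each domain. Domains and address ranges are placeholders, not real data.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifier prefix -> result the receiver records
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    `domain` is the envelope sender (MAIL FROM / Return-Path) domain, which is
    what SPF authenticates; it is not the From: header a user sees.
    Supports ip4, ip6, include and all (a, mx and exists are omitted).
    """
    if depth > 10:                  # RFC 7208 limits DNS-consuming lookups to 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # an IPv4 address is never "in" an IPv6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches when the referenced domain's record passes
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms are ignored here; a real evaluator handles a/mx/exists
    return "neutral"                # record ended without a match


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.7"), ("example.com", "198.51.100.10"),
                    ("example.com", "2001:db8::1"), ("example.com", "192.0.2.5"),
                    ("softfail.example", "192.0.2.5"), ("unknown.example", "192.0.2.5")]:
        print(f"{dom:22} {ip:16} -> {check_spf(dom, ip)}")
```

The point a practitioner should take from this: SPF only authenticates the envelope sender, so a message whose visible From header says one domain while its Return-Path says another can still pass SPF. That gap is what DMARC's alignment check closes.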
DomainKeys Identified Mail (DKIM)
DKIM complements SPF. It uses public-key cryptography: our outgoing mail servers sign selected headers and the message body with a private key, and the receiving server fetches the matching public key from our DNS to verify the signature. It cannot stop someone altering a message in transit, but any change to the signed headers or body makes the signature fail to verify, so the message can be flagged.
Learn more on Wikipedia.
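The tamper detection works because the signature covers a hash of the canonicalized body (the `bh=` tag of the DKIM-Signature header). The following example, written for this article rather than taken from Reward Gateway's systems, implements the body canonicalization and body-hash check from RFC 6376 and shows that an altered body fails while a copy that only differs in whitespace still matches. The message bodies, domain and selector are constructed; the RSA signature over the headers (the `b=` tag) is left empty because no private key is used here:

```python
import base64
import hashlib
import re


def canonicalize_body(body, algorithm="simple"):
    """Body canonicalization from RFC 6376 section 3.4.
    simple:  drop empty lines at the end; body ends with one CRLF.
    relaxed: additionally strip trailing whitespace and collapse runs of
             spaces/tabs, so relays that re-wrap whitespace do not break
             the signature."""
    lines = body.replace("\r\n", "\n").split("\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if algorithm == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, algorithm="simple", length=None):
    """The value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canon = canonicalize_body(body, algorithm).encode("utf-8")
    if length is not None:          # l= tag: only the first `length` bytes are hashed
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'k=v; k=v' into a dict, removing folding whitespace in values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_canonicalization(tags):
    """c= is 'header/body'; a bare 'c=relaxed' means the body is simple."""
    c = tags.get("c", "simple/simple")
    return c.split("/")[1] if "/" in c else "simple"


def body_hash_matches(dkim_signature, body):
    """Receiver side: recompute bh= and compare with the header's value.
    The b= signature over the h= headers (which include bh=) is what binds
    this to the sender's key; verifying it needs the public key published at
    <selector>._domainkey.<d=> in DNS and an RSA library, not shown here."""
    tags = parse_dkim_tags(dkim_signature)
    length = int(tags["l"]) if "l" in tags else None
    return tags["bh"] == body_hash(body, body_canonicalization(tags), length)


def build_signature_header(body, domain="example.com", selector="s1"):
    """Sender side (constructed): a DKIM-Signature value with bh= filled in
    and b= left empty because this example uses no private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b="
            % (domain, selector, body_hash(body, "relaxed")))


# Constructed messages: the original, a copy an attacker altered in transit,
# and a copy where only whitespace changed (as a relay might do).
ORIGINAL_BODY = "Hello,\r\n\r\nYour benefit eligibility has changed.\r\nRegards\r\n\r\n\r\n"
TAMPERED_BODY = ORIGINAL_BODY.replace("has changed.", "has changed; reply with your password.")
RESPACED_BODY = "Hello,   \r\n\r\nYour   benefit eligibility has changed.\r\nRegards\r\n"
SIGNATURE_HEADER = build_signature_header(ORIGINAL_BODY)

if __name__ == "__main__":
    print(SIGNATURE_HEADER)
    print("original:", body_hash_matches(SIGNATURE_HEADER, ORIGINAL_BODY))
    print("tampered:", body_hash_matches(SIGNATURE_HEADER, TAMPERED_BODY))
    print("respaced:", body_hash_matches(SIGNATURE_HEADER, RESPACED_BODY))
```

One caveat worth knowing when reading real signatures: the optional `l=` tag limits the hash to the first N bytes of the body, so anything appended after that point is unsigned. Verifiers should treat a signature with `l=` shorter than the body as suspect, and signers should simply not use it.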
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC builds on both SPF and DKIM. It lets us publish a policy telling receiving servers what to do with messages that claim to come from our domains but fail both checks, or pass them only for an unrelated domain, so that fraudulent mail is quarantined or rejected. It also gives us a reporting channel, so we can monitor which messages are being blocked and which servers are sending them.
Learn more on Wikipedia.
How does this ensure our clients email security?
At the moment our DMARC policy tells receiving servers to flag (quarantine) emails that do not pass our SPF and DKIM checks for our domains. Your email servers should already be configured to check these.
Over the course of 2019 we will be increasing the strictness of these rules, moving from a quarantine policy to a reject policy, and asking our clients' servers not just to flag failing messages but to actively drop them instead.
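The DMARC description above and the move from flagging to dropping can both be shown with a small evaluator. This is added example code written for this article, not Reward Gateway's policy or tooling, and the two DMARC records in it are constructed placeholders (one with `p=quarantine`, the "flag" state; one with `p=reject`, the "drop" state). It takes the SPF and DKIM results for a message together with the domains each one authenticated, checks alignment with the visible From domain, and returns the action the published policy asks for:

```python
# Constructed DMARC records at _dmarc.<domain>; domains are placeholders.
# "example.com" models the quarantine (flag) state described above;
# "strict.example" models the reject (drop) state with strict alignment.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, crudely: the last two labels. Real receivers
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Alignment between the domain SPF/DKIM authenticated and the From: domain.
    s = strict (exact match), r = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    from_domain: domain of the RFC 5322 From: header (what the user sees)
    spf_domain:  envelope sender domain SPF was evaluated for
    dkim_domain: d= tag of a DKIM signature that verified (None if none did)
    pct= sampling is omitted here (treated as 100)."""
    from_domain = from_domain.lower()
    record = DMARC_TXT.get("_dmarc." + from_domain)
    use_subdomain_policy = False
    if record is None:
        # subdomain without its own record falls back to the org domain's
        record = DMARC_TXT.get("_dmarc." + org_domain(from_domain))
        use_subdomain_policy = record is not None and from_domain != org_domain(from_domain)
    if record is None:
        return "none", "deliver"            # no policy: receiver uses its own heuristics
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                   # one aligned pass is enough
        return "pass", "deliver"
    policy = tags.get("p", "none")
    if use_subdomain_policy:
        policy = tags.get("sp", policy)
    actions = {"none": "deliver (report only)", "quarantine": "flag", "reject": "drop"}
    return "fail", actions[policy]


if __name__ == "__main__":
    cases = [
        ("example.com", "pass", "bounce.example.com", "fail", None),   # our own bounce domain
        ("example.com", "pass", "attacker.example", "fail", None),     # SPF passes for the wrong domain
        ("news.example.com", "fail", "news.example.com", "pass", "mailer.example"),
        ("strict.example", "pass", "mail.strict.example", "fail", None),
        ("strict.example", "fail", "mail.strict.example", "pass", "strict.example"),
    ]
    for case in cases:
        print(case[0], "->", dmarc_evaluate(*case))
```

The second case is the one SPF alone gets wrong: the attacker's own Return-Path domain passes SPF, but it is not aligned with the From domain the employee sees, so DMARC fails and the policy applies. Moving the record from `p=quarantine` to `p=reject` is the change that turns "flag" into "drop"; the `rua=` address is where receivers send the aggregate reports used to check that legitimate senders are aligned before making that change.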
Why is email safelisting important?
The above measures make it very hard for anyone to send emails that appear to come from our domains. They do not ensure that our mail will be delivered once it is received: any of our clients' email solutions may still classify our emails as spam, apply delivery delays, block images and so on.
This is a common problem for us, as we send to many different individuals in many different organizations in quick succession. Many email servers try to detect this pattern and classify the messages as marketing email, placing them in a digest. Our safelist guidelines are there to help ensure this does not happen and that end users do not raise support issues because of delays in message processing. Safelisting is not about turning off any security measures; it is about ensuring the right emails reach the right people at the right time.
What about phishing?
We are aware that phishing poses a serious threat to organizations and their security, and that benefits are a soft-target for phishers. Learn more about phishing campaigns.
We will not authorise any company or client to use Reward Gateway content, branding or websites for phishing simulation tests. We take proactive steps to detect potential phishing threats in the wild. If any client of ours believes they have received a phishing email using our details, it should be reported to us at (infosec [at] rewardgateway [.] com) and we will take every step to disrupt the campaign.