
New email security measures: Part 2
In the first part of this article we looked at key technologies such as mail gateways, antispam filters, DKIM, and SPF, which are essential to protect business email. In this second part we explore additional protocols such as DANE, MTA-STS, and BIMI, which complement and strengthen security in email communication. We also discuss other advanced measures you can implement for more robust protection.
Securing TLS connections
The DANE (DNS-based Authentication of Named Entities) protocol adds a layer of security to email by tying the TLS (Transport Layer Security) certificate a mail server presents to DNS: the server's operator publishes which certificate is expected, and DNSSEC (DNS Security Extensions) guarantees that this published information has not been tampered with. A sending server can therefore verify the certificate it receives instead of trusting it blindly, which helps prevent server impersonation attacks.
Advantages of DANE include:
- Protection against man-in-the-middle (MitM) attacks.
- Stronger authentication of security certificates.
Drawbacks include:
- DNSSEC and DANE require advanced DNS configuration.
- Not all mail providers support DANE, which limits adoption.
Another key protocol for securing server-to-server connections is MTA-STS (Mail Transfer Agent Strict Transport Security). It lets a domain publish a policy stating that its mail servers require TLS on SMTP connections, so a sending server that honours the policy does not deliver messages unencrypted.
Benefits include:
- Prevents downgrade attacks, where an attacker tries to force an unencrypted connection.
- Ensures mail between servers is always sent securely.
Points to note:
- MTA-STS is relatively straightforward to implement, but requires DNS to be configured correctly and the server to support TLS.
- Unlike DANE, it does not depend on DNSSEC, which simplifies setup.
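As an added example (not code from the original article), the following Python script shows the sending-side logic behind MTA-STS: it parses the `_mta-sts.<domain>` TXT record and the policy file served over HTTPS, applies the RFC 8461 rule that a `*.` mx pattern matches exactly one label, and decides whether a connection to a given MX host may be used. The domain names, policy id and policy text are constructed sample values, and the DNS and HTTPS fetches that would normally obtain them are left out so the example runs offline.

```python
"""Sending-side MTA-STS policy handling (RFC 8461).

Added example, not from the original article. The TXT record and policy
text below are CONSTRUCTED sample values for a fictional domain; the DNS
and HTTPS fetches that would normally obtain them are left out.
"""
from typing import Dict

# What a resolver would return for _mta-sts.example.com TXT (constructed).
SAMPLE_TXT = "v=STSv1; id=20240115T120000"

# What https://mta-sts.example.com/.well-known/mta-sts.txt would serve (constructed).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_sts_txt(txt: str) -> Dict[str, str]:
    """Split the _mta-sts TXT record into tags; 'id' changes whenever the policy does."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return tags


def parse_sts_policy(text: str) -> dict:
    """Parse the 'key: value' policy file; 'mx' may repeat, everything else is single."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 matching: '*.example.com' covers 'mail.example.com' but not
    'example.com' or 'a.b.example.com' (the wildcard is exactly one label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_valid: bool) -> str:
    """What a policy-aware sender does with one MX connection.

    'deliver'            -- connection satisfies the policy (or mode is none)
    'deliver-and-report' -- violation, but mode is testing: deliver and report the failure
    'refuse'             -- violation in enforce mode: do not send, try another MX or queue
    """
    host_listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    compliant = host_listed and tls_ok and cert_valid
    if policy["mode"] == "none" or compliant:
        return "deliver"
    if policy["mode"] == "testing":
        return "deliver-and-report"
    return "refuse"


if __name__ == "__main__":
    parse_sts_txt(SAMPLE_TXT)
    pol = parse_sts_policy(SAMPLE_POLICY)
    print(delivery_decision(pol, "mail1.example.com", tls_ok=True, cert_valid=True))     # deliver
    print(delivery_decision(pol, "mail1.example.com", tls_ok=False, cert_valid=False))   # refuse
    print(delivery_decision(pol, "mx9.attacker.example", tls_ok=True, cert_valid=True))  # refuse
```

The `testing` mode is the safe starting point when rolling MTA-STS out: violations are still delivered but reported (TLSRPT, RFC 8460), so a wrong mx pattern or an expired certificate shows up in reports before `enforce` starts refusing mail.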
The TLSA DNS record is the piece DANE relies on: it tells sending servers which certificate or public key a mail server should present, so administrators control exactly which certificates are trusted for its TLS connections. A connection that presents a forged certificate no longer matches the published record, which makes interception much harder.
Advantages:
- Ensures verification of the certificate used by mail servers.
- Adds an extra layer of authentication to TLS connections.
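To make the DANE and TLSA mechanism described above concrete, here is an added Python example (not code from the original article) that shows both sides: building the TLSA record an operator would publish for the server certificate (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256, the combination commonly recommended for SMTP) and checking a certificate presented during the TLS handshake against that record. The certificate bytes are constructed with a tiny DER encoder that mimics the X.509 field order; they are not a real certificate, and the DNSSEC validation of the record is assumed to have happened already.

```python
"""Build and check DANE TLSA records (RFC 6698 / RFC 7672) for SMTP.

Added example, not from the original article. The certificates used below
are CONSTRUCTED: a minimal DER structure laid out like an X.509 certificate,
built with the small encoder here, not a real certificate. DNSSEC validation
of the TLSA record is assumed to have happened already.
"""
import hashlib
from typing import Iterator, Tuple

SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06
EXPLICIT_0 = 0xA0  # the [0] tag wrapping the X.509 version field


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def der_children(content: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, raw TLV bytes) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == EXPLICIT_0:   # optional version present: skip it
        fields = fields[1:]
    tag, spki = fields[5]                       # sixth field after the version
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """The TLSA record data an operator publishes at _25._tcp.<mx host>."""
    data = extract_spki(cert_der) if selector == 1 else cert_der   # selector 0 = full certificate
    digest = {0: lambda d: d.hex(),                                 # matching type 0 = exact
              1: lambda d: hashlib.sha256(d).hexdigest(),           # 1 = SHA-256
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype]    # 2 = SHA-512
    return f"{usage} {selector} {mtype} {digest(data)}"


def tlsa_matches(rdata: str, presented_cert_der: bytes) -> bool:
    """Does the certificate presented in the TLS handshake satisfy this record?

    Only usage 3 (DANE-EE) is handled: the end-entity certificate itself must
    match. Usage 2 (DANE-TA) would require checking the presented chain.
    """
    usage, selector, mtype, assoc = rdata.split()
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    expected = tlsa_rdata(presented_cert_der, 3, int(selector), int(mtype)).split()[3]
    return expected.lower() == assoc.lower()


def fake_certificate(public_key: bytes) -> bytes:
    """CONSTRUCTED certificate: correct field order, placeholder contents."""
    empty = der_encode(SEQUENCE, b"")                                      # fields we do not model
    algorithm = der_encode(SEQUENCE, der_encode(OID, b"\x2a\x03\x04"))      # placeholder OID 1.2.3.4
    spki = der_encode(SEQUENCE, algorithm + der_encode(BIT_STRING, b"\x00" + public_key))
    tbs = der_encode(SEQUENCE,
                     der_encode(EXPLICIT_0, der_encode(INTEGER, b"\x02"))    # version v3
                     + der_encode(INTEGER, b"\x01")                           # serialNumber
                     + empty + empty + empty + empty                          # signature, issuer, validity, subject
                     + spki)
    return der_encode(SEQUENCE, tbs + empty + der_encode(BIT_STRING, b"\x00"))


GENUINE_CERT = fake_certificate(b"\x01\x02\x03\x04")   # constructed
FORGED_CERT = fake_certificate(b"\xff\xfe\xfd\xfc")    # constructed: same layout, different key
PUBLISHED = tlsa_rdata(GENUINE_CERT)                    # "3 1 1 <sha256 of the SPKI>"

if __name__ == "__main__":
    print("_25._tcp.mail.example.com. IN TLSA", PUBLISHED)
    print("genuine certificate accepted:", tlsa_matches(PUBLISHED, GENUINE_CERT))
    print("forged certificate rejected:", not tlsa_matches(PUBLISHED, FORGED_CERT))
```

Publishing a record for the public key (selector 1) rather than the whole certificate lets the server renew its certificate without touching DNS as long as the key pair stays the same; when the key does change, the new TLSA record should be published (and allowed to propagate past the old TTL) before the new certificate is deployed, otherwise DANE-aware senders will refuse the connection.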
BIMI: authenticity and branding in email
BIMI (Brand Indicators for Message Identification) improves security and adds commercial value by letting authentic emails display the brand logo in the mail client. This protocol reinforces visual authenticity and helps prevent phishing.
Important points:
- Builds trust in email by showing a verified logo.
- Improves branding and brand visibility.
- BIMI depends on correct DMARC implementation, so misconfigured SPF or DKIM will affect how it works.
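Because BIMI only works on top of an enforced DMARC policy, a useful check before publishing a logo is to verify the DNS prerequisites. The following Python example is added here and is not code from the original article; the DMARC and BIMI records are constructed sample values, and the rules it encodes are the author's reading of the BIMI draft specification (DMARC must be p=reject or p=quarantine with pct=100, sp must not be none if present, and the BIMI record must be v=BIMI1 with https URLs).

```python
"""Check the DNS prerequisites before a mailbox provider would show a BIMI logo.

Added example, not from the original article. The records are CONSTRUCTED.
The rules encoded here are the author's reading of the BIMI draft
specification: DMARC must be enforced (p=quarantine with pct=100, or
p=reject; sp, if present, must not be none) and the BIMI record must be
v=BIMI1 with an https logo URL (l=) and, if given, an https certificate URL (a=).
"""
from typing import Dict, List

# Constructed sample records for a fictional domain.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"
BIMI_OK = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
BIMI_BAD = "v=BIMI1; l=http://example.com/brand/logo.svg"


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DNS TXT record into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_problems(dmarc_txt: str, bimi_txt: str) -> List[str]:
    """Return the reasons a receiver would decline to show the logo (empty list = eligible)."""
    problems: List[str] = []

    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record (v=DMARC1 missing)")
    policy = dmarc.get("p", "none")            # DMARC treats a missing p as no enforcement
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy must be quarantine or reject, found p={policy}")
    if policy == "quarantine" and dmarc.get("pct", "100") != "100":
        problems.append(f"DMARC quarantine must cover all mail, found pct={dmarc['pct']}")
    if dmarc.get("sp") == "none":
        problems.append("DMARC subdomain policy sp=none is not allowed")

    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record (v=BIMI1 missing)")
    logo = bimi.get("l", "")
    if not logo:
        problems.append("BIMI record publishes no logo URL (l=)")
    elif not logo.startswith("https://"):
        problems.append("BIMI logo URL must use https")
    evidence = bimi.get("a", "")
    if evidence and not evidence.startswith("https://"):
        problems.append("BIMI certificate URL (a=) must use https")
    return problems


if __name__ == "__main__":
    print("eligible:", bimi_problems(DMARC_OK, BIMI_OK))        # []
    print("weak DMARC:", bimi_problems(DMARC_WEAK, BIMI_OK))    # pct=10 problem
    print("bad logo URL:", bimi_problems(DMARC_OK, BIMI_BAD))   # https problem
```

Note that this only checks the published records; receivers additionally require the individual message to pass DMARC, and some require the logo to be backed by a certificate referenced in `a=`, which this example does not fetch or validate.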
Greylisting: a temporary filter against spam
Greylisting is a technique that temporarily rejects the first delivery attempt from an unknown sender and asks the sending server to retry. Legitimate mail servers retry automatically, while much automated spam software does not, so the technique filters out a large share of spam at the cost of a short delay on first contact.
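As an added example (not code from the original article), here is a minimal greylisting policy in Python: it keys on the (client IP, envelope sender, envelope recipient) triplet, returns a temporary 451 reply on first contact and on retries that come back too quickly, and accepts once a retry arrives after the configured delay. The attempts replayed by `simulate()` and the addresses in them are constructed; the delay and expiry values are typical but arbitrary choices.

```python
"""Triplet greylisting for an SMTP front end.

Added example, not from the original article. The table is kept in memory
and the clock is passed in explicitly so the example runs deterministically;
a real deployment would persist the table and usually key on the client's
/24 network or reverse-DNS name to tolerate outbound mail clusters.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)

TEMP_FAIL = (451, "4.7.1 Greylisted, please retry later")
ACCEPT = (250, "OK")


@dataclass
class Greylister:
    min_delay: int = 300                  # seconds a sender must wait before retrying
    retry_window: int = 4 * 3600          # a pending entry older than this is forgotten
    pass_ttl: int = 36 * 24 * 3600        # how long a triplet that retried correctly is trusted
    pending: Dict[Triplet, float] = field(default_factory=dict)
    passed: Dict[Triplet, float] = field(default_factory=dict)

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for one delivery attempt at time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed and now - self.passed[key] < self.pass_ttl:
            self.passed[key] = now          # known-good triplet: accept and refresh its expiry
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now         # first attempt (or a stale one): ask for a retry
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            return TEMP_FAIL                # retried too soon; keep the original timestamp
        del self.pending[key]               # retried after the delay: behaves like a real MTA
        self.passed[key] = now
        return ACCEPT

    def expire(self, now: float) -> None:
        """Drop stale entries; a daemon would call this periodically."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {k: t for k, t in self.passed.items() if now - t < self.pass_ttl}


def simulate() -> List[int]:
    """Replay a CONSTRUCTED sequence of attempts and return the reply codes."""
    g = Greylister()
    attempts = [
        ("203.0.113.10", "news@partner.example", "alice@example.com", 0),      # first contact
        ("203.0.113.10", "news@partner.example", "alice@example.com", 60),     # retried too early
        ("203.0.113.10", "news@partner.example", "alice@example.com", 900),    # proper retry
        ("203.0.113.10", "news@partner.example", "alice@example.com", 86400),  # later mail, no delay
        ("198.51.100.7", "x1@spammer.example", "bob@example.com", 0),          # spam bot, never retries
    ]
    return [g.check(ip, sender, rcpt, t)[0] for ip, sender, rcpt, t in attempts]


if __name__ == "__main__":
    print(simulate())   # [451, 451, 250, 250, 451]
```

The `min_delay` guard matters as much as the initial rejection: some spam tools do retry, but immediately, and refusing those retries keeps them out without affecting standards-compliant MTAs, which wait minutes before their next attempt.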
Two-factor authentication (2FA)
Although 2FA is usually associated with account login, enabling it for email sessions protects accounts against unauthorised access even if the password has been compromised.
It is important to remember that DANE, MTA-STS, BIMI, and other advanced measures complement the protocols covered in the first part of this article, such as SPF, DKIM, and mail gateways. Together they form an end-to-end solution that balances security and usability.
Email security is a constantly evolving challenge. While protocols such as SPF, DKIM, and antispam filters are essential, newer technologies such as DANE, MTA-STS, and BIMI add further layers of protection and visibility. Technical administrators should maintain continuous oversight and adapt configurations as attacker tactics evolve. Only a comprehensive approach that combines established and innovative measures can deliver robust security for business email.
Balancing security, authenticity, and ease of use is key to optimising the user experience and ensuring the integrity of digital communication.
For more information, keep reading our blog and our upcoming posts!