Discover how the AAA security processes and protocols improve email security by protecting recipients, email senders, and domain owners from phishing attacks, spoofing, and spam.
Authentication, Authorization, and Accounting (AAA) is a security framework designed to ensure access to computer resources and software applications is restricted to legitimate users. It achieves this by mediating network access and enforcing auditing policies.
As the crucial first step in the AAA security process, authentication ensures proper system access. When the AAA security server receives an access request, it compares the authentication credentials with the database credentials to see if they match.
Authentication is critical to email security because it gives the recipient confidence the email is who it claims to be. Authentication can be categorized under the following:
- Static passwords
- One-time password (OTP)
- Digital certificates
- Biometric credentials
The following are vital technical standards that make up email authentication:
What is DKIM?
The technical standard DomainKeys Identified Mail (DKIM) is a form of an email authentication process. It allows an organization to add a digital signature to their email messages, so recipients have a way to validate the email by matching its public cryptographic key with DNS records.
What is SPF?
The Sender Policy Framework (SPF) validates email messages by allowing the receiving mail server to check if the email is coming from an authorized IP address. The domain administrator compares the sender’s details with its list of trusted sending hosts published in the DNS records.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication protocol that uses SPF and DKIM to determine the email message’s authenticity.
What is DANE?
DNS-based Authentication of Named Entities (DANE) enables the domain owner to certify the keys used by its clients or servers and generate a certificate. Domain Name System Security Extensions (DNSSEC) is a requirement for DANE. For the security model to work, the DNS record must be signed with DNSSEC.
What is MTA-STS?
In 2019, Google announced that it was making Gmail more secure with Mail Transfer Agent/Strict Transport Security (MTA-STS). The mechanism instructs the SMTP server to ensure that the other SMTP server must be encrypted and the domain name on the certificate should match the domain.
MTA-STS protects against Man-in-the-Middle (MITM) attacks and downgrade attacks and solves SMTP security problems such as expired TLS certificates.
What is TLS-RPT?
Transport Layer Security Reporting (TLS-RPT) works with MTA-STS and DANE to enforce TLS. The protocol allows a domain to report email delivery issues when the email lacks TLS encryption. Through MTA-STS support, it guarantees emails sent to the domain get TLS encryption and are delivered securely.
After the user provides their credentials and proves their identity, the authorization process determines what they can and cannot access. Therefore, a user’s credentials may be authenticated as legitimate; however, they may not access specific data, programs, and services depending on the authorization rule.
The accounting step in the AAA process tracks the user’s activity for purposes such as forensic investigating, data collection, and detecting breaches. The system tracks data like login times and accessed resources.