
Amazon Simple Email Service, how to increase business email security and brand reputation

Email marketing is still the most profitable form of digital marketing. According to Hubspot, “email generates $38 for every dollar spent, which is an incredible 3,800% ROI.” This is an incredible achievement when you consider that 3.9 billion people in the world check their email every day, and this number is expected to rise to 4.3 billion by 2023. In addition, 73% of Millennials prefer to have company communications come through email, and 59% of respondents say that marketing emails influence their purchasing decisions.

If email marketing is of paramount importance to your business, then you should know about a very useful AWS tool: Amazon Simple Email Service.
It suits the needs of ambitious companies and growing businesses that, in addition to maintaining brand reputation, want to prevent their domain from being used as part of a phishing attack. Here we show how to implement three mechanisms that visually authenticate emails sent from your domain to users and verify that emails in transit are encrypted. It can take as little as 15 minutes to implement these mechanisms on Amazon Web Services, and the result can provide immediate, long-term improvements to your company’s email security.

Email phishing remains one of the most common ways that bad actors attempt to compromise computer systems. According to the FBI’s latest Internet Crime Report, phishing incidents and related crimes far outnumber other categories of Internet crime. Phishing has consistently led to massive annual financial losses in the United States and around the world.

Email is a complex system of interoperable technologies. But it’s also fragile: a typo or a missing DNS record can mean the difference between whether an email is delivered or not. The main indicator that something is wrong is the absence of emails. Instead of seeing an error in your email server’s log, users will tell you that an email they expected from somewhere never arrived, or that they sent an email and the recipient cannot find it.

DNS uses many caching and timeout values to improve its efficiency. This makes DNS record changes slow and a bit unpredictable as they propagate over the internet. So it’s crucial to keep in mind that, even while the systems are being monitored, it can be hours or even more than a day before changes to DNS records have an effect that you can detect.

This solution uses custom AWS Cloud Development Kit (CDK) resources, which are backed by AWS Lambda functions that you will create as part of your deployment. These functions are configured to use the runtimes selected by CDK, which will eventually no longer be supported and will require updating.

But what does this solution implement? It deploys the DNS records and supporting files that are required to implement BIMI, MTA-STS, and SMTP TLS reports for an email domain.
Brand Indicators for Message Identification (BIMI) enable domain owners to coordinate with mail user agents (MUAs) to display brand-specific indicators next to properly authenticated messages. If the company in question has a trademarked logo, you can configure BIMI so that the logo is displayed to recipients in their inboxes. This can have a positive impact on your brand and indicates to end users that your email is more trustworthy. The BIMI Group shows examples of how brand logos are displayed in users’ inboxes, as well as a list of well-known email service providers that support the display of BIMI logos.

Simple Mail Transfer Protocol (SMTP) MTA Strict Transport Security (MTA-STS) is a mechanism that allows mail service providers to declare their ability to receive Transport Layer Security (TLS) secured SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. Put simply, MTA-STS helps ensure that email servers always use encryption and certificate-based authentication when sending email to your domains, so that the integrity and confidentiality of messages are preserved while in transit over the internet. MTA-STS also helps ensure that messages are sent only to authorized servers.
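Both BIMI and MTA-STS depend on DNS TXT records and, for MTA-STS, on a policy file, and the post notes above that a typo in one of them simply results in mail quietly not arriving. The following Python script is an added example (not code from the post, and not part of any AWS or CDK tooling) that checks the three artifacts for the formatting rules in the BIMI specification and RFC 8461 before they are published. The domain `example.com`, the URLs and the record values are constructed placeholders; the check that `mx:` is present when the mode is `enforce` or `testing` is this example's own sanity rule.

```python
"""Validate the BIMI assertion record, the _mta-sts TXT record and the
mta-sts.txt policy file for a domain before publishing them."""
import re
from urllib.parse import urlparse

# Constructed sample values for the placeholder domain example.com.
BIMI_RECORD = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")        # default._bimi.example.com
MTA_STS_RECORD = "v=STSv1; id=20240101T120000Z"               # _mta-sts.example.com
MTA_STS_POLICY = (                                             # https://mta-sts.example.com/.well-known/mta-sts.txt
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.mx.example.com\n"
    "max_age: 604800\n"
)

MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into an ordered list of pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def check_bimi_record(record):
    """Return a list of problems with a BIMI assertion record (empty if OK)."""
    problems = []
    pairs = parse_tags(record)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("record must start with v=BIMI1")
    if "l" not in tags:
        problems.append("missing l= (logo location) tag")
    # An empty l= declares that the domain publishes no logo; a non-empty
    # l= or a= must point at an https URL (http is rejected by MUAs).
    for tag in ("l", "a"):
        value = tags.get(tag, "")
        if value and urlparse(value).scheme != "https":
            problems.append(f"{tag}= must be an https URL, got {value!r}")
    return problems


def check_mta_sts_record(record):
    """Return problems with the _mta-sts TXT record (v=STSv1; id=...)."""
    problems = []
    pairs = parse_tags(record)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "STSv1"):
        problems.append("record must start with v=STSv1")
    # The id changes whenever the policy file changes; senders use it to
    # decide whether to refetch the policy, so its syntax matters.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        problems.append("id= must be 1-32 alphanumeric characters")
    return problems


def check_mta_sts_policy(text):
    """Return problems with the mta-sts.txt policy file."""
    problems = []
    fields = {}
    mx_patterns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            problems.append(f"malformed line: {line!r}")
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx_patterns.append(value)
        else:
            fields[key] = value  # unknown keys are tolerated and ignored
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"mode must be enforce, testing or none, got {mode!r}")
    if mode in ("enforce", "testing") and not mx_patterns:
        problems.append("at least one mx: line is needed when mode is enforce or testing")
    max_age = fields.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"max_age must be an integer of at most {MAX_AGE_LIMIT} seconds")
    return problems


if __name__ == "__main__":
    for name, result in (("BIMI record", check_bimi_record(BIMI_RECORD)),
                         ("MTA-STS record", check_mta_sts_record(MTA_STS_RECORD)),
                         ("MTA-STS policy", check_mta_sts_policy(MTA_STS_POLICY))):
        print(name, "OK" if not result else result)
```

Run it against the values you are about to publish (or against what `dig TXT default._bimi.<domain>` and `dig TXT _mta-sts.<domain>` return after propagation) to catch the classic mistakes: an `http://` logo URL, a hyphenated policy id, or an `enforce` policy with no `mx:` line.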

There are a number of protocols for establishing encrypted channels between SMTP mail transfer agents (MTAs), including STARTTLS, DNS-Based Authentication of Named Entities (DANE) TLSA, and MTA Strict Transport Security (MTA-STS). These protocols can fail due to misconfiguration or active attack, leading to undelivered messages or delivery over unencrypted or unauthenticated channels. SMTP TLS Reporting (TLS-RPT) defines a reporting mechanism and a format by which sending systems can share statistics and specific information about potential errors with recipient domains. Recipient domains can then use this information both to detect potential attacks and to diagnose unintended misconfigurations.
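The reports arrive as JSON documents in the RFC 8460 format at the `rua=` address published in the `_smtp._tls.<domain>` TXT record, and the distinction the paragraph draws (attack versus misconfiguration) is exactly what a recipient has to make when reading one. The script below is an added example, not code from the post or from AWS, that summarizes one report per policy and separates failures whose result types point at certificate or policy errors from those that indicate STARTTLS or the MTA-STS policy could not be negotiated at all. The sample report, its sending IPs and its counts are constructed, and the two-way grouping of result types is this example's triage heuristic rather than something the RFC prescribes.

```python
"""Summarize an SMTP TLS report (RFC 8460 JSON) into per-policy findings."""
import json
from collections import Counter

# Result types defined in RFC 8460 section 4.3, grouped for triage.
# Interference: the sender could not negotiate or verify TLS/MTA-STS at all.
INTERFERENCE_TYPES = {"starttls-not-supported", "sts-policy-fetch-error",
                      "sts-webpki-invalid"}
# Misconfiguration: TLS was offered but the certificate or policy was wrong.
MISCONFIG_TYPES = {"certificate-host-mismatch", "certificate-expired",
                   "certificate-not-trusted", "validation-failure",
                   "sts-policy-invalid", "tlsa-invalid", "dnssec-invalid",
                   "dane-required"}

# Constructed sample report; the domain, IPs and counts are made up.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-01-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: enforce",
                              "mx: mail.example.com", "max_age: 604800"],
            "policy-domain": "example.com",
            "mx-host": ["mail.example.com"],
        },
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "198.51.100.10",
             "receiving-mx-hostname": "mail.example.com",
             "failed-session-count": 200},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.7",
             "receiving-mx-hostname": "mail.example.com",
             "failed-session-count": 103},
        ],
    }],
})


def policy_mode(policy_string):
    """Return the 'mode' value from an MTA-STS policy-string list, if any."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarize_report(report_json, max_failure_rate=0.01):
    """Return one finding dict per policy in the report.

    max_failure_rate is the share of failed sessions above which a policy
    is flagged regardless of the failure types involved.
    """
    report = json.loads(report_json)
    findings = []
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        summary = entry.get("summary", {})
        ok = summary.get("total-successful-session-count", 0)
        failed = summary.get("total-failure-session-count", 0)
        total = ok + failed
        rate = failed / total if total else 0.0

        per_type = Counter()
        for detail in entry.get("failure-details", []):
            per_type[detail.get("result-type", "unknown")] += detail.get("failed-session-count", 0)
        interference = sum(n for t, n in per_type.items() if t in INTERFERENCE_TYPES)
        misconfig = sum(n for t, n in per_type.items() if t in MISCONFIG_TYPES)
        mode = policy_mode(policy.get("policy-string", []))

        alerts = []
        if rate > max_failure_rate:
            alerts.append(f"failure rate {rate:.1%} exceeds {max_failure_rate:.1%}")
        if interference:
            alerts.append(f"{interference} sessions could not negotiate or verify "
                          "STARTTLS/MTA-STS; check for interference on the path")
        if misconfig:
            alerts.append(f"{misconfig} sessions failed certificate or policy "
                          "validation; check MX certificates and the published policy")
        if mode == "testing" and failed:
            alerts.append("policy is in testing mode, so these failures did not block delivery")

        findings.append({"domain": policy.get("policy-domain"),
                         "policy_type": policy.get("policy-type"),
                         "mode": mode, "failure_rate": rate,
                         "per_type": dict(per_type),
                         "interference_sessions": interference,
                         "misconfig_sessions": misconfig, "alerts": alerts})
    return findings


if __name__ == "__main__":
    for finding in summarize_report(SAMPLE_REPORT):
        print(finding["domain"], finding["mode"], f"{finding['failure_rate']:.2%}")
        for alert in finding["alerts"]:
            print("  -", alert)
```

In practice the reports are gzip-compressed JSON attached to mail or POSTed over HTTPS, so the JSON string passed to `summarize_report` would come from decompressing the attachment; the useful signal is a sustained count of interference-type failures from the same sending MTA, which is worth correlating with the sender rather than with your own certificate renewals.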

Author

Maria Grazia
