David Papp Blog

Cloudflare Working To Improve Email Security

Cloudflare – an internet infrastructure company that’s involved in customer security, DDoS protection, browser isolation, and mobile VPN – is looking to provide security to a classic web foe: email.

Cloudflare recently announced their plan to launch a pair of email safety and security options that it views as the first step towards better email security. The pair is designed to catch more targeted phishing attacks, reduce the effectiveness of address spoofing, and mitigate fallout of users if they click on a malicious link.

What’s amazing about this feature is that it’s free and It’s mainly geared for uses in corporate and small businesses. What’s also nice is these services are covered from top email hosting users like Google’s Gmail, Microsoft 365, Yahoo, and even some old accounts like AOL.

Why Now?

When asked about why these features are being delivered now, Cloudflare CEO Matthew Prince said since its founding in 2009, the company intentionally avoided this thorny issue. Despite that, email security issues are unrelenting, and it’s gotten to the point where it’s become necessary to have.

When asked for more details, Prince thought tech giants Google, Microsoft, and Yahoo were already working on solving the issue on their own platforms. However, after two years of seeing email security issues and no solutions, it became clear the issue wasn’t being solved.

To look at examples, the employees at Cloudflare were astonished by the targeted threats occurring through Google Workspace. These occurrences aren’t due to a lack of progress on anti-spam or anti-malware efforts. Rather, it the many types of email threats that these companies must deal with.

Even the most strategically crafted threats can slip through the cracks.

Product Details

The company is launching two products: Cloudflare Email Routing and Email Security DNS Wizard. Through these tools, the customers are able to place Cloudflare at the front of their email hosting provider. What this means is that Cloudflare is able to receive and process emails before sending them through to the actual email host provider.

This is all so similar to Cloudflare’s long-standing role as a “content delivery network” for websites. For that service the company is a proxy that can serve data or catch malicious activity as web traffic passes through it.

Cloudflare Email Routing

Getting into further details, this product is possible for individuals or organizations to manage an entire custom email domain, such as @my-great-business.com, from a single consumer email account. It’s very similar to a personal Gmail address.

This tool can even let you consolidate many addresses so that all the emails get sent to a single inbox.

The benefit here is that small businesses can get benefits of a dedicated, custom email domain without the pain and hassle of managing a whole separate platform.

Security DNS Wizard

The DNS Wizard is aiming to make two email security features accessible for Cloudflare customers and to make it easy to use. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two tools that are basically a combination of a caller ID and screening process for email.

The goal here is to reduce email address spoofing by setting up public records that have to match an email sender’s information or else the message won’t go through. This will reduce a significant amount of the ease that attackers enjoy when sending their attacks via email.

What’s also nice about SPF and DKIM is that these have been around for over a decade, but they aren’t ubiquitous. These systems have been difficult to set up without making mistakes that result in issues like legitimate emails getting lost in the process. With the DNS Wizard though, it’s streamlining the process and making it easier for users to set these systems up without any mistakes.

Plans for the Future

This is only the start for the business though as they plan to roll out a more comprehensive suite of services called Advanced Email Security Suite. This product will incorporate those two services and others.

This initial offering is a way for businesses to get emails flowing through its network. This will help the company moving forward since they can study threats and patterns on a larger scale.

What’s also nice about this is that Cloudflare designed these products to leave crucial indicators intact for email host providers. The tools themselves aren’t meant to disrupt the important anti-spam and anti-abuse features that the email host providers already have.

The other goal of these is for existing Cloudflare offerings like browser isolation will also work in tandem with these new features. Even when customers click on a bad link.

The only wrinkle to these plans though is that customers will need to trust Cloudflare with their messages. And if you’re a customer that’s on top of the other web data you’re providing to Cloudflare already.

It is a privacy issue for sure, however Prince has repeatedly stated what Cloudflare’s approach is:

“We think of customer data as a toxic asset. We don’t have a business around advertising, we don’t sell customer data. We have privacy certifications and do external audits of our systems. But, yeah, we have to earn our customers’ trust everyday.”

Let’s see if Cloudflare will be successful in making a dent in this very real and maddening risk that comes with corporate email, actually email in general for everyone.