Email is older than many think—it was created long before the Internet.
The first email system was developed in 1965 at MIT, allowing communication within a single mainframe—those massive, expensive multi-user computers that required air-conditioned rooms and constant supervision.
In 1971, the first email was sent between two connected computers—one small step for a message, one giant leap for digital communication.
SMTP, the protocol still used today to send emails, was introduced in 1982.
The insecure foundations of email
Email was born in a trusted, collaborative environment of researchers who knew each other. Security was not a design goal, so SMTP lacked:
- Sender authentication: any client could put any address in the envelope sender or the From: header, so anyone could impersonate anyone
- Confidentiality: messages were transmitted and stored in plain text, readable by every relay on the path
- Integrity checks: no way to detect changes to the content in transit
- Spam protection: no limitations on who could send what, or how much
As email usage grew, these issues quickly surfaced. But retrofitting security onto an existing system is far harder than building it in from the start.
GDPR makes the same point with its requirement of data protection by design and by default (Article 25): security and privacy have to be designed in from the start, not bolted on afterwards.
SPF, DKIM, and DMARC: The Three Pillars of Secure Email
SPF – Sender Policy Framework
SPF lets your organization publish, in a DNS TXT record on your domain, the IP addresses and ranges authorized to send email for it. A receiving server looks up the record for the domain in the envelope sender (MAIL FROM, shown as Return-Path) and checks the connecting IP against it.
It is simple to configure and low-risk: list every legitimate sending IP, including third-party services that send on your behalf (newsletter, ticketing and CRM tools), and close the record with -all (fail) or ~all (soft fail). Start with ~all while you confirm the list is complete, and keep the record under the limit of ten DNS lookups for include, a, mx and similar mechanisms, otherwise receivers return a permanent error. If the record is complete, no messages will be lost.
Limitation: SPF checks the envelope sender, not the From: address the recipient sees, so a message can pass SPF while showing a spoofed From:. It also fails on forwarded mail, because the forwarder's IP is not in your record. It is still a strong first step.
DKIM – DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing email. The sending server signs selected headers (From:, Subject:, Date:, and so on) and a hash of the body with a private key; the matching public key is published in DNS under <selector>._domainkey.<domain>. If any signed header or the body is altered in transit, the signature will not validate, and a valid signature ties the message to the signing domain (the d= tag), which survives forwarding as long as the signed content is untouched.
Signatures are generated and verified automatically by mail servers; users don't need to do anything.
It requires a bit more effort than SPF (key generation, DNS publication, enabling signing on every system that sends as your domain) but is safe to implement: a missing or broken signature is not by itself a reason for receivers to reject a message, so misconfigurations won't cause lost messages, at least until a DMARC policy comes to depend on it. Use RSA keys of at least 2048 bits and rotate them by publishing a new selector.
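To make the integrity claim concrete, here is an added example (not code from the original article) of the body-hash part of DKIM: the sender computes the bh= tag over the canonicalized body, the receiver recomputes it over the body as received, and any content change is detected while harmless trailing blank lines are not. The message text, the domain example.com and the selector sel1 are constructed assumptions. The b= tag, the RSA signature over the headers and bh= that the MTA produces with the domain's private key, is deliberately left empty here.

```python
"""DKIM body hash: how the bh= tag detects body tampering.

Added example, not code from the original article. The message, the
domain example.com, the selector sel1 and the DKIM-Signature tags are
constructed. Only the body-hash part of DKIM is shown; the b= signature
over the headers (RSA, private key of the domain, public key published at
sel1._domainkey.example.com) is what the MTA adds on top and is left out.
"""
import base64
import hashlib


def canonicalize_body_simple(body: str) -> str:
    """'simple' body canonicalization (RFC 6376, section 3.4.3): normalize
    line endings to CRLF and ignore empty lines at the end of the body."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    canon = canonicalize_body_simple(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def make_dkim_header(domain: str, selector: str, signed_headers: list, body: str) -> str:
    """Sender side: the tag list of a DKIM-Signature header, as the signing
    MTA would build it, minus the b= signature (constructed example)."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
        f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b="
    )


def parse_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict; values may contain '=' (base64 padding)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key] = value.strip()
    return tags


def verify_body_hash(dkim_header: str, received_body: str) -> bool:
    """Receiver side: recompute bh= over the body as received and compare."""
    tags = parse_tags(dkim_header)
    return tags.get("bh") == body_hash(received_body)


# Constructed sample message, signed by the (hypothetical) example.com MTA.
ORIGINAL_BODY = "Hi,\r\n\r\nPlease pay invoice 1234 to account A.\r\n\r\nThanks\r\n"
DKIM_HEADER = make_dkim_header("example.com", "sel1", ["from", "to", "subject", "date"], ORIGINAL_BODY)


def demo() -> dict:
    """Three deliveries of the same message: untouched, with blank lines
    appended by a relay, and with the payment details rewritten."""
    return {
        "unaltered": verify_body_hash(DKIM_HEADER, ORIGINAL_BODY),
        "trailing_blank_lines": verify_body_hash(DKIM_HEADER, ORIGINAL_BODY + "\r\n\r\n"),
        "tampered": verify_body_hash(DKIM_HEADER, ORIGINAL_BODY.replace("account A", "account B")),
    }


if __name__ == "__main__":
    print(DKIM_HEADER)
    for case, ok in demo().items():
        print(f"{case:22} body hash {'matches' if ok else 'MISMATCH'}")
```

The h= tag lists the headers covered by the signature; anything not listed there (or in the body) can be changed without breaking it, which is why From:, Subject: and Date: should always be included.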
DMARC – Domain-based Message Authentication, Reporting and Conformance
DMARC ties SPF and DKIM to the address the recipient actually sees: the domain in the From: header must align with the domain that passed SPF (the envelope MAIL FROM domain) or with the domain of a valid DKIM signature (the d= tag). The policy is published as a TXT record at _dmarc.<domain> and also tells receivers what to do with messages that fail (p=none to monitor only, p=quarantine, p=reject) and where to send aggregate reports (rua=).
A message passes DMARC when at least one of the two checks passes and aligns; otherwise the receiver applies the published policy, so the message is delivered, flagged or quarantined, or rejected depending on p=. This alignment rule is what closes the gap SPF leaves open: a spoofed From: with an attacker-controlled envelope domain can pass SPF, but it will not align.
DMARC must be rolled out carefully, domain by domain, by experienced email administrators: start at p=none, read the aggregate reports to find every legitimate sender that is not yet authenticated, then move to quarantine and finally to reject. Subdomains inherit the policy unless sp= says otherwise, so they need the same review.
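The following added example (not code from the original article) puts the SPF and DMARC sections together on the receiving side: it evaluates a simplified SPF record for the envelope sender, then applies DMARC alignment and policy to the From: domain. The domains example.com, partner.example and attacker.example, the IP addresses and the DNS records are constructed, and DNS is replaced by an in-memory table. It handles only the ip4, ip6 and all SPF mechanisms (no include, a, mx or redirect and no lookup counting), and it does not verify DKIM signatures itself: the d= domain of a signature the MTA has already verified is passed in as input. The four scenarios show the cases the text describes: legitimate mail, a plain spoof, a spoof that passes SPF but does not align, and forwarded mail that SPF fails but DKIM rescues.

```python
"""SPF evaluation and DMARC alignment, simplified.

Added example, not code from the original article. The domains
example.com, partner.example and attacker.example, the IP addresses and
the DNS records are constructed; DNS lookups are replaced by DNS_TXT.
SPF handling covers only ip4, ip6 and all. DKIM is not verified here:
the d= domain of a signature the MTA already verified is passed in.
"""
import ipaddress

# Constructed TXT records standing in for DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "partner.example": "v=spf1 ip4:198.51.100.10 ~all",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, mail_from_domain: str) -> str:
    """SPF result for the connecting IP against the envelope sender's record.
    The header From: plays no part here; that is DMARC's job."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return SPF_QUALIFIERS[qualifier]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if addr.version == network.version and addr in network:
                return SPF_QUALIFIERS[qualifier]
        # include, a, mx, redirect: not implemented in this example
    return "neutral"  # nothing matched and no 'all' term


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment: strict (s) needs an exact match,
    relaxed (r) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_message(client_ip, mail_from_domain, from_domain, dkim_d=None) -> dict:
    """Receiver-side DMARC decision for one message."""
    spf_result = spf_check(client_ip, mail_from_domain)
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return {"spf": spf_result, "dmarc": "none", "disposition": "none"}
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_aligned = aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": "none" if dmarc_pass else tags.get("p", "none"),  # none/quarantine/reject
    }


# (client IP, MAIL FROM domain, From: domain, verified DKIM d= or None)
SCENARIOS = {
    # legitimate mail from an authorized IP, signed by the domain
    "legitimate": ("192.0.2.7", "example.com", "example.com", "example.com"),
    # spoofed From: from an unrelated host whose envelope domain has no SPF record
    "plain_spoof": ("203.0.113.9", "attacker.example", "example.com", None),
    # SPF passes for the attacker's own envelope domain, but it does not align with From:
    "spf_pass_unaligned": ("198.51.100.10", "partner.example", "example.com", None),
    # forwarded mail: SPF fails on the forwarder's IP, the DKIM signature survives
    "forwarded": ("203.0.113.50", "example.com", "example.com", "example.com"),
}


def run_scenarios() -> dict:
    return {name: evaluate_message(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20} spf={result['spf']:8} dmarc={result['dmarc']:4} disposition={result['disposition']}")
```

Changing p=reject to p=none in the constructed _dmarc record turns every disposition into "none" while leaving the pass/fail verdicts intact, which is exactly the monitoring phase: receivers still evaluate and report, but deliver.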
Other Standards: TLS, S/MIME, and PGP
Additional tools like TLS (for encryption in transit), and S/MIME or PGP (for end-to-end encryption and signing), offer extra protection. TLS between mail servers (STARTTLS) is opportunistic: if the other side does not offer it, most servers fall back to plain text, so it stops passive eavesdropping on the wire but not an active downgrade, and it does nothing for mail at rest; MTA-STS and DANE exist to enforce it. S/MIME and PGP protect the message itself from sender to recipient, but require every user to hold a key pair and to manage the keys of their correspondents.
Of these, only TLS is widely used and handled automatically by mail servers.
Conclusion
Want to protect your organization? Start with SPF, add DKIM, and then roll out DMARC, beginning in monitoring mode (p=none) before enforcing.
These tools won’t eliminate every email threat but will significantly boost the security and reliability of your communications.
Email is more complex than it seems—consult an expert to ensure secure and effective implementation.