Blog / Email: Inhouse or Cloud Based?
Inhouse and Cloud email can’t both be right, right?
Cloud services have long been touted as the future of computing. You don’t need to spend money on hardware, which is nice, but you do need to pay a monthly subscription. One of the other claims is that the security is improved. This can be true, though it is fundamentally based on your organizations security posture and the cloud service you’re using, which brings us around to this week’s topic: email.
Using a cloud service for email is good, right?
When you setup an in-house email domain, you have an opportunity to provide additional information like SPF and DKIM records. These are settings meant to keep bad actors from sending emails that looks like their from your organization.
However, when you’re using a cloud-based email service, email can come from any IP in their network and you need to configure those records differently. This means that:
- You need to setup your anti-spoofing records to include all the cloud servers IPs, and
- Anyone using the same cloud service could potentially send an email that appears to come from you.
Now before you get too anxious, keep in mind that many cloud email services like Gmail and Office 365 let you setup custom domain (with the proper subscription) and will prevent a second account for the same domain being setup with them.
Still, you can avoid the problem by running your own email server, right?
To a point. Spam filtering services use DNSBLs (Domain Name Service Black Lists) to track of which IPs are spammers and check if an email is coming from a spammy IP. Part of the process is figuring out the average number of emails that get sent from each domain or IP. A sudden jump in your outbound mail could be a sign that someone is using your outbox to spam and can result in you being flagged. This seems reasonable until you remember that many organizations have legitimate reasons for occasional spikes in their email, monthly or quarterly newsletters being the most common example.
So even if you run your own mail server, there’s often good reason to supplement your email infrastructure with a cloud service. There are plenty of bulk mail services, like Mailchimp, that are designed for exactly these tasks. Using them is as easy as setting up an account and modifying your SPF record to include them… and now you have a situation where anyone else using that service could send an email from your domain. Once again you’re relying on the systems of an external service to prevent another account from using your domain.
As a cybersecurity professional I always feel a bit uncomfortable putting my security in someone else’s hands. When something is inside your network you can rely on the security of your organization to act as the first line of defense. Cloud-based services don’t offer that option. While they tend to do their best (for obvious legal liability reasons) a large cloud service also has a massive target painted because of its size and popularity. They have their place and certain advantages, but they are not always the right or best choice.
For this Shakespearean quote we turn to Romer and Juliet: “Go wisely and slowly. Those who rush, stumble and fall”
If you’d like to discuss the best option for your own server, contact a TRINUS cybersecurity professional and get yourself some stress-free email.
Be kind, courtesy your friendly neighbourhood cyber-man.