Make e-mail messages delivered through NetDocuments safer
I am posting this on behalf of a client of mine.
Email messages sent through the NetDocuments system are too easily spoofed. The e-mails that NetDocuments sends (from email@example.com) fail SPF authentication, are not signed via DKIM, and do not have a DMARC policy, as shown in this example:
This sample e-mail has every indication of not being an authentic e-mail and would be easy to spoof. Here is detailed information from our phishing defense system:
It would be extremely easy for someone to send a spoofed e-mail that looks like it comes from "Andrew <firstname.lastname@example.org>" but was actually sent by a malicious actor. Thus, sending our clients secure links through NetDocuments (instead of through Outlook) creates a security risk because it "trains" our clients to trust e-mails that come from that e-mail address and to click on links in those e-mails, but a malicious actor could easily spoof an e-mail and send a malicious link. It also creates a risk for our own personnel for the same reason.
The e-mail shown above looks like it came from an employee in our firm but was not sent through our firm's e-mail system. That would then leave us vulnerable such that someone could send an e-mail that looks like it came from "Andrew <email@example.com>" and had links that looked like NetDocuments links, but were actually malicious links. Because we will probably be sending each other NetDocuments links all the time, people will not be as careful clicking those links as they would when clicking links in other e-mails.
Would it be possible for NetDocuments to do one or both of the following:
- Publish SPF, DKIM, and DMARC (with a reject policy) for mail.vault.netvoyage.com and have the mail.vault.netvoyage.com e-mail server only send e-mails sent through IP addresses listed in the SPF record and that are DKIM-signed? This makes it difficult for someone to spoof an @firmname.com e-mail address, because the receiving e-mail server should (if they comply with DMARC, which most major e-mail systems do) flag the e-mail as suspicious and move it to spam or delete it.
- Have NetDocuments connect to our Office 365 system so that the e-mails sent through NetDocuments are actually sent through an Office 365 account in our e-mail system, such that they would be from an e-mail address like firstname.lastname@example.org and pass the SPF/DKIM checks for our @firmname.com domain name?
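To show concretely what the first option buys the receiving side, here is an added example (not code from the original post, and not NetDocuments' own records or software) of how a receiving mail server combines SPF, DKIM and a DMARC policy into an accept/reject decision. The DNS records, domain names (`vault.example`), IP ranges and the three messages are all constructed placeholders; the DKIM signature itself is assumed to have already been cryptographically verified, so only the signing domain (`d=`) is modelled. It covers the `ip4`/`-all` subset of SPF and the `p`, `aspf` and `adkim` tags of DMARC, which is enough to see why an unsigned message from an unlisted IP is rejected once a `p=reject` policy exists, and why nothing at all happens when, as the post describes, no records are published.

```python
"""Minimal SPF + DMARC evaluation over constructed DNS records (added example)."""
import ipaddress

# Constructed DNS TXT records for a placeholder sending domain. These are
# assumptions for illustration, not the real records of any mail server.
DNS_TXT = {
    "vault.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.vault.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
}


def spf_result(domain, sender_ip):
    """Evaluate the ip4 / -all / ~all subset of SPF for sender_ip against domain."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF published: the receiver has nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def dmarc_policy(from_domain):
    """Return the parsed _dmarc TXT record for the From: domain, or None if absent."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict (s) = exact match, relaxed (r) = same org domain."""
    if mode == "s":
        return identifier_domain == from_domain
    # Relaxed alignment, simplified to 'same last two labels' for this example
    return identifier_domain.split(".")[-2:] == from_domain.split(".")[-2:]


def evaluate(msg):
    """msg: header_from, mail_from (envelope sender), sender_ip, dkim_domain (d= of a
    verified signature, or None if unsigned). Returns the receiver's verdicts."""
    spf = spf_result(msg["mail_from"], msg["sender_ip"])
    policy = dmarc_policy(msg["header_from"])
    if policy is None:
        # No DMARC policy: the receiver is not told what to do with a failure,
        # which is the situation the post describes.
        return {"spf": spf, "dkim": "none", "dmarc": "none", "action": "deliver"}
    spf_ok = spf == "pass" and aligned(msg["mail_from"], msg["header_from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim_domain"] is not None and aligned(
        msg["dkim_domain"], msg["header_from"], policy.get("adkim", "r"))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    if dmarc == "pass":
        action = "deliver"
    else:
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")
    return {"spf": spf, "dkim": "pass" if dkim_ok else "fail", "dmarc": dmarc, "action": action}


# Constructed messages: a genuine one from the listed range, signed by the domain;
# a forged one from elsewhere and unsigned; and one from a domain with no records.
LEGIT = {"header_from": "vault.example", "mail_from": "vault.example",
         "sender_ip": "203.0.113.10", "dkim_domain": "vault.example"}
FORGED = {"header_from": "vault.example", "mail_from": "vault.example",
          "sender_ip": "198.51.100.7", "dkim_domain": None}
UNPROTECTED = {"header_from": "unprotected.example", "mail_from": "unprotected.example",
               "sender_ip": "198.51.100.7", "dkim_domain": None}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("forged", FORGED), ("unprotected", UNPROTECTED)]:
        print(name, evaluate(msg))
```

Running it prints `deliver` for the genuine message, `reject` for the forged one (SPF fails on the unlisted IP, no aligned DKIM signature, and `p=reject` tells the receiver to refuse it), and `deliver` with every result `none` for the domain that publishes nothing, which is exactly why an absent policy leaves the decision to each receiver's heuristics.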