Cloudflare, the Internet Infrastructure company, it already has its fingers in a lot of Customer Security pots of DDoS Protection to me Browser isolation To the Mobile VPN. Now the company is taking on a classic enemy of the web: email.
On Monday, Cloudflare is announcing a pair of email security and security offerings that it sees as a first step toward detecting more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating fallout if a user clicks on a malicious link. The features, which the company will offer for free, are mainly geared towards small businesses and corporate customers. It’s designed for use on top of any email the client already hosts, whether it’s provided by Google’s Gmail, Microsoft 365, Yahoo, or even leftovers like AOL.
Cloudflare CEO Matthew Prince says that since its founding in 2009, the company has purposefully avoided going anywhere near a thorny email issue. But he adds that email security issues are relentless, so they’ve become necessary. “I guess what I was assuming was that hosting providers like Google, Microsoft, Yahoo were going to solve this problem, so we weren’t sure there was anything we could do in this area,” Prince says. “But what has become clear over the past couple of years is that email security is not yet resolved.”
Prince says Cloudflare employees were “amazed at the number of targeted threats that were arriving through Google Workspace,” the company’s email provider. He adds that this is not due to a lack of progress by Google or other large service providers in anti-spam and anti-malware efforts. But with so many types of email threats to deal with at once, strategically designed phishing messages keep leaking. So Cloudflare decided to create additional defense tools that the company itself as well as its customers can use.
On Monday, the company launched two products: Cloudflare for email routing and DNS Wizard for email security. The tools allow customers to put Cloudflare in front of their email hosting provider, essentially allowing Cloudflare to receive and process emails before sending them to Microsofts and Googles around the world. This is somewhat similar to Cloudflare’s longstanding role as a “content delivery network” for websites, where the company is an agent that can deliver data or capture any malicious activity as web traffic goes through.
Cloudflare email routing allows individuals or organizations to manage an entire dedicated email domain, such as @coolbusiness.com, from a single consumer email account, such as a personal Gmail address. The tool also allows you to combine multiple addresses—email@example.com, firstname.lastname@example.org—so that they are all forwarded to one mailbox. This way, small businesses in particular can take advantage of a dedicated, personalized email domain without having to manage an entire separate platform.
The second tool, Security DNS Wizard, aims to make two email security features available to Cloudflare clients and is easy to use. Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) are two tools that are essentially a combination of caller ID and email screening systems: they aim to reduce email address spoofing by setting up public records that must match the email sender information for the message to be passed. This greatly reduces how easy it is for attackers, for example, to send an email to employees that really looks like it comes from the “Cool Business CEO”.
SPF and DKIM have been around for more than a decade, but they’re not ubiquitous, because they’re hard to set up without bugs that can lead to problems like missing legitimate emails. Cloudflare’s goal with the DNS handler for email security is to make it easy for users to set up a security or other protection without any fuss.