Cloudflare, the internet infrastructure company, already has its fingers in a lot of customer security pots, from DDoS protection to browser isolation to a mobile VPN. Now the company is taking on a classic web foe: email.
On Monday, Cloudflare is announcing a pair of email safety and security offerings that it views as a first step toward catching more targeted phishing attacks, reducing the effectiveness of address spoofing, and mitigating the fallout if a user does click a malicious link. The features, which the company will offer for free, are mainly geared toward small business and corporate customers. And they’re made for use on top of any email hosting a customer already has, whether it’s provided by Google’s Gmail, Microsoft 365, Yahoo, or even relics like AOL.
Cloudflare CEO Matthew Prince says that from its founding in 2009, the company very intentionally avoided going anywhere near the thorny problem of email. But he adds that email security issues are unrelenting, so it has become necessary. “I think what I had assumed is that hosting providers like Google and Microsoft and Yahoo were going to solve this issue, so we weren’t sure there was anything for us to do in the space,” Prince says. “But what’s become clear over the course of the last two years is that email security is still not a solved issue.”
Prince says that Cloudflare employees have been “astonished by how many targeted threats were getting through Google Workspace,” the company's email provider. That's not for lack of progress by Google or the other big providers on anti-spam and anti-malware efforts, he adds. But with so many types of email threats to deal with at once, strategically crafted phishing messages still slip through. So Cloudflare decided to build additional defense tools that both the company itself and its customers could use.
On Monday, the company is launching two products: Cloudflare Email Routing and Email Security DNS Wizard. The tools let customers place Cloudflare in front of their email hosting provider, essentially allowing Cloudflare to receive and process emails before sending them through to the Microsofts and Googles of the world. This is somewhat similar to Cloudflare's long-standing role as a “content delivery network” for websites, in which the company is a proxy that can serve data or catch malicious activity as web traffic passes through.
Cloudflare Email Routing makes it possible for individuals or organizations to manage an entire custom email domain, like @coolbusiness.com, from a single consumer email account, such as a personal Gmail address. The tool even lets you consolidate many addresses—email@example.com, firstname.lastname@example.org—so they all forward to a single inbox. This way, small businesses in particular can get the benefits of a dedicated, custom email domain without having to manage a whole separate platform.
The second tool, Security DNS Wizard, aims to make two email security features accessible for Cloudflare customers and easy to use. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two tools that are essentially a combination of caller ID and screening schemes for email: They aim to reduce email address spoofing by setting up public records that must match an email's sender information for the message to go through. This significantly reduces how easy it is for attackers to, say, send an email to employees that really looks like it comes from "Cool Business CEO."
SPF and DKIM have been around for more than a decade, but they aren't ubiquitous, because they are difficult to set up without mistakes that can result in problems like legitimate emails getting lost. Cloudflare's goal with Email Security DNS Wizard is to make it easy for users to set up one or the other protection without any flubs.
“These are both technologies that have been around for a long time, but the problem is they don’t get a lot of use, because they're extremely complicated and in some cases dangerous to set up,” Prince says. “We're hopeful that implementing this tech, making it easy, and making it free will dramatically expand the usage and decrease the amount of targeted phishing and domain abuse.”
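The kind of SPF setup mistake described above can be caught before a record is published. The following Python code is an added example, not Cloudflare's code or part of the original article: it lints a domain's TXT records against rules from RFC 7208. The function name, finding codes and sample records are constructed for illustration.

```python
# Added example: offline lint of one domain's TXT records for SPF setup mistakes.
# Rules are from RFC 7208; lint_spf, the finding codes and SAMPLES are constructed.

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: exceeding this is a permanent error


def lint_spf(txt_records):
    """Return a sorted list of finding codes for the TXT records of one domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no-spf-record"]
    if len(spf) > 1:
        return ["multiple-spf-records"]  # receivers cannot pick one: permanent error
    findings, lookups = set(), 0
    has_all = has_redirect = False
    for term in spf[0].lower().split()[1:]:
        if "=" in term.split(":")[0]:  # modifier (name=value), not a mechanism
            if term.startswith("redirect="):
                has_redirect = True
                lookups += 1
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" (pass) is the default
        name = term.lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            has_all = True
            if qualifier == "+":
                findings.add("all-permits-any-sender")
    if lookups > MAX_LOOKUPS:  # top-level count only; nested includes add more
        findings.add("too-many-dns-lookups")
    if not has_all and not has_redirect:
        findings.add("no-all-or-redirect")  # unmatched senders get a neutral result
    return sorted(findings)


# Constructed sample TXT record sets, using reserved .example names.
SAMPLES = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "open.example": ["v=spf1 a mx +all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, lint_spf(records) or "ok")
```

A record that passes this lint can still be wrong about which servers actually send mail for the domain, which is the mistake that loses legitimate messages; that part has to be checked against the organization's real senders.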
Ultimately, Cloudflare plans to roll out a more comprehensive suite of services, called Advanced Email Security Suite, that will incorporate these two tools plus others. These initial offerings allow the company to get email flowing through its network, Prince says, so that it can study threats and patterns on a large scale. He adds that all Cloudflare email security products are carefully designed to leave crucial indicators intact for providers like Google and Microsoft. This way the tools aren't disrupting the important anti-spam and anti-abuse features that those services already have in place. And the goal is for existing Cloudflare offerings like browser isolation to work in tandem with the new email security features even when customers do click a bad link.
As with many Cloudflare offerings, though, one byproduct of turning on these email security features is that customers will need to trust the company with their messages on top of all the other web data they already have flowing through Cloudflare. When asked whether there are privacy implications of this, Prince repeats what he has often said about Cloudflare's approach.
“We think of customer data as a toxic asset. We don’t have a business around advertising, we don’t sell customer data,” he says. “We have privacy certifications and do external audits of our systems. But, yeah, we have to earn our customers' trust every day.”
In a way, email is one of the last web security frontiers for Cloudflare. Whether customers are willing to share this final piece of themselves with the company will likely depend on how successful Cloudflare can be at making a dent in the very real, and maddening, risks that come with corporate email.