This document describes the email authentication features Everbridge has begun to implement.

Intended Audience

Account Administrators and Information Technology personnel who are familiar with the SMTP protocol (for emails) and with email authentication standards.

Document Topics

1. Effects on Organizations
2. Everbridge DNS Records
3. Everbridge DKIM Implementation
4. Everbridge DMARC Statement
5. Everbridge TLS

Everbridge clients and public email services such as Microsoft, Google, and Yahoo! have implemented and will continue to enforce industry-standard email authentication security practices to protect their email infrastructures, their businesses, and their users from a variety of security threats. As part of our continued commitment to information security, Everbridge has implemented a suite of email authentication capabilities to assist our clients in achieving their email security and message delivery goals.

The following email authentication standards are implemented in the Everbridge platform:

• DomainKey Identified Mail (DKIM) (see www.dkim.org)
• Domain-based Message Authentication, Reporting & Conformance (DMARC) (see www.dmarc.org)
• Transport Layer Security (TLS)

Effects on Organizations

The implementation of these features will not negatively impact the current delivery of emails from the Everbridge application to your contacts. In fact, these changes will ensure your email notifications are accepted with a higher rate of success by the various public email services such as Microsoft, Yahoo!, etc.

If you want to leverage these features to meet your business goals, then please review the information below and review the relevant technical information readily available on the Internet.

Everbridge DNS Records

As a first step, Everbridge has updated all Everbridge Domain Name Servers (DNS) records to ensure you have access to the latest information about the Everbridge domains and to support the implementation of the upcoming email authentication features. We will continue to update our DNS records as Everbridge expands its service. These updates will not be included in our Release Notes.

Everbridge DKIM Implementation

manager.everbridge.net

For users of Everbridge Suite solution that log in to "manager.everbridge.net", which includes Mass Notifications, Interactive Visibility, and Incident Management:

Everbridge implemented DomainKey Identified Mail (DKIM) on email servers to:

• improve the deliverability of emails to all destination email servers (private and public)
• enable destination email servers to process emails based on local email security policies

Everbridge uses the DKIM certificate based on the "everbridge.net" domain to sign all emails sent from the Everbridge application. Everbridge inserts a digital signature in the header of all outgoing emails sent from Everbridge Suite; this includes notifications, user registration emails, forgot-password emails, CSV upload alerts, etc. The DKIM signature does not change how Everbridge prepares and sends emails to your intended contacts and recipients. In addition, the DKIM signature will not impact the delivery of emails to your recipients if you don't change your current inbound email processing rules that will prevent the delivery of emails.

Below is a sample DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=everbridge.net; s=20160121; t=1453784422; bh=zy/5J6UYWB6jBhRLjZUz0HKhNN5z9JEnvwacBaMgTs4=; h=From:Reply-To:To:Subject; b=aIOqhsch4Ph5O4rjFBDPo7YmNM824uBanx9tOM/1lxRZFrk11PWjbfz+Ir/sd2pmFL0c6EpaY9JW98z9X/jXcK35QZ6cvfwY6smdnqjNu7vvzoNM2zCQtetsZixfs0KUkzd a7Lzvhu0iAoprv/h2mEzNsBrs4BGIoHUssn3WDsE=

manager.everbridge.eu

For users of Everbridge Suite solution that log in to "manager.everbridge.eu", which includes Mass Notifications, Interactive Visibility, and Incident Management:

Everbridge implemented DomainKey Identified Mail (DKIM) on email servers to:

• improve the deliverability of emails to all destination email servers (private and public)
• enable destination email servers to process emails based on local email security policies

Everbridge uses the DKIM certificate based on the "everbridge.eu" domain to sign all emails sent from the Everbridge application. Everbridge inserts a digital signature in the header of all outgoing emails sent from Everbridge Suite; this includes notifications, user registration emails, forgot-password emails, CSV upload alerts, etc. The DKIM signature does not change how Everbridge prepares and sends emails to your intended contacts and recipients. In addition, the DKIM signature will not impact the delivery of emails to your recipients if you don't change your current inbound email processing rules that will prevent the delivery of emails.

Below is a sample DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=eu.sparkpostmail1.com; s=ssp0116; t=1556670051; i=@eu.sparkpostmail1.com; bh=4k/bRBh/Aqq/F12OcLLkU+coVRX1Cjr6XA1OIGU8YeQ=; h=Date:From:To:Message-ID:Subject:Content-Type; b=FzlZf76igJ4UlaMBbu7HNu+4ona1X3Hf9qC3iqHFnHj9siN4cZ7wkOA7W0Ze9F/M/Tub5SJEbTrwyq01KCL3gMEtkLTlyJ83uYOwE3izP3Cg4Kc1UMJ/FtD26zz1Jukfjtv 1oLYOlF7GlczsLVjAqq0rsfxDBVp9oSuBD6ySav8=

Everbridge DMARC Statement

Everbridge has published a DMARC statement in the DNS record for EVERBRIDGE.NET. The purpose for implementing this policy is to enable Everbridge to assess the effectiveness of email deliverability and to troubleshoot operational issues.

The DMARC statement provides a recommended action for emails that fail your SPF and DKIM validation tests if you have DMARC enabled for your inbound email. Please reference technical information regarding DMARC at www.dmarc.org.

Below is a sample DMARC statement. You will find our actual DMARC statement in our DNS records.

_dmarc.everbridge.net. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:rua@everbridge.net!10m; ruf=mailto:ruf@everbridge.net!10m; rf=afrf; pct=10; ri=86400"

Everbridge Settings:

• Policy= "None"
• RUA= Aggregate Report Email address (aggregate report of statistics)
• RUF= Failures email address (NONE - do not send detailed forensics reports)
• Percentage= 10% (Percent of the messages we request the ISP to check)
• Reporting Interval (1 day)
• Report format: arfr (Authentication Failure Reporting Format)

Please note that we plan to change the policy ('p') parameter value from "none" to "quarantine" to "reject" over time and the reporting percentage from '10' to '100' based on reporting data over time. There is currently no timeline for the parameter value changes.

Everbridge TLS

There are no changes required to your email server(s) unless you want to leverage a TLS connection for receiving email notifications.

Everbridge is now using Transport Layer Security (TLS) opportunistically when attempting to deliver email notifications. The "opportunistic" configuration means that our outbound email servers will first request a TLS connection from the remote email server. You will continue to receive email notifications if you choose not to enable TLS for receiving notifications.

• If the remote email server accepts the TLS request, then the Everbridge email server will deliver notifications using the encrypted session.
• If the remote email server declines the TLS request, then the Everbridge email server will use an open, unencrypted connection to deliver the email notifications.

However, the email servers used to send administrative emails (such as User Registration Invitation, Forgot Password, Upload Alerts, etc.) do not currently use TLS when attempting to submit those emails to remote email servers. We will update this document when the configuration is updated on those email servers.

Please refer to the article Everbridge Permit Listing Best Practices for information regarding permit listing of Everbridge domains if you need this information for configuring your TLS setting.