EBS: Everbridge Email Authentication Features

This document describes the email authentication features Everbridge uses.

NOTE:
  • This document is not intended to provide detailed technical information about the SMTP protocol, about email servers, or about email security and threats.
  • Everbridge recommends that readers interested in learning about SPF, DKIM, DMARC or TLS refer to authoritative information.

Intended Audience

Account Administrators and Information Technology personnel who are familiar with the SMTP protocol (for emails) and with email authentication standards.

Document Topics

  1. Effects on Organizations
  2. Everbridge DNS Records
  3. Everbridge DKIM Implementation
  4. Everbridge DMARC Statement
  5. Everbridge TLS

Everbridge clients and public email services such as Microsoft, Google, and Yahoo! have implemented and will continue to enforce industry-standard email authentication security practices to protect their email infrastructures, their businesses, and their users from a variety of security threats. As part of our continued commitment to information security, Everbridge has implemented a suite of email authentication capabilities to assist our clients in achieving their email security and message delivery goals.

The following email authentication standards are implemented in the Everbridge platform:

  • DomainKeys Identified Mail (DKIM) (see www.dkim.org)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) (see www.dmarc.org)
  • Transport Layer Security (TLS)

Effects on Organizations

NOTE:
The above features are enabled in the Everbridge application and are transparent to message senders and to message recipients. There is nothing you need to do if you don't want to leverage the email authentication features.


Everbridge DKIM Implementation

manager.everbridge.net

For users of the Everbridge Suite solution who log in to "manager.everbridge.net", which includes Mass Notifications, Interactive Visibility, and Incident Management:

Everbridge implemented DomainKeys Identified Mail (DKIM) on email servers to:

  • improve the deliverability of emails to all destination email servers (private and public)
  • enable destination email servers to process emails based on local email security policies

Everbridge uses the DKIM certificate based on the "everbridge.net" domain to sign all emails sent from the Everbridge application. Everbridge inserts a digital signature in the header of all outgoing emails sent from Everbridge Suite; this includes notifications, user registration emails, forgot-password emails, CSV upload alerts, etc. The DKIM signature does not change how Everbridge prepares and sends emails to your intended contacts and recipients. In addition, the DKIM signature will not affect the delivery of emails to your recipients unless you change your current inbound email processing rules in a way that prevents the delivery of emails.

Below is a sample DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=everbridge.net; s=20160121; t=1453784422; bh=zy/5J6UYWB6jBhRLjZUz0HKhNN5z9JEnvwacBaMgTs4=; h=From:Reply-To:To:Subject; b=aIOqhsch4Ph5O4rjFBDPo7YmNM824uBanx9tOM/1lxRZFrk11PWjbfz+Ir/sd2pmFL0c6EpaY9JW98z9X/jXcK35QZ6cvfwY6smdnqjNu7vvzoNM2zCQtetsZixfs0KUkzd a7Lzvhu0iAoprv/h2mEzNsBrs4BGIoHUssn3WDsE=

manager.everbridge.eu

For users of the Everbridge Suite solution who log in to "manager.everbridge.eu", which includes Mass Notifications, Interactive Visibility, and Incident Management:

Everbridge implemented DomainKeys Identified Mail (DKIM) on email servers to:

  • improve the deliverability of emails to all destination email servers (private and public)
  • enable destination email servers to process emails based on local email security policies

Everbridge uses the DKIM certificate based on the "everbridge.eu" domain to sign all emails sent from the Everbridge application. Everbridge inserts a digital signature in the header of all outgoing emails sent from Everbridge Suite; this includes notifications, user registration emails, forgot-password emails, CSV upload alerts, etc. The DKIM signature does not change how Everbridge prepares and sends emails to your intended contacts and recipients. In addition, the DKIM signature will not affect the delivery of emails to your recipients unless you change your current inbound email processing rules in a way that prevents the delivery of emails.

Below is a sample DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=eu.sparkpostmail1.com; s=ssp0116; t=1556670051; i=@eu.sparkpostmail1.com; bh=4k/bRBh/Aqq/F12OcLLkU+coVRX1Cjr6XA1OIGU8YeQ=; h=Date:From:To:Message-ID:Subject:Content-Type; b=FzlZf76igJ4UlaMBbu7HNu+4ona1X3Hf9qC3iqHFnHj9siN4cZ7wkOA7W0Ze9F/M/Tub5SJEbTrwyq01KCL3gMEtkLTlyJ83uYOwE3izP3Cg4Kc1UMJ/FtD26zz1Jukfjtv 1oLYOlF7GlczsLVjAqq0rsfxDBVp9oSuBD6ySav8=
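
The following is an added example, not Everbridge's code. It shows what a receiving mail administrator can read from the two sample signatures above: the DNS name where the public key is published, the headers the signature covers, and whether d= aligns with a From: domain for DMARC. The From: domains passed in and the two-label organizational-domain shortcut are assumptions; a message can carry several DKIM-Signature headers, and each is evaluated separately.

```python
import re

# The two sample headers from this page; bh= and b= values are elided ("...").
SAMPLE_NET = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=everbridge.net; "
              "s=20160121; t=1453784422; bh=...; h=From:Reply-To:To:Subject; b=...")
SAMPLE_EU = ("v=1; a=rsa-sha256; c=simple/simple; d=eu.sparkpostmail1.com; "
             "s=ssp0116; t=1556670051; i=@eu.sparkpostmail1.com; bh=...; "
             "h=Date:From:To:Message-ID:Subject:Content-Type; b=...")


def parse_tags(value):
    """Split a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def org_domain(domain):
    """Assumption: the last two labels stand in for the organizational domain.
    Production code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def describe(sig_value, from_domain):
    """Summarise what a receiver learns from one DKIM-Signature header."""
    t = parse_tags(sig_value)
    signed = [h.lower() for h in t["h"].split(":")]
    header_canon, _, body_canon = t["c"].partition("/")
    return {
        "key_record": f'{t["s"]}._domainkey.{t["d"]}',  # DNS TXT name of the public key
        "signed_headers": signed,
        "from_is_signed": "from" in signed,
        "header_canon": header_canon,
        "body_canon": body_canon or "simple",
        # DMARC relaxed alignment: d= and the From: domain share an organizational domain
        "aligned_relaxed": org_domain(t["d"]) == org_domain(from_domain),
        # DMARC strict alignment: d= equals the From: domain exactly
        "aligned_strict": t["d"].lower() == from_domain.lower(),
    }


if __name__ == "__main__":
    # The From: domains below are assumed for illustration.
    for sig, frm in ((SAMPLE_NET, "everbridge.net"), (SAMPLE_EU, "everbridge.eu")):
        print(describe(sig, frm))
```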

Everbridge DMARC Statement

Everbridge has published a DMARC statement in the DNS records for EVERBRIDGE.NET and EVERBRIDGE.EU. The purpose of implementing this policy is to enable Everbridge to assess the effectiveness of email deliverability and to troubleshoot operational issues.

The DMARC statement provides a recommended action for emails that fail your SPF and DKIM validation tests if you have DMARC enabled for your inbound email. Please reference technical information regarding DMARC at www.dmarc.org.

Below is a sample DMARC statement. You will find our actual DMARC statement in our DNS records.

_dmarc.everbridge.net. IN TXT "v=DMARC1; p=reject; sp=none; rua=mailto:rua@everbridge.net!10m; ruf=mailto:ruf@everbridge.net!10m; rf=afrf; pct=100; ri=86400"

Everbridge Settings:

  • Policy = Reject
  • RUA = Aggregate Report Email address (aggregate report of statistics)
  • RUF = Failures email address (NONE - do not send detailed forensics reports)
  • Percentage = 100% (Percent of the messages we request the ISP to check)
  • Reporting Interval = 1 day
  • Report format = afrf (Authentication Failure Reporting Format)

Everbridge TLS

There are no changes required to your email server(s) unless you want to leverage a TLS connection for receiving email notifications.

Everbridge uses Transport Layer Security (TLS) opportunistically when attempting to deliver email notifications. The "opportunistic" configuration means that our outbound email servers will first request a TLS connection from the remote email server. You will continue to receive email notifications if you choose not to enable TLS for receiving notifications.

  • If the remote email server accepts the TLS request, then the Everbridge email server will deliver notifications using the encrypted session.
  • If the remote email server declines the TLS request, then the Everbridge email server will use an open, unencrypted connection to deliver the email notifications.

However, the email servers used to send administrative emails (such as User Registration Invitation, Forgot Password, Upload Alerts, etc.) do not currently use TLS when attempting to submit those emails to remote email servers. We will update this document when the configuration is updated on those email servers.
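
The following is an added example, not Everbridge tooling. Because delivery falls back to an unencrypted connection when the TLS request is declined, a recipient can check the Received headers written by its own MX to see whether each hand-off was encrypted. It assumes the receiving MTA records the RFC 3848 "with" keywords (ESMTPS, ESMTPSA); the headers and hostnames are constructed placeholders.

```python
import re

# Constructed Received headers (all hostnames and addresses are placeholders).
SAMPLE_RECEIVED = [
    "from mta1.sender.example (mta1.sender.example [192.0.2.10])\n"
    "\tby mx.recipient.example with ESMTPS id abc123\n"
    "\tfor <ops@recipient.example>; Tue, 01 Jan 2019 10:00:00 +0000",
    "from mta2.sender.example (mta2.sender.example [192.0.2.11])\n"
    "\tby mx.recipient.example with ESMTP id def456\n"
    "\tfor <ops@recipient.example>; Tue, 01 Jan 2019 10:05:00 +0000",
    # A hop recorded by some other relay: not written by our MX, so not trusted here.
    "from mta3.sender.example (mta3.sender.example [192.0.2.12])\n"
    "\tby relay.other.example with ESMTP id ghi789; Tue, 01 Jan 2019 10:06:00 +0000",
]

HOP_RE = re.compile(
    r"^from\s+(?P<sender>\S+).*?\bby\s+(?P<by>\S+).*?"
    r"\bwith\s+(?P<utf8>UTF8)?(?P<base>ESMTP|LMTP|SMTP)(?P<ext>SA|S|A)?\b",
    re.I,
)


def classify_hop(received):
    """Return (sender, receiving_host, tls); all None when the format is unrecognised."""
    value = " ".join(received.split())  # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return (None, None, None)
    # An "S" in the keyword suffix (ESMTPS, ESMTPSA) means STARTTLS was used.
    return (m["sender"].lower(), m["by"].lower(), "S" in (m["ext"] or "").upper())


def plaintext_senders(headers, our_mx):
    """Senders whose hand-off to our own MX was recorded without STARTTLS."""
    hits = []
    for header in headers:
        sender, by, tls = classify_hop(header)
        if by == our_mx.lower() and tls is False:
            hits.append(sender)
    return hits


if __name__ == "__main__":
    print(plaintext_senders(SAMPLE_RECEIVED, "mx.recipient.example"))
```

Headers that do not use these keywords are reported as unknown rather than as plaintext, so check the format your own MTA writes before relying on the result.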

Please refer to the article Everbridge Permit Listing Best Practices for information regarding permit listing of Everbridge domains if you need this information for configuring your TLS setting.
