Public email vendors push DMARC
To stop spammers exploiting insecure bulk email servers, public email vendors are pushing DMARC in a better-late-than-never response to spammy and malicious email. Google and Yahoo now require domain owners to publish DMARC (Domain-based Message Authentication, Reporting & Conformance) policies or risk having their email blocked by those platforms.
Given that email remains the number one attack vector and business email compromise alone accounted for huge losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security.
What’s changing with DMARC in 2024?
A month into 2024, there are announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those set by email providers such as Google and Yahoo (link below), to those from governments, to those from security rating and cyber insurance companies.
Changes to email security are not infrequent. Just last year Microsoft made big steps forward with its “Secure by Default” strategy, which we discussed on our blog in April 2023 here: Did ‘Secure by Default’ get out of control? – Core Team One
One thing we know for sure is that as cyber threats continually evolve, so must the protection strategies we use to defend against them. That is what cyber security is, and that is why you need a hard-working vendor to help you stay up to date and in the best shape possible to protect your business.
What is email authentication?
SPF, DKIM, and DMARC are public DNS records used to authenticate email, helping email servers around the world to decide what is HAM and what is SPAM! (that is, what is good email and what is bad email)
In reality, lots of email vendors are a little behind the curve. DMARC has been around for almost a decade, DKIM since around 2007 (originally designed by Mark Delany of Yahoo!), and SPF (Sender Policy Framework) dates back to the turn of the millennium!
- SPF (Sender Policy Framework) is a way for us to list all the locations that we DO send emails from. Any email coming from anywhere else can then be identified as possible junk, spam or malicious email.
- DKIM (DomainKeys Identified Mail) allows us to “sign” or “stamp” our emails with a signature created using a private key. Receiving servers check that signature against the matching public key (our DKIM public DNS records) to help confirm that we actually wrote the email in the first place.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) is used to tell any email server around the world exactly how to handle our emails. Typically, our DMARC record ties together the SPF and DKIM results and says “if an email from our domain does not comply with our SPF and DKIM records, then REJECT IT!”, because we know it's either junk, spam or malicious.
- Additionally, DMARC can contain instructions to send reports to domain administrators about which emails are passing and failing these checks. This gives us the information we need to adjust our DMARC policies and make sure no good email is being inadvertently blocked.
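The way DMARC "ties together" the SPF and DKIM results is worth seeing as logic rather than prose: a message passes DMARC only when SPF or DKIM passed *and* the domain that passed lines up with the visible From: domain, otherwise the record's `p=` (or `sp=` for subdomains) says what the receiver should do. The Python below is an added example written for this post, not code from the original article or from Core Team One. The DMARC record text, the From: domains and the SPF/DKIM results are constructed; a real receiving server fetches `_dmarc.<domain>` TXT from DNS and takes the authentication results from its own SPF and DKIM checks. The `org_domain` shortcut is also an assumption (real implementations use the Public Suffix List).

```python
"""DMARC disposition logic, tying SPF and DKIM results to a published policy.

Added example, not code from the original post or from Core Team One.
All record text, domains and authentication results below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption).

    Real DMARC implementations consult the Public Suffix List so that names
    such as example.co.uk are handled correctly; this is enough for the demo.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if auth_domain is None:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    spf_domain: Optional[str]   # envelope MAIL FROM domain that SPF was run on
    dkim_result: str            # "pass", "fail", "none"
    dkim_domain: Optional[str]  # d= tag of the signature that verified


def dmarc_disposition(record: str, from_domain: str, auth: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, requested_action).

    DMARC passes when SPF or DKIM passed AND that identifier aligns with the
    visible From: domain. Otherwise p= (or sp= for subdomains) applies:
    none, quarantine or reject.
    """
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = tags["p"].lower()
    # sp= overrides p= when the From: domain is a subdomain of the org domain
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        action = tags["sp"].lower()
    return "fail", action


# Constructed record, as it would appear in the _dmarc.example.com TXT record.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r"

if __name__ == "__main__":
    # Legitimate mail: envelope sender bounce.example.com, DKIM signed by example.com.
    good = AuthResults("pass", "bounce.example.com", "pass", "example.com")
    print(dmarc_disposition(EXAMPLE_RECORD, "example.com", good))   # ('pass', 'none')
    # Spoof: SPF passes for the sender's own envelope domain, no DKIM from us.
    spoof = AuthResults("pass", "bulk-sender.example.net", "none", None)
    print(dmarc_disposition(EXAMPLE_RECORD, "example.com", spoof))  # ('fail', 'reject')
```

The second case in `__main__` is why SPF on its own is not enough: the spoofed message has a perfectly valid SPF pass for somebody else's envelope domain, and only the alignment requirement that DMARC adds turns it into a reject.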
What about Microsoft?
Back in October 2023, Microsoft urged its customers to implement solid SPF, DKIM and DMARC email authentication in the wake of Google's announcement of new rules around its email handling. The Google blog article can be read here: Gmail introduces new requirements to fight spam (blog.google). Back then, Google confirmed that in 2024 it would introduce tighter restrictions and a number of new requirements, especially for bulk senders.
In reality, Microsoft has been configuring SPF by default as part of its setup routines in the Microsoft 365 platform for a long, long time. It provides DKIM services, help and assistance free of charge, with helpful guides to enable it, and it also has support guides to help people set up DMARC for free.
CTO has been helping its customers implement secure SPF, DKIM and DMARC setups for over 5 years, and continues to deploy them as standard across our entire customer base.
How to set up email authentication
DMARC, DKIM, and SPF have to be set up in the domain's DNS settings. Administrators can contact their DNS provider or web hosting provider to gain access to the tools and control panels needed to edit DNS records.
Administrators should also have a good overall knowledge of how email is used in the organisation:
- Your main email platform – Google or Microsoft? How does that send email?
- What about your website or web apps – do they send emails?
- What about your ERP system or Accounts platform – do they send out purchase orders and invoices by email?
- Consider any 3rd Party bulk-sending platforms such as Mailchimp – what is your Marketing department doing?
- And what about that scanner in the corner of the office? Does it have Scan-to-Email?
The process of setting up these records can be complicated and time-consuming. Policies that are too relaxed let lots of junk through the net; policies that are too strict can stop good email getting through the net!
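The inventory questions above (mail platform, website, ERP, bulk-sending platform, scanner) are exactly the list that an SPF record has to cover, and the "too relaxed" versus "too strict" trade-off can be checked before the record goes live. The Python below is an added example written for this post, not code from the original article or from Core Team One: it walks a sending-source inventory through an SPF record and flags both failure modes. The SPF records, the `include:` target and every IP address are constructed (the `DNS_TXT` dictionary stands in for real DNS TXT lookups), and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented.

```python
"""Check a sending-source inventory against an SPF record before publishing it.

Added example, not code from the original post or from Core Team One.
DNS_TXT replaces real DNS lookups; every record and address is constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed SPF records, keyed by domain, standing in for DNS TXT lookups.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "relaxed.example": "v=spf1 ip4:203.0.113.0/24 +all",   # the "too relaxed" mistake
}

# Constructed inventory: one outbound source for each item on the checklist.
SENDERS = {
    "main mail platform": "192.0.2.25",
    "website contact form": "203.0.113.10",
    "ERP invoices": "198.51.100.7",
    "bulk marketing platform": "198.51.100.200",
    "office scanner": "10.0.0.50",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str, lookups: List[int] = None) -> str:
    """Evaluate ip against domain's SPF record: pass/fail/softfail/neutral/none.

    Only ip4, ip6, include and all are handled (a, mx, exists are omitted).
    The lookups counter enforces SPF's limit of 10 DNS-querying mechanisms.
    """
    if lookups is None:
        lookups = [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # a v4 address is never "in" a v6 network, and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:
                raise ValueError("SPF permerror: more than 10 DNS lookups")
            if spf_check(ip, arg, lookups) == "pass":
                return QUALIFIERS[qual]
    return "neutral"   # no mechanism matched and no trailing "all"


def audit_senders(domain: str) -> Dict[str, str]:
    """SPF result for every source in the inventory."""
    return {name: spf_check(ip, domain) for name, ip in SENDERS.items()}


def policy_warnings(domain: str) -> List[str]:
    """Flag the two failure modes: letting everything through, or blocking our own mail."""
    warnings: List[str] = []
    terms = DNS_TXT.get(domain, "").split()
    last = terms[-1] if terms else ""
    if last in ("+all", "all", "?all"):
        warnings.append(f"too relaxed: '{last}' lets any host send as {domain}")
    uncovered = [name for name, result in audit_senders(domain).items() if result != "pass"]
    if last == "-all" and uncovered:
        warnings.append("too strict for current inventory: " + ", ".join(uncovered) + " would be rejected")
    return warnings


if __name__ == "__main__":
    for name, result in audit_senders("example.com").items():
        print(f"{name:24s} {result}")
    for warning in policy_warnings("example.com") + policy_warnings("relaxed.example"):
        print("WARNING:", warning)
```

Run against the constructed inventory, `example.com` covers the mail platform (via the include), the website and the ERP, but the marketing platform and the office scanner would be rejected by `-all`; that is the "too strict" warning, and it is the case the DMARC reports in the previous section will surface once a policy is enforced. The `relaxed.example` record shows the opposite mistake: `+all` makes every sender pass, so the record authenticates nothing.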