Some DMARC questions answered, as deadlines near

Email providers like Google, Yahoo, and Apple are turning up the dial on email authentication requirements: Bulk email senders will need to adopt the open-source specification known as—deep breath—Domain-based Message Authentication Reporting and Conformance, or DMARC.

And plenty of orgs don’t have a DMARC policy in place, which means emails won’t make it to their D-stinations.

“If you don’t pass the DMARC standard, you are at risk of getting blocked or rejected,” Robert Holmes, group VP and GM, sender security and authentication at the cybersecurity company Proofpoint, told IT Brew.

A study from Proofpoint found that 27% of the Global 2000 companies “have no DMARC record in place at all.”

What is DMARC? A DMARC policy allows domain owners to dictate how emails are treated when they do not pass two important tests:

• A verification of the sending domain’s IP address (known as SPF).
• A cryptographic signature to validate the sender (known as DKIM).

Too many letters already, yes, but a DMARC policy says, effectively: reject, quarantine, or allow. For companies like Proofpoint, any sender not passing authentication requirements is rejected.

Why is DMARC important? Malicious phishing emails have increased by 1,265% from the fourth quarter of 2022 to the third quarter of last year, equaling about 31,000 daily attacks, according to a survey from the cloud messaging security company Slashnext of 300+ cybersecurity professionals. Emails from established, trusted senders are less likely to carry malware.

In the first quarter of 2024, Yahoo will require senders implement industry standards like SPF, DKIM, and DMARC. (Google said it would begin its DMARC quarantine policy enforcement on February 1.)

“These policy updates are best practices and email standards that have been around for years. While a lot of senders have already adopted them, we need to set a standard moving forward and start enforcing these no-brainer practices,” Kyle Miller, Yahoo Mail’s VP of product management, wrote in an email that did, in fact, reach IT Brew.

Why do many lack a policy? One may be a lack of awareness, said Holmes. Also: DMARC implementation is hard.

One wrong configuration can lead to the rejection of valid emails, Gerasim Hovhannisyan, co-founder and CEO of EasyDMARC, said. Hovhannisyan recommends that orgs determine all legitimate sending sources, including a company’s oft-forgotten legacy, CRM, or help desk systems. (Companies like Proofpoint and EasyDMARC help gather those senders.)

“Usually no one in the organization knows which ones they need. You need to go to an IT department; you need to go to marketing or sales to discover which sending source is valid, which one is still used, which one is outdated,” Hovhannisyan said.

What are the first steps? DMARC records, hosted on DNS servers as TXT entries, can enforce three policies: none (the message goes through, and the domain owner receives a DMARC report), quarantine (the message heads to a quarantine folder), and reject (the message is blocked from delivery).

Holmes recommends the “none” option, which acts as an audit mode and provides a company with all sender data—for example, that 1,000 emails came from the org’s domain and from this particular IP address. “You now have to figure out: Should that be allowed? And you may not have enough information to make that decision. So, do you put that on the list?” Holmes said.

What’s next? According to Holmes, SaaS email services will begin applying higher standards and harsher penalties to a fraction of emails.

“Email is the No. 1 vehicle by which companies interact with their customers. And it really is just as valuable as ever, if not more so. So, what is it worth to you?” Holmes said.