Email is a crucial communication channel for businesses, but it is also a prime target for cybercriminals: an estimated 90% of cyberattacks start with a malicious email. As a result, email security is an indispensable component of any organisation’s cyber security strategy. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a highly effective yet often overlooked method of safeguarding email security and deliverability. Recently, major email service providers such as Google and Yahoo have announced that they will block mass emails that fail to meet their DMARC standards. This means that third-party email marketing platforms like HubSpot, Mailchimp, and Salesforce will cease to function with these email service providers by the end of February 2024.
What is DMARC?
DMARC is an email authentication protocol that enables domain owners to protect their domains from unauthorised use. It lets receiving mail servers verify that a message genuinely comes from the domain in its From header and has not been tampered with, and tells them how to handle, and where to report, messages that fail that check. DMARC builds on two widely used email authentication mechanisms: DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DMARC was created by a group of founding contributors: mail receivers AOL, Comcast, Gmail, Hotmail, Netease, and Yahoo! Mail; senders American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn, and PayPal; and intermediaries and vendors Agari, Cloudmark, ReturnPath, and the Trusted Domain Project.
The benefits of having DMARC enabled
Having DMARC properly enabled has several benefits, including:
- Improves sender reputation: DMARC helps to improve the reputation of the sender’s domain by ensuring that only authorised emails are sent from it.
- Stops email impersonation, especially CEO impersonation: DMARC helps to prevent email impersonation, which is a common tactic used by cybercriminals to trick recipients into revealing sensitive information or transferring funds.
- PCI DSS Compliance in 2024: The Payment Card Industry Data Security Standard (PCI DSS) requires organisations to implement DMARC by 2024 to protect against email-based attacks.
- Bulk email allowed (via 3rd parties) with Google / Yahoo from February: Google and Yahoo will allow bulk emails sent via third-party platforms like HubSpot, Salesforce, and Mailchimp to be delivered to their users if the sender’s domain is DMARC compliant.
How do you configure DMARC on your organisation’s domain?
Implementing DMARC for your domain is a multi-step process. Here are the general steps you need to follow:
- Identify valid sources of mail for your domain: Before you can implement DMARC, you need to identify all the valid sources of email for your domain. This includes your email servers and any third-party email services you use.
- Set up SPF for your domain: Sender Policy Framework (SPF) is an email authentication mechanism that allows email receivers to verify that incoming mail from your domain is legitimate. You must set up SPF for your domain before implementing DMARC.
- Set up DKIM for your domain: DomainKeys Identified Mail (DKIM) is another email authentication mechanism that allows email receivers to verify that incoming mail from your domain is legitimate. You need to set up DKIM for your domain before you can implement DMARC.
- Create a DMARC record: Once you have set up SPF and DKIM for your domain, you can create a DMARC record. The DMARC record specifies how email receivers should handle messages that fail SPF or DKIM checks.
- Publish your DMARC record: After you have created your DMARC record, you need to publish it in your domain’s DNS records. This allows email receivers to find and use your DMARC policy.
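The following script is an added example and is not part of the original article or of any DMARC tool it mentions. It walks through the mechanism described above end to end: it builds the DMARC TXT record for step 4 (the DNS name `_dmarc.<domain>` and its value), parses a published record and applies the RFC 7489 defaults, audits it for settings that leave a domain spoofable (a monitor-only `p=none` record beside a hardened `p=reject` one), and then evaluates a message the way a receiver does, requiring SPF or DKIM to pass *and* to align with the From domain. All domains, addresses and records are constructed sample values, and the organisational-domain lookup is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Added example (not from the original article): build, parse and audit a DMARC
record, then evaluate a message as a receiver does (SPF/DKIM result + alignment).
Every domain, address and record below is a constructed sample value."""

VALID_POLICIES = ("none", "quarantine", "reject")


def organizational_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment.

    Assumption/simplification: the last two labels form the organisational domain.
    Production code must use the Public Suffix List ('mail.example.co.uk' -> 'example.co.uk').
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_dmarc_record(domain: str, policy: str, rua: str, pct: int = 100):
    """Return (DNS name, TXT value) for the DMARC record of `domain` (step 4 above)."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {VALID_POLICIES}")
    txt = f"v=DMARC1; p={policy}; rua=mailto:{rua}; pct={pct}"
    return f"_dmarc.{domain}", txt


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT value into a tag dict, filling in RFC 7489 defaults."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= tag is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed (default), s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # share of failing mail the policy is applied to
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= when absent
    return tags


def audit_dmarc(tags: dict) -> list:
    """Flag settings that leave the domain spoofable or leave the owner blind."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so unknown senders stay invisible")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if tags["sp"] == "none" and tags["p"] != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return findings


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from)


def dmarc_result(tags: dict, header_from: str,
                 spf_pass: bool, spf_domain: str,
                 dkim_pass: bool, dkim_domain: str) -> dict:
    """DMARC passes when SPF or DKIM passed AND that identifier aligns with the From domain.
    When it fails, the receiver applies the published p= policy as the disposition."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": tags["p"]}


# Constructed sample records: a monitor-only record beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = build_dmarc_record("example.com", "reject", "dmarc-reports@example.com")[1]

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, rec, audit_dmarc(parse_dmarc(rec)))
    # Legitimate mail: bounce address on mail.example.com, DKIM signature d=example.com
    print(dmarc_result(parse_dmarc(HARDENED_RECORD), "example.com",
                       True, "mail.example.com", True, "example.com"))
    # Spoofed From: SPF passes only for an unrelated bounce domain, no DKIM signature
    print(dmarc_result(parse_dmarc(HARDENED_RECORD), "example.com",
                       True, "unrelated.example", False, ""))
```

The two evaluation calls show why step 1 (inventorying every legitimate sender) matters: a third-party platform that passes SPF for its own bounce domain but does not DKIM-sign with your domain fails alignment, and under `p=reject` its mail is dropped, whereas under `p=none` the same failure is merely reported. Running the audit against the weak record surfaces exactly the two gaps (no enforcement, no reporting address) that an organisation should close before the February deadline.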
Further DMARC resources:
- Microsoft Learn provides a step-by-step guide on how to configure DMARC for Office 365.
- Email Industries provides a complete guide on how to set up DMARC.
- SendMarc provides a free tool to analyse DMARC settings in your DNS.
In conclusion, DMARC is a powerful tool for securing email and protecting against cyber threats. While the approaching deadline for DMARC implementation may cause concern for some organisations, the benefits of having DMARC properly enabled far outweigh the risks. By improving sender reputation, stopping email impersonation, and ensuring compliance with industry standards, DMARC is an essential component of any organisation’s cyber security strategy.