For any organization sending bulk email or high email volumes to Google and Yahoo accounts, there’s one date you should have flagged on your calendar. On February 1st, guidance indicates you’ll need to pay attention if you are sending over 5000 emails a day into Google and Yahoo mailboxes.
So, What Is the Issue?
On that day, any email domain sending more than 5000 emails on a daily basis will need to meet a minimum set of email authentication standards along with other controls in order for email to get delivered. Those who don’t meet those standards will see their emails rejected or bouncing back. (It’s also a good time to consider how your organization deals with email bounce backs!). The standards that Google and Yahoo are asking you to meet in order to send email to their users are email authentication protocols, also known as being DMARC compliant. So many organizations are not compliant or doing a bad job when it comes to email authentication, that it’s easily allowing threat actors and scammers to spoof their domains to successfully send unwanted and malicious email to their victims, which can include employees, customers, and partners.
How Do I Become Compliant?
So, what is email authentication and how do you become DMARC compliant? First, email authentication refers to any technique that helps detect when messages don’t actually originate from the Internet domain they claim to have been sent from. Some examples include DomainKeys Identified Message (DKIM) and Sender Policy Framework (SPF). To be DMARC compliant means that you are publishing a DMARC policy via DNS records across all your organization’s domains and that your sending sources are correctly authenticated and aligned. DMARC passes or fails a message based on how closely the message From: header matches the sending domain specified by either SPF or DKIM. This is called alignment. A DMARC policy allows a sender to indicate that their messages are authenticated with SPF and/or DKIM and tells a receiving mail gateway what to do if neither of those authentication methods passes – such as junk or reject the message.
DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation, enabling them to quickly see any instances of unauthorized usage of their domains.
Besides working with your IT team and third party senders to authenticate your email traffic with SPF and DKIM and ensuring a DMARC record with at least a policy of “none”, there are other steps you should take as outlined by Google and Yahoo; such as ensuring your sending servers have valid forward and reverse DNS; that the connections are secured with TLS 1.2 or later; that your complaint rates stay low; and that your marketing platform supports one-click unsubscribe and includes a clearly visible unsubscribe link in the message body.
While email authentication and becoming DMARC compliant might sound complex, once you understand the basic concepts it can be more straightforward, especially if you are using a DMARC implementation and reporting service like the domain protection from Cisco’s SolutionsPlus partner Red Sift. These types of tools make the entire process much simpler and with Red Sift OnDMARC, it also includes AI capabilities that help you get to your goal of being DMARC compliant much faster than other platforms. This is a project that needs to be done carefully, for example if you forget to configure any of your authorized email senders then their email could be inadvertently blocked. These issues can be eliminated when you follow a solid project plan and use a respected platform.
What Are the Benefits of These Changes?
From a market viewpoint, this is great news because with Google and Yahoo enforcing these new requirements, more organizations will be forced to become DMARC compliant. This will reduce spam and unwanted email by helping to defeat exact domain impersonation attacks. While Microsoft has not yet imposed similar guidelines, they are recommending that their customers follow Google and Yahoo’s guidance.
For email receivers, this means that the email getting into their customer’s mailboxes should be more trustworthy. This won’t eliminate all spoofing issues as you may still see scams being sent from domain typo squatting, which is where a solution like Cisco’s Secure Email Threat Defense can provide additional protection.
The biggest benefit is for the email sender, as being DMARC compliant provides much better chances of your authenticated email successfully making it to the users you want it to get to. Plus, with the DMARC reports coming back to your organization from receiving email servers, you can identify unauthorized domain usage much more quickly, so you can react appropriately.
How Can Cisco Help Me Get Started?
We are now offering a 30-day free trial of domain protection from Red Sift OnDMARC that includes a consultation at no cost. This is a great first step for any organization looking to start their journey towards DMARC compliance and meet the minimum requirements for Google and Yahoo.
Start your Cisco Domain Protection free trial today.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Depending on how your email provider has implemented the new DNS and SPAM configurations, users widespread are finding out that they are either missing emails or not able to send certain emails. I have just spent the last week and a half working with my domain provider and my email provider trying to resolve multiple problems with emails being marked as spam that were not marked this way before Feb 1 and Mar 1 (Feb 29 is when my particular email provider “locked down” spam and changed their DNS configurations.) Very frustrating because many critical emails went into a black hole that seem never to be recovered. Including emails such as invoices and other business related items.
It took days to convince my provider partners that they needed to look at their SPAM configurations. But as a lowly user I had no cred until I could provide detailed headers and logs.
Email providers did not let users know there is or was a problem delivering email. These changes could have been handled differently. As always hindsight is 20/20. I always tell users never to depend on email delivery. There can be no SLAs or guarantees of delivery. This has always been true. It’s not a public utility or the snail mail infrastructure.