DMARC protection is essential for successful email marketing
In October 2023, Google and Yahoo announced that they would start rejecting bulk-sender email from domains with no DMARC record. Most bulk mail providers, such as Mailchimp and SendGrid, updated their platforms to ask account owners to add a TXT record to their DNS in order to meet this requirement.
So what does this mean?
Email has been around for almost six decades, becoming a vital communication channel and powerful marketing tool for businesses worldwide. On average, 361 billion emails are sent daily. But there’s been one huge flaw ever since their inception: anyone could send an email pretending to be from any domain.
All someone needed was the domain name – the part after the @ in your email address. Unless the recipient knew where and how to check, they wouldn’t notice that the email hadn’t come from your email address.
Let’s face it, who bothers to scrutinise an email header? Apart from me, of course, because that’s my job!
The industry tried to fix this flaw by introducing SPF (a published list of the server addresses that are allowed to send emails on your behalf) and DKIM (a cryptographic signature mechanism that proves an email has not been altered en route to delivery).
But these mechanisms were only a patch, not a solution. That’s because the receiving mail servers had no way of knowing what to do with emails that failed SPF or DKIM, or both. So, in 2012, a consortium of tech companies, including Apple, Microsoft and Google (Gmail), came up with the DMARC standard.
How DMARC works
DMARC was created so that you, the domain owner, can publish a policy telling recipient email servers what to do with emails claiming to come from your domain that were not sent by you or that fail the SPF and DKIM alignment checks.
So, when you publish the DNS record “v=DMARC1;p=none;” for your domain (which is what most email marketing platforms ask you to add), you are telling recipient servers to take no DMARC action and deliver the email as they normally would, even if it fails SPF and DKIM checks.
In other words, you’re telling it to just deliver your emails.
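To make the policy evaluation concrete, here is an added example (not from the original article) that parses a DMARC record and applies it to one message's SPF and DKIM results the way a receiving server would. Relaxed alignment is simplified to "same domain or a subdomain"; real receivers compare organisational domains using the Public Suffix List. Domain names and the bulk mailer's bounce domain are constructed.

```python
"""Added example: parse a DMARC TXT record and compute the disposition a
receiver would apply. Relaxed alignment is simplified to 'same domain or a
subdomain' (real receivers use the Public Suffix List)."""

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment by default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Does the SPF or DKIM domain 'align' with the visible From: domain?
    's' (strict) demands an exact match; 'r' (relaxed) also accepts subdomains."""
    f, a = from_domain.lower(), (auth_domain or "").lower()
    if not a:
        return False
    if mode == "s":
        return f == a
    return f == a or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return ('pass', 'none') if either aligned check passes, otherwise
    ('fail', <requested action>) where the action is the record's p= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

if __name__ == "__main__":
    # A bulk mailer that signs with your DKIM key but uses its own bounce domain:
    # SPF passes but does not align, DKIM passes and aligns -> DMARC pass.
    print(dmarc_disposition("v=DMARC1; p=reject;", "example.com",
                            True, "bounce.mailer.example", True, "example.com"))
    # The same platform before its custom DKIM is set up -> reject.
    print(dmarc_disposition("v=DMARC1; p=reject;", "example.com",
                            True, "bounce.mailer.example", False, ""))
```

The second call is exactly the situation the Google and Yahoo mandate exposes: a platform whose own SPF passes still fails DMARC until it signs with your domain's DKIM key.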
Unfortunately, cybercriminals are exploiting this weakness to launch malicious attacks at an ever-increasing rate, and the trend is not slowing.
91% of cybercrimes start with an email
Cybercrime is expected to cost the world over $23 trillion annually by 2027.
This is why DMARC protection is essential. It not only protects your business and online brand, but also improves deliverability of your emails.
So how should DMARC be set up?
To receive its full protective benefits, use a DMARC provider/analyser.
Why should I, when I can set DMARC up manually in Microsoft 365 or Google Workspace? Because when you first configure DMARC, you need to identify every mailing platform your business uses – Microsoft 365, HubSpot, Mailchimp, etc.
If you have an IT department, they should know every platform you use. But with the rise of cloud services, your IT team may not be aware of platforms that employees have signed up for and could be using. So, if you switch DMARC to ‘quarantine’ or ‘reject’, email from the services those employees use would be quarantined or rejected too.
But DMARC has reporting as part of its configuration, so I can just read the returning emails. Yes, that’s true, but for every email that’s sent from your business, you’ll get a returning report email. If you send 30,000 emails a year, you will have 30,000 reports to check. And the returning emails are in XML (not human-readable text). Analysing these reports to ensure your emails are being delivered properly and that no rogue actors are using your domain could be a full-time job.
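This added example (not from the original article) shows what that XML analysis involves: it reads a DMARC aggregate (rua) report in the RFC 7489 layout and reduces it to a per-source table in which unauthenticated use of the domain stands out. The report, IP addresses and domain names are a constructed sample; the article's own reports would come from real mailbox providers.

```python
"""Added example: summarise a DMARC aggregate report. SAMPLE_REPORT is a
constructed report in the RFC 7489 layout. Reports arrive from arbitrary
third parties, so in production parse them with defusedxml, not bare ElementTree."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>mailbox-provider.example</org_name>
  <report_id>CONSTRUCTED-0001</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>203.0.113.9</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
   </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>203.0.113.9</domain><result>none</result></spf></auth_results>
 </record>
</feedback>"""

def summarise(report_xml: str) -> list:
    """One dict per <record>: who sent, how much, and whether DMARC passed.
    policy_evaluated holds the *aligned* SPF/DKIM verdicts, which is what matters."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),  # None if unsigned
            "disposition": ev.findtext("disposition"),
            "dmarc_pass": ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass",
        })
    return rows

def unauthenticated_volume(rows: list) -> int:
    """Messages that used the domain but passed neither aligned check: either
    spoofing or a platform nobody configured (shadow IT). Under p=none these
    were still delivered, which is why the reports must actually be read."""
    return sum(r["count"] for r in rows if not r["dmarc_pass"])
```

With p=none in force, the 35 messages from the unknown source in this sample were delivered as normal; moving to quarantine or reject without first identifying that sender would either block a forgotten platform or, if it is an impersonator, finally stop it.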
Many companies set their DMARC to ‘quarantine’
This setting allows emails to be delivered to the recipient, but you’re telling their email servers to deliver the email to Junk mail. In theory, this protects your brand as the emails are being received, at least. But how many times have you looked for an email and found it in Junk mail? Did you question why it was there, or did you move it to your Inbox?
With DMARC set to quarantine, you run the risk that recipients could interact with potentially malicious or phishing emails that appear to have come from your brand.
The ultimate goal is to set your DMARC to reject. That way, any email that is not sent from your approved sending infrastructure and/or fails DKIM will be rejected by the recipient’s email servers, preventing your brand from being tarnished or associated with a cyberattack.
What is a DMARC Advisor/Analyser?
A DMARC analyser ingests the DMARC reports you receive and translates the information into a human-readable format, confirming that DMARC protection is working. The reports highlight whether a rogue actor is trying to impersonate your brand. If so, it’s time to check all other parts of your business security: someone is looking for a vulnerability in your protection.
A good DMARC provider not only gives you the analysis but also helps you configure DMARC to include the proper SPF and DKIM settings. They can also offer SPF optimisation (flattening) and help ensure you stay within the DNS lookup limit.
Adding additional email marketing systems or a CRM can quickly consume your 10 allotted DNS lookups. When that limit is exceeded, receivers stop evaluating your SPF record and treat it as a permanent error, effectively ignoring it, so both delivery and security issues can arise. With SPF optimisation, this problem is solved.
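To show how quickly the 10-lookup limit is reached and what flattening does about it, here is an added example (not from the original article). It counts the DNS-querying terms in an SPF record, following include: and redirect= recursively, against a constructed in-memory zone rather than live DNS; the domains and IP ranges are made up, and the limit itself is the one from RFC 7208.

```python
"""Added example: count SPF DNS lookups against a constructed zone (no live DNS).
ZONE stands in for the TXT answers a real checker would fetch."""
import re

# Constructed TXT records standing in for live DNS answers (not real services).
ZONE = {
    "example.com": ("v=spf1 mx include:_spf.office.example include:_spf.marketing.example "
                    "include:_spf.crm.example a:legacy.example.com ~all"),
    "_spf.office.example": "v=spf1 include:spf1.office.example include:spf2.office.example -all",
    "spf1.office.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf2.office.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.marketing.example": "v=spf1 include:a.marketing.example include:b.marketing.example ~all",
    "a.marketing.example": "v=spf1 a mx -all",
    "b.marketing.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 redirect=crm-spf.example",
    "crm-spf.example": "v=spf1 a mx ptr exists:%{i}.chk.example -all",
}
# The same senders after flattening: every include resolved to IPs (constructed).
FLATTENED_ZONE = {
    "example.com": ("v=spf1 mx ip4:198.51.100.0/24 ip4:203.0.113.0/24 "
                    "ip4:192.0.2.0/24 ip4:192.0.2.77 ~all"),
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's record, recursing into
    include: and redirect= targets. ip4/ip6/all cost nothing; loops are cut."""
    if domain in path:
        return 0
    path = path + (domain,)
    total = 0
    for term in zone.get(domain, "").split()[1:]:          # skip the v=spf1 tag
        term = term.lstrip("+-~?")                          # drop qualifier
        name, _, arg = re.sub("=", ":", term, count=1).partition(":")
        name = name.split("/")[0]                           # 'a/24' -> 'a'
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path)
    return total

def spf_status(domain, zone):
    """(lookups, 'ok' | 'permerror'): permerror is the state in which receivers
    stop evaluating the record, the 'SPF ignored' failure described above."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= SPF_LOOKUP_LIMIT else "permerror")
```

Here three ordinary platforms plus a legacy host already cost 16 lookups, well past the limit; the flattened record carries the same senders at a cost of one, which is why flattening services re-resolve and republish it whenever the upstream records change.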
DMARC analysis is key to identifying any misconfigured DNS settings. If you just set your DMARC to reject and don’t check the reports, you won’t know that your emails are not being delivered to the recipient.
DMARC analysis also identifies when an employee signs up for a cloud service and sends out emails that the business has no knowledge of. This is known as Shadow IT.
When configured correctly, SPF, DKIM, and DMARC prove that an email sender is legitimate and that the message hasn’t been tampered with in transit, ensuring that only emails that have passed authentication checks reach an inbox.
While anti-spam is excellent for blocking unwanted bulk emails, it isn’t enough to secure your business against email-based cyberattacks, because even with anti-spam in place, cybercriminals can still use your organisation’s domain to send malicious emails targeting your external stakeholders.
DMARC solves this problem by ensuring that fraudulent emails aren’t delivered to inboxes.
By implementing DMARC with the strongest policy, and as long as the recipient server adheres to your DMARC policy, fraudulent emails are blocked and won’t reach the inboxes of staff, partners, customers, or any other stakeholders.
Rising email fraud – especially phishing – has pushed DMARC into the limelight in recent years. Mandates for its implementation from email giants like Google and Yahoo, as well as governments and regulatory bodies, are taking effect around the globe. These mandates make one thing clear: DMARC is no longer a nice-to-have, but a must-have for businesses.
Regulatory compliance issues
Failure to comply with industry regulations can result in penalties and fines, and contribute to reputational damage. If you do not comply with the latest bulk sender requirements for DMARC implementation, the emails you send to Gmail and Yahoo users will be rejected or land in Spam or Junk folders, making your brand appear less trustworthy.
In other cases, such as the PCI DSS’s rule 52, which requires that businesses handling payments have anti-phishing technology in place, failure to comply could lead to the suspension of a business’s permission to process card payments.
Ultimately, the cost of having the right email security measures in place – including SPF, DKIM and DMARC – is far less than the cost of the damages your business would sustain if a cyberattack was successful.
In fact, implementing and maintaining DMARC probably costs less than what your business spends on coffee in a month!
Protecting your email ecosystem and, in turn, your employees, customers, partners, and all other stakeholders against email-based threats has never been more important, especially considering how much your business depends on daily email communication.
Command-R will help you protect your business against phishing, spoofing, and impersonation with automated and powerful DMARC, DKIM, and SPF control. Partnering with Sendmarc, our DMARC platform empowers the management of any number of domains, safeguarding them against the sending of fraudulent emails and other misuse.
Please get in touch to discuss how Command-R, in partnership with Sendmarc, can help protect your business.