E-mail authentication is about verifying that the system sending e-mails using your e-mail domain really belongs to your organization. The reasons for its importance are two-fold:
- Trusting legitimate mails. Organizations absolutely need to get their legitimate mails through, whether it is about one-to-one communications or B2B/B2C marketing.
- Blocking spoofing. If an organization cannot mark its legitimate mail as its own, receivers have no way to tell it apart from spoofed mail crafted by attackers, so both are treated the same. The damage from spoofed e-mails falls on the victims of the spoofing attacks, whether internal users or external recipients. In the long run the organization’s brand and trustworthiness also take a big hit.
The technology for all this – SPF, DKIM and especially DMARC – has been available for a long time. Many big players have adopted DMARC, but too many organizations are still lacking this basic e-mail hygiene. This has meant success for the attackers who can continue to use spoofed e-mails as a major initial attack vector.
What has changed and how to get started
To be able to provide secure e-mail services, the e-mail service providers have started to take additional action. For several years, providers like Google and Microsoft have done DMARC-style analysis for each incoming e-mail, whether the organization has implemented DMARC or not.
Being at the mercy of a black-box evaluation is not a good thing for a sender, and therefore this has led to an additional wave of DMARC implementations. In August Microsoft updated the default DMARC handling in Exchange Online to strictly follow the sender’s policy setting.
Now Google is increasing the stakes and making additional demands. In less than four months it will require that senders of more than 5000 mails a day to Gmail recipients be DMARC compliant. The sender’s DMARC policy can still stay at “none”, but every system that sends the mails needs to pass SPF and/or DKIM with the authenticated domain aligned to the domain in the From header – exactly what being DMARC compliant requires.
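The alignment requirement above is easy to get wrong when a third-party platform sends on your behalf, so here is an added example (not code from the original post) of how a receiver evaluates it: it parses a DMARC TXT record, then checks whether the SPF-authenticated envelope domain or a passing DKIM signature's d= domain is aligned with the From header domain under the record's adkim/aspf mode. The organizational-domain derivation is simplified to the last two labels (an assumption; real receivers use the Public Suffix List), and all domains and results are constructed sample values.

```python
# Added example: minimal DMARC alignment evaluation (not the original post's code).
# Assumptions: organizational domain = last two labels (no Public Suffix List),
# SPF/DKIM results are supplied by the caller, all domains below are constructed.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    # RFC 7489 defaults: relaxed alignment for both identifiers.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, record_txt, spf_result, spf_domain, dkim_results):
    """
    from_domain:  domain of the RFC5322.From header the user sees.
    spf_result:   'pass' or 'fail' for the MAIL FROM (envelope) domain spf_domain.
    dkim_results: list of (d=domain, result) tuples, one per DKIM-Signature.
    Returns the DMARC verdict and the policy a receiver would apply on failure.
    """
    record = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, record["aspf"])
    dkim_aligned = any(
        result == "pass" and is_aligned(from_domain, d, record["adkim"])
        for d, result in dkim_results
    )
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "policy_to_apply": "none" if passed else record["p"],
    }


def demo():
    """Three constructed cases: in-house sender, unaligned third party, spoof."""
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    return {
        # Own bounce domain, SPF pass, relaxed alignment -> pass.
        "in_house": evaluate_dmarc("example.com", record, "pass", "bounce.example.com", []),
        # Mail platform authenticates only its own domain -> SPF and DKIM pass but unaligned.
        "third_party": evaluate_dmarc("example.com", record, "pass",
                                      "mailer.esp-example.net", [("esp-example.net", "pass")]),
        # Spoofed From with no authentication at all -> fail, quarantine applies.
        "spoof": evaluate_dmarc("example.com", record, "fail", "attacker-example.org", []),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The "third_party" case is the one the new requirement catches: the platform passes SPF and DKIM for its own domain, but neither identifier is aligned with example.com, so the message is not DMARC compliant until the platform signs with a DKIM key under your domain or uses a custom return-path subdomain of it.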
So, if you still have not made your e-mail sending systems DMARC compliant, you need to do it now. We have secured dozens of big and small organizations with companywide DMARC implementation, together with fixing the e-mail security for Microsoft 365.
Learn more in our webinar!
Join us in the free webinar to hear more about how to succeed in your DMARC implementation.