DMARC’s vital role in email authentication and domain security is in the limelight now more than ever, as phishing attacks surge, and enterprises and regulatory bodies make implementation mandatory.
Over the last few years, cybercrime has grown exponentially and phishing has been the most popular method of attack, with an estimated 3.4 billion spam emails being sent daily. This has led to an increased need for email authentication to prevent domain spoofing, resulting in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) to mitigate this and other email-based threats. But when was DMARC first created and why has adoption risen in recent years?
Exploring DMARC’s creation and growth
DMARC is a global email authentication standard that interrogates and verifies the source of an email and ensures that every email received from a domain is the real thing. It allows organizations to see when cybercriminals are using their domain without authorization, while also helping to ensure that legitimate emails make it to the intended recipient’s inbox.
The work to establish DMARC as a global standard was started in 2011 by a group of high-profile organizations, including Google, Facebook, Yahoo! Mail, and PayPal. A draft DMARC specification was published in January 2012 and by March 2013 it was being circulated publicly.
This means that for over a decade, organizations and regulatory bodies have recognized a need for this global best practice, but it’s only in recent years that adoption has truly taken off. That’s because phishing attacks have grown by 150 percent per year since 2019 and in the last few years, the number of brand names that have been spoofed in phishing attacks has almost doubled.
By spoofing a trusted brand’s email domain, cybercriminals can create sophisticated emails that trick victims into installing malware or handing over sensitive information or money. This makes it unsurprising that organizations are increasingly looking to authenticate emails with DMARC to safeguard their brands against impersonation.
DMARC mandates to take note of
1. Google and Yahoo’s bulk sender requirements
From February 2024, Google and Yahoo began to monitor bulk email senders, ahead of their June deadline for organizations that send over 5 000 emails at once, or within a 24-hour period, to Gmail or Yahoo addresses to implement DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and DMARC.
With some senders already seeing temporary errors for unauthenticated email, organizations need to prioritize having properly configured DMARC records. This will not only prevent cybercriminals from spoofing their domains and launching phishing attacks on customers, partners, employees, or any other stakeholders, but will also help ensure that legitimate emails are always delivered.
In 2022, almost 49% of emails worldwide didn’t make it to the inbox, and in 2023 that number was still shockingly high at 45%. Many of these are legitimate emails sent from a company’s domain, but because the organization doesn’t have a DMARC policy in place, authentic emails are often marked as spam and never reach the intended recipient’s inbox. Now, Google and Yahoo have upped the ante with sender rules that mandate a DMARC record, aimed at preventing spam and ensuring user safety.
So, no matter what email platform an organization uses, it needs to take the required steps to ensure uninterrupted delivery to Gmail and Yahoo users. Microsoft has also started issuing alerts in customer dashboards, warning users that they need to ensure authentication records are set or they will run into deliverability issues when emailing third-party accounts.
Although it’s true that Microsoft “does DMARC”, its two primary roles are to send reports and enforce DMARC, which isn’t sufficient for a domain owner to achieve DMARC compliance. Users who don’t yet have the right authentication in place should look to seamlessly integrate a comprehensive DMARC solution into their Microsoft 365 environment to ensure full compliance.
A spotlight has been shone on DMARC’s implementation as the simplest and most effective way to protect senders and recipients against domain spoofing. We expect to see the number of regulatory bodies and organizations making email authentication mandatory continue to expand.
DMARC adoption isn’t only about complying with regulations, but about protecting the people and organizations you do business with, as well as maintaining your business’s good reputation.
Embracing DMARC needs to be an organization-wide effort, as not having the correct email authentication standards in place impacts your ability to continue doing business.
If an organization doesn’t have the right email authentication protocols in place as per Google and Yahoo’s new requirements, legitimate emails coming from service providers will be rejected or land in Spam folders, meaning important information may not be delivered to key stakeholders. And to add fuel to the fire, Google and Yahoo both count spoofed emails towards the cap of 5 000 emails allowed to be sent to their users in a day.
Adopt DMARC to ensure email deliverability & legitimacy
A comprehensive DMARC solution is essential to helping prevent fraudulent email activity or deliverability disruption as well as complying with the rules highlighted in this article. Sendmarc is a leading email security expert that provides seamless DMARC integration and threat detection that won’t disrupt your business’s email flow. We also offer detailed reports of who is doing what in your email environment. Being able to deliver these reports helps with compliance audits, as you’re able to prove you had full visibility into any changes made and that you had the right measures in place to prevent your domain from being spoofed.
Think your domain might be vulnerable? Test its risk here or contact us to see how we can ensure only real emails are delivered from your domain and in turn, help your business comply with new mandates.