DMARC
Our EU Director Dermot Harnett and Deployment Representative Matia Boldrini joined Dublin City University’s Information Systems Services (ISS) Team on April 9, 2024, to discuss the lessons learned and challenges overcome during DCU’s journey to DMARC compliance. The presenters take a straightforward, candid look at the DCU DMARC project, stressing the importance of building relationships and support among university departments and the coworkers that lead them. As you’ll learn in the presentation, DCU ISS was motivated by the NCSC’s email security guidance, and began their DMARC discovery phase, including advocacy among the university leadership and an initial trial with dmarcian. The ISS team shares their challenges for prioritizing this project and how they informed university stakeholders through meetings and internal communications. With the visibility gained through DMARC, they also talk about how they discovered redundant IT resources and were able to gain efficiency. If you weren’t able to join us
Ash Morin, our Director of Deployment, joined Mailgun’s Email’s Not Dead podcast crew to discuss Google and Yahoo’s DMARC sender requirements, which they began enforcing on February 1, 2024. Ash was a guest on Email’s Not Dead S2 E7—Spoofing, Phishing and for the Love of DMARC and on S3 E5—Implementing DMARC. In S5 E4, faithful hosts Jonathan Torres and Eric Trinidad asked Ash to join them and provide an overview of what he’s seen and what he predicts with the new email authentication standards update from Yahoo and Google. “Immediately after the announcement we started getting a lot of questions coming in. Not only questions from our existing customer base, but also in ecosystems,” Ash said. “There’s been a lot of ‘what does that mean?’ And almost immediately following, they were asking, ‘does that change anything about the standards? If not, what’s my current state? Am I actually good?’ Even
In February 2024, Google and Yahoo started implementing a series of gradual enforcements for organisations that send over 5000 emails daily, also defined as bulk email senders. These enforcements are especially relevant to Domain-based Message Authentication, Reporting & Conformance (DMARC). With this initiative, Google and Yahoo intend to reduce the overall amount of spam and spoofed content sent across the internet, especially focusing on the authentication of an organisation’s email infrastructure. This move, aimed at combating spam and improving email security, involves using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC standards. This article covers the Google and Yahoo requirement specifications and focuses on the potential impacts on European businesses. In particular, it addresses the complications of implementing DMARC across the European email ecosystem and the necessary steps to comply with the enforcement.
DomainKeys Identified Mail (DKIM) is an email security standard designed to help prevent email spoofing. It works by adding a “tamper-proof” seal to email messages, ensuring their authenticity and integrity. However, sometimes legitimate emails fail DKIM signature verification due to canonicalization issues, leading to email delivery problems. This article explains how to resolve these issues by adjusting DKIM canonicalization settings on your email gateway systems. Understanding DKIM Canonicalization Canonicalization in DKIM refers to the method used to prepare an email’s header and body for signing. According to RFC 6376 Section 3.4, there are two canonicalization algorithms for header and body: simple and relaxed. The choice between these settings affects how strictly the email’s content must match the sending and
It’s time to decode another deliverability acronym. Today, we’re going to tackle DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” It’s a bit of a mouthful, but it’s actually a relatively simple and good thing. This domain-level setting allows a domain owner to: tell receiving internet service providers (ISPs) and mailbox providers (MBPs) (think Gmail, Yahoo, Outlook.com and others) what to do with email messages sent to email users on their platforms, purporting to be from your domain, but failing authentication checks; protect your domain name by locking it down, setting a policy that says that mailbox providers should not trust mail from my domain unless it authenticates properly; and instruct mailbox providers where to send reports to help summarize and monitor for email authentication compliance. DMARC is implemented via a DNS text record. Learn more about that here. DMARC effectively requires correctly configured SPF (Sender Policy Framework) and/or
Reporting is an important part of DMARC. It provides valuable feedback from mailbox providers to help you identify any problems with authentication of your legitimate emails, and allows you to monitor for fraudulent email misuse of your domain name. But lots of people set up DMARC without understanding the reporting component — I myself have been guilty of simply routing DMARC reports (which tend to comprise a low volume of emails containing XML-formatted data attachments) to a folder or mailbox to review them “someday.” And if that day ever comes, I figure it would be good to understand what I’m looking at as far as the two different types of DMARC reporting — and why, ultimately, RUA (aggregate) reporting is all I (and you) should rely on. When creating a “reporting address” for your DMARC record, you might notice that there are two different “reporting” fields in the DMARC record
Here’s a link to dmarcian’s DMARC Dictionary. Say that ten times fast! Then bookmark it, because it’ll come in handy as you navigate this new world of DMARC. And don’t forget to keep their DMARC Inspector link handy, too.
It’s time for another Webinar Rewind! Recently I presented (alongside Jesse Kennedy) a live webinar specifically meant to help AWeber users get up to speed on the new sender requirements brought to us by Yahoo and Google. With a focus on the specifics of what buttons to push, what text to paste into what field, even where and how to buy a domain — from start to finish, how to configure your email domain so that your AWeber email sends are fully in compliance with the new email authentication requirements. If you missed it, don’t fret! You can find the recording here and embedded below. We made sure to save time to take your questions, and did a bunch of live poking at email authentication and domain DNS settings, so you could see us push the buttons that you yourself need to push to get everything in place. As an
Google and Yahoo’s DMARC requirements will be enforced in February 2024 for higher volume senders. We have resources to help you prepare for DMARC and other sender requirements to ensure your email delivery won’t be disrupted. Why DMARC now? There are few mechanisms that prohibit bad actors from sending an email pretending to be you. DMARC is the main control for fighting domain abuse. It’s a free and open technical specification that authenticates emails with SPF and DKIM. By publishing a DMARC record in your domain’s DNS, you can fight business email compromise, phishing and spoofing. DMARC, SPF and DKIM aren’t newcomers to the email authentication scene—they’ve been around for over a decade and have grown to become a best practice. Email is involved in more than 90% of all network attacks; without DMARC, it can be hard to tell if an email is real or fake. Because of the
DMARC — and specifically, DKIM and DMARC compliance with the new Gmail and Yahoo Mail Requirements — these are a very hot topic for 2024! I’ve been talking about all of this quite a bit lately and I don’t see that letting up any time soon. Want to get in on the action? Here’s your chance. On January 10th, 2024, LB Blair from Email Industries and yours truly (Al Iverson) presented a live webinar on this very topic: DMARC-Pocalypse Now: What you need to know about DMARC and new Yahoo/Gmail requirements. Explaining what DMARC is, why you need it, what to be aware of as far as implementing it — prerequisites, risks, policy settings, reporting annoyances, all that jazz. We didn’t focus on just a single email sending or newsletter send platform — it was more of a technical overview of what any savvy sender might need to know