DMARC
Hopefully you were able to attend the webinar yesterday with myself and LB Blair talking about DMARC and what senders need to know to be in compliance with the new DMARC requirements levied by Yahoo and Google this year (2024). We kept a lot of it high level — the point wasn’t to spend six hours training you through every bit of the protocol spec. But if you DID want to learn more, M3AAWG, the Messaging, Mobile, and Malware Anti-Abuse Working Group, has the good stuff. They’ve got a whole multi-part series on DMARC where they cover the fundamentals of authentication, alignment, policy, reporting, domain owner and mailbox provider best practices and more. If you just want to implement DMARC for your marketing domain and be done with it, you don’t need this. But if you do want to become a DMARC expert, this is the logical next step in
It’s time for some more fun with data! How broadly has DMARC been adopted? It’s a complex question and the answer is “it depends.” Many good senders have already implemented it — but based on Yahoo and Google pushing for it this year, it has clearly not been adopted widely enough for it to be considered a “must have” for every domain that sends mail. (And let’s not forget about domains that don’t send mail.) Every month, I take a peek at the top 10 million domains, logging various bits of DNS so that I can do later analysis. One of those data bits is: Does this domain have a DMARC record? Surprisingly, you can’t assume that the answer is yes. Though you can see that DMARC adoption is slowly nudging upward, only around 1.23 million domains (out of the top ten million) have a DMARC record in play. Now…this
Hey there! In my new role as Director of Deliverability for AWeber, I’m going to dive right in! I’m putting together a new webinar AS WE SPEAK, that covers everybody’s favorite topic — DKIM, DMARC, YAHOO, GMAIL & YOU! Also known as: what you need to do to comply with Yahoo and Google’s new sender requirements. Because this is focused on AWeber customers, I’ll cover everything from where and how to buy a domain name for your email messages (and why you have to), how to link that up to your AWeber account to correctly authenticate your email sends, how to configure and implement a DMARC record, and more! And I’ll take your questions, too! I hope you’ll join me alongside Jesse Kennedy to learn more about these very important bits for email sending success! The fun happens Wednesday, January 17th at 12:00 eastern. Click here to register.
As you well know, Gmail and Yahoo Mail are now requiring that all senders start to publish a DMARC record, if they weren’t publishing one already. Hopefully you watched the webinar with LB Blair and myself (I’ll link to the recording here as soon as it is available) where we talk at length about DMARC and what you need to know to start to be able to “speak DMARC” as needed. But if you didn’t watch that? And don’t have the time to dive into making yourself a DMARC expert? What’s the five-minute version of all of this, how do you get up and running quickly without having to stop and worry about RFCs and options? “Just tell me what I need to know to get it done.” Okay, I got you. Here we go. Before you proceed with this, you need to ensure that you’ve implemented DKIM authentication for
With Google and Yahoo transitioning several long-standing best practices to enforced sender requirements, we created the following guide to ensure you understand where you can find evidence of delivery issues and begin to understand what additional steps you need to take in order to ensure you are sending according to their guidelines. What are error codes? Email error codes and bounce strings are generated when one email server attempts delivery to another email server that results in a failure. Error codes are also commonly referred to as bounce codes, SMTP errors, or Delivery Status Notifications (DSN). You can use the messages and codes to help understand the underlying reason and attempt to troubleshoot them. Most often, the source sending emails on your behalf will have developed software to handle errors in an automated fashion for you. Where some email sources may expose these errors to you through their interface, the
What do you do for DMARC monitoring reporting? I’ve used OnDMARC by Redsift, dmarcian and EasyDMARC and I like different things about all three of them. I’d say they’re all worth looking at, but I don’t want to dive too deeply down the hole of which one is best for SMB, enterprise, etc. I could spend many hours investigating (and I’ve already spent a few) and who knows if I would come up with the best answer. (I’ve also looked at the Postmark free tier and it seems like it might be “good enough” for really small senders with light needs.) But together, that’s only four out of the universe of DMARC solution vendors out there. Is there a master list somewhere, with every possible one on it? It turns out that there is! DMARCVendors.com tries to be just that. I’m not sure who is behind this site, but I’ve
UPDATES: December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon. For more recent updates, you can visit the Department of Defense Chief Information Officer webpage. The following was published September 20, 2021. The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security. When an organization sets out to achieve a particular CMMC level, it must also meet the preceding
Google says all senders (of a certain size) must have a DMARC record in place as of February, 2024, else you could find yourself blocked at Gmail. Yahoo Mail is similarly requiring DMARC. And if you’re not familiar with DMARC, where do you start? Where do you learn more and what do you do next? Never fear, LB Blair and I have got you covered! Spam Resource and Email Industries are partnering to present DMARC-Pocalypse Now: What you need to know about DMARC and new Yahoo/Gmail requirements, a live free webinar! The fun begins Wednesday January 10, 2024 at 11:00 US central time, and you can register for the webinar right here. LB and I will walk you through email authentication basics (DKIM, SPF, and DMARC), explain exactly what a DMARC record is and why you should care. We’ll cover DMARC reports, why you might want a tool or service
Why don’t ESPs warn you, when you’re putting your email together, when you’re about to send the test message, if DMARC is going to fail? It was perhaps considered optional in the past, but from 2024 onward, DMARC effectively becomes mandatory given Gmail and Yahoo’s new sender requirements. Thus, DMARC compliance (and success) has become more important than ever before. Which means that it’s time for sending platforms to start warning people, before somebody sends a big email campaign that’s going to fail DMARC. A big ole blinking “DMARC alert” warning, please and thank you! This is such a great idea that I am saddened that I didn’t think of it. All credit here goes to Big Jason Henderson, who posited that when trying to execute a test send, a warning should pop up telling you if the send platform thinks a message is likely to fail DMARC, why that is
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Phishing Guidance—Stopping the Attack Cycle at Phase One to provide guidance in the ever-waging battle against phishing exploits. The guidance is relevant to all organizations, though it may pose challenges for those with limited resources. To address this, the guide incorporates a section with customized suggestions tailored for small- and medium-sized businesses that may lack the resources for a dedicated IT staff to consistently combat phishing threats. For software manufacturers, the emphasis is on adopting secure-by-design and default strategies. The guidance encourages software companies to create and deliver software that is resistant to common phishing threats, ultimately enhancing the cybersecurity resilience of their customers. In the phishing mitigation guidance for all organizations, CISA, NSA, FBI, and MS-ISAC recommend organizations implement DMARC and other controls