Email Security Insights
Our EU Director Dermot Harnett and Deployment Representative Matia Boldrini joined Dublin City University’s Information Systems Services (ISS) Team on April 9, 2024, to discuss the lessons learned and challenges overcome during DCU’s journey to DMARC compliance. The presenters take a straightforward, candid look at the DCU DMARC project, stressing the importance of building relationships and support among university departments and the coworkers that lead them. As you’ll learn in the presentation, DCU ISS was motivated by the NCSC’s email security guidance, and began their DMARC discovery phase, including advocacy among the university leadership and an initial trial with dmarcian. The ISS team shares their challenges for prioritizing this project and how they informed university stakeholders through meetings and internal communications. With the visibility gained through DMARC, they also talk about how they discovered redundant IT resources and were able to gain efficiency. If you weren’t able to join us
The FBI’s Internet Crime Complaint Center (IC3) has released the 2023 Internet Crime Report, which is based on internet crimes reported to the IC3. In 2023, as in 2022, phishing/spoofing was the top crime reported, and investment scams were the most financially damaging. The IC3 received a record 880,418 complaints with associated record losses of more than $12.5 billion, up 10% and 22% respectively from 2022. Keep in mind that these are only reported numbers and just from the American public. 2023 Internet Crime Overview Business Email Compromise: There were 21,489 BEC reports with over $2.9 billion in losses. The IC3 notes a trend of criminals using financial custodial accounts for crypto exchanges, third-party processors and phishing. Investment Fraud: The losses from investment scams increased from $3.31 billion in 2022 to $4.57 billion in 2023. With this 38% increase, investment fraud became the crime with the heaviest reported losses. Cryptocurrency
Ash Morin, our Director of Deployment, joined Mailgun’s Email’s Not Dead podcast crew to discuss Google and Yahoo’s DMARC sender requirements, which they began enforcing on February 1, 2024. Ash was a guest on Email’s Not Dead S2 E7—Spoofing, Phishing and for the Love of DMARC and on S3 E5—Implementing DMARC. In S5 E4, faithful hosts Jonathan Torres and Eric Trinidad asked Ash to join them and provide an overview of what he’s seen and what he predicts with the new email authentication standards update from Yahoo and Google. “Immediately after the announcement we started getting a lot of questions coming in. Not only questions from our existing customer base, but also in ecosystems,” Ash said. “There’s been a lot of ‘what does that mean?’ And almost immediately following, they were asking, ‘does that change anything about the standards? If not, what’s my current state? Am I actually good?’ Even
Google and Yahoo’s DMARC requirements will be enforced in February 2024 for higher volume senders. We have resources to help you prepare for DMARC and other sender requirements to ensure your email delivery won’t be disrupted. Why DMARC now? There are few mechanisms that prohibit bad actors from sending an email pretending to be you. DMARC is the main control for fighting domain abuse. It’s a free and open technical specification that authenticates emails with SPF and DKIM. By publishing a DMARC record in your domain’s DNS, you can fight business email compromise, phishing and spoofing. DMARC, SPF and DKIM aren’t newcomers to the email authentication scene—they’ve been around for over a decade and have grown to become a best practice. Email is involved in more than 90% of all network attacks; without DMARC, it can be hard to tell if an email is real or fake. Because of the
With Google and Yahoo transitioning several long-standing best practices to enforced sender requirements, we created the following guide to ensure you understand where you can find evidence of delivery issues and begin to understand what additional steps you need to take in order to ensure you are sending according to their guidelines. What are error codes? Email error codes and bounce strings are generated when one email server attempts delivery to another email server that results in a failure. Error codes are also commonly referred to as bounce codes, SMTP errors, or Delivery Status Notifications (DSN). You can use the messages and codes to help understand the underlying reason and attempt to troubleshoot them. Most often, the source sending emails on your behalf will have developed software to handle errors in an automated fashion for you. Where some email sources may expose these errors to you through their interface, the
UPDATES: December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon. For more recent updates, you can visit the Department of Defense Chief Information Officer webpage. The following was published September 20, 2021. The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security. When an organization sets out to achieve a particular CMMC level, it must also meet the preceding
Recent discussions in the email security ecosystem have highlighted a security loophole concerning Google’s handling of emails sent to a Google Group. This issue arises particularly when the emails come from a domain with a DMARC policy set to p=quarantine or p=reject. Google Groups functions similarly to a mailing list. When a group address receives an email, Google forwards a copy to each group member, retaining the original From: header. This From: header is crucial, as it’s what recipient systems use to determine which domain to check against for DMARC compliance. In essence, when Google forwards these emails, it’s as if Google is spoofing the domain being forwarded. This becomes problematic with domains like AOL or Yahoo, where the receiving system will reject the email, recognizing that Google isn’t authorized to send on their behalf. How scammers exploit Google Groups’ email forwarding Domain Acquisition: Scammers start by acquiring a new
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Phishing Guidance—Stopping the Attack Cycle at Phase One to provide guidance in the ever-waging battle against phishing exploits. The guidance is relevant to all organizations, though it may pose challenges for those with limited resources. To address this, the guide incorporates a section with customized suggestions tailored for small- and medium-sized businesses that may lack the resources for a dedicated IT staff to consistently combat phishing threats. For software manufacturers, the emphasis is on adopting secure-by-design and default strategies. The guidance encourages software companies to create and deliver software that is resistant to common phishing threats, ultimately enhancing the cybersecurity resilience of their customers. In the phishing mitigation guidance for all organizations, CISA, NSA, FBI, and MS-ISAC recommend organizations implement DMARC and other controls
Starting February, 2024, long established email authentication best practices will become a requirement. It’s as simple as that, folks. This news may be alarming to you for a variety of reasons; you may have previously interpreted these guidelines as being optional or didn’t understand the related technical complexities. Or maybe you trusted that your email service provider, or IT Department was taking care of this for you. Whichever camp you may be in, the responsibility is yours to ensure you are compliant and have the proper visibility to maintain that favorable status from that point forward. As abuse continues to mature, so must the controls that have been implemented to secure the email channel. We applaud Google and Yahoo for ushering this new reality in much of the same way that dmarcian has always taken a standards and best practices approach. Our mission has been to spread DMARC across the
Updated July 17, 2023 to reflect new statistics from the SBA. dmarcian’s MSP Program Manager, Joe Garner, offers his thoughts on MSPs and their ever increasing role in protecting small and medium businesses from digital attacks. COVID shows the importance of MSPs as a vital touchpoint with the cybersecurity world There was a time in the not-too-distant past when most small businesses didn’t need any IT expertise beyond setting up printers and configuring accounting software, as most of their business was in real-time and in person. As COVID transformed the world, these businesses began adopting digital strategies for the first time to handle operations like digital commerce and remote workforces, and widespread digital transformation began. According to Salesforce’s 2021 “Small and Business Trends” report, 71% of growing small- and medium- sized businesses (SMBs) survived the pandemic by going digital, and 66% say their businesses could not have survived the pandemic