Email Technology
With Google and Yahoo transitioning several long-standing best practices to enforced sender requirements, we created the following guide to ensure you understand where you can find evidence of delivery issues and begin to understand what additional steps you need to take in order to ensure you are sending according to their guidelines. What are error codes? Email error codes and bounce strings are generated when one email server attempts delivery to another email server that results in a failure. Error codes are also commonly referred to as bounce codes, SMTP errors, or Delivery Status Notifications (DSN). You can use the messages and codes to help understand the underlying reason and attempt to troubleshoot them. Most often, the source sending emails on your behalf will have developed software to handle errors in an automated fashion for you. Where some email sources may expose these errors to you through their interface, the
Recent discussions in the email security ecosystem have highlighted a security loophole concerning Google’s handling of emails sent to a Google Group. This issue arises particularly when the emails come from a domain with a DMARC policy set to p=quarantine or p=reject. Google Groups functions similarly to a mailing list. When a group address receives an email, Google forwards a copy to each group member, retaining the original From: header. This From: header is crucial, as it’s what recipient systems use to determine which domain to check against for DMARC compliance. In essence, when Google forwards these emails, it’s as if Google is spoofing the domain being forwarded. This becomes problematic with domains like AOL or Yahoo, where the receiving system will reject the email, recognizing that Google isn’t authorized to send on their behalf. How scammers exploit Google Groups’ email forwarding Domain Acquisition: Scammers start by acquiring a new
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Phishing Guidance—Stopping the Attack Cycle at Phase One to provide guidance in the ever-waging battle against phishing exploits. The guidance is relevant to all organizations, though it may pose challenges for those with limited resources. To address this, the guide incorporates a section with customized suggestions tailored for small- and medium-sized businesses that may lack the resources for a dedicated IT staff to consistently combat phishing threats. For software manufacturers, the emphasis is on adopting secure-by-design and default strategies. The guidance encourages software companies to create and deliver software that is resistant to common phishing threats, ultimately enhancing the cybersecurity resilience of their customers. In the phishing mitigation guidance for all organizations, CISA, NSA, FBI, and MS-ISAC recommend organizations implement DMARC and other controls
Starting February 2024, long-established email authentication best practices will become a requirement. It’s as simple as that, folks. This news may be alarming to you for a variety of reasons; you may have previously interpreted these guidelines as being optional or didn’t understand the related technical complexities. Or maybe you trusted that your email service provider or IT department was taking care of this for you. Whichever camp you may be in, the responsibility is yours to ensure you are compliant and have the proper visibility to maintain that favorable status from that point forward. As abuse continues to mature, so must the controls that have been implemented to secure the email channel. We applaud Google and Yahoo for ushering in this new reality in much the same way that dmarcian has always taken a standards and best practices approach. Our mission has been to spread DMARC across the
Ransomware, Act I The first documented ransomware attack was delivered by the postal service in 1989 when 20,000 floppy discs loaded with malware were sent to AIDS researchers across the globe with the promise of advancing research. When loaded in computers, the discs installed malware and displayed a ransomware message demanding payment to restore data and systems. The attacker, an AIDS researcher himself, took advantage of other researchers to capitalize on the urgency and uncertainty of the AIDS epidemic. Cybercriminals continue to employ similar scare tactics today, using coercion, matters of necessity and social engineering to dupe unsuspecting people. Instead of using snail mail, cybercriminals use unprotected domains to send spoofed emails for deploying ransomware. What is Ransomware? The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as a type of malware “cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data
Our Single Sign-On (SSO) support leverages Security Assertion Markup Language (SAML) version 2 for Enterprise users. This expedites access to your dmarcian account by letting you sign in with your existing corporate credentials, which means one less password to keep track of. With our SSO, you can easily manage SSO access and user permissions to all of your accounts in dmarcian centrally while adhering to your organization’s security and access policies. Before getting into the details for SSO configuration, let’s first talk about some basic concepts and terminology: Authentication Authentication defines how the user is identified in a system—usually through a login process. Traditionally, a user registers for an account providing authentication credentials (username and password) and uses them to log in moving forward. In the past, this has been sufficient, but it does have limitations. For example, what happens if you have several employees at your company that you want to grant access
Here’s some long-time-coming news from Microsoft, one of the world’s largest mailbox providers: they have started rolling out changes to honor DMARC policies as published in a domain’s DNS. Microsoft will now be treating the p=reject policy as intended; email failing DMARC authentication will not be delivered. Microsoft had been treating the DMARC policies of p=quarantine and p=reject the same way; email failing DMARC with a p=reject policy was delivered to the spam folder. Microsoft said they had operated this way “because some legitimate email may fail DMARC. For example, a message might fail DMARC if it’s sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they’ll be marked as spam and not rejected.” Microsoft signaled the change to
Why Is SPF Flattening Relevant? SPF has a limit of 10 DNS Lookups; any mechanism (entry) requiring a lookup after the lookup limit will not be evaluated and will fail authentication. In some cases, people turn to SPF flattening tools to work around the 10 DNS lookup limit. When you add a new mechanism in your record, you require a new DNS lookup. The more services and third-parties that send on your behalf, the more complicated and bloated your record can become. SPF record flattening can be an easy answer, but is not the safest route. How Does SPF Flattening Work? In SPF Flattening, hostnames are converted to IP addresses, which don’t count in the DNS lookup tally. Then you create your SPF records using the IP addresses instead of the hostnames. dmarcian developed SPF flattening as an experiment to work around the DNS lookup limit. In IETF’s RFC 7208
This guide describes the process for configuring Sendinblue to send DMARC-compliant messages. You will need to configure this source, and others you authorize, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to Sendinblue’s administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Sendinblue for the most complete and accurate information. General information: Sendinblue provides a platform to send transactional and marketing emails. It is often used to send B2C (business-to-consumer) and B2B (business-to-business) emails. Many areas in your organization may use this service, including marketing, sales, and finance. Sendinblue supports DMARC compliance through DKIM and SPF alignment. DKIM: To configure DKIM, you will need to access the domain’s settings. There are two ways to do this:
This guide describes the process for configuring Mailgun to send DMARC-compliant messages. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to the Mailgun administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Mailgun for the most complete and accurate information. General information: Mailgun provides an email delivery service that allows developers to integrate email into applications through APIs and SMTP. Many departments may use this service in your organization, but it is often managed by an application development team. Mailgun supports DMARC compliance through SPF and DKIM alignment. SPF & DKIM: To configure SPF and DKIM: In the Mailgun console, navigate to Sending > Overview