Google, Yahoo Push DMARC, Forcing Companies to Catch Up

Published: 23/11/2024   Category: security




The move means that DMARC, already in use by half of enterprises, will become table stakes for anyone using email for marketing.



By February 2024, any company sending more than 5,000 email messages through Google or Yahoo will have to start using an authentication technology known as Domain-based Message Authentication Reporting and Conformance (DMARC).
The requirements — announced by Google and Yahoo this week — will reach much further than marketers, however, forcing all companies lagging behind in their adoption of the trio of security technologies to catch up. Enterprises using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) will gain protection against impersonation through better authentication, while DMARC creates a notification channel back to the domain-name owner to collect information on whether their email is being spoofed.
The requirements by two large providers should push more companies to adopt DMARC until adoption reaches a level at which more effective security measures become possible, says Neil Kumaran, group product manager for Google's Gmail Security & Trust group.
"By adopting DMARC in the ways that we're asking, senders start getting a lot of intelligence back that will help them identify issues with their configuration [and] things they may want to change," he says. "So there's a material benefit to the sender to adopt DMARC and to think about these things collectively."
The trio of email security technologies has seen accelerated adoption in recent years — especially during the coronavirus pandemic, when companies were forced into remote operations. As a result, about half of email senders have a DMARC record, but only 14% have set DMARC to enforce a strict policy of quarantine or reject — widely considered the end goal, according to data from Valimail, a DMARC service provider. About half of all companies have set their DMARC record to enforce a strict policy. However, only 1% of nonprofit domains have DMARC set up.
Google's and Yahoo's requirements are a good start, and the market is not ready for more stringent requirements. But Seth Blank, chief technology officer at Valimail, hopes major email providers will raise the bar quickly.
"I think this is absolutely fantastic, but I think it doesn't go far enough," he says. "I'm excited for them to raise the bar, but what we have now are a bunch of industry best practices that are inconsistently applied. You've got a couple of the major-volume senders doing it well, and then you've got everyone else, which is why the abuse is so rife in the ecosystem."
In its blog post, Google outlined its requirements, including both SPF and DKIM records for authenticating email-sending domains, a DMARC record for the domain, and a From header that matches either the SPF or DMARC record, known as alignment. In addition, marketers must have spam rates below 0.3% and provide the ability to unsubscribe with a single click.
Google will apply the new rules to those who send more than 5,000 messages to Gmail addresses in a given day. Yahoo will apply the requirements to bulk senders, but its blog post does not define what constitutes a bulk sender. The requirements will need to be met by February for Google and in the first quarter of 2024 for Yahoo.
"Google's announcement, along with Yahoo's matching move, means that DMARC adoption is no longer a suggestion," wrote Len Shneyder, vice president of industry relations at Twilio SendGrid, an email marketing service, in a blog about the news.
"[W]ith Yahoo's news as well, you can consider this the new normal," he wrote. "The new requirements mark a change in how the industry views email authentication and best practices: what was once a set of recommendations is now becoming an enforceable set of requirements."
Google expects that the requirements will lead to a near-complete adoption of email authentication on its platform. Currently the company processes about 15 billion emails every day, and the number of unauthenticated messages has declined 75% since the company required that every message have some form of authentication.
The goal of the DMARC requirements is to ensure that all legitimate email senders have published DMARC records with their DNS service, providing authentication information to check against the headers of any received email messages. Almost every email provider will report back information about DMARC alignment to the authoritative owner of a domain.
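The following is an added example, not code from the article or from Google, Yahoo or Valimail: a small Python DMARC evaluator that parses a DMARC TXT record like the ones described above and applies the identifier-alignment check the requirements mention. It shows a monitor-only record (p=none) beside an enforcing one (p=reject) and, as RFC 7489 specifies, treats a message as aligned when the From domain matches either the SPF-authenticated domain or the DKIM signing domain (d=). Domain names and report addresses are constructed placeholders, and the organizational-domain helper is a simplification (a real receiver consults the Public Suffix List).

```python
from typing import Optional

# Constructed example records (not from the article): a monitor-only policy
# versus the enforcing policy the article calls the end goal.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record: str, from_domain: str, spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the policy action (none/quarantine/reject) to apply.

    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    DMARC passes when either authenticated identifier aligns with the From domain.
    """
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, policy["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "pass"
    return policy["p"].lower()
```

With the monitor-only record, a message whose identifiers do not align still yields "none", which is why the article treats quarantine or reject as the real end goal.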
For this reason, better identification of sources and stronger identification of messages are key to improving email technology, Google's Kumaran says.
"Authentication itself is not a silver bullet to stopping spam, but what it does is it allows everybody to get a better understanding of the email that is flowing," he says. "I expect filters will start to pick up on those patterns, take the benefits of authentication, and do a better job. We should see the impacts across the board."
Once sender authentication is in place, security vendors and email providers can better filter out the bad traffic, says Valimail's Blank.
"You're in control of who's authorized to send as you, which means by the time the message goes to any mailbox provider, the world over, the authentication is in place, and they're able to take advantage of DMARC," he says. "Spoofed or authenticated messages never make it to users' inboxes, and so we get this herd immunity and protection at scale, far outside of just Google and Yahoo, where the requirements are."
While the requirements will likely get all legitimate marketing firms to tune up their email security configurations, companies should expect that bad actors will still find ways to send spam, phishing, and malware, says Raf Marconi, managing senior consultant at Bishop Fox.
"A malicious actor can either stay below the thresholds or use legitimate services to avoid being affected by the requirements," he says. "These new requirements should have some effect on the level of spam and phishing, but it is hard to gauge how much before the requirements have been implemented, and is also dependent on proper implementation of DKIM, SPF, and DMARC."
In a recent report, Internet services firm Cloudflare found that 89% of messages blocked as spam had correct SPF, DKIM, or DMARC information, underscoring that the technologies are part of the equation but not the entire solution, says Oren Falkowitz, field CSO at Cloudflare.
"For this reason, it is futile to solely rely on standards that track sender information in order to detect and stop campaigns," he says. "In order to solve real damages, security teams must identify and have controls for payloads — the files, links, and malicious requests that comprise phishing and that cause damages."
Valimail's Blank reinforced that point.
"Bad actors tend to be the first people to follow best practices," he says. "The assumption that having SPF, DKIM, or DMARC means the mail is good is wrong. What these mean is we know who the mail came from, and that's critical to making reputational decisions."
