Google and Yahoo have both announced that they will require all incoming email to be authenticated with verification and security protocols starting in February 2024. This is a huge endorsement of best practices from two of the largest email service providers, and a critical moment for every organization to set up SPF, DKIM, and DMARC protocols properly and monitor them for compliance.
First, let’s get the jargon out of the way:
- SPF (Sender Policy Framework) is a protocol for letting the world know what outgoing mail servers are allowed to send email on behalf of your domain. When someone sends malicious email and spoofs an email address that belongs to your domain, having a properly configured SPF record lets recipients know that email is spam.
- DKIM (DomainKeys Identified Mail) is a protocol that proves an email that says it came from your outgoing mail server really did. A public/private key pair stamps your message with a signature that only your mail provider can verify. Email without this signature can be regarded as spam.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that leverages SPF and DKIM to produce detailed reporting on all email associated with your domain name, and then lets you send specific instructions to recipients’ mail servers about what to do with invalid email. A DMARC reporting service also lets you monitor the health of your domain’s email, confirm deliverability, and further tighten your security policy to make sure that any email spoofing gets rejected as spam.
Configured properly, used together, and then monitored and adjusted over time, these tools can greatly reduce cybersecurity risks and increase deliverability for legitimate email.
Every service your organization uses to send email needs to be accounted for — not only your primary email service, but also any marketing and CRM services you may use to send mail. You may need to create SPF and DKIM records for Google, Mailchimp, and Salesforce, for example, if you use all three services to send legitimate email with your domain. Missing any one of these will compromise deliverability and increase the chance of your domain getting spoofed.
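The following script is an added example (not Macktez's code) that shows what "accounting for every service" looks like at the DNS level: it sanity-checks the SPF, DKIM and DMARC TXT records of a domain and flags the mistakes that most often break deliverability, including the SPF limit of 10 DNS lookups that is easy to exceed once several services are included. The zone is a constructed sample for the hypothetical domain example.com; the include targets are the ones Google, Mailchimp and Salesforce publish for customers (confirm against each vendor's current documentation), and the DKIM public key is a placeholder. In practice you would fetch each name's TXT records from DNS and pass them in.

```python
"""Offline sanity checks for a domain's SPF, DKIM and DMARC TXT records."""

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

# Constructed sample zone: DNS name -> TXT strings published at that name.
# The include targets are the vendors' published SPF includes; verify them
# in each vendor's documentation before copying. The DKIM key is a placeholder.
SAMPLE_ZONE = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net "
        "include:_spf.salesforce.com ~all",
    ],
    "google._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(record):
    """Count top-level SPF terms that cost the receiver a DNS lookup.
    Terms inside included records count as well; resolve those separately."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier prefix
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name.lower() in SPF_LOOKUP_MECHS:
            count += 1
    return count


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as a permerror")
    lookups = spf_lookup_count(spf[0])
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of {SPF_LOOKUP_LIMIT}")
    terms = spf[0].lower().split()
    if terms[-1] not in ("-all", "~all") and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: record does not end in -all or ~all, so spoofed mail is not flagged")
    return findings


def check_dkim(txt_records):
    if not txt_records:
        return ["DKIM: no record at selector name"]
    tags = parse_tags(txt_records[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v tag is not DKIM1")
    if not tags.get("p"):  # an empty p= means the key was revoked
        findings.append("DKIM: empty or missing p= (key revoked or never published)")
    return findings


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.startswith("v=DMARC1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing p= value {policy!r}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject, once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


def audit(zone, domain, dkim_selectors):
    """Run every check for one domain; an empty list means that record passed."""
    report = {"spf": check_spf(zone.get(domain, []))}
    for selector in dkim_selectors:
        report[f"dkim:{selector}"] = check_dkim(zone.get(f"{selector}._domainkey.{domain}", []))
    report["dmarc"] = check_dmarc(zone.get(f"_dmarc.{domain}", []))
    return report


if __name__ == "__main__":
    for record, findings in audit(SAMPLE_ZONE, "example.com", ["google"]).items():
        print(record, "OK" if not findings else findings)
```

Each sending service usually needs its own DKIM selector, so pass every selector you have published to audit(); a service whose selector returns "no record at selector name" will sign mail that recipients cannot verify.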
What’s really going on?
The basic protocols for sending email were developed decades ago, before the internet was called the internet, and are still in use. At the time, security and verification were not priorities, and the result has been a host of spam, spoofing, and phishing that is hard to counter without taking additional steps.
SPF, DKIM, and DMARC are layers of security protocols that have been developed over the years to mitigate the inherent vulnerabilities in email. Having major email providers enforce the adoption of these protocols is a major win for security and usability. But since these additional protocols are not automatic, anyone using their own domain name (i.e. not just @gmail.com or @me.com) has some work to do.
SPF, DKIM and DMARC are all relatively straightforward to set up if you are sufficiently familiar with Domain Name System (DNS) records. But the real power of DMARC comes in monitoring deliverability reports over time and adjusting DMARC settings to continually produce the best results. Ongoing DMARC management requires an additional service to process deliverability reports and flag vulnerabilities; it also requires an understanding of how these services interact, and time to review and adjust DMARC settings.
What can you do?
Our recommendation is clear: set up SPF and DKIM for every mail service your organization uses, then configure and manage DMARC on an ongoing basis. Any organization that relies on email — which is every organization — needs to take these steps in order to comply with the rules that Google and Yahoo are enforcing starting in February.
Bulk senders need to be particularly focused on correctly setting up and monitoring DMARC. If your organization’s business relies on sending marketing emails or newsletters to customers on a regular basis, ongoing DMARC adjustments are the only way to maintain your domain’s good reputation and avoid the junk folder.
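The ongoing monitoring described in the two sections above comes down to reading DMARC aggregate reports and deciding when the policy can be tightened. The script below is an added example (not Macktez's code or that of any reporting service) that parses an aggregate report in the RFC 7489 XML format, groups message volume by source IP and DMARC outcome, and recommends the next policy step. The report is a constructed sample for the hypothetical domain example.com using documentation IP ranges; real reports arrive as compressed XML attachments at the rua= address in your DMARC record. The 98% pass-rate threshold for stepping from none to quarantine to reject is an assumption chosen for illustration.

```python
"""Summarise a DMARC aggregate (RUA) report and suggest the next policy step."""
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 7489 aggregate format, trimmed to the fields used).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}
TIGHTEN_THRESHOLD = 0.98  # assumption: tighten only once at least 98% of mail passes


def summarize(report_xml):
    """Group message counts by source IP and DMARC outcome.

    A message passes DMARC when aligned DKIM or aligned SPF passes; the
    receiver records exactly that verdict in <policy_evaluated>."""
    root = ET.fromstring(report_xml)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        sources.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": "pass" in (dkim, spf),
        })
    total = sum(s["count"] for s in sources)
    passing = sum(s["count"] for s in sources if s["dmarc_pass"])
    return {
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "passing": passing,
        "sources": sources,
    }


def recommend(summary):
    """Decide whether the published policy can be tightened yet.

    Failing sources are listed by volume: a high-volume failing source is
    usually a legitimate service that still lacks SPF/DKIM, so fix or
    exclude it before tightening; low-volume stragglers are often spoofing."""
    rate = summary["passing"] / summary["total"] if summary["total"] else 0.0
    failing = sorted(
        (s for s in summary["sources"] if not s["dmarc_pass"]),
        key=lambda s: s["count"], reverse=True,
    )
    next_policy = NEXT_POLICY[summary["policy"]] if rate >= TIGHTEN_THRESHOLD else summary["policy"]
    return {
        "pass_rate": rate,
        "next_policy": next_policy,
        "investigate": [s["ip"] for s in failing],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['passing']}/{summary['total']} messages passed DMARC")
    print(recommend(summary))
```

Run it against each day's reports and only step the policy up when the pass rate stays above the threshold for a sustained period; in the sample, the 300-message source failing both checks is the kind of unconfigured marketing or CRM service that the earlier section warns about, and it has to be fixed before moving off p=none.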
Macktez Domain Management
Macktez has been managing domain health and security for decades, and can help your organization as well. Our Domain Management subscription was designed for email and domain security, and includes all the protocols and ongoing maintenance described above. In addition to setting up and monitoring SPF, DKIM, and DMARC, we’ll make sure your domain is registered at a reputable registrar, and that your DNS is hosted with a secure and reliable service — all of which will minimize the ability of malicious actors to use your domain for phishing while providing email recipients greater confidence that messages from you are authentic. We monitor DMARC reports and gradually tighten your DMARC policy, making DNS adjustments as needed.