DMARC’s vital role in email authentication and domain security is in the limelight now more than ever, as phishing attacks surge, and enterprises and regulatory bodies make implementation mandatory.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a global email authentication standard built on top of SPF and DKIM. A domain owner publishes a DMARC policy in DNS that tells receiving mail servers what to do with messages claiming to come from the domain that fail authentication, and receivers send the owner reports on what they saw. This lets organizations see when cybercriminals are using their domain without authorization, while also helping to ensure that legitimate emails reach the intended recipient’s inbox.
The work to establish DMARC as a global standard started in 2011 with a group of high-profile organizations including Google, Facebook, Yahoo! Mail and PayPal. A draft DMARC specification was published in January 2012, it was being circulated publicly by March 2013, and it was later published by the IETF as RFC 7489 in 2015.
This means that for over a decade, organizations and regulatory bodies have recognized a need for this global best practice, but it’s only in recent years that adoption has truly taken off. That’s because phishing attacks have grown by 150 percent per year since 2019 and in the last few years, the number of brand names that have been spoofed in phishing attacks has almost doubled.
By spoofing a trusted brand’s email domain, cybercriminals can create sophisticated emails that trick victims into installing malware or handing over sensitive information or money. This makes it unsurprising that organizations are increasingly looking to authenticate emails with DMARC to safeguard their brands against impersonation.
As a result, DMARC adoption is steadily increasing every year, with the number of valid policies up by a massive 84% in 2021. But with less than 6 million DMARC records existing worldwide as of 2022, there’s still a long way to go.
Encouragingly, the predicted Compound Annual Growth Rate (CAGR) of DMARC is 37.53% in the next five years and by 2028, the global market size is expected to reach $1.72 billion, up from only $254.56 million in 2022.
This is likely because organizations, regulatory bodies, and governments are now either strongly recommending the adoption of DMARC or making it mandatory, which will almost certainly contribute to a boost in the implementation of the protocol.
1. Google and Yahoo’s bulk sender requirements
From February 2024, Google and Yahoo began enforcing new requirements for bulk email senders, with enforcement ramping up to a June 2024 deadline. Any organization sending 5 000 or more messages within a 24-hour period to Gmail or Yahoo addresses must authenticate its mail with both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), publish a DMARC policy for the sending domain, and ensure that the domain in the From: header aligns with the domain that passed SPF or DKIM.
With some senders already seeing temporary errors for unauthenticated email, organizations need to prioritize having properly configured DMARC records. Note that a record at p=none satisfies the senders’ requirement and gives visibility through reports, but only an enforcing policy (p=quarantine or p=reject) actually stops spoofed mail from reaching customers, partners, employees or other stakeholders; either way, a valid record helps ensure that legitimate emails are delivered.
In 2022, almost 49% of emails worldwide didn’t make it to the inbox, and in 2023 that number was still almost 46%. Many of these are legitimate emails sent from a company’s domain, but because the organization has no DMARC policy in place, authentic emails are marked as spam and never reach the intended recipient’s inbox. Now, Google and Yahoo have upped the ante, with sender rules aimed at preventing spam and ensuring user safety by requiring a DMARC record.
So, no matter what email platform an organization uses, it needs to take the required steps to ensure uninterrupted delivery to Gmail and Yahoo users. Microsoft has also started issuing alerts in customer dashboards, warning users that they need to ensure authentication records are set or they will run into deliverability issues when emailing third-party accounts.
Although it’s true that Microsoft “does DMARC”, it does so as a receiver: Microsoft 365 evaluates DMARC on inbound mail, enforces the sender’s policy and sends aggregate reports. It does not publish or manage the domain owner’s own DMARC record, which lives in the owner’s DNS, so using Microsoft 365 alone does not make a domain DMARC-compliant. Users who don’t yet have the right authentication in place should look to seamlessly integrate a comprehensive DMARC solution into their Microsoft 365 environment to ensure full compliance.
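To make concrete what a receiver actually does with the SPF, DKIM and DMARC pieces described above, here is an added worked example written for this article; it is not code from Sendmarc, Google, Yahoo or Microsoft. It parses DMARC TXT records, applies the policy discovery order from RFC 7489 (the exact domain, then the organizational domain), checks SPF and DKIM identifier alignment in relaxed and strict mode, handles the common misconfigurations (a missing v= tag, a mistyped p= value, a subdomain sp= override), and reports whether a domain meets the DMARC part of the bulk-sender requirement. DNS is replaced by a constructed in-memory table of invented domains, and the organizational-domain logic is a two-label simplification that a real receiver would replace with the Public Suffix List.

```python
"""DMARC record parsing and policy evaluation (added example; constructed data).

Not Sendmarc or mail-provider code. DNS is a constructed in-memory table and
organizational-domain derivation is simplified (see org_domain).
"""

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample DNS data for invented domains; not real records.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "_dmarc.corp.example": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@corp.example",
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "_dmarc.broken.example": "p=quarantine; rua=mailto:x@broken.example",  # no v= tag
    "_dmarc.typo.example": "v=DMARC1; p=rejct",                            # bad p=, no rua=
    "_dmarc.typo2.example": "v=DMARC1; p=rejct; rua=mailto:dmarc@typo2.example",
}


def parse_dmarc(record):
    """Split a TXT record into tag=value pairs; return None unless it is a DMARC record.

    RFC 7489 requires v=DMARC1 as the first tag; unknown tags are kept but ignored."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # syntax error: every tag needs a value
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption for this example).

    Real receivers use the Public Suffix List so that e.g. bank.co.uk is not cut to co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_dmarc(domain, dns=SAMPLE_DNS):
    """Policy discovery: _dmarc.<domain>, then _dmarc.<organizational domain>.

    Returns (tags, domain the record was found at) or (None, None)."""
    domain = domain.lower().rstrip(".")
    for candidate in (domain, org_domain(domain)):
        tags = parse_dmarc(dns.get("_dmarc." + candidate, ""))
        if tags:
            return tags, candidate
    return None, None


def requested_action(tags, is_subdomain):
    """Action the record asks for on a failing message, or None if no policy applies.

    An invalid or missing p= is treated as p=none when a rua= address is present
    (RFC 7489 section 6.6.3); without one the receiver applies no DMARC policy at all.
    sp= overrides p= for subdomains; an invalid sp= is ignored here (simplification)."""
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "none" if tags.get("rua", "").startswith("mailto:") else None
    if is_subdomain and tags.get("sp") in VALID_POLICIES:
        return tags["sp"]
    return policy


def evaluate(from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False, dns=SAMPLE_DNS):
    """Return (verdict, detail); verdict is 'pass', 'no-policy', or the requested action."""
    tags, found_at = lookup_dmarc(from_domain, dns)
    if tags is None:
        return "no-policy", "no valid DMARC record"
    if dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, tags.get("adkim", "r")):
        return "pass", "DKIM aligned"
    if spf_pass and spf_domain and aligned(spf_domain, from_domain, tags.get("aspf", "r")):
        return "pass", "SPF aligned"
    action = requested_action(tags, found_at != from_domain.lower().rstrip("."))
    if action is None:
        return "no-policy", "invalid p= tag and no rua= address"
    return action, "no aligned SPF or DKIM pass"


def bulk_sender_ready(domain, dns=SAMPLE_DNS):
    """DMARC part of the Google/Yahoo bulk-sender requirement: a valid record, p=none or stricter.

    Deliberately stricter than requested_action: a record a receiver merely tolerates
    (a bad p= rescued by rua=) is not a properly configured one."""
    tags, _ = lookup_dmarc(domain, dns)
    return tags is not None and tags.get("p") in VALID_POLICIES


if __name__ == "__main__":
    for case in [dict(from_domain="example.com", spf_domain="bounce.example.com", spf_pass=True),
                 dict(from_domain="example.com", dkim_domain="mailer.example.net", dkim_pass=True),
                 dict(from_domain="hr.corp.example"),
                 dict(from_domain="typo.example")]:
        print(case["from_domain"], evaluate(**case))
```

Two details are worth noticing when you run it. A third-party mailer signing with its own domain fails strict DKIM alignment even though its signature verifies, which is exactly the case that trips up service providers under the new rules. And a record with a mistyped policy and no reporting address is treated by receivers as if no DMARC existed at all, so a domain can believe it is "at reject" while getting no protection.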
2. Anti-phishing required and DMARC strongly recommended by PCI DSS v4.0
Requirement 5.4.1 of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) makes mechanisms that detect and protect personnel against phishing attacks mandatory for any entity that stores, processes or transmits cardholder data. In its guidance for the requirement, the PCI Security Standards Council names anti-spoofing controls such as DMARC, SPF and DKIM as examples of how to stop phishers from spoofing your domain. The requirement is a best practice until 31 March 2025, after which it is mandatory; organizations that have not implemented it by then could face fines and potentially even lose their right to process payments.
3. Governments across the world have made DMARC mandatory
Many countries have made DMARC compulsory for government departments. The UK led the charge in 2016 by requiring DMARC on public-sector domains, the US followed in 2017 with a binding directive for federal agencies, and other countries have followed suit in recent years, with Canada and Denmark being the latest to make having a DMARC policy mandatory. These governments have implemented these measures to safeguard citizens from phishing emails and false information and ultimately maintain the trust of the public.
All this has shone a spotlight on DMARC implementation as the simplest and most effective way to protect senders and recipients against domain spoofing. We expect to see the number of regulatory bodies and organizations making email authentication mandatory continue to expand.
DMARC adoption isn’t only about complying with new regulations, but about protecting the people and organizations you do business with, as well as maintaining your business’s good reputation.
Embracing DMARC needs to be an organization-wide effort, as not having the correct email authentication standards in place impacts your ability to continue doing business. All departments need to have a firm understanding of how DMARC, or a lack thereof, affects their work.
If an organization doesn’t have the right email authentication protocols in place as per Google and Yahoo’s new requirements, legitimate emails coming from service providers that send on its behalf will be rejected or land in Spam folders, meaning important information may not be delivered to key stakeholders. And to add fuel to the fire, the 5 000-messages-a-day threshold that classifies a sender as a bulk sender is counted per primary domain, so mail that spoofs your domain can count toward it and pull you under the bulk-sender rules even if your own volume is low.
A comprehensive DMARC solution is essential to helping prevent fraudulent email activity or deliverability disruption as well as complying with the rules highlighted in this article. Sendmarc is a leading email security expert that provides seamless DMARC integration and threat detection that won’t disrupt your business’s email flow. We also offer detailed reports of who is doing what in your email environment. Being able to deliver these reports helps with compliance audits, as you’re able to prove you had full visibility into any changes made and that you had the right measures in place to prevent your domain from being spoofed.
Think your domain might be vulnerable? Test its risk here or contact us to see how we can ensure only real emails are delivered from your domain and in turn, help your business comply with new mandates.