When it comes to email security, most of the focus is on what happens when a malicious email is received. Optimally, a multi-layered approach will help filter out phishing emails and other attacks via technology and user training.
But some of that pressure on receivers could be relieved if it weren’t so easy for attackers to spoof legitimate domains. This month, Google (along with Yahoo and AOL) hopes to address that problem with new requirements for email senders around domain authentication.
The new Google/Yahoo requirements will codify some basic email best practices that MSPs should be encouraging anyway. Under the new provisions, senders must publish SPF and DKIM records and DMARC policies for all domains. Senders must have valid forward and reverse DNS records published for their mail servers. They must also use a TLS connection for transmitting mail. In addition, senders must keep spam complaints below a designated threshold and provide one-click unsubscribe processes for mass emails like newsletters and marketing messages.
New sender requirements explained
Google will now require the use of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for all sender domains, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protection for all sender domains that send 5,000 messages or more per day to recipients in Gmail or any Google Workspace-hosted email domain. Otherwise, those emails will be rejected or marked as spam. For entities that use third-party email service providers to send large volumes of mail under their sender domain, that could lead to legitimate mail being treated as a domain-spoofing phishing attack.
And a lot of companies are ill-prepared for the change. According to data presented in a recent Barracuda webinar on the subject, DMARC adoption is fairly limited, and fewer than half of those with DMARC in place are using an automated reporting tool to help manage reporting and enforcement.
For senders, manually managing these requirements can be a big lift. Automated solutions like Barracuda Domain Fraud Protection can help senders meet these requirements. It can also reduce the volume of spoofed domains and fraudulent emails. However, by strengthening authentication standards, some senders may face difficulties in using third-party email marketing partners or with email forwarding. Hence, companies need to understand the best approaches for compliance. This represents another opportunity for MSPs to address a critical need for existing clients.
Email best practices become requirements
DMARC is an email authentication standard that provides domain-level protection for your emails. It gives receivers a way to verify that the domain in the ‘from’ address is actually the domain from which the email originated.
DMARC addresses gaps in the SPF and DKIM standards. Sender Policy Framework (SPF) is a way to announce allowed senders: it lets mailbox providers like Gmail and Yahoo verify that a specific mail server is authorized to send mail for an associated domain. However, SPF validates only the envelope sender address used in the SMTP transaction; it does not validate the From: address the recipient sees. DKIM (DomainKeys Identified Mail), on the other hand, validates that the signed parts of the email have not been altered in transit. Individually, neither protocol fully protects against spoofed domains or malicious content. To make matters worse, both SPF and DKIM are merely advisory: it is up to the receiving server to decide how to interpret these signals. DMARC gives authoritative control back to the owner of the sender domain, who can state which sources may legitimately send as that domain and what receivers should do with mail that fails.
To comply, senders must:
- Publish a DMARC record in their DNS.
- Enable DMARC monitoring (reporting).
- Ensure their messages align under DKIM (which survives email forwarding better) or implement proper SPF alignment.
- If they maintain their own mail servers, validate that each sending IP address has a corresponding PTR record in DNS.
- When using an email vendor, confirm that the vendor is DMARC compliant and follow the vendor's published instructions (where they exist) to align that vendor with the domain's DNS records.
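The checklist above can be turned into a repeatable audit. The following script is an added example, not Barracuda's code or anything from the original article: it walks the published records a sending domain needs (an SPF record with a restrictive terminal mechanism, a DKIM selector record carrying a public key, a DMARC record with a valid policy, and forward/reverse DNS that agree for the sending host). The `ZONE` dictionary is a constructed stand-in for live DNS answers for a hypothetical `example.com`, so the script runs offline; in production each lookup would be a real TXT, A or PTR query.

```python
"""Audit the DNS records a sending domain needs before mailbox providers
will accept its mail: SPF, a DKIM selector, a DMARC policy, and matching
forward/reverse DNS for the sending host. Added example; the ZONE table
is a constructed stand-in for real DNS lookups (hypothetical records for
example.com), so this runs offline."""

# Constructed DNS answers for a hypothetical domain. In production these
# would come from TXT/A/PTR queries against the live resolver.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 include:_spf.mailvendor.example -all"],
    ("mail._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"],
    ("mx1.example.com", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mx1.example.com"],
}


def lookup(zone, name, rtype):
    """Stand-in for a DNS query: returns the list of record strings or []."""
    return zone.get((name, rtype), [])


def parse_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def reverse_name(ip):
    """203.0.113.10 -> 10.113.0.203.in-addr.arpa (IPv4 only in this example)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def audit_domain(zone, domain, dkim_selector, sending_host):
    """Return a list of (check, ok, detail) tuples, one per requirement."""
    findings = []

    # SPF: exactly one v=spf1 record, ending in -all (fail) or ~all (softfail).
    spf = [r for r in lookup(zone, domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(("spf", False, f"expected exactly one v=spf1 record, found {len(spf)}"))
    else:
        ending = spf[0].split()[-1]
        findings.append(("spf", ending in ("-all", "~all"), f"terminal mechanism is {ending}"))

    # DKIM: the selector record must publish a public key in its p= tag.
    dkim = lookup(zone, f"{dkim_selector}._domainkey.{domain}", "TXT")
    tags = parse_tags(dkim[0]) if dkim else {}
    ok = bool(tags.get("p"))
    findings.append(("dkim", ok, "public key present" if ok else "no selector record or empty p= tag"))

    # DMARC: v=DMARC1 with a recognised policy; rua= enables reporting.
    dmarc = lookup(zone, f"_dmarc.{domain}", "TXT")
    tags = parse_tags(dmarc[0]) if dmarc else {}
    policy = tags.get("p")
    ok = tags.get("v") == "DMARC1" and policy in ("none", "quarantine", "reject")
    findings.append(("dmarc", ok, f"p={policy}, rua={'set' if 'rua' in tags else 'missing'}"))

    # Forward and reverse DNS must agree: host -> IP -> PTR -> same host.
    ips = lookup(zone, sending_host, "A")
    ptrs = [lookup(zone, reverse_name(ip), "PTR") for ip in ips]
    ok = bool(ips) and all(sending_host in names for names in ptrs)
    findings.append(("rdns", ok, f"{sending_host} -> {ips} -> {ptrs}"))
    return findings


def is_compliant(findings):
    """True only when every check passed."""
    return all(ok for _, ok, _ in findings)


if __name__ == "__main__":
    for check, ok, detail in audit_domain(ZONE, "example.com", "mail", "mx1.example.com"):
        print(f"{'PASS' if ok else 'FAIL'} {check:6} {detail}")
```

The DMARC check deliberately accepts `p=none`, because a monitoring-only policy is the correct first step while reports are being collected; the SPF check flags `+all`, which authorizes the whole internet and is worse than no record at all.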
Alignment
The key concept here is alignment: the domain that SPF or DKIM authenticates must match the domain in the From: address the recipient sees. Each legitimate service sending on behalf of your domain must be aligned in DKIM or SPF (ideally both). Most major email service providers have these processes documented already. Once you have ensured all email sources are aligned, you can enforce DMARC.
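Alignment is easiest to see as code. The function below is an added example (not from the article or any vendor): it takes the visible From: domain, the SPF-authenticated envelope domain, the `d=` domains of any DKIM signatures that verified, and the sender's published `aspf`/`adkim` modes and `p=` policy, and returns whether DMARC passes and what disposition the policy calls for. Relaxed mode (`r`) accepts any subdomain of the same organizational domain; strict mode (`s`) requires an exact match. The `organizational_domain` helper is an assumption-labelled approximation (last two labels) standing in for the Public Suffix List that real implementations consult, and the three cases at the bottom are constructed for a hypothetical `example.com`.

```python
"""DMARC alignment check (added example). A message passes DMARC when at
least one authenticated identifier, the SPF envelope domain or a DKIM d=
domain whose signature verified, aligns with the visible From: domain."""


def organizational_domain(domain):
    # Approximation for this example: real DMARC evaluators use the Public
    # Suffix List, so 'mail.example.co.uk' would not be handled correctly here.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, header_from, mode):
    """identifier: SPF envelope domain or DKIM d= domain; mode 'r' or 's'."""
    identifier, header_from = identifier.lower(), header_from.lower()
    if mode == "s":
        return identifier == header_from
    return organizational_domain(identifier) == organizational_domain(header_from)


def evaluate_dmarc(header_from, spf_domain, spf_pass, dkim_results,
                   aspf="r", adkim="r", policy="reject"):
    """dkim_results: list of (d_domain, verified) pairs, one per signature.
    Returns (dmarc_pass, disposition, reason)."""
    if spf_pass and aligned(spf_domain, header_from, aspf):
        return True, "none", f"spf aligned via {spf_domain}"
    for d_domain, verified in dkim_results:
        if verified and aligned(d_domain, header_from, adkim):
            return True, "none", f"dkim aligned via d={d_domain}"
    # No aligned identifier: apply the sender's published policy.
    disposition = policy if policy in ("quarantine", "reject") else "none"
    return False, disposition, "no aligned identifier"


if __name__ == "__main__":
    # Constructed cases for a hypothetical domain example.com.
    cases = [
        # Forwarded through a mailing list: SPF now sees the list's domain,
        # but the original DKIM signature survived, so DMARC still passes.
        ("example.com", "lists.forwarder.example", True, [("example.com", True)]),
        # Marketing vendor signing only with its own domain: nothing aligns,
        # so the published p=reject applies to legitimate mail.
        ("example.com", "bounce.mailvendor.example", True, [("mailvendor.example", True)]),
        # Subdomain bounce address aligns under relaxed SPF mode.
        ("example.com", "bounce.example.com", True, []),
    ]
    for case in cases:
        print(case[0], "<-", evaluate_dmarc(*case))
```

The second case is the situation the article warns about: the vendor's mail is authenticated, just not as your domain, and with enforcement turned on it would be rejected until the vendor is given a DKIM selector under your domain or a bounce domain covered by your SPF record.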
The reporting piece, however, can quickly overwhelm IT administrators. That is where automated tools like Barracuda Domain Fraud Protection come into play. Barracuda offers DMARC reporting as part of its email bundle and as a stand-alone reporting tool.
This DMARC reporting solution can help users set up a DMARC record in their DNS and then analyze reports. This will help email administrators determine which email senders are legitimate. They can then configure email authentication policies (i.e., DKIM and SPF) on all mail systems to properly recognize legitimate senders.
From there, users can leverage DMARC’s enforcement capability to automatically reject emails not sent from legitimate mail systems. This works towards preventing attackers from spoofing your domain.
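The "analyze reports, identify legitimate senders, then enforce" loop described above works on DMARC aggregate (`rua`) reports, which receivers send as XML. The script below is an added example of the triage step, not Barracuda's tool or anything from the article: it parses a report in the RFC 7489 aggregate layout and groups results by source IP, separating sources that are already aligned from those that authenticate but under the wrong domain (usually a vendor that still needs aligning) and those with no authentication at all. `SAMPLE_REPORT` is a constructed report for a hypothetical `example.com`, not data from any provider.

```python
"""Summarize a DMARC aggregate (rua) report by sending source. Added
example; SAMPLE_REPORT is a constructed document in the RFC 7489
aggregate-report layout for a hypothetical domain, not a real report."""

import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailvendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.mailvendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>192-0-2-77.unknown.example</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml):
    """Return {source_ip: {...}} with message counts, how many passed DMARC,
    and the identifiers each source authenticated under."""
    root = ET.fromstring(report_xml)
    summary = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated dkim/spf already reflect alignment; either passing means DMARC pass.
        dmarc_pass = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        dkim_domains = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                        if d.findtext("result") == "pass"]
        spf = rec.find("auth_results/spf")
        entry = summary.setdefault(ip, {"count": 0, "passed": 0, "dkim_domains": set(),
                                        "spf_domain": None, "spf_result": None})
        entry["count"] += count
        entry["passed"] += count if dmarc_pass else 0
        entry["dkim_domains"].update(dkim_domains)
        if spf is not None:
            entry["spf_domain"] = spf.findtext("domain")
            entry["spf_result"] = spf.findtext("result")
    return summary


def classify(entry):
    """Triage heuristic for an administrator deciding what to fix before enforcing."""
    if entry["passed"] == entry["count"]:
        return "aligned"
    if entry["dkim_domains"] or entry["spf_result"] == "pass":
        return "authenticated but misaligned (likely a vendor to align)"
    return "unauthenticated (unknown source or spoofing)"


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_REPORT).items():
        print(f"{ip:15} {entry['count']:5}  {classify(entry)}")
```

Run over real reports, the middle bucket is the one to clear before moving from `p=none` to `p=quarantine` or `p=reject`; the last bucket is what enforcement is meant to stop.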
These new requirements are fixing security shortcomings in email that have been festering for decades. In addition to ensuring senders do not experience disruptions in their operations, they will also help protect receivers against phishing attacks. They can even help IT administrators root out any shadow IT/email services that individual departments may have deployed or contracted for without the knowledge of the IT department.
To learn more about how MSPs can quickly deliver domain spoofing protection to their clients, check out the latest Barracuda MSP webinar, “Help Your Clients Comply with New Google and Yahoo Requirements.”
Note: This was originally published by XaaS Journal