Is Your Business DMARC Compliant? The Consequences of Ignoring Email Security Standards
Two things are likely to happen if you don't take action:
Your emails will start to go into junk folders
– Irrespective of whether you have emailed that person every week for the last ten years, receiving mail servers will start filtering your messages once they cannot authenticate them.
– That applies to every email sent from your domain, most importantly invoices, which will not get noticed or paid if they land in junk.
Your domain could be spoofed by attackers.
– Spoofing means forging the visible From: address so that a message appears to come from your domain. Nothing stops an attacker typing your address into that field; what stops the message being delivered is receivers having a DMARC policy from you that tells them to reject it.
– A spoofed message could then be used to mount attacks against your customers and suppliers while impersonating your organisation.
– On the topic of invoices, attackers could send invoices out "from you" with amended banking details, so your customers pay into their account instead of yours.
Both of these stem from the changes the major mailbox providers are making around DMARC.
What changes have happened, and what is coming?
Google announced that from February 2024 it requires email authentication (SPF or DKIM) for every sender to Gmail, with bulk senders also required to publish a DMARC record. Yahoo has taken the same stance and Apple has published similar sender guidelines, with Microsoft likely to join them soon. They are doing this for good reason: it makes it harder for attackers to impersonate email domains.
So, meeting these email authentication standards is now a requirement for mail to flow reliably from an organisation's domain into the intended inbox.
There are three main email authentication mechanisms designed to prevent unauthorised parties from sending email on behalf of a domain they do not own. They are:
Sender Policy Framework (SPF)
- SPF is a DNS TXT record in which a domain lists the servers (by IP address, hostname or included record) that are allowed to send email for it. The receiving server checks the connecting server against the SPF record of the envelope sender (Return-Path) domain.
DomainKeys Identified Mail (DKIM)
- DKIM is a digital signature. The sending server signs selected headers and the body with a private key, and publishes the matching public key in DNS under a selector for the signing domain. The receiver verifies the signature, which proves the message was signed by that domain's key and has not been altered since.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
- DMARC is a DNS TXT record at _dmarc.<your domain> that ties SPF and DKIM to the From: address the recipient actually sees. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: domain. SPF or DKIM on their own do not check the From: domain; that is why both can pass on a spoofed message and why DMARC is needed.
- The DMARC record tells receiving servers what to do when a message fails, and where to send reports. The published policy (the p= tag) determines which of the following happens to a failing email:
– p=none: still delivered; the domain owner only receives reports (monitoring mode)
– p=quarantine: marked as spam and placed into junk
– p=reject: rejected altogether
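To make the alignment and policy logic above concrete, here is an added worked example (not code from the original page or from EquiTech Group) that evaluates DMARC for a message the way a receiving server does, given the SPF and DKIM results it has already computed. The DMARC record, the From: domains and the authentication results are all constructed inline; no DNS lookups are performed. The organisational-domain helper uses a small hard-coded suffix list as a stand-in for the Public Suffix List that real receivers consult, and `assess_record` is a simple scoring routine of my own, not a published scoring standard.

```python
"""DMARC evaluation and record assessment (added worked example).

Models RFC 7489 alignment and policy handling for one inbound message.
Everything here is constructed for illustration: the record text, the
domains and the SPF/DKIM results a receiver would already hold.
"""

# Assumption: a tiny stand-in for the Public Suffix List. Real receivers
# use the full list so that "bounce.example.co.uk" -> "example.co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

DISPOSITION_FOR_POLICY = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags.

    Returns None when the text is not a usable DMARC record (no v=DMARC1,
    or no p= tag), which is what a receiver treats as "no policy".
    Missing alignment/pct tags take their RFC defaults (relaxed, 100).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organisational domain: the registrable part of a hostname."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the envelope (Return-Path) domain SPF was checked against;
    dkim_domain is the d= tag of the verified signature. Results are the
    strings 'pass', 'fail' or 'none'. pct= sampling and the sp= subdomain
    policy are deliberately not modelled.
    """
    if record is None:
        return False, "deliver"  # no DMARC record: receiver has no instruction
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, DISPOSITION_FOR_POLICY.get(record["p"].lower(), "deliver")


def assess_record(record):
    """Findings a domain owner would want to fix (my own simple checklist)."""
    if record is None:
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    if record["p"].lower() == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in record:
        findings.append("no rua= tag: no aggregate reports, so you cannot see who sends as your domain")
    if record["pct"] != "100":
        findings.append("pct=%s: policy applied to only part of failing mail" % record["pct"])
    return findings


if __name__ == "__main__":
    # Constructed scenario: a domain at enforcement, one genuine message sent
    # via a bounce subdomain, and one forged message from an attacker's server
    # whose own SPF passes but does not align with the From: domain.
    record = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print("genuine :", evaluate(record, "example.com", "pass", "bounce.example.com", "fail", ""))
    print("forged  :", evaluate(record, "example.com", "pass", "attacker.net", "none", ""))
    print("findings:", assess_record(parse_dmarc_record("v=DMARC1; p=none")))
```

The forged message is the case the page warns about: the attacker's server is in its own SPF record, so SPF "passes", yet the envelope domain does not align with the spoofed From: domain, so DMARC fails and the `p=reject` policy has the receiver refuse it. Change the record to `p=none` and the same forged message is delivered, which is why publishing a record is only the first step.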
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that helps prevent email spoofing and phishing by checking that the From: domain the recipient sees is backed by an aligned SPF or DKIM pass, and by telling receivers what to do (and whom to report to) when it is not. It is the standard every organisation now needs to comply with to keep email flowing seamlessly from its domain.
What can we do?
There are two things every organisation needs to do:
1 – Test their domain
- EquiTech Group can help with this. We have tools we can use to test your domain (its SPF, DKIM and DMARC records) and score it for compliance with DMARC standards.
2 – Remediation
- Once step one is complete, we will know whether any remediation is needed and, if so, what. For some this is a minor journey; for others there is a lot of work to be done.
What if we do nothing?
If you do nothing, your emails will start to go to junk folders or not be delivered at all, or the worst could happen: your domain could be spoofed by an attacker to mount attacks on your customers, suppliers or other stakeholders who interact with you. All of this would be under the guise of your legitimate domain, which is terrifying to say the least.
But not just this; they could mount an impersonation attack on your own staff. They could:
- Spoof your domain and impersonate a key individual, such as a director, manager or member of the finance team
- Make the sender address and message look completely legitimate
- Use the real email address, name and signature, everything
Then the attacker could mount a more harrowing, sophisticated attack:
- Asking for a transfer of funds
- Requesting that sensitive information be shared
- Demanding actions that compromise security further, such as "Can you install this software" (which is actually malware or ransomware)
Take the latter. If an email of this nature were sent impersonating a director to a new, more junior member of staff, would they fall for it? Chances are they would.
Call to Action
Many organisations don’t have a lot of time to act on this. If you’d like to assess your domain score in line with DMARC standards, or look at remediation steps to become compliant then speak to one of our consultants at EquiTech Group to see where we can help:
Phone – 01604 346 444
Email – info@etg365.co.uk