How to protect against email spoofing: DMARC records and why they matter

Introduction

In February 2024 Google and Yahoo will introduce new rules requiring organisations which send bulk emails to authenticate their domain and set DMARC records in their domain's DNS settings.

The changes are designed to protect their users and crack down on unsolicited and unwated emails with implications for many NB clients, especially those with large email subscriber lists – Google describes bulk email as any list inlcuding over 5,000 Gmail addresses. It is also crucial for ecommerce organisations using Shopify to prepare for the change to retain branded emails.

Our web developers have been investigating the changes and discovering how organisations should prepare for the new email requirements.

What are DMARC records and DNS settings?

To protect against spoofing and phishing attacks and help prevent messages from being marked as spam, it is recommended that domain owners set DMARC records in their domain's DNS settings.

In the National Cyber Security Centre's (NCSC) 'Email security and anti-spoofing - A guide for IT managers and systems administrators' they advise:

"All of your domains, including parked domains, should have DMARC records in place, regardless of whether the domain is used for email or not".

This is part of a wider set of recommendations to help secure organisations’ email systems and keep emails safer for all users.

There are three main issues for clients to consider...

1. Bulk email senders must look into implementing email deliverability best practices due to Google and Yahoo's new requirements.
2. Shopify users must add DMARC records in order for their stores to continue sending branded emails, again due to Google and Yahoo's new requirements.
3. All clients with domain names should use DMARC, DKIM, SPF, to help "protect both senders and recipients from activities like phishing, spamming, and spoofing", as recommended by the National Cyber Security Centre.

What are email spoofing and phishing scams?

Email spoofing is the creation of email messages with a forged sender address.

Phishing is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make recipients visit a website, which may download a virus onto your computer, or steal bank details or other personal information. The NCSC has more information about phishing scams.

See: https://www.ncsc.gov.uk/collection/phishing-scams

Why do DMARC records matter?

DMARC – Domain-based Message Authentication Reporting and Conformance – is a method of authenticating email messages.

A DMARC policy tells a receiving email server what to do after checking a domain's Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) records, which are additional email authentication methods.

There are various settings and policies which can be configured using DMARC records. Initially, it's important to know there are three different policy settings:

• p=none - Allows emails that fail to still go through. A DMARC policy of 'none' will give you time to understand whether you have configured DKIM and SPF correctly.
• p=quarantine - Indicates that email servers should "quarantine" emails that fail DKIM and SPF — considering them to be potentially spam.
• p=reject - Instructs email servers to block emails that fail.

Why is immediate action needed?

From February 1, 2024, Gmail and Yahoo will require bulk email senders to authenticate their domain, and have a DMARC record, to send emails to their users' email addresses.

Google advise they will enforce the requirements to "senders who send 5,000 or more messages a day to Gmail accounts".

Many of our clients have email subscriber lists over this benchmark, meaning that immediate action is recommended to ensure that email traffic continues to get through to the intended recipients.

How does this affect organisations which send bulk emails?

If no action is taken there is a risk that emails sent by an organisation won't reach the end users as intended. If you aren't already following email deliverability best practices, you need to do so now.

The three main steps to follow are

1. Authenticate emails – bulk email senders must use standard protocols to verify their sender identities. In practice, this means using DMARC, SPF and DKIM.
2. Make unsubscribing easy – if your emails don't already include a single-click unsubscribe button you will need to add that functionality so that recipients can easily opt out of receving future emails.
3. Only send emails your users want – even if 1 & 2 in this list are implemented you need to ensure emails you send don't exceed a spam rate threshold. Google and Yahoo will be toughening up spam monitoring so you should only send emails to a schedule and on subjects your subscribers expect.

How does this affect Shopify stores?

Shopify has been emailing store owners who do not have a DMARC record, advising that "If you take no action, we will rewrite your sender email to [email protected] to meet the minimum requirements so that you can continue sending emails to your customers with no interruption."

In theory, taking no action wouldn't break the Shopify store, but for branding purposes it would be best to setup DMARC, so that the store can continue to use their own 'branded email address' using their own domain name.

Shopify has provided more details with this announcement for Shopify Merchants.

What's the business case for implementing these changes?

When you implement anti-spoofing measures and secure your email while in transit, you:

• Help protect the individuals and organisations you do business with by making it difficult for cyber criminals to spoof your email address
• Help protect your brand and reputation
• Reduce the costs of service down-time and time spent on dealing with the consequences of email fraud

List from: https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing

Having robust authentication protocols in place makes sense because it helps identify that emails sent by your organisation are genuine. Setting up DMARC and DKIM ensures cryptographic identifiers are added to your emails, allowing service providers including Google and Yahoo to confirm the domain records and allow the email to reach the end users – your subscribers.

Complying with anti-spam measures does pose challenges, but it is worth the effort. If email service providers are weeding out more spam messages then legitimate ones like yours which make it through have a better chance of delivering results.

• Digital security is more important than ever – Check out our tips on how to keep your business safe from phishing scams.