How to comply with Google and Yahoo’s requirements for bulk email senders

An image generated by the Midjourney AI 6.0 alpha model using the prompt: An envelope sealed with a wax seal embossed with the word "DMARC"

To help protect their customers from malicious and junk emails, Google and Yahoo have announced that they will begin to enforce additional requirements for emails from bulk email senders in February 2024. Failure to meet these requirements will result in emails being placed in the spam folder instead of the inbox, or possibly not being delivered at all. This includes both personal and business inboxes. Other email providers are expected to follow suit, so any application that sends email should work towards adhering to these requirements, regardless of recipients or message volume.

Update: Google has begun to reject messages from bulk senders that do not comply with authentication requirements.

Read more

Proofpoint is requiring their customers to pay for Email Fraud Defense to get aggregate DMARC data from their gateways

A redacted screenshot of the Proofpoint Email Fraud Defense dashboard

I have written extensively about the DMARC email security standard, including publishing a comprehensive guide on how to implement it, with or without additional third-party vendors.  I also do a little consulting on DMARC deployment best practices. One of those consulting clients uses Proofpoint for their email gateway. They also use Dmarcian, a reasonably priced DMARC report analytics service that also publishes a ton of public content for the good of the community. We were considering moving the client’s DMARC policy from monitor only (p=none) to an enforced state (p=reject) after many hours of steadily improving the SPF and DKIM alignment of their email sources. As I took another look at the aggregate (rua) DMARC data in Dmarcian, I noticed something odd: Dmarcian was getting aggregate reports from all of the expected third-party email recipients, like Google, Yahoo, Comcast, and the client’s industry partners, but I didn’t see any reporting from the client’s own Proofpoint Secure Email Gateway (SEG).

Read more

Demystifying DMARC: A guide to preventing email spoofing

A screenshot of a premade aggreate/summary DMARC dashboard in ELK using data from pardeemarc

DMARC can stop spoofed spam and phishing from reaching you and your customers, protecting your information security and your brand. However, complexity and misconceptions deter many organizations from ever deploying it. Part mythbusting , part implementation guide, this post explains the shortcomings of SPF and DKIM, what DMARC is, how to deploy DMARC properly, and how to respond to DMARC reports – all without the need for an additional vendor, thanks to open source software!

Read more

Lessons Learned from the US Federal Government’s Ongoing Deployment of SPF and DMARC

Two soldiers process mail in a US Army Forward Operating Base Mailroom

SPF and DMARC are standards that describe how the origins of email messages should be verified, to prevent email spoofing. I spent some free time over the past few weeks creating checkdmarc , a Python 3 module and command-line interface that can validate and troubleshoot SPF and DMARC records across multiple domains, with the intent of building it into a web application that will process DMARC reports. The Department of Homeland Security recently launched an initiative to deploy SPF, DMARC, and other best practices on most federal agency domains by issuing BOD 18-01. This created the perfect case study of common challenges and mistakes when deploying SPF and DMARC across very large organizations, and even a few small ones.

2018-01-30 update: I have made many improvements to my script, corrected a few of my own misconceptions about DMARC I had in this post, and switched to updated results from 2018-01-28.

Read more