Even if you think ‘No’, read on - this article might be relevant to you.
First, let's talk about spoof emails. A spoofed email is one whose sender address has been forged so that it appears to come from a domain that never sent it. Such messages are spam by definition and usually malicious. Google and Yahoo have recently been in the news for taking bold action against spoofing by requiring (initially for high-volume senders) the email authentication technologies SPF, DKIM and DMARC. Cloud email providers have been enthusiastically, sometimes heavy-handedly, nudging their customers along with notification emails about the change. If you've seen any of those notifications you may have wondered what it all means. If so, read on, and you'll find out why the question about spam emails - and spoofing - might still apply to you.
The question is, "What are spam emails?". One answer is that anything trapped by a spam filter is spam, and that includes spoofed emails. We've all seen genuine-looking messages from delivery companies and HMRC; those organisations are being spoofed. Cyber criminals are increasingly proficient at making emails look genuine, so spam filters are becoming more sophisticated and more aggressive at blocking anything suspicious.
Spam Emails, Spoofing and Cyber Threats
Billions of emails are sent every day and 45-50% are unsolicited. Most are merely a nuisance, but a high proportion are spoofed and malicious - real threats. Either way, spam fills our inboxes and increases the risk that we'll become a victim. As a result, standards have been developed that let organisations prove their email is genuine - a 'badge of authenticity' - against the spammy background.
Sender Guidelines to Limit Spam Emails
To address the growing security risk, Google and Yahoo have published new Sender Guidelines. Initially, enforcement applies to businesses sending 5,000 or more messages a day to Gmail or Yahoo mailboxes. However, while there is currently no obligation on smaller senders, the writing is on the wall: spam filters will start to look for compliance with the Sender Guidelines from all senders and filter out email that doesn't comply. Whether you like it or not, you might be sending spam emails, simply because the filters say you are. The message is clear: get compliant, protect your brand, and don't be treated as a spammer (even when you're not).
As an email sender, the Sender Guidelines are your friend and best practice is to follow them. If you don't, you risk your legitimate communications being blocked, because filters increasingly treat non-compliant senders as likely spoofers.
Understanding The Technical Terms
The Sender Guidelines require SPF or DKIM authentication for every domain you send email from, and, for bulk senders, both SPF and DKIM together with a DMARC record. You may not have come across these terms before, so let's briefly explain each, starting with the DNS system they all depend on.
What is DNS?
DNS (the Domain Name System) underpins pretty much everything in cyberspace, email and web browsing included. It is a distributed directory that lets the owner of a domain publish records telling the rest of the internet where that domain's services live (which server receives its email, for instance) and, through TXT records, policy statements such as the ones described below. SPF, DKIM and DMARC all work by publishing records in DNS, so only someone who controls your domain's DNS can set them - which is exactly what makes them trustworthy.
What is DKIM?
DKIM (DomainKeys Identified Mail) attaches a digital signature to each outbound message - the 'badge of authenticity'. Your sending server signs with a private key, and the matching public key is published in DNS under a selector name in your domain, so receiving servers (and their filters) can confirm two things:
- The message was signed with a key published by that domain, i.e. by the domain owner or a service they authorised
- The signed headers and body haven't been changed 'in-flight' (any alteration breaks the signature)
So, a message sent through your own email system carries a valid signature. A message that merely puts your address in the From field but was sent from somewhere else does not, and DMARC (below) is what tells receiving servers to act on that difference.
What is SPF (and we’re not talking suncream!)?
SPF stands for Sender Policy Framework. A TXT record on your domain publicly lists the servers (by IP address, or by reference to your email providers' own records) that are allowed to send email using your domain as the envelope sender - the Return-Path address used for bounces, which is not always the address shown in the From field. Receiving servers look up the record and check the connecting server against it; email from an unlisted server fails SPF and can be marked as spam or rejected, depending on whether your record ends in ~all (softfail) or -all (fail).
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that ties SPF and DKIM to the From address the recipient actually sees. A DMARC record in DNS tells receiving servers to treat a message as authentic only if SPF or DKIM passes for a domain that matches ('aligns with') the From domain, what to do with messages that fail (p=none, quarantine or reject), and where to send reports on what they have seen.
DMARC monitoring helps to reduce spam: once the policy is enforced, spoofed messages using your domain are quarantined or rejected. Equally, the aggregate reports make it easy to spot legitimate email from platforms that are incorrectly configured. These are typically third-party platforms used by the business, such as Hubspot or Mailchimp, that were overlooked when SPF and DKIM were set up and so fail alignment. The usual path is to start with p=none, fix whatever the reports reveal, and only then move to quarantine and finally reject.
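To make the three terms concrete, here is an added example (not code from the original article or from any mailbox provider) of how a receiving server combines the SPF result, the DKIM result and the sender's DMARC record into a verdict for one message. The domains, results and the two-label organisational-domain rule are constructed assumptions for the example.

```python
"""Added example (not code from the original article or from any mailbox
provider): how a receiving server combines the SPF result, the DKIM result
and the sender's DMARC record to reach a verdict on one message.  The
domains and results below are constructed for illustration."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organisational domain, approximated here as the last two labels.
    Real receivers use the Public Suffix List so that e.g. 'example.co.uk'
    is handled correctly; the two-label rule is an assumption of this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse a record such as 'v=DMARC1; p=reject; adkim=s' into a tag
    dictionary, filling in the defaults from the DMARC specification."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: in strict mode ('s') the authenticated domain must
    equal the From domain; in relaxed mode ('r', the default) sharing the same
    organisational domain is enough, so mail.example.com aligns with example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the From: header, the one the recipient sees
    spf_result: str    # "pass", "fail", "softfail", "none" ... for the envelope sender
    spf_domain: str    # envelope (Return-Path) domain that SPF was evaluated for
    dkim_result: str   # result of the best DKIM signature on the message
    dkim_domain: str   # d= tag of that signature


def evaluate(dmarc_txt: str, r: AuthResults) -> tuple:
    """Return (dmarc_pass, disposition).  DMARC passes if SPF *or* DKIM passed
    for a domain aligned with the From domain; otherwise the record's p= policy
    applies (pct= sampling and the sp= subdomain policy are omitted here)."""
    tags = parse_dmarc(dmarc_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Newsletter sent through a third-party platform that signs with the customer's
# own DKIM key: SPF passes, but for the platform's bounce domain (not aligned);
# DKIM passes for example.com (aligned) -> DMARC pass.
NEWSLETTER = AuthResults("example.com", "pass", "bounce.esp-platform.example",
                         "pass", "example.com")
# Forwarded message: SPF fails because the forwarder's server is not in
# example.com's SPF record, but the DKIM signature survives -> still pass.
FORWARDED = AuthResults("example.com", "fail", "example.com", "pass", "example.com")
# Spoof: From says example.com, but SPF and DKIM only vouch for the
# criminal's own domain -> fail, and p=reject tells the receiver to bounce it.
SPOOF = AuthResults("example.com", "pass", "phish-sender.example",
                    "pass", "phish-sender.example")
# Subdomain signing: aligned under the default relaxed mode, not under adkim=s.
SUBDOMAIN = AuthResults("example.com", "none", "", "pass", "mail.example.com")

if __name__ == "__main__":
    for name, res in [("newsletter", NEWSLETTER), ("forwarded", FORWARDED), ("spoof", SPOOF)]:
        print(name, evaluate(POLICY, res))
    print("subdomain, relaxed:", evaluate(POLICY, SUBDOMAIN))
    print("subdomain, strict:", evaluate(POLICY + "; adkim=s", SUBDOMAIN))
```

The forwarded and newsletter cases are why DKIM matters even when SPF is in place: SPF only ever vouches for the envelope domain and the connecting server, so any legitimate route that changes either of them (a third-party platform, a forwarder) fails SPF alignment, and only a surviving DKIM signature keeps the message out of the DMARC policy.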
The Benefits of DMARC Compliance
DMARC compliance is a set of measures that bring the following benefits:
- Ensuring that your important communications aren't marked as spam
- Reducing the risk of your business communications being impersonated
- Protecting your customers and employees from malicious messages sent in your name
- Detecting when your emails have been altered in transit, since a DKIM signature breaks if the signed content changes
- Strengthening your overall cyber security posture
If your email-sending domains are not compliant, communications sent to Gmail and Yahoo mailboxes may be blocked or sent to a spam folder. In the same vein, Apple has introduced a Best Practice Guide for iCloud Mail, and we expect other email providers to adopt similar requirements in due course. Once spam filters expect these measures, anything non-compliant will fail.
How To Achieve DMARC Compliance
You don’t want your important communications to be blocked, so, how do you achieve DMARC Compliance?
Either follow the Google or Yahoo Sender Guidelines, which include:
- Setting up and configuring SPF and DKIM email authentication for all email-sending domains, including accounting, newsletter and e-commerce platforms (SPF or DKIM is the minimum for every sender; bulk senders need both, plus a DMARC record with at least p=none and a From domain aligned with the SPF or DKIM domain)
- Ensuring all sending IP addresses have valid forward and reverse DNS (PTR) records
- Using Google Postmaster Tools to keep your reported spam rate below 0.10%, and never letting it reach 0.30%
- Supporting one-click unsubscribe for marketing and subscribed email via the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058), including a clearly visible unsubscribe link in the message body as well, and honouring requests within two days
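An added example of the kind of pre-flight check an audit of these items involves. It is not the providers' own validator; the domain names, DNS records and newsletter are constructed for the example, and the `txt` dictionary stands in for what would be real DNS lookups.

```python
"""Added example (not the providers' own validator): an offline pre-flight
check of the DNS records and message headers the Google and Yahoo guidelines
ask for.  Domain names and records are constructed for the example; in
practice the txt dictionary would be filled from real DNS lookups."""
import re
from email.message import EmailMessage

ONE_CLICK = "List-Unsubscribe=One-Click"   # exact value RFC 8058 requires

# SPF terms that each cost one of the 10 DNS lookups allowed per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|ptr|redirect=|a(?![a-z])|mx(?![a-z]))", re.I)


def audit_txt_records(domain: str, txt: dict) -> list:
    """txt maps a DNS name to the list of TXT strings published at that name.
    Returns a list of findings; an empty list means the basics are in place."""
    findings = []
    spf = [t for t in txt.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record on " + domain)
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as permerror)")
    else:
        terms = spf[0].split()
        last = terms[-1].lower()
        if last not in ("-all", "~all") and not last.startswith("redirect="):
            findings.append("SPF: record should end in -all or ~all, got " + terms[-1])
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append("SPF: %d lookup terms, the limit is 10" % lookups)
    keys = [t for name, ts in txt.items() if name.endswith("._domainkey." + domain) for t in ts]
    if not any(re.search(r"\bp=[A-Za-z0-9+/]+=*", t) for t in keys):
        findings.append("DKIM: no selector record with a public key under _domainkey." + domain)
    dmarc = [t for t in txt.get("_dmarc." + domain, []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc." + domain)
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        if tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append("DMARC: p= must be none, quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you will receive no aggregate reports")
    return findings


def check_unsubscribe(msg: EmailMessage) -> list:
    """One-click unsubscribe as the bulk-sender guidelines require: an https
    URI in List-Unsubscribe plus the List-Unsubscribe-Post header (RFC 8058),
    and, separately, a visible unsubscribe link in the body."""
    findings = []
    if not re.search(r"<https://[^>]+>", msg.get("List-Unsubscribe", "")):
        findings.append("List-Unsubscribe: no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK:
        findings.append("List-Unsubscribe-Post: must be exactly '" + ONE_CLICK + "'")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if "unsubscribe" not in text.lower():
        findings.append("body: no visible unsubscribe link")
    return findings


def build_bulk_message(one_click: bool = True) -> EmailMessage:
    """A constructed newsletter; one_click=False reproduces the common mistake
    of putting a link in the body but publishing no RFC 8058 headers."""
    m = EmailMessage()
    m["From"] = "news@example.com"
    m["To"] = "reader@example.net"
    m["Subject"] = "Monthly update"
    m.set_content("Hello,\n\nThis month's news...\n\n"
                  "Unsubscribe: https://example.com/unsub?token=abc123\n")
    if one_click:
        m["List-Unsubscribe"] = ("<https://example.com/unsub?token=abc123>, "
                                 "<mailto:unsub@example.com?subject=unsubscribe>")
        m["List-Unsubscribe-Post"] = ONE_CLICK
    return m


# Constructed zone data: a compliant domain and a typically broken one.
GOOD = {
    "example.com": ["v=spf1 include:_spf.mail-provider.example include:spf.esp-platform.example -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedKeyMaterial"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}
BAD = {
    "example.org": ["v=spf1 include:_spf.mail-provider.example +all",
                    "v=spf1 mx -all"],                     # two SPF records = permerror
    "s1._domainkey.example.org": ["v=DKIM1; k=rsa; p="],   # empty p= is a revoked key
}

if __name__ == "__main__":
    print(audit_txt_records("example.com", GOOD))
    print(audit_txt_records("example.org", BAD))
    print(check_unsubscribe(build_bulk_message()))
    print(check_unsubscribe(build_bulk_message(one_click=False)))
```

Two points worth taking from it: a domain with two v=spf1 records is worse off than one with none, because receivers treat it as a permanent error, and the "one-click" requirement lives in the message headers, not in the body link that most people remember to add.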
Many businesses find it a real challenge to take these steps correctly, in the right order, without tripping up. It's all acronyms and strange non-English strings, and a single typo in a DNS record is enough to break it. Flex IT can help here: we understand the whole process and can lead you through to a clean result.
Or, speak to us about our DMARC Audit service. This checks that you have everything in place for reliable deliverability, lists the actions required and gives you a plan to put things right. We are also happy to advise on setting up and reading DMARC reports.
What Happens if Your Organisation Doesn’t Comply?
From February 2024, bulk senders that haven't taken action start to receive temporary SMTP errors (with explanatory error codes) on a small percentage of their non-compliant email. These temporary errors are a first warning, intended to help senders identify gaps in compliance so they can be fixed.
From April 2024, Google starts rejecting a percentage of non-compliant email outright, with the rejection rate increasing over time. If your business is a non-compliant bulk sender, look for other methods of communication, as there is no guarantee that your emails will be delivered.
Although enforcement starts with bulk senders, it will be gradually rolled out to all senders. That may not take effect for some time. However, we encourage you to take action and follow best practices now.
Keeping Pace with Technology
So, back to our original question: are you sending spam emails? Maybe the spam filters think you are. Is someone else sending spoofed, possibly malicious, emails using your domain? Even if you are confident that the answer is a clear 'No', what about next month or next year? In the world of IT and cyber security, standing still is not enough.
We appreciate that keeping pace with technology adds another task to an already long list. However, following the Sender Guidelines is an important step in your cyber security plan. It is also a reputational issue: if criminals can impersonate your domain, your customers, employees and suppliers receive malicious messages that appear to come from you, and your genuine messages are more likely to be filtered alongside them. Enforcing DMARC protects both them and your reputation.
If you have any questions about DMARC compliance, get in touch: 0333 101 7300. We’ll make it easier to keep pace with technology.