If you haven’t heard about DMARC, it won’t be long before you do. Here’s some background on why, as a CEO, you need to know about this email authentication protocol: it will touch every aspect of your organization.
What is DMARC and How Does it Work?
A Zulu eDM blog post explains DMARC in detail. In short, DMARC ensures that the recipient of your emails can trust that you (or an authorized user) sent them. The opening section of the Wikipedia definition is a good technical business overview, but it doesn't explain the far-reaching effects DMARC will have on all aspects of your business.
More than 90% of the world's email servers now check for a DMARC record, which means that when your domain is set to a protected status, it cannot be used illegally or in an unauthorised manner, thereby preventing spoofing of your domain. The quick facts below give some further indication of why and how implementing (or not implementing) DMARC will affect your business.
Quick DMARC Facts
- DMARC implementation is now required by governments and major email platforms. Failure to implement DMARC will result in email failing and in potential legal and contractual issues.
- Any business unit that uses email will be affected in some way. Applications that send email must authenticate: invoices, responders, notifications, email campaigns, everything!
- DMARC makes the domain accountable for email behavior. ALL emails are monitored by global feedback loops and blacklists.
- Organisations sending fewer than 1.5 million emails per month are more vulnerable to email reputation issues than larger organisations.
- If email is relied upon and your suppliers / customers are not authenticated, then your agreements must reflect the liability issues that arise from missing emails and spoof / phishing attacks.
- Your IT team will reluctantly implement DMARC, as it puts the onus for burst or campaign email back on their list of responsibilities as opposed to marketing's.
- Most implementations do not protect staff from spoof attacks. Implementing tools to identify trusted email senders in your network is essential. Educating staff, suppliers and all stakeholders is recommended.
- Marketing and franchisees will affect your email reputation and could get you blacklisted forever.
The following are the 5 key aspects of preparing an organization for DMARC anti-spoof compliance:
- Internal awareness: making staff and key stakeholders aware of business email compromise attacks, what to look out for, what steps you are taking to protect the organisation internally and the steps being taken externally.
- External communication: split into project and post-project tasks.
- Contracts, terms of trade, conditions of use, commercial agreements, franchise agreements and any other process that email is attached to must be thought through and then formalised. For example, contract termination in writing (via email): if the third party is not compliant and therefore their email fails to reach your email servers, who is responsible and what will the outcome be?
- Tools that let staff see whether the domains they regularly do business with are protected or not. What are the procedures and actions that must take place if a client or member of the public is attacked with your domain during the DMARC compliance project? Indeed, what and how do you communicate to people who claim they have been attacked after you become compliant?
- Turning on inbound protection (checking for DMARC). Google’s G Suite and Microsoft’s Outlook have anti-spoof settings which allow you to configure your inbound email protection against spoof and phishing email. This is referred to as inbound protection.
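As an added example (not code from the original post), here is a minimal DMARC policy evaluator in Python showing what the "protected status" described earlier and the inbound check in the last item amount to: a receiver looks up the record published at _dmarc.<From domain>, tests whether the SPF- or DKIM-authenticated domain aligns with the visible From: domain, and applies the published p= policy when neither does. The records, domains and authentication results are constructed, and the organisational-domain helper is a naive stand-in for the public suffix list that real receivers consult.

```python
# Added example, not from the original post.  Records, domains and
# authentication results below are constructed for illustration.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("p", "none")       # policy applied when nothing aligns
    tags.setdefault("adkim", "r")      # DKIM alignment: r=relaxed, s=strict
    tags.setdefault("aspf", "r")       # SPF alignment
    return tags

def org_domain(domain):
    """Organisational domain; naive last-two-labels stand-in for the
    public suffix list that real receivers consult."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts
    any subdomain of the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record_txt, from_domain,
                      spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """What a receiver applies to a message: 'pass' if an authenticated
    identifier aligns with the visible From: domain, else the p= action."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    return "pass" if (spf_ok or dkim_ok) else rec["p"]

if __name__ == "__main__":
    # A spoof: From: claims example.com, but SPF only passed for another domain
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            spf_domain="attacker.example", spf_pass=True))
```

With p=none the same spoof is merely reported, which is why a domain in monitoring mode is not yet "protected".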
For franchising the task is even more difficult; however, the rewards can be far greater when it comes to centralising some technology needs, brand control and other systems that franchisees tend to take upon themselves to create or implement.
If your email application (accounts, ERP, CRM, manufacturing notices) is not sending compliant email, then it will fail once you are compliant.