Public Email Providers To Require Security

Does your organization send more than 5000 emails per day to Gmail, Yahoo or Apple recipients? If so, and you haven’t set up DMARC records for your domains, you have some work to do! Even if you don’t send that many emails to recipients on these services, you still have some work to do. You can read more about the requirements at these links:

Google: https://support.google.com/mail/answer/81126#zippy=%2Crequirements-for-sending-or-more-messages-per-day%2Crequirements-for-all-senders

Yahoo: https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

Apple: https://support.apple.com/en-us/102322

The short version is, if you don’t send 5000 emails per day to these domains, you will need to set up at least one of either SPF or DKIM authentication records for the domains and be sure your emails are sent according to those records. You also must send the emails using TLS.

If you send 5000 or more emails per day to these domains, you are also required to have both SPF and DKIM records, along with a DMARC record published to DNS, and to send your emails so they line up with these records. Your email also needs to be sent using TLS encryption.

There are additional requirements such as one-click opt-out options and other details of the messages you send. Be sure to read the requirements and review your email servers and DNS records to ensure your emails sent to these domains are delivered as you expect. These companies will begin the initial enforcement of these requirements in February and they’ll be fully enforcing them by June.

According to analysis performed by Proofpoint, 27% of Forbes Global 2000 companies have no DMARC policy and 69% do not have a DMARC reject policy. It is shocking that this many companies don’t take the security of their email domains seriously. Remember, this is not just to ensure delivery of your emails. This is also ensuring that your customers don’t fall prey to scammers posing as your company.
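As an added example (not code from Google, Yahoo, Apple or Proofpoint), the sketch below checks a domain's published TXT records against the two tiers described above and reports whether its DMARC policy is "reject". The domains, the DKIM selector "s1" and every record value are constructed sample data; it checks only what is published in DNS, not TLS or whether real mail lines up with the records.

```python
# Added example: SAMPLE_ZONE stands in for DNS answers; all values are constructed.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all", "site-verification=abc123"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYPLACEHOLDER"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 ip4:192.0.2.10 -all"],
}

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate(domain, zone, dkim_selector):
    """zone maps a DNS name to the list of TXT strings a resolver would return."""
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    # A DKIM key record with an empty p= tag is a revoked key, so it does not count.
    dkim = [r for r in zone.get(f"{dkim_selector}._domainkey.{domain}", [])
            if parse_tags(r).get("p")]
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", [])
             if parse_tags(r).get("v", "").upper() == "DMARC1"]
    has_spf = len(spf) == 1      # more than one SPF record is an error for receivers
    has_dkim = bool(dkim)
    has_dmarc = len(dmarc) == 1  # multiple DMARC records are treated as no policy
    policy = parse_tags(dmarc[0]).get("p", "").lower() if has_dmarc else None
    return {
        "all_senders_ok": has_spf or has_dkim,                  # under 5000/day tier
        "bulk_senders_ok": has_spf and has_dkim and has_dmarc,  # 5000+/day tier
        "dmarc_policy": policy,
        "reject_policy": policy == "reject",
    }

if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, evaluate(name, SAMPLE_ZONE, "s1"))
```

In the sample data, example.com satisfies the bulk-sender tier but publishes p=none, which is the "no reject policy" situation the Proofpoint figures describe.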

While I don’t have all the details of what happened and whether DMARC could have helped the situation, enough of the details line up with incidents I’ve investigated to believe that had Hollywood personality Andy Cohen’s bank had DMARC implemented, he might not have been scammed out of “a significant” sum of money. I can attest to an incident that I was involved with that could have resulted in a bank customer losing $250,000 in one take, which never would have had a chance to happen had his email provider enforced DMARC. Yes. DMARC is that important. DMARC can save your company and your customers money. Not fully using DMARC can cost you! And soon, not using DMARC will prevent your emails from being delivered at all. Get going on DMARC if you haven’t already.
