Email remains the channel through which the large majority of attacks on businesses begin. In 2024, Gmail and Yahoo started enforcing sender requirements: every sender must authenticate its mail with SPF or DKIM, and bulk senders must also publish a DMARC policy, so that the mailbox provider can positively identify who actually sent a message. Gmail introduced these rules to protect its users from unsafe bulk mail; messages that fail the checks may be rejected or sent to spam. The 2024 Verizon Data Breach Investigations Report found that roughly 40% of social engineering incidents were pretexting, the pattern behind Business Email Compromise.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that lets a domain owner tell receiving mail servers how to treat messages that claim to come from the domain but fail authentication, and to receive reports about them. It protects against direct spoofing of your domain and the phishing and fraud built on it.
Email spoofing is a cyberattack where a scammer fakes the "From" address in an email to make it look like it's coming from a trusted source - such as a business or individual - when it's actually from someone else. This technique is commonly used in phishing scams to deceive recipients into sharing sensitive information or clicking malicious links.
Your business reputation and client trust depend on preventing criminals from impersonating your domain through email fraud. DMARC email authentication adds a proven layer of protection that helps stop fakes such as fraudulent invoices sent from your exact domain, while preserving your ability to communicate with clients. PCI DSS v4.0 requirement 5.4.1, which becomes mandatory on March 31, 2025, requires mechanisms to protect personnel against phishing; DMARC together with SPF and DKIM is the anti-spoofing control the standard's guidance names, so businesses processing card payments should have it in place. This guide shows you how to protect your business communications and prevent losses through smart email security.
Email Security Foundations: Understanding DMARC Protection
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, builds on two existing email authentication protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to prevent unauthorized use of business email domains. It adds what they lack on their own: a check that the authenticated domain aligns with the domain shown in the From: header, a published policy telling receivers what to do with mail that fails, and reports back to the domain owner. Under PCI DSS v4.0, the anti-phishing requirement (5.4.1) moves from best practice to mandatory on March 31, 2025, and DMARC is the expected way to meet its anti-spoofing element for businesses processing card payments.
Protecting Your Business Beyond Credit Card Transactions
Even if your business does not accept credit cards, implementing DMARC is essential to protect your brand reputation and client trust. Consider a scenario where a cybercriminal spoofs an email from your domain, sending a fake invoice to one of your clients. If the client pays the criminal instead of you, it could strain your client relationship and damage your revenue.
How DMARC Works
DMARC informs other mail servers which senders are authorized to use your domain and what to do with mail that is not. It builds on two components:
- Sender Policy Framework (SPF): a DNS record listing the servers (IP addresses) allowed to send mail for your domain; the receiving server checks the connecting server against it
- DomainKeys Identified Mail (DKIM): a cryptographic signature added to each message, verified with a public key published in your DNS, so receivers can confirm the message came from an authorized system and was not altered in transit
By setting up DMARC, you specify whether mail that fails authentication should be delivered anyway (p=none, monitoring only), quarantined (p=quarantine, typically sent to spam), or rejected outright (p=reject). You may at first think this is odd, because of course only you should be able to send email from your domain, right? But think for a moment: you may have a Customer Relationship Management (CRM) system that sends updates from your company, or a quoting or billing platform that sends emails on your behalf. Perhaps you send a weekly newsletter, as we do. These are all legitimate sending sources, yet technically they are third parties sending as your domain, and without an SPF entry or DKIM key for each of them, DMARC treats their mail the same as a spoofer's.
Compliance and Reporting
To get the benefit of DMARC (and to satisfy the requirement), you must not only set up the initial authentication but also implement reporting, by including a rua= address in the record and actually reading what arrives. Reporting is what tells you to update your DNS records when, for example, your marketing department introduces a new email platform, so that your mail stays deliverable and is more likely to be read by recipients. This is not a "set it and forget it" task. "Reporting" is in the name of the protocol.
The Importance of DMARC Adoption
Major email providers like Yahoo and Gmail began enforcing sender requirements in 2024: every sender needs SPF or DKIM, and bulk senders (Google's threshold is about 5,000 messages a day to Gmail) must also publish a DMARC policy, at minimum p=none, with the From: domain aligned to SPF or DKIM. Mail that fails these checks may be rejected or sent to spam. As more recipients implement stricter measures, your email deliverability will decrease if you do not comply. This could impact your ability to communicate effectively with clients and your community. Your big fundraising event for your non-profit? If your email isn't configured properly, your audience may not receive those emails.
Enhancing Cybersecurity Resilience
Implementing DMARC protection is a proactive step towards enhancing your overall cybersecurity resilience. Many local businesses do not accept credit card payments, so they won't immediately be required to meet the PCI DSS standard, but the security measure really should be implemented anyway. As cyber insurance carriers increasingly ask about DMARC on their applications, adopting this measure will become even more important for businesses of all sizes.
The Bottom Line
Security is a bit of a "cat and mouse game". As businesses build cyber defenses, criminals think of new tricks to break through. DMARC is a powerful tool that builds on SPF and DKIM to prevent email spoofing, protect your brand reputation, and support PCI DSS compliance. By setting up DMARC and acting on its reports, you can demonstrate your commitment to safeguarding your clients, employees, and community, ultimately differentiating your business as a trusted and secure entity in your industry.
PCI Compliance Integration with DMARC
Starting March 31, 2025, PCI DSS v4.0 requirement 5.4.1 (mechanisms to detect and protect personnel against phishing attacks) changes from a best practice to a requirement for anyone processing credit cards. Assessors will look for anti-spoofing controls, and DMARC with SPF and DKIM is the control the standard's guidance points to, so expect it to come up in your assessment. However, it goes beyond that. If you look at the NIST Cybersecurity Framework and the accompanying NIST SP 800-177, Trustworthy Email, you will see DMARC recommended throughout.
Securing Email
There are many things that need to happen to secure email in the context of comprehensive email security protection. DMARC is just one facet of email security.
First and foremost, we strongly advise using multi-factor authentication, and Microsoft is increasingly enforcing it on its own tenants. With multi-factor authentication, if somebody were to get your email password, they wouldn't be able to access your account without the second factor. They would need something you know (your password) and something you have (a device or token). This could be through:
- Microsoft Authenticator (a push prompt or a one-time code from the app)
- A hardware security key or token
- A one-time six-digit code; codes from an authenticator app are preferable to codes sent by SMS, which can be intercepted or redirected by SIM swapping
Remember, multi-factor authentication is an absolute must for email security.
Setting Up DMARC Security
When we work with businesses to set up DMARC, we start in monitoring mode and run reports to determine who is sending email using their domain. We typically see mail from legitimate sources such as Microsoft 365, HubSpot, or Constant Contact.
However, sometimes we discover other unauthorized senders. Those are the attempts we want to block. Ongoing reporting is crucial to monitor any attempts to send mail on your behalf and ensure they are properly blocked on the recipient side. This protects your reputation.
Ongoing Reporting
With ongoing reporting, you might find that your marketing department decides to make a change, such as switching from MailChimp to Constant Contact or HubSpot. They need to have a conversation about updating your DMARC, SPF, and DKIM records to ensure mail deliverability. Otherwise, their wonderful marketing communications or invoices from your accounting department might not get delivered.
While there are many acronyms to keep track of, DMARC can be rolled out in a straightforward, staged way if it is set up properly. It then provides ongoing visibility into who is sending as your domain, confirming legitimate senders and keeping a record of every failed attempt.
We expect that if insurance companies aren't already asking about DMARC compliance on their renewal forms, they will be very soon, following the lead of the Payment Card Industry's March 31, 2025 requirement. Local businesses should have cyber insurance as part of their overall business, and it's important to put the pieces in place to become insurable.
Cybersecurity Defense Against Email Spoofing
As cybercrime continues to grow at a rapid pace, it's important to understand that the underlying reason is the significant financial payoff for cybercriminals. The Verizon Data Breach Investigations Report consistently shows email as the main delivery channel for phishing and pretexting, the social engineering patterns behind most business email fraud. Cybercriminals send phishing emails with malicious links or engage in business email compromise (BEC) attacks. Brands are impersonated constantly; think of all those fake messages you receive about package delivery delays. On the inbound side, a strong email security gateway and email filtering are also important facets of protection.
Business Email Compromise and Account Takeovers
In a BEC attack, a cybercriminal can either spoof an email to make it appear as if it's from you or, in some cases, gain access to your actual email account through an account takeover. To protect against these threats, it's essential to monitor Microsoft 365 environments for adverse behavior, such as suspicious forwarding rules that could indicate a compromise.
The financial losses from email compromise are staggering, reaching billions of dollars a year. Consider this scenario: a cybercriminal sends a fake invoice to your client, impersonating your business. Without an enforcing DMARC policy (quarantine or reject) in place, a message forged with your exact domain can land in your client's inbox looking genuine, and the client may pay it, losing money and losing trust in your company for not implementing proper security measures. One caveat: DMARC protects your exact domain. A criminal who registers a lookalike domain, or who takes over one of your real mailboxes, is not stopped by DMARC, which is why the account protections below matter just as much.
Essential Email Security Measures
To enhance email security, here are some crucial steps to take:
- Implement strong, unique passwords and multi-factor authentication wherever possible; this applies to small businesses as much as to large ones
- Follow the NIST Cybersecurity Framework's "Identify, Protect, Detect, Respond, Recover" approach
- Monitor activities within your email environment, such as the creation of new forwarding rules, which could indicate a compromise
DMARC Compliance and Monitoring
DMARC compliance is a vital component of email security and is increasingly expected by mailbox providers, payment card standards, and insurers. A real-world example is a local law firm that discovered through a DMARC report that some senders were still using an old email platform, even after switching to a new website and bulk email provider. Regular monitoring and review of DMARC reports are necessary to maintain a secure email environment.
PCI Compliance and Financial Transactions
If your business processes credit cards, PCI DSS v4.0's anti-phishing requirement becomes mandatory on March 31, 2025, and DMARC is the expected way to meet its anti-spoofing element. However, even if you don't process credit cards, it's crucial to consider the risks associated with financial transactions via email. Failing to secure your email domain can lead to financial losses for your clients if they pay an invoice to the wrong party, or expose them to phishing impersonating your business.
Cybersecurity Frameworks and Guidelines
The NIST Cybersecurity Framework and the Center for Internet Security (CIS) Controls provide valuable guidance on implementing various security measures, with email security prominently featured in both. By following these guidelines and prioritizing email security, you can significantly reduce the risk of falling victim to the vast majority of cybercrime that originates from email-based attacks.
DMARC Email Security Monitoring and Reporting
Many people think that setting up the SPF record, DKIM record, and creating the DMARC record is all that's needed for DMARC email security compliance. However, it's important to understand that the security requirement also involves ongoing reporting.
Insights from DMARC Reports
DMARC aggregate reports, sent (usually daily) by receiving providers to the rua= address in your record, provide clear insights about email authentication and potential threats. For each sending IP address, you can see:
- How many messages claimed to be from your domain
- Whether they passed or failed SPF, DKIM, and DMARC alignment
- What disposition the receiver applied (delivered, quarantined, or rejected) under your published policy
Legitimate volume from your known platforms shows up as passing; anything failing from a source you do not recognize is either a misconfigured vendor or someone attempting to send as you. Therefore, it's extremely important to remember that reading the reports is required in addition to the initial setup.
Keeping DMARC Settings Up to Date
The setup of DMARC, SPF, and DKIM is not a static process because the different programs used by your business may change over time.
Consider these examples:
- You may have a proposal platform that sends email proposals
- A payment platform that sends emails to customers
- Your marketing and sales departments will likely have platforms that send email
For deliverability and PCI compliance, you need to ensure that the list of authorized senders is up to date. You also want to be able to spot trends and assess risks.
Analyzing DMARC Reports
In a DMARC report, we look in detail at:
- Authentication results
- Sending sources
- Message volume patterns
An abnormal spike in message volumes could be an early warning indication that something suspicious is happening. It's similar to the concept of detect and respond, like having motion detectors or a security alarm in your house.
For email, you want strong passwords and multi-factor authentication, which are like the locks on your doors and windows. But you also need to be watching, and that is what reporting provides.
Imagine this scenario: a criminal bypasses the lock and the window alarm doesn't go off, but a motion detector inside the house alerts you to their presence. DMARC reporting plays a similar early-warning role for impersonation: it tells you when someone, somewhere, is sending mail as your domain. Keep in mind what it does not do. A criminal who has taken over one of your real mailboxes sends fully authenticated mail and appears in the reports as legitimate, so detecting intruders inside your email systems requires monitoring the mailboxes themselves (sign-in activity, new forwarding rules) in addition to DMARC.
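As an added example (not part of the original article), here is a short Python script that reads a DMARC aggregate report in the XML layout receivers send to your rua= address, totals the volume per sending IP, and flags sources that are not in your inventory as well as a volume spike. The report, the 203.0.113.0/24 "Microsoft 365" range, and the baseline volume are constructed for illustration and are not real data; a real inventory would come from your SPF record and vendor documentation. Note the second record: its raw SPF result is "pass" for the bulk sender's own bounce domain, but the policy-evaluated result is fail because that domain does not align with your From: domain, which is exactly how an unconfigured marketing platform looks in a report.

```python
"""Summarize a DMARC aggregate (RUA) report and flag unknown senders."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample report in the RFC 7489 aggregate XML layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1718150400</begin><end>1718236800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourbusiness.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourbusiness.example</domain><result>pass</result></dkim>
      <spf><domain>yourbusiness.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>1500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.example</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Hypothetical inventory of sources known to send for the domain. In practice,
# build this from your SPF record and your vendors' published IP ranges.
KNOWN_SOURCES = {"Microsoft 365 (assumed range)": ip_network("203.0.113.0/24")}


def parse_aggregate_report(xml_text):
    """Return one dict per <record> with the fields an analyst cares about."""
    # Reports come from third parties: in production parse with defusedxml
    # (or otherwise disable entity expansion) before trusting the content.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
            # DMARC passes when either aligned DKIM or aligned SPF passes.
            "dmarc_pass": pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass",
        })
    return rows


def classify_source(ip):
    """Label an IP with the known sender it belongs to, or UNKNOWN."""
    addr = ip_address(ip)
    for name, net in KNOWN_SOURCES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def summarize(rows, baseline_daily_volume):
    """Totals plus the two signals worth acting on: unknown sources and volume spikes."""
    total = sum(r["count"] for r in rows)
    failing = sum(r["count"] for r in rows if not r["dmarc_pass"])
    unknown = sorted({r["source_ip"] for r in rows
                      if classify_source(r["source_ip"]) == "UNKNOWN"})
    return {
        "total": total,
        "failing": failing,
        "unknown_sources": unknown,
        # Heuristic (an assumption): more than 3x normal daily volume deserves a look.
        "volume_spike": total > 3 * baseline_daily_volume,
    }


if __name__ == "__main__":
    summary = summarize(parse_aggregate_report(SAMPLE_REPORT), baseline_daily_volume=500)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run on the sample, the script reports 1,920 messages, 1,500 of them failing, one unknown source (198.51.100.77), and a volume spike against a 500-per-day baseline. That unknown source is the question to chase: a vendor you forgot to add to SPF/DKIM, or someone sending as you.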
Responding to DMARC Reports
With any reporting, it's crucial to have a mechanism in place to respond. If something unusual is found in the DMARC report, you need to take action to shut it down. It might be an old system that needs to be decommissioned.
If you're not measuring, reporting, analyzing, and acting on the data, you could have a significant problem that goes undetected for a long time. You might only discover the issue when a customer tells you they paid an invoice reminder to a criminal impersonating your business, even though they had already paid you weeks ago.
The Importance of Incident Response Planning
Incident response planning is a term that often intimidates many local small businesses. We were called in to help a law firm after they had a security incident, and much of the stress and personal pain that everyone went through could have been alleviated if they had a simple plan in place.
Here's the key takeaway: if you discover on a DMARC report that somebody is trying to impersonate you, having an action plan in place allows you to detect it early and stop it.
Staying Ahead of Cybercriminals
Cybercriminals are engaged in a cat and mouse game. As small businesses and all organizations do more to protect themselves against threats, criminals will develop new and more sophisticated techniques. It's important to keep up with the latest trends in cybersecurity because if you don't, you become like the unlocked car in the parking lot that's most likely to be stolen.
The Eye-Opening Nature of DMARC Reports
When we run initial DMARC reports for anyone we work with in our community, it's often an eye-opener. They might say things such as:
- "We haven't used that program in 10 years"
- "Wait a second, what's happening here? We don't have any business in this country"
It's important not to be intimidated by DMARC reporting because the more you do, the more you can improve your chances of staying safe online.
Email Deliverability and Business Impact
Email deliverability is a key factor to consider when implementing DMARC for your organization's cybersecurity and PCI compliance. You want to prevent bad actors from impersonating your company and causing damage to your reputation, customers, and employees. At the same time, you need to ensure that legitimate emails from your organization reach their intended recipients.
Stricter Guidelines and Marketing Challenges
As more mail recipient servers implement stricter guidelines, such as Google's and Yahoo's 2024 requirement that bulk senders publish DMARC and authenticate with aligned SPF or DKIM, your marketing department may face challenges in reaching prospective and existing clients. Without proper DMARC implementation, your emails may not be delivered, hindering your ability to:
- Grow your customer base
- Increase brand awareness
- Introduce new products
Imagine your company is planning a significant fundraiser and sending out emails to promote the event. You've worked with local businesses in the Boston area and have a great communication plan in place. However, you later discover that many people didn't receive your emails. This can be frustrating and detrimental to your fundraising efforts.
Reasons for Non-Delivery and Cybersecurity
There are various reasons why an email may not be delivered, such as the presence of a suspicious link or other factors. A comprehensive cybersecurity program must be multi-faceted to address these issues.
PCI compliance dictates certain requirements, and it's likely that similar compliance standards will be implemented for organizations that accept ACH payments. Insurance companies may also require adherence to these standards.
Importance of Email Deliverability
The importance of email deliverability extends beyond compliance. Your marketing department needs to understand the effectiveness of their campaigns and customer retention rates. If they invest significant time and effort into creating helpful tips and advice for customers, they want to ensure that these emails are actually being received.
NIST SP 800-177, Trustworthy Email, provides well-documented guidelines for email security, including DMARC. By implementing these guidelines and prioritizing email deliverability, your organization can:
- Maintain effective communication with customers
- Protect your reputation
- Comply with essential cybersecurity standards
Integrated Email Security Architecture
When developing a comprehensive cybersecurity program, it's important to remember that small businesses are just as vulnerable to threats as large corporations, and a large share of attacks target them precisely because their defenses are thinner. To protect your business, you need an integrated cybersecurity program that includes DMARC and the controls PCI DSS expects.
How the Protocols Work Together
The protocols work together in a unified system:
- Sender Policy Framework (SPF) publishes in DNS the servers authorized to send mail for your domain, such as your mail server, marketing platform, accounting platform, and quoting platform, and the receiving server checks the connecting IP address against that list. No one else is authorized to send email on your behalf. SPF by itself only checks the envelope (bounce) address, not the From: header the recipient sees, which is why it is not enough alone.
- DomainKeys Identified Mail (DKIM) adds a digital signature to each message, created with a private key held by the sending platform and verified with a public key you publish in DNS; platforms like MailChimp ask you to add that DNS entry so they can sign as your domain.
- DMARC ties the two together by requiring that the domain SPF or DKIM authenticated aligns with the domain in the From: header, and tells receivers what to do when neither does.
Multiple security checkpoints are in place to identify, catch, and respond to various threats. Recipient mail services are increasingly challenging incoming email due to the high volume of cybercrime committed through email. If you don't pay attention to this, your mail may become undeliverable.
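To make the alignment rule concrete, here is an added Python example (not from the article) that evaluates DMARC the way a receiving server does: authentication by SPF or DKIM is necessary but not sufficient, because the authenticated domain must also align with the From: header domain, in either relaxed mode (same organizational domain) or strict mode (exact match). The organizational-domain function takes the last two labels as a simplification; real receivers use the Public Suffix List. All domains and cases are constructed.

```python
"""Evaluate DMARC identifier alignment the way a receiving mail server does."""


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for illustration only; real receivers consult the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    auth, hdr = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return auth == hdr
    return organizational_domain(auth) == organizational_domain(hdr)


def evaluate_dmarc(header_from, spf, dkim_signatures, adkim="r", aspf="r"):
    """Return 'pass' or 'fail'.
    spf: (envelope / MAIL FROM domain, result) from the SPF check.
    dkim_signatures: list of (d= domain, result), one per signature.
    DMARC passes if EITHER mechanism both passes and aligns with header_from."""
    spf_domain, spf_result = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, aspf)
    dkim_ok = any(result == "pass" and aligned(d, header_from, adkim)
                  for d, result in dkim_signatures)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(dmarc_result, policy):
    """What a receiver does with the message under the published p= policy."""
    return "none" if dmarc_result == "pass" else policy


# Constructed cases; every domain here is fictitious.
FROM_DOMAIN = "yourbusiness.example"
CASES = {
    # Mail relayed by your own mail provider, DKIM-signed with your domain.
    "mail provider": (("yourbusiness.example", "pass"),
                      [("yourbusiness.example", "pass")]),
    # Marketing platform not yet configured for your domain: SPF and DKIM
    # both pass for ITS domains, none of which align with yours.
    "unconfigured platform": (("bounce.mailplatform.example", "pass"),
                              [("mailplatform.example", "pass")]),
    # Platform signing with a subdomain you delegated to it.
    "delegated subdomain": (("bounce.mailplatform.example", "pass"),
                            [("mail.yourbusiness.example", "pass")]),
    # Spoofer with a valid SPF record for their own domain and no DKIM.
    "spoofer": (("attacker.example", "pass"), []),
}


def evaluate_cases(adkim="r", aspf="r", policy="reject"):
    """Evaluate every case; returns {name: (dmarc_result, disposition)}."""
    out = {}
    for name, (spf, dkim) in CASES.items():
        result = evaluate_dmarc(FROM_DOMAIN, spf, dkim, adkim, aspf)
        out[name] = (result, disposition(result, policy))
    return out


if __name__ == "__main__":
    for mode in ("r", "s"):
        print(f"adkim={mode}:")
        for name, (res, disp) in evaluate_cases(adkim=mode).items():
            print(f"  {name:22s} DMARC={res:4s} disposition={disp}")
```

The "unconfigured platform" case is the one that bites real businesses: the platform's own SPF and DKIM pass, the vendor dashboard shows green, and the mail still fails DMARC because nothing aligns with your domain. The "delegated subdomain" case shows why the default relaxed alignment is usually the right choice; switching to strict (adkim=s) turns that legitimate mail into a failure.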
Small businesses often think they don't need to worry about this or can address it in the future, but Google and Yahoo already enforce their sender requirements: without SPF or DKIM, and without DMARC if you send in bulk, your emails to Gmail and Yahoo accounts may be rejected or land in spam.
The Importance of an Incident Response Plan
Developing an incident response plan is crucial. DMARC security reporting shows the mail volume being sent, allowing you to see if there is a large volume of unauthorized mail being sent out. You can quickly stop this by tightening up your rules. As the saying goes, you can't manage what you don't measure.
Consider this example: a local manufacturing company moved from G Suite to Microsoft 365 and wanted to ensure that Google was removed from their SPF record to reduce the chances of anyone spoofing mail on their behalf.
Local businesses shouldn’t feel overwhelmed by this. An incident response plan can be as simple as a one-page document outlining key steps. Gather your team and talk through what you’d do in a real scenario. In a crisis, no one reads a 100-page plan—but a clear, actionable strategy makes all the difference.
Consider practical aspects like having phone numbers for everyone on your team. If you're locked out of your computer systems, do you have everyone's personal cell phone in a document that you could access if needed? This is especially important if you become a victim of a ransomware attack and lose access to your office phones, email, and documents.
We recommend keeping insurance policies offline, as cybercriminals have been known to target ransomware attacks based on an organization’s coverage limits to maximize their payout demands.
The Consequences of Not Having a Plan
Imagine this scenario: after a serious cybersecurity incident at a local law firm, we discovered that many employees didn't know what was going on because there was no communication plan in place. Without an incident response plan, employees thought the business was failing and the computers had died. Some even confidentially asked leaders if they should start looking for new jobs.
If you haven't been through an incident, you may not know what to do. Talk to others and develop a plan for how you will respond if a DMARC report shows a high volume of unknown email. You need to investigate and shut it down quickly.
Cybersecurity Compliance and Trust Building
The NIST Cybersecurity Framework, created in response to Executive Order 13636 in 2013 and first published in 2014, aims to get everyone on the same page about what good security looks like. In response to rising cyber threats, especially against critical infrastructure, the framework provides best practices to improve security, resilience, and risk management.
Navigating Compliance Requirements
When talking to local businesses, people often ask if DMARC is specifically required. The challenge with different protocols is that they don't always tell you exactly how to implement something. The NIST Cybersecurity Framework serves as a general framework, while CIS Controls delve into more specifics with their 18 controls.
As of March 31, 2025, PCI DSS v4.0's anti-phishing requirement is mandatory for anyone processing credit cards, and DMARC is the expected way to meet its anti-spoofing element. This affects numerous local businesses that accept credit card payments. Even those who don't accept credit cards due to processing fees should be aware that NACHA, the rules body for ACH payments, may well follow suit, as it tends to align with the payment card industry's practices. With Google and Yahoo's 2024 sender requirements already in force, compliance is on the horizon, even if it's not immediate.
Insurance Policies and Audits
It's wise to review insurance policies, as they often have detailed questions about what they expect you to do, based on data from those who have experienced cybersecurity incidents. Having DMARC conformance with reporting in place allows you to have documentation ready for an audit if needed.
Building Trust with Clients
Earning client trust has never been more important. Customers increasingly ask about the security measures you have in place to protect their data, making cybersecurity a key part of your business strategy.
Some small businesses worry that customers may hesitate to work with them, assuming they lack the resources to keep information secure. However, a strong cybersecurity program doesn’t have to be costly - it just needs to be effective, proactive, and well-implemented to build confidence and credibility.
Communicating to your clients and local community about the steps you're taking to keep their data safe and your commitment to protecting your employees, clients, and community can significantly boost your reputation. This can set you apart from competitors, especially for small businesses that may feel overshadowed by larger companies with substantial budgets. Remember, even the biggest companies with the most resources can still fall victim to a cyber incident. While you can't eliminate the risk entirely, all small businesses should explore these measures.
The Importance of Monitoring and Reporting
The NIST Cybersecurity Framework identifies five core functions (version 2.0, released in 2024, adds a sixth, Govern):
- Identify
- Protect
- Detect
- Respond
- Recover
People easily understand protection, like locking doors and windows, but often overlook the importance of detection and response. Without monitoring, you won’t know if someone is trying to breach your systems - until it’s too late and a serious incident occurs.
Monitoring is incredibly important, and small businesses shouldn't be afraid to implement it. There may be some hesitancy to know, but being aware allows you to drastically reduce the dwell time for a cybercriminal. If someone manages to get through your defenses, which is always a possibility, you want to ensure it's detected and remediated quickly.
A comprehensive cybersecurity plan must include PCI compliance and DMARC email security to effectively protect your business and customers. By taking these steps, you can strengthen your security posture and build trust with your clients.
DMARC Implementation Strategy
When creating a DMARC implementation plan for your local business, you may be tempted to jump straight to rejecting all unauthenticated mail (p=reject). While that's the ultimate goal, it's important to start with a monitoring period (p=none with reporting enabled). This allows you to see what your mail volume looks like and identify any potential issues, such as your marketing department changing email marketing platforms without informing you.
Monitoring and Adjusting Policies
After monitoring for a while and making the necessary adjustments, like adding missing senders to SPF and DKIM and removing outdated entries from your SPF record, work towards full enforcement. Set a clear timeline, such as meeting the PCI DSS deadline of March 31, 2025. Gain a basic understanding of what DMARC compliance requires. Move your policy for non-complying mail from p=none to p=quarantine (you can start with a pct= percentage to limit the impact of mistakes) and then to p=reject once the reports show only legitimate sources passing.
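Here is an added Python example (not the article's) that parses a DMARC TXT record, lints it for the mistakes that most often break a rollout, and suggests the next stage in a monitor-to-reject progression. The records and the dmarc@yourbusiness.example address are constructed; the staging thresholds (start quarantine at pct=10) are one reasonable choice, not a standard.

```python
"""Parse and lint a DMARC DNS TXT record and suggest the next rollout step."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc_record(txt):
    """Return (tags, findings). Findings are ERROR/WARN/INFO strings."""
    findings = []
    tags = parse_dmarc_record(txt)

    # v=DMARC1 must be the first tag or receivers ignore the record entirely.
    first = txt.strip().split(";")[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        findings.append("ERROR: record must begin with v=DMARC1")

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("ERROR: p= is required and must be none, quarantine or reject")

    # Without a mailto: in rua= you publish a policy but never see the reports.
    rua_targets = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not any(u.startswith("mailto:") for u in rua_targets):
        findings.append("WARN: no rua= mailto: address, so you will receive no aggregate reports")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("ERROR: pct= must be an integer 0-100")
    elif int(pct) < 100 and policy == "reject":
        findings.append("WARN: pct<100 at p=reject leaves some spoofed mail unblocked")

    if policy == "none":
        findings.append("INFO: p=none monitors only; receivers deliver failing mail unchanged")
    if "sp" not in tags:
        findings.append("INFO: no sp= tag, so subdomains inherit p=")
    return tags, findings


def next_stage(tags):
    """Staged rollout: monitor -> sampled quarantine -> quarantine -> reject."""
    policy, pct = tags.get("p"), int(tags.get("pct", "100"))
    if policy == "none":
        return "p=quarantine; pct=10"
    if policy == "quarantine" and pct < 100:
        return "p=quarantine; pct=100"
    if policy == "quarantine":
        return "p=reject"
    return "enforced: keep reviewing reports"


# Constructed records: a typical first record, a partially enforced one, and a broken one.
SAMPLE_RECORDS = [
    "v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.example",
    "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@yourbusiness.example; sp=reject",
    "p=reject; v=DMARC1",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        tags, findings = lint_dmarc_record(record)
        print(record)
        for finding in findings:
            print("  " + finding)
        print("  next step: " + next_stage(tags))
```

The third record is the classic mistake: every tag is present, but because v=DMARC1 is not first, receivers treat the domain as having no DMARC record at all, and with no rua= address nobody would ever notice from the reports.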
There are many smart and affordable cybersecurity measures small businesses can implement to strengthen their security posture, achieve PCI compliance, and implement DMARC email security:
- Monitoring email volume and sources
- Adjusting SPF records
- Setting clear compliance timelines
- Understanding DMARC requirements
Acting on DMARC Reports
To make the most of your DMARC reports, act on the information they provide. Ensure your records are clean, with no unknown entries, and learn the signs of trouble, like a sudden influx of mail from an unknown source. Remember, DMARC prevents spoofing of your exact domain; it does not stop lookalike domains or a criminal using a mailbox they have taken over, so a comprehensive cybersecurity program requires additional protections to prevent account breaches.
Balancing Convenience and Security
Many local businesses feel overwhelmed by security requirements, but cybersecurity isn’t optional - it’s a fundamental part of doing business. Cutting corners can lead to serious risks.
In a recent conversation with a local business about email security, we discussed the difference between gateway email security and Microsoft Defender for email. While checking two places may seem inconvenient, the added protection against phishing, malware, and spoofing far outweighs the hassle.
This reflects a common cybersecurity theme: just like multi-factor authentication, a small inconvenience can make a big difference in keeping your business safe.
Implementing DMARC for a Local Business
Last week, while working with a local business, we started by putting their domain into monitoring mode to assess their current situation. This monitoring period can reveal surprises and missing records. We provide monthly reports (or more frequently if desired) for their records.
Having evidence of good faith efforts to implement recommended cybersecurity measures can be invaluable for a small business in the event of an incident.
Don't Ignore Cybersecurity Requirements
Don't ignore cybersecurity requirements or assume they don't apply to you. Even if you don't process credit cards due to high processing rates, consider the potential impact on your business reputation if a fake invoice is sent to one of your clients. Such incidents happen frequently, even if they don't make national news.
Partner with Experts to Secure Your Business Future
DMARC protection helps your business stay ahead of email threats while building client trust. Our team specializes in implementing email security that aligns with PCI compliance standards and blocks fraud attempts. We walk you through DMARC setup with clear steps and ongoing support.
Ready to protect your brand and keep your email communications secure? Contact us today to schedule a consultation. Our team will outline practical steps to defend your business against email fraud while meeting compliance requirements.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.
https://www.linkedin.com/in/annwesterheim/