MSP, Email security

How MSPs Can Use DMARC to Boost Email Security

Concept of cyber crime, hand using laptop and show malware screen that comes with email, hack password and personal data.

The greatest threat to a customer’s cybersecurity could be sitting in an employee’s inbox right now in the form of a spoofed email. In fact, just last week the National Security Agency (NSA) joined the Federal Bureau of Investigation (FBI) and the U.S. Department of State in releasing a Cybersecurity Advisory (CSA) that stated, "North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts,’ warning organizations about the threat posted by Democratic People’s Republic of Korea (DPRK, aka North Korea) techniques that allow emails to appear to be from legitimate journalists, academics, or other experts in East Asian affairs…”

Whether from North Korea or closer to home, if you're an MSP or MSSP and want to decrease the chances that spoofed email makes its way into your -- or your cutomers’ -- inboxes in the first place, DMARC is one way to do so.

DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance”, is an email authentication policy, and reporting protocol. It builds on the widely-deployed sender policy framework (SPF) and domain keys identified message (DKIM) email authentication protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

According to the Kaseya Security Survey Report 2023, the most common vector for a ransomware attack is via email. And one way cyberattackers make their email incursions more effective is via spoofing – impersonating a legitimate email sender’s address to increase the chances an unsuspecting user will open the email and interact with it in the way the attacker needs them to.

DMARC is an open standard, and until recently, its use has been sporadic and optional. But in October 2023, Google and Yahoo announced that bulk senders will be subject to more stringent requirements for authentication of the mail sent to these two mailbox providers, said Kevin Dunne, COO of hosted DMARC and DMARC-as-a-Service provider Valimail.

With such a big push from two of the biggest email providers, there's a major opportunity for MSPs to help secure customers' email against spoofing and phishing, Dunne said.

"A lot of organizations think, 'Oh, I use G-suite or Microsoft for my email, so they automatically protect against this stuff,' and that's not necessarily the case," Dunne said. "They are thinking about receiving, not necessarily sending, which is the difference."

What Google requires for bulk senders includes:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • Set up SPF and DKIM email authentication for your domain and
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.

In plainer language, Dunne said, this means that any business that sends a lot of emails must make sure they are in alignment with these requirements or their emails won't make it to their recipients. That can be bad for business, especially if your customer uses email marketing or sends newsletters to a large group -- which is nearly everyone, Dunne added.

When the news was first announced, the guidance was simply that email senders who send marketing emails to 5,000 or more inboxes per day would be impacted, according to a Valimail blog. But recently, Google and Yahoo updated the guidance, and any sender who has sent 5,000 messages in a day at least once in the past is now permanently classified as a bulk sender, Dunne said.

"So, even if you're Suzy's Yogurt Shop with a small storefront and two employees, if you did a bulk mail and sent a coupon to your community, you are counted as a bulk sender and need to comply with the rules," he said. If you’re wrongly classified as a bulk sender, according to Valimail, Google hinted that there could be a process for getting off that list. However, Dunne cautioned, these requirements are a signal for the future, and these best practices will be required for all senders at some point. It’s best to start the process now, regardless of whether you’re a bulk sender or not. 

"That means it's prime time for MSPs to help customers solve this. If customers don't address this, they may not even have to worry about spoofing, because their emails won't even make it to the inboxes!" Dunne said.

Valimail's DMARC-as-a-Service offering is a model for how MSPs can deliver on helping customers maintain compliance with this open standard, he said. In addition to other email security solutions, MSPs can help customers make the required DNS changes, set up their SPF and DKIM and monitor for compliance.

The service is also available through the Pax8 Marketplace, Dunne said, and Valimail has seen a major spike in interest over the last six months since the changes were first announced. Since the deadline for compliance April 30, he said customers and fellow service providers have reported an uptick in complaints about emails not getting through and delivery failures.

"And that's a great segue into starting the conversation about how to help customers with DMARC, why it's happening, why it's important, what you can do about it and why turning to an MSP or service provider like Valimail is the right move," he said. While there are existing requirements like PCI-DSS 4.0 that already require DMARC, it has been piecemeal and inconsistent.

"People ignore it until it affects them, and sure, you can get there on your own. But it's challenging, and it's a huge process to make sure things don't break if email configuration changes," Dunne said. "We're like an 'Easy button' for DMARC compliance -- generally, DIYers have below a 50% success rate and it takes over a year to get there. We have about a 95% success rate, and we can get there in a few months; for some smaller customers, it can be days."