What is DMARC and Why Is It Suddenly Important?
It’s no secret that cybersecurity incidents and breaches have increased dramatically in the last few years. Yet it wasn’t that long ago that when we talked about the importance of cybersecurity with our clients, we generally got blank stares and bored looks. Almost all of them told us that their business was too small, too anonymous on the Internet and too insignificant for hackers to go after. They held that belief even though we told them that on the web, all organizations are equally at risk.
Fast forward to today, and everyone we talk with is very much aware of the threats and of the need to protect themselves and their businesses from being victimized by cyber criminals. The reality is that all of us are one degree of separation from someone who has experienced a cyber incident or breach.
Recently, much of the emphasis on cybersecurity has come from insurance carriers trying to limit their exposure to cyber incidents by requiring their customers to improve their cyber hygiene and invest in security.
Starting in 2024, many insurance carriers have set their sights on an email security protocol called DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by tying their results to the email sender’s domain and by letting the domain owner publish a policy for how receivers should handle messages that fail authentication.
Why is DMARC suddenly important? To put it simply, DMARC helps prevent email spoofing and impersonation. DMARC policies are published through the Domain Name System (DNS), the Internet’s navigation system, which lets us find websites and send email without worrying about the complex technology that makes it work.
DNS ensures that when you type www.alvareztg.com into a browser, you get to the right website. It also ensures that when you send an email to [email protected], it gets to the intended destination – you hope.
That’s where DMARC comes in. SPF and DKIM records for your email domain are created in DNS, and a DMARC policy is published alongside them so that receiving mail servers can verify that emails claiming to come from your domain really did. Once DMARC is set up and set to enforce, cyber criminals trying to spoof your domain will have their emails rejected.
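To make the "linking SPF and DKIM to the sender’s domain" idea concrete, here is a small receiver-side DMARC evaluator. It is an added example written for this post, not code from the author or from any DMARC product; the DNS record strings, domains and authentication results it uses are constructed for illustration, and the organizational-domain helper is a deliberate simplification (real implementations consult the Public Suffix List).

```python
"""Minimal DMARC evaluation: parse a published record, check SPF/DKIM
alignment against the visible From domain, and return the disposition.
Added example; all records and domains below are constructed."""
from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DNS TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a dict of tag -> value, filling in DMARC's defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for the example only; production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From domain;
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # domain SPF was checked against (MAIL FROM)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def evaluate_dmarc(record: dict, r: AuthResults) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when at least one of
    SPF or DKIM passed AND that identifier is aligned with the From domain.
    The published policy applies only on failure (pct sampling is ignored)."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, record["p"]


if __name__ == "__main__":
    # Constructed record as it might be published at _dmarc.example.com
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")
    # A spoof: From says example.com, but SPF only passes for an unrelated bounce domain
    spoof = AuthResults("example.com", "pass", "unrelated.example", "none", "")
    print("spoof  ->", evaluate_dmarc(rec, spoof))
    # Legitimate mail signed by a subdomain: relaxed alignment lets it pass
    legit = AuthResults("example.com", "fail", "unrelated.example", "pass", "mail.example.com")
    print("legit  ->", evaluate_dmarc(rec, legit))
```

The spoofed message fails even though SPF "passed", because SPF passed for a domain that is not aligned with the From header; that alignment step is exactly what DMARC adds on top of SPF and DKIM, and the `p=` tag is what turns a failure into a rejection.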
DMARC is also becoming a requirement for compliance with the Payment Card Industry (PCI) standard version 4. To achieve compliance, companies that handle credit cards and other forms of payment must implement DMARC by 2025.
If that is not enough motivation to implement DMARC, Google and Yahoo upped the ante late last year when they announced that they would start enforcing DMARC in 2023 for senders of bulk email, such as newsletters and promotional offers. By April 2024, organizations need to implement and enforce DMARC or risk having their emails blocked. Keep in mind that together, Google and Yahoo represent more than 75 percent of all email destinations, so this is a big deal.
Implementing DMARC can be complicated, and ensuring that DMARC is enforced takes active monitoring and maintenance, so it’s not a set-it-and-forget-it situation. It also takes time to implement and verify, so waiting until the last minute is not an option. Talk to your IT team or service provider to make sure they are aware of the DMARC requirements and start the process today, or you may find yourself out of compliance with your insurance policy requirements and, worse yet, with your emails getting rejected.
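The "active monitoring" part of that advice is driven by the aggregate reports (the `rua=` address in the DMARC record) that receivers send back. As an added example, not from the original post, here is a script that summarizes such a report per sending IP so that unexpected senders and failing legitimate senders show up before a policy is moved to enforcement. The XML is a constructed sample following the RFC 7489 aggregate-report layout, and the IP addresses are from the documentation ranges.

```python
"""Summarize a DMARC aggregate (rua) report by source IP.
Added example; the report below is constructed, not a real receiver's data."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return the published policy plus, per source IP, how many messages
    were seen, how many failed DMARC (neither aligned SPF nor aligned DKIM
    passed) and how many the receiver quarantined or rejected."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "acted_on": 0}),
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # In policy_evaluated, dkim/spf are already the *aligned* results
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        disposition = rec.findtext("row/policy_evaluated/disposition")
        entry = summary["sources"][ip]
        entry["total"] += count
        if dkim != "pass" and spf != "pass":
            entry["dmarc_fail"] += count
        if disposition in ("quarantine", "reject"):
            entry["acted_on"] += count
    summary["sources"] = dict(summary["sources"])
    return summary


def failing_sources(summary: dict) -> list:
    """IPs that produced any DMARC failure, worst first: the list to review
    for forgotten legitimate senders (fix SPF/DKIM) versus spoofing."""
    return sorted(
        (ip for ip, e in summary["sources"].items() if e["dmarc_fail"]),
        key=lambda ip: -summary["sources"][ip]["dmarc_fail"],
    )


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} policy={s['policy']}")
    for ip, e in s["sources"].items():
        print(f"{ip:>15}  total={e['total']:>4}  dmarc_fail={e['dmarc_fail']:>4}  acted_on={e['acted_on']:>4}")
    print("review:", failing_sources(s))
```

Reading the sample output the way an operator would: 192.0.2.10 is healthy, 198.51.100.7 still passes DMARC on SPF alone but has a broken DKIM signature worth fixing before anything else changes, and 203.0.113.99 fails both checks and is being rejected under the published policy, which is what you want to see for a sender you do not recognize.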