Google’s adoption of DMARC is a huge step in the right direction for global DMARC deployment and a mark of the stability of DMARC in general. While Yahoo previously announced this same policy, having Google, the largest email provider in the world, move to “reject” is a huge endorsement.
What does this mean for financial services and other companies looking to ensure they are not adversely affected by these changes? Based on our experience helping customers fully deploy DMARC on the sender side, combined with recommendations from BITS (The Financial Services Roundtable), here are the five steps we recommend to make sure your organization is DMARC-ready before these changes take place.
- Audit: Create an inventory of your organization’s email domains, email streams, and email types, including all domains actively sending email as well as inactive domains registered for defensive or brand protection purposes. Active domains can contain multiple email streams originating from different groups or vendors. DMARC-provided data and/or the Trusted Email Registry can augment in-house research and reduce the cost of discovering email streams.
- Detect: Compare and contrast real-world data against your stated email authentication implementation strategy.
- Remediate: Resolve any email authentication implementation issues or operational issues uncovered during the Audit or Detect phases.
- Secure: Implement blocking policies for both active and inactive domains. Publishing a blocking policy allows participating ISPs to either quarantine or reject unauthenticated email on your behalf.
- Monitor: Continue to look for new signs of abuse, operational issues, changes in network topology, and other anomalies. Aggressively pursue takedowns to gain a reputation for being a ‘hard target’.
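The Secure step can be checked mechanically across the inventory built in the Audit step. The Python sketch below is an added example, not code from the original article or its author: it parses DMARC TXT records and lists what keeps each domain from a blocking policy. The domains and records are constructed sample data, and requiring `reject` for inactive domains is an assumption of the example.

```python
# Added example: check DMARC TXT records against the "Secure" step.
# All domains and records here are constructed sample data.
BLOCKING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt, active=True):
    """List what keeps a domain from a blocking policy; [] means it is ready."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags is None:
        return ["TXT record is not a DMARC record"]
    findings = []
    # Assumption of this example: inactive domains send no mail, so require reject.
    wanted = BLOCKING if active else {"reject"}
    policy = tags.get("p", "").lower()
    if policy not in wanted:
        findings.append(f"p={policy or '(missing)'}: want {' or '.join(sorted(wanted))}")
    sp = tags.get("sp")
    if sp is not None and sp.lower() not in wanted:
        findings.append(f"sp={sp} weakens the policy for subdomains")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag, so no aggregate reports to monitor")
    return findings

INVENTORY = [  # (domain, active?, TXT at _dmarc.<domain>) -- constructed
    ("example.com", True, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("news.example.com", True, "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("example.net", False, "v=DMARC1; p=quarantine; pct=50"),
    ("example.org", False, None),
]

if __name__ == "__main__":
    for domain, active, txt in INVENTORY:
        print(domain, audit(txt, active) or "ready")
```

In practice the TXT strings would come from a DNS lookup of `_dmarc.<domain>` for every domain in the inventory, including the inactive ones.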
DMARC is a useful authentication standard that will help reduce the amount of spam delivered worldwide. While many organizations have been dragging their feet on adoption, Google’s move to a strict reject policy means that no company wanting to communicate with their clients can continue to ignore it.

Daniel Ingevaldson, CTO, EasySolution: With over 15 years of experience protecting some of the world’s biggest organizations from next-generation threats, Daniel is our guru when it comes to developing fresh approaches to online security and fraud. As our CTO, he defines and executes the strategies for researching and creating the next phase of Total Fraud Protection® products.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.