Businesses risk having customer emails rejected if they fail to implement anti-impersonation security standards by February as Google and Yahoo move towards rejecting emails from high-volume senders who don’t take protections against spammers.
Google’s automated filters already block over 15 billion spam emails every day but the crackdown by the two companies – whose email services together carry around 30 per cent of global emails – means that any business sending over 5,000 messages per day to customers of their email services, such as targeted newsletters or mass mailouts about special offers, will see their messages blocked unless they meet several requirements.
Google’s new policy requires bulk email senders to “strongly authenticate their emails following well-established best practices” – with guidelines mandating use of standards including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).
“As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the Internet,” Google said in outlining requirements that will also force bulk email senders to offer one-click unsubscription, process unsubscribe requests within two days, and enforce spam rate thresholds “to ensure Gmail recipients aren’t bombarded with unwanted messages”.
New requirements by Yahoo, which joined Google to announce similar changes, could threaten global email marketing revenues estimated at more than $16.7 billion (US$10.9 billion) per year – with 80 per cent of companies using email marketing newsletters and email carrying 63 per cent of all automated marketing messages.
Cyber criminals are equally enamoured with email: fully 90 per cent of respondents to a recent GetApp survey, of 561 Australian employees and managers, had received a phishing attack at work via email – with impersonation of a company (49 per cent), bank (40 per cent), package delivery company (37 per cent) and government agency (24 per cent) the most common types of attacks.
Heads in the sand no more
The threat of mass email blocks means that companies can no longer afford to ignore DMARC – a decade-old standard that is published as a record in the Domain Name System (DNS), the servers that serve as the Internet’s address book.
DMARC, which tells receiving mail servers how to handle a message whose visible From: domain does not align with the domain authenticated by SPF or DKIM, prevents cyber criminals from manipulating email headers to make phishing and spam messages look legitimate.
It offers three levels of strictness – ‘none’, ‘quarantine’, and ‘reject’ – but has been ignored or deferred by many companies who either worry DMARC is a blunt instrument that could block important communications, or cannot implement it because other parties control their DNS records.
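The following is an added example, not code from the article or from any vendor it mentions, showing what a receiver’s DMARC check actually does with the ‘none’, ‘quarantine’ and ‘reject’ settings described above. It parses a DMARC TXT record, tests whether the From: header domain aligns with the domain that passed SPF or DKIM, and returns the disposition the published policy calls for. The domains are constructed (example.com and example.net are reserved documentation names), the organisational-domain rule is a simplification of the Public Suffix List lookup real receivers use, and the pct= sampling tag is parsed but not applied.

```python
"""Minimal DMARC policy evaluation (added example, assumptions noted in comments).

Parses a DMARC record, checks identifier alignment between the From: header
domain and the SPF/DKIM-authenticated domains, and reports the disposition
(none / quarantine / reject) a receiver would apply.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag -> value dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record must carry a p= policy tag")
    # Defaults from the DMARC specification: relaxed alignment, apply to 100%.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    # Assumption/simplification: the organisational domain is the last two
    # labels. Production code uses the Public Suffix List so that
    # 'example.co.uk' is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') matches the org domain."""
    if not auth_domain:
        return False
    hf, ad = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # envelope (MAIL FROM) domain that SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= tag of a DKIM signature that verified


def evaluate(header_from: str, record_txt: str, auth: AuthResult) -> dict:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From:."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_pass and aligned(header_from, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(header_from, auth.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A passing message is delivered normally; a failing one gets the
        # published policy (none = deliver and just report, quarantine, reject).
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # Constructed record for the documentation domain example.com.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # Message claiming to be from example.com but only authenticated for example.net:
    spoof = AuthResult(spf_pass=True, spf_domain="example.net", dkim_pass=False, dkim_domain="")
    print(evaluate("example.com", record, spoof))          # disposition: reject
    # Legitimate newsletter signed by a subdomain (relaxed DKIM alignment passes):
    legit = AuthResult(spf_pass=False, spf_domain="", dkim_pass=True, dkim_domain="newsletter.example.com")
    print(evaluate("example.com", record, legit))          # disposition: none
```

The second case is the one that trips organisations up when they move from ‘none’ to ‘reject’: a third-party system that signs with an unaligned domain, or no DKIM at all, passes SPF for its own domain yet still fails DMARC because nothing aligns with the From: header.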
One recent “extremely worrying” SendLayer study, for example, found 88 per cent of Fortune 500 companies using DMARC but just 35 per cent of government domains, and 34 per cent of the Top 5,000 global companies, doing the same.
SendLayer also found that 41 per cent of banking industry domains had no DMARC protection – an Achilles’ heel for an industry that is particularly targeted by scammers and phishing attacks and has already been flagged for having “inadequate” cyber security.
Although the technical process of implementing DMARC is not overly complex, the implications of inaction are considerable as current email standards are dangerously exposed to manipulation, particularly as malicious generative AI tools facilitate the creation of near-perfect fakes.
“This is one of the key aspects when customers ask us to do a red-teaming exercise,” warns Louay Ghashash, director and principal of cyber security consultancy Spartans Security and chair of the ACS Cyber Security Committee.
“We find that customers that don’t have a DMARC record are so easy to impersonate, and we can easily send emails pretending to be the CEO or CFO and requesting employees send money or click on a link. It’s just so easy.”
Squeezing out email impersonation
Companies must get on the front foot to manage this exposure, Ghashash said, noting that in the short term Google and Yahoo will allow companies to use a ‘none’ setting to evaluate their exposure to scammers and cyber criminals.
One customer, Ghashash said, has spent nearly 12 months auditing its email usage and found its reliance on email was even broader than it had realised.
“Marketing and finance and HR have all got a myriad of systems that they haven’t told IT about,” Ghashash explained.
“Suddenly you find general business processes linked to those email systems – and when you try to implement DMARC in ‘reject’ mode, they start finding all those emails failing to arrive.”
Email providers will likely tighten the screws, Ghashash said, mandating increasingly strict DMARC policies in an echo of industry efforts to push customers from insecure HTTP to secure HTTPS technology.
By 2025, he believes DMARC REJECT policies could be table stakes, and bulk emails from any non-compliant company will be unceremoniously dumped.
“It’s a long journey,” Ghashash said. “It’s not a hard exercise to do, but it’s going to take a lot of time to put it in audit mode, collect metrics about your systems, and then eventually put it in REJECT mode.”
“That’s why these things need to be taken gradually: you need 6 to 12 months, at least, based on the size of your organisation, to understand what is being sent on your behalf.
“But a lot of customers still don’t understand what DMARC is.”
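The audit mode Ghashash describes works by publishing p=none with a rua= address and reading the aggregate reports receivers send back, which list every IP that sent mail using your domain and whether it passed. The script below is an added example (not from the article or from Spartans Security) that parses one such report and ranks the sources that would be dropped under a ‘reject’ policy. The XML is constructed for this example using the documentation domain example.com and TEST-NET addresses; the element layout follows the DMARC aggregate report format, but the report itself is not real data.

```python
"""Summarise a DMARC aggregate (RUA) report to find unauthenticated senders.

Added example. The report below is constructed; its structure mirrors the
DMARC aggregate report schema (feedback / policy_published / record).
"""
import xml.etree.ElementTree as ET

# Constructed sample report: a mail gateway that passes, a marketing platform
# that nobody told IT about, and a small amount of traffic that looks like spoofing.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_aggregate_report(xml_text: str) -> dict:
    """Return totals plus the failing sources, largest first."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        sources.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": dkim,
            "spf": spf,
            # policy_evaluated already reflects alignment, so DMARC passes when
            # either aligned identifier passed.
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    failing = sorted((s for s in sources if not s["dmarc_pass"]), key=lambda s: -s["count"])
    return {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "total_messages": sum(s["count"] for s in sources),
        "would_fail_under_reject": sum(s["count"] for s in failing),
        "failing_sources": failing,
    }


if __name__ == "__main__":
    summary = summarise_aggregate_report(SAMPLE_REPORT)
    print(f"{summary['domain']} (p={summary['published_policy']}): "
          f"{summary['would_fail_under_reject']}/{summary['total_messages']} messages would fail")
    for src in summary["failing_sources"]:
        print(f"  {src['source_ip']:<15} {src['count']:>6}  dkim={src['dkim']} spf={src['spf']}")
```

Run over a few months of reports, the large failing source (here 198.51.100.7) is the kind of unregistered marketing or HR platform that needs SPF and DKIM set up before the policy moves to ‘quarantine’ and then ‘reject’; a low-volume failing source with no owner is what the policy is meant to stop.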