Something is broken in the land of email
Everyone relies on email, and organisations probably even more than individuals. Marketing and Communications teams in particular are hugely reliant on email to reach their audience. But something is broken in the land of email, and many organisations seem to be oblivious to it. Unlike many cyber security issues which only affect the organisation when a breach happens, this is hurting them right now, because their email isn’t being delivered.
Background
As anyone who works in or adjacent to cyber security knows, email is still the primary delivery method for threats whether that’s phishing, malware or fraud like Business Email Compromise. Securing email is a top priority for any service provider or internal IT/blue team, and over the last few years an anti-spoofing protocol called DMARC has become widely adopted.
I’m not going to write an explanation of how DMARC works (check out this UK Gov guide, or the implementation guides from Microsoft and Google) but basically it allows your mail server to check whether sending mail servers are authorised to send email for a specific domain. It’s not perfect, but it does make it a lot harder for cyber-criminals to deliver phishing or malware to your users.
Organisations like the one I work for are on top of this, using DMARC in our anti-spam and anti-phishing policies, and that has proven really effective at blocking attacks which might otherwise have gone undetected.
The problem – DMARC only works if you configure it
We’ve found we’re blocking email from partners, suppliers and funders, not because we’ve configured our email wrong, but because the sending organisation hasn’t configured DMARC at all. To be specific, they haven’t configured SPF records, a DKIM signature and DMARC for their domain, so some of the email they’re sending (which is legitimate) will be flagged as ‘spoofed domain’ by the receiving server and quarantined or blocked.
The vast majority of email I see caught in this trap comes from mailing list services like MailChimp or SendGrid where the sending organisation hasn’t updated their mail configuration as per the instructions from MailChimp, SendGrid et al.
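To make concrete why mail from a list service fails the check described above, here is a small DMARC record parser and identifier-alignment evaluator. It is an added example, not code from the original post or from any mail provider, and it assumes a simplified organisational-domain rule (last two labels, no Public Suffix List); the domain names in it are constructed.

```python
# Added example: DMARC record parsing and identifier alignment, showing why a
# list service sending "From: example.org" fails unless the sender configures
# DKIM (or SPF) for its own domain. Domain names below are constructed.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=quarantine; adkim=s') into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("aspf", "r")   # relaxed alignment is the RFC 7489 default
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption:
    no Public Suffix List, so 'example.co.uk' style names are not handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, dmarc_txt, spf_pass_domain=None, dkim_pass_domain=None):
    """Return ('pass'|'fail', policy). spf_pass_domain is the MAIL FROM domain
    that passed SPF (None if SPF failed); dkim_pass_domain is the d= of a
    DKIM signature that verified (None if none did)."""
    tags = parse_dmarc(dmarc_txt)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"
    # List service bounces from its own domain and signs with its own key: fail.
    print(evaluate("example.org", record, "bounce.listservice.example", "listservice.example"))
    # Same mail after the sender adds the service's custom DKIM for example.org: pass.
    print(evaluate("example.org", record, "bounce.listservice.example", "example.org"))
```

The first call is the situation the post describes: SPF and DKIM both pass, but for the list service's domain, so neither aligns with the From domain and the receiver applies the quarantine policy.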
I originally assumed this was just a resource/capability issue typical in small organisations, but I’ve had to set up allow list exceptions to our anti-spoofing protections for a Russell Group University, a political party and a moderate sized SaaS provider. I suspect the issue is that mailing list services are Marketing driven and almost ‘shadow IT’, not because they’re set up without due authority, but they are set up without appropriate engagement with IT or managed service partners, which compromises planning, documentation and testing.
The race is on
Whilst this has mostly been an issue when sending email to organisations, this now affects individuals. In June 2023 I saw my first email to a Gmail address blocked because the sending server had no DMARC set up.
Earlier this month Google announced that from February 2024 they will require all organisations sending email to Google email addresses to set up SPF or DKIM email authentication for their domain, and bulk senders will have to set up DMARC.
The solution – fix your SPF, DKIM and DMARC
This really isn’t difficult to do, and you owe it to your colleagues and customers to get it right. As I said above, I’m not going to write a guide to configuring DMARC when email providers have done that for you.
One tip for any organisation in the UK public sector, education or charities is to use the free NCSC Mail Check service, which includes a monitoring tool which you might otherwise have to pay for.
If you’re not in one of those sectors then you’ll need to subscribe to a monitoring service to make sure that you’ve captured all the services which are authorised to send email on your organisation’s behalf. I’ve not tried it, but Postmark do a free DMARC Monitoring tool which is probably worth a try.