I can say with confidence that the world does not need more security predictions for 2024. But as we head into the new year, it is important to have conversations about security strategy to inform our business priorities and our road maps.
As I talk to our Red Sift customers, our partners, and the thought leaders of our technical advisory board, one thing is clear: more DMARC and domain authentication requirements are on the way, and they will be here soon.
It’s easy for me to tout the benefits of DMARC: better deliverability, protection against BEC and phishing, the ability to deploy BIMI… the list goes on and on.
But one thing that is becoming clear is in 2024, DMARC is no longer a nice to have. It will be a business imperative.
What’s changing with DMARC in 2024?
As we head into 2024, there are already announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those from email providers like Google and Yahoo, to those from governments, to those from security rating and cyber insurance companies.
Google and Yahoo requirements for bulk senders
The most notable 2024 requirement for DMARC is the joint requirement set from Google and Yahoo that applies to all organizations sending over 5,000 emails a day. To stop email from not being delivered as expected or being delivered as spam, organizations will need to:
- Authenticate their domain. This requires at minimum a DMARC record with a policy of p=none, SPF and DKIM records, SPF or DKIM alignment and FCrDNS.
- Make it easy for receivers to unsubscribe. Organizations that currently have an unsubscribe link in commercial email have until June 1, 2024 to implement one-click unsubscribe.
- Keep spam rates low. Organizations need to keep spam rates reported in Postmaster Tools below 0.3%.
In our research, we discovered that as of December 2023, at least 33% of large organizations globally will fail these requirements, with companies in Korea, Japan, Austria and Germany being particularly underprepared.
Organizations that do not address this will see dwindling delivery rates and messages being sent to spam folders. For businesses that rely on email marketing to generate leads and revenue, the impacts of this could be monumental.
| Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable. Check your DMARC record and other key protocols now |
At Red Sift, we see these requirements as foreshadowing to email providers requiring DMARC enforcement. By requiring DMARC, SPF and DKIM records and SPF or DKIM alignment, the providers are laying the groundwork for stricter DMARC enforcement policies. Organizations should be more aggressive in their DMARC configuration than is required come February 1, 2024, as their domains will also benefit from spoofing and impersonation protection by implementing stronger DMARC policies.
CISA recommendations
In October of 2023, CISA (Cybersecurity & Infrastructure Security Agency) put forth new Phishing Guidance. This document was released in coordination with the NSA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to outline phishing techniques and provide guidance for defenders.
In the guidance, the agency puts forth tailored recommendations to stop phishing attacks focused on obtaining login credentials and installing malware.
To mitigate these attacks, the agency recommends many baseline protections including enabling DMARC, SPF, and DKIM, and making sure that your DMARC enforcement is set to p=reject.
PCI DSS 4.0
On March 31, 2022, the PCI Security Standards Council (PCI SSC) released DSS v4.0. While these requirements for payment processors do not go into effect until March 31, 2025, the majority of organizations are using this year to make sure they are completely compliant.
One of the new requirements in PCI DSS v4.0 is phishing protection. Req 5.4.1 requires “automated mechanisms” to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.
Security ratings requirements
While no formal updates for DMARC have been announced from the security ratings companies, we are hearing early feedback from our customers that DMARC is becoming a higher priority in the eyes of these entities.
For example, SecurityScorecard currently accounts for SPF configuration in its grading system. It is not inconceivable that they will soon be looking at DMARC and DKIM as part of their rating algorithm as well.
Existing DMARC mandates
Everything we have covered so far is additive to the existing DMARC requirements and recommendations put forth by governing bodies around the globe. While the list is not exhaustive, it shows the global attention on protecting against phishing, business email compromise (BEC) and exact domain impersonation.
Status | Affected Geography | Issuing body | Name | Description | Mandate type | Issuance/update date | Enforcement date | Learn More |
Upcoming | Global | Google & Yahoo | New requirements for bulk senders | Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM, or SPF alignment and have a DMARC policy of p=none. | Private sector mandate | October 3, 2023 | February 1, 2024 | |
Upcoming | Global | PCI DSS | PCI DSS v4.0 Req 5.4.1 | “Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM. | Compliance mandate | March 2022 | March 31, 2025 | |
Current | UK | GDS | Government Cybersecurity Policy Handbook Principle: B3 Data Security | Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard. | Mandate for government agencies | April 6, 2023 | April 6, 2023 | |
Current | United States | CISA | Binding Operational Directive 18-01: Enhance Email and Web Security | Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject. | Mandate for government agencies | October 16, 2017 | September 20, 2018 | |
Current | United States | NIST | NIST Special Publication 800-177Revision 1: Trustworthy email | Recommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email. | Guidance | February 2019 |
See the full list of mandates and recommendations for DMARC here.
Getting ready for changing DMARC requirements
Given that email remains the number one attack vector and business email compromise alone accounted for $2.7 billion in losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security.
| To see if your organization is prepared, make sure to check out Red Sift Investigate where you can see if your organization’s DMARC, SPF, DKIM, and other important email security protocols are set up correctly. Check your DMARC record and other key protocols now |
