2024: The year of DMARC as a business imperative

I can say with confidence that the world does not need more security predictions for 2024. But as we head into the new year, it is important to have conversations about security strategy to inform our business priorities and our road maps. 

As I talk to our Red Sift customers, our partners, and the thought leaders of our technical advisory board, one thing is clear: more DMARC and domain authentication requirements are on the way, and they will be here soon. 

It’s easy for me to tout the benefits of DMARC: better deliverability, protection against BEC and phishing, the ability to deploy BIMI… the list goes on and on. 

But one thing that is becoming clear is in 2024, DMARC is no longer a nice to have. It will be a business imperative. 

What’s changing with DMARC in 2024?

As we head into 2024, there are already announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those from email providers like Google and Yahoo, to those from governments, to those from security rating and cyber insurance companies. 

Google and Yahoo requirements for bulk senders

The most notable 2024 requirement for DMARC is the joint requirement set from Google and Yahoo that applies to all organizations sending over 5,000 emails a day. To stop email from not being delivered as expected or being delivered as spam, organizations will need to: 

  1. Authenticate their domain. This requires at minimum a DMARC record with a policy of p=none, SPF and DKIM records, SPF or DKIM alignment and FCrDNS. 
  2. Make it easy for receivers to unsubscribe. Organizations that currently have an unsubscribe link in commercial email have until June 1, 2024 to implement one-click unsubscribe.
  3. Keep spam rates low. Organizations need to keep spam rates reported in Postmaster Tools below 0.3%.

In our research, we discovered that as of December 2023, at least 33% of large organizations globally will fail these requirements, with companies in Korea, Japan, Austria and Germany being particularly underprepared. 

Organizations that do not address this will see dwindling delivery rates and messages being sent to spam folders. For businesses that rely on email marketing to generate leads and revenue, the impacts of this could be monumental.

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your DMARC record and other key protocols now

At Red Sift, we see these requirements as foreshadowing to email providers requiring DMARC enforcement. By requiring DMARC, SPF and DKIM records and SPF or DKIM alignment, the providers are laying the groundwork for stricter DMARC enforcement policies. Organizations should be more aggressive in their DMARC configuration than is required come February 1, 2024, as their domains will also benefit from spoofing and impersonation protection by implementing stronger DMARC policies. 

CISA recommendations

In October of 2023, CISA (Cybersecurity & Infrastructure Security Agency) put forth new Phishing Guidance. This document was released in coordination with the NSA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to outline phishing techniques and provide guidance for defenders. 

In the guidance, the agency puts forth tailored recommendations to stop phishing attacks focused on obtaining login credentials and installing malware.

To mitigate these attacks, the agency recommends many baseline protections including enabling DMARC, SPF, and DKIM, and making sure that your DMARC enforcement is set to p=reject.

PCI DDS 4.0

On March 31, 2022, the PCI Security Standards Council (PCI SSC) released DSS v4.0. While these requirements for payment processors do not go into effect until March 31, 2025, the majority of organizations are using this year to make sure they are completely compliant. 

One of the new requirements in PCI DDS v4.0 is phishing protection. Req 5.4.1 requires “automated mechanisms” to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.

Security ratings requirements

While no formal updates for DMARC have been announced from the security ratings companies, we are hearing early feedback from our customers that DMARC is becoming a higher priority in the eyes of these entities.

For example, SecurityScorecard currently accounts for SPF configuration in its grading system. It is not inconceivable that they will soon be looking at DMARC and DKIM as part of their rating algorithm as well. 

Existing DMARC mandates

Everything we have covered so far is additive to the existing DMARC requirements and recommendations put forth by governing bodies around the globe. While the list is not exhaustive, it shows the global attention on protecting against phishing, business email compromise (BEC) and exact domain impersonation. 

Status
Affected Geography
Issuing body
Name
Description
Mandate type
Issuance/update date
Enforcement date
Learn More
Upcoming
Global
Google & Yahoo
New requirements for bulk senders
Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM, or SPF alignment and have a DMARC policy of p=none.
Private sector mandate
October 3, 2023
February 1, 2024
Upcoming
Global
PCI DDS
PCI DDS v4.0 Req 5.4.1
“Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.
Compliance mandate
March 2022
March 31, 2025
Current
UK
GDS
Government Cybersecurity Policy Handbook Principle: B3 Data Security
Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard.
Mandate for government agencies
April 6, 2023
April 6, 2023
Current
United States
CISA
Binding Operational Directive 18-01: Enhance Email and Web Security
Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject.
Mandate for government agencies
October 16, 2017
September 20, 2018
Current
United States
NIST
NIST Special Publication 800-177Revision 1: Trustworthy email
Recommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email.
Guidance
February 2019

See the full list of mandates and recommendations for DMARC here.

Getting ready for changing DMARC requirements

Given that email remains the number one attack vector and business email compromise alone accounted for $2.7 billion in losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security. 

To see if your organization is prepared, make sure to check out Red Sift Investigate where you can see if your organization’s DMARC, SPF, DKIM, and other important email security protocols are set up correctly.

Check your DMARC record and other key protocols now

PUBLISHED BY

Rahul Powar

23 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Winter wins: Red Sift OnDMARC wraps up 2024 as a G2 DMARC…

Francesca Rünger-Field

The season of giving has brought us another reason to celebrate! Red Sift OnDMARC continues its winning streak in G2’s Winter 2025 report, earning Leader status in the DMARC category for another consecutive season. This recognition reflects our strong market presence and the unwavering satisfaction of our customers. Cheers to wrapping up 2024 on…

Read more
AI

Text classification in the age of LLMs

Phong Nguyen

As natural language processing (NLP) advances, text classification remains a foundational task with applications in spam detection, sentiment analysis, topic categorization, and more. Traditionally, this task depended on rule-based systems and classical machine learning algorithms. However, the emergence of deep learning, transformer architectures, and Large Language Models (LLMs) has transformed text classification, allowing for…

Read more
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more