2024: The year of DMARC as a business imperative

I can say with confidence that the world does not need more security predictions for 2024. But as we head into the new year, it is important to have conversations about security strategy to inform our business priorities and our road maps. 

As I talk to our Red Sift customers, our partners, and the thought leaders of our technical advisory board, one thing is clear: more DMARC and domain authentication requirements are on the way, and they will be here soon. 

It’s easy for me to tout the benefits of DMARC: better deliverability, protection against BEC and phishing, the ability to deploy BIMI… the list goes on and on. 

But one thing that is becoming clear is in 2024, DMARC is no longer a nice to have. It will be a business imperative. 

What’s changing with DMARC in 2024?

As we head into 2024, there are already announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those from email providers like Google and Yahoo, to those from governments, to those from security rating and cyber insurance companies. 

Google and Yahoo requirements for bulk senders

The most notable 2024 requirement for DMARC is the joint requirement set from Google and Yahoo that applies to all organizations sending over 5,000 emails a day. To stop email from not being delivered as expected or being delivered as spam, organizations will need to: 

  1. Authenticate their domain. This requires at minimum a DMARC record with a policy of p=none, SPF and DKIM records, SPF or DKIM alignment and FCrDNS. 
  2. Make it easy for receivers to unsubscribe. Organizations that currently have an unsubscribe link in commercial email have until June 1, 2024 to implement one-click unsubscribe.
  3. Keep spam rates low. Organizations need to keep spam rates reported in Postmaster Tools below 0.3%.

In our research, we discovered that as of December 2023, at least 33% of large organizations globally will fail these requirements, with companies in Korea, Japan, Austria and Germany being particularly underprepared. 

Organizations that do not address this will see dwindling delivery rates and messages being sent to spam folders. For businesses that rely on email marketing to generate leads and revenue, the impacts of this could be monumental.

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your readiness now

At Red Sift, we see these requirements as foreshadowing to email providers requiring DMARC enforcement. By requiring DMARC, SPF and DKIM records and SPF or DKIM alignment, the providers are laying the groundwork for stricter DMARC enforcement policies. Organizations should be more aggressive in their DMARC configuration than is required come February 1, 2024, as their domains will also benefit from spoofing and impersonation protection by implementing stronger DMARC policies. 

CISA recommendations

In October of 2023, CISA (Cybersecurity & Infrastructure Security Agency) put forth new Phishing Guidance. This document was released in coordination with the NSA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to outline phishing techniques and provide guidance for defenders. 

In the guidance, the agency puts forth tailored recommendations to stop phishing attacks focused on obtaining login credentials and installing malware.

To mitigate these attacks, the agency recommends many baseline protections including enabling DMARC, SPF, and DKIM, and making sure that your DMARC enforcement is set to p=reject.

PCI DDS 4.0

On March 31, 2022, the PCI Security Standards Council (PCI SSC) released DSS v4.0. While these requirements for payment processors do not go into effect until March 31, 2025, the majority of organizations are using this year to make sure they are completely compliant. 

One of the new requirements in PCI DDS v4.0 is phishing protection. Req 5.4.1 requires “automated mechanisms” to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.

Security ratings requirements

While no formal updates for DMARC have been announced from the security ratings companies, we are hearing early feedback from our customers that DMARC is becoming a higher priority in the eyes of these entities.

For example, SecurityScorecard currently accounts for SPF configuration in its grading system. It is not inconceivable that they will soon be looking at DMARC and DKIM as part of their rating algorithm as well. 

Existing DMARC mandates

Everything we have covered so far is additive to the existing DMARC requirements and recommendations put forth by governing bodies around the globe. While the list is not exhaustive, it shows the global attention on protecting against phishing, business email compromise (BEC) and exact domain impersonation. 

StatusAffected GeographyIssuing bodyNameDescriptionMandate typeIssuance/update dateEnforcement dateLearn More
UpcomingGlobalGoogle & YahooNew requirements for bulk sendersThose sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM, or SPF alignment and have a DMARC policy of p=none.Private sector mandateOctober 3, 2023February 1, 2024Here
UpcomingGlobalPCI DDSPCI DDS v4.0 Req 5.4.1“Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.Compliance mandateMarch 2022March 31, 2025Here
CurrentUKGDSGovernment Cybersecurity Policy Handbook Principle: B3 Data SecurityGovernment departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard.Mandate for government agenciesApril 6, 2023April 6, 2023Here
CurrentUnited StatesCISABinding Operational Directive 18-01: Enhance Email and Web SecurityRequires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject.Mandate for government agenciesOctober 16, 2017September 20, 2018Here
CurrentUnited StatesNISTNIST Special Publication 800-177Revision 1: Trustworthy emailRecommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email.GuidanceFebruary 2019Here

See the full list of mandates and recommendations for DMARC here.

Getting ready for changing DMARC requirements

Given that email remains the number one attack vector and business email compromise alone accounted for $2.7 billion in losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security. 

To see if your organization is prepared, make sure to check out Red Sift Investigate where you can see if your organization’s DMARC, SPF, DKIM, and other important email security protocols are set up correctly.

Check your readiness now

PUBLISHED BY

Rahul Powar

23 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Cybersecurity

Your guide to the SubdoMailing campaign

Billy McDiarmid

A significant number of well-known organizations have been attacked as part of what’s being called the SubdoMailing (Subdo) campaign that has been going on since at least 2022, research by Guardio Labs has revealed.   The scale of execution of this attack is staggering, and the impact is hugely damaging, but the goal is simple…

Read more
Certificates

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more
DMARC

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more
DMARC

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more