2024: The year of DMARC as a business imperative

I can say with confidence that the world does not need more security predictions for 2024. But as we head into the new year, it is important to have conversations about security strategy to inform our business priorities and our road maps. 

As I talk to our Red Sift customers, our partners, and the thought leaders of our technical advisory board, one thing is clear: more DMARC and domain authentication requirements are on the way, and they will be here soon. 

It’s easy for me to tout the benefits of DMARC: better deliverability, protection against BEC and phishing, the ability to deploy BIMI… the list goes on and on. 

But one thing that is becoming clear is in 2024, DMARC is no longer a nice to have. It will be a business imperative. 

What’s changing with DMARC in 2024?

As we head into 2024, there are already announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those from email providers like Google and Yahoo, to those from governments, to those from security rating and cyber insurance companies. 

Google and Yahoo requirements for bulk senders

The most notable 2024 requirement for DMARC is the joint requirement set from Google and Yahoo that applies to all organizations sending over 5,000 emails a day. To stop email from not being delivered as expected or being delivered as spam, organizations will need to: 

  1. Authenticate their domain. This requires at minimum a DMARC record with a policy of p=none, SPF and DKIM records, SPF or DKIM alignment and FCrDNS. 
  2. Make it easy for receivers to unsubscribe. Organizations that currently have an unsubscribe link in commercial email have until June 1, 2024 to implement one-click unsubscribe.
  3. Keep spam rates low. Organizations need to keep spam rates reported in Postmaster Tools below 0.3%.

In our research, we discovered that as of December 2023, at least 33% of large organizations globally will fail these requirements, with companies in Korea, Japan, Austria and Germany being particularly underprepared. 

Organizations that do not address this will see dwindling delivery rates and messages being sent to spam folders. For businesses that rely on email marketing to generate leads and revenue, the impacts of this could be monumental.

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your DMARC record and other key protocols now

At Red Sift, we see these requirements as foreshadowing to email providers requiring DMARC enforcement. By requiring DMARC, SPF and DKIM records and SPF or DKIM alignment, the providers are laying the groundwork for stricter DMARC enforcement policies. Organizations should be more aggressive in their DMARC configuration than is required come February 1, 2024, as their domains will also benefit from spoofing and impersonation protection by implementing stronger DMARC policies. 

CISA recommendations

In October of 2023, CISA (Cybersecurity & Infrastructure Security Agency) put forth new Phishing Guidance. This document was released in coordination with the NSA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to outline phishing techniques and provide guidance for defenders. 

In the guidance, the agency puts forth tailored recommendations to stop phishing attacks focused on obtaining login credentials and installing malware.

To mitigate these attacks, the agency recommends many baseline protections including enabling DMARC, SPF, and DKIM, and making sure that your DMARC enforcement is set to p=reject.

PCI DDS 4.0

On March 31, 2022, the PCI Security Standards Council (PCI SSC) released DSS v4.0. While these requirements for payment processors do not go into effect until March 31, 2025, the majority of organizations are using this year to make sure they are completely compliant. 

One of the new requirements in PCI DDS v4.0 is phishing protection. Req 5.4.1 requires “automated mechanisms” to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.

Security ratings requirements

While no formal updates for DMARC have been announced from the security ratings companies, we are hearing early feedback from our customers that DMARC is becoming a higher priority in the eyes of these entities.

For example, SecurityScorecard currently accounts for SPF configuration in its grading system. It is not inconceivable that they will soon be looking at DMARC and DKIM as part of their rating algorithm as well. 

Existing DMARC mandates

Everything we have covered so far is additive to the existing DMARC requirements and recommendations put forth by governing bodies around the globe. While the list is not exhaustive, it shows the global attention on protecting against phishing, business email compromise (BEC) and exact domain impersonation. 

Status
Affected Geography
Issuing body
Name
Description
Mandate type
Issuance/update date
Enforcement date
Learn More
Upcoming
Global
Google & Yahoo
New requirements for bulk senders
Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM, or SPF alignment and have a DMARC policy of p=none.
Private sector mandate
October 3, 2023
February 1, 2024
Upcoming
Global
PCI DDS
PCI DDS v4.0 Req 5.4.1
“Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.
Compliance mandate
March 2022
March 31, 2025
Current
UK
GDS
Government Cybersecurity Policy Handbook Principle: B3 Data Security
Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard.
Mandate for government agencies
April 6, 2023
April 6, 2023
Current
United States
CISA
Binding Operational Directive 18-01: Enhance Email and Web Security
Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject.
Mandate for government agencies
October 16, 2017
September 20, 2018
Current
United States
NIST
NIST Special Publication 800-177Revision 1: Trustworthy email
Recommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email.
Guidance
February 2019

See the full list of mandates and recommendations for DMARC here.

Getting ready for changing DMARC requirements

Given that email remains the number one attack vector and business email compromise alone accounted for $2.7 billion in losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security. 

To see if your organization is prepared, make sure to check out Red Sift Investigate where you can see if your organization’s DMARC, SPF, DKIM, and other important email security protocols are set up correctly.

Check your DMARC record and other key protocols now

PUBLISHED BY

Rahul Powar

23 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Red Sift Recognized on Deloitte’s EMEA Fast 500™ List

Francesca Rünger-Field

We’re thrilled to share that Red Sift has been included in Deloitte’s 2023 EMEA Fast 500 list. This recognition stems from 389% revenue growth over three years, $54 million in Series B funding, acquiring ASM innovator Hardenize, and introducing the Red Sift Pulse Platform. Read the press release here. About the award The Deloitte Technology Fast…

Read more
Brand Protection

The vital role of cybersecurity for Nonprofits: A deep dive 

Sean Costigan

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the…

Read more
News

Red Sift brings DMARC data to the SOC with new Cisco XDR…

Rebecca Warren

Today, we’re thrilled to announce that we’re extending our partnership by joining the Cisco Security Technical Alliance and integrating Red Sift OnDMARC with Cisco XDR. This integration builds on the Domain Protection partnership we announced in November 2023 to bring visibility of business email compromise into the SOC (security operations center). At release, Red…

Read more
Certificates

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more