Email remains the main communication channel for organizations and the preferred means of communication for consumers. And wherever people go, threat actors follow. Cybercriminals continue to exploit email to deliver phishing, email fraud, spam, and other scams. But Google, Yahoo!, and Apple are fighting back with new email authentication requirements designed to prevent threat actors from abusing email. While this major change is great news for consumers, organizations do not have much time to prepare—Google, Yahoo! and Apple will begin enforcing their new requirements in the first quarter of 2024.
With only weeks left until these rules begin to take effect, more than one-quarter (27%) of the Forbes Global 2000 are not ready for these new requirements; this can significantly impact their ability to deliver email communications to their customers in a timely fashion and puts their customers at risk of email fraud and scams. In fact, our 2023 State of the Phish Report revealed that 44% global consumers think an email is safe if it merely includes familiar branding.
Proofpoint’s analysis of the Forbes Global 2000 and their adoption of the open protocol DMARC (Domain-based Message Authentication Reporting and Conformance), a widely used authentication protocol that helps guarantee the identity of email communications and protects website domain names from being spoofed and misused, shows:
- More than one-quarter (27%) of the Global 2000 have no DMARC record in place at all, indicating they are unprepared for the upcoming email authentication requirements.
- A staggering 69% are not actively blocking fraudulent emails from reaching their customers; less than one-third (31%) have implemented the highest level of protection to reject suspicious emails from reaching their customers’ inboxes.
- 27% have implemented a monitor policy, meaning unqualified emails can still arrive in the recipient’s inbox; and only 15% have implemented a quarantine policy to direct unqualified emails to spam/junk folders.
Email authentication has been a best practice for years. DMARC is the gold standard for protecting against email impersonation, a key technique used in email fraud and phishing attacks. But, as our analysis of the Global 2000 reveals, many companies have yet to implement it, and those that lag in DMARC adoption will now need to catch up quickly if they wish to continue sending emails to their customers. Organizations that don’t comply could see their emails routed directly to customers’ spam folders or rejected altogether.
Implementation, however, can be challenging, as it requires a variety of technical steps and ongoing maintenance. Not all organizations have the resources or knowledge internally to meet the requirements in a timely manner. You can take advantage of resources such as Proofpoint’s technical brief and email authentication kit to help you get started. Proofpoint also offers a tool to check your domain’s DMARC and SPF records, as well as create a DMARC record for your domain. This tool is part of a comprehensive Email Fraud Defense solution, which provides hosted SPF, hosted DKIM, and hosted DMARC features to simplify deployment and maintenance while increasing security. The solution also includes access to highly experienced consultants to guide you through implementation workflows for DMARC and the new Google, Yahoo!, and Apple requirements. For applications or third-party SaaS senders that are unable to pass the DMARC standard, Secure Email Relay is also a good option that protects trusted domains from being abused.
Like any security tool, DMARC is not a silver bullet, but it adds another layer of protection to fortify your overall defenses. The new email requirements are a great opportunity for your organization to fill in the gaps in email security. You do not have to face this journey alone — tap into the experts and resources available to you to ensure you are addressing email threats holistically.