Email is a prevalent form of communication for organizations and the preferred communication channel for consumers. Consequently, malicious actors are exploiting this universal tool to deliver phishing, business email compromise (BEC), spam, and other scams.
But Google and Yahoo are fighting back with new email authentication requirements designed to prevent threat actors from abusing email. While this major change is great news for consumers, organizations do not have much time to prepare for it — both Google and Yahoo will begin enforcing their new requirements in the first quarter of 2024.
Email authentication has been a best practice for many years. For example, the open protocol DMARC, or Domain-based Message Authentication, Reporting and Conformance, has been available for a decade and is the gold standard for protecting against email impersonation, a key technique in BEC and phishing attacks. But many companies have yet to implement it, and those that lag in adoption will now need to catch up quickly if they wish to continue sending emails to Gmail and Yahoo addresses.
Implementation, however, can be challenging as it requires a variety of technical steps and ongoing maintenance. Not all organizations have the resources or knowledge internally to meet the requirements in a timely manner.
What the new requirements mean for your organization
Phishing and BEC pose a tremendous threat for businesses across every industry. Proofpoint research shows that 84% of surveyed organizations faced at least one successful phishing attack last year, while the FBI calls BEC “the $26 billion scam” due to the tremendous financial losses that victims suffer. Email authentication provides protection against these threats by breaking the attack chain in email-based attacks.
DMARC and its associated authentication mechanisms — the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols — work together to secure email and prevent techniques such as email spoofing, which is a common tactic in phishing attacks. SPF, for instance, enables the receiving email server to verify whether the incoming email was sent from an IP address that your organization has authorized to send mail for its domain. This verification prevents a threat actor from impersonating your brand, providing a level of protection to both your employees and your customers.
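As an added example (not from the article and not Proofpoint's code), the following Python sketch shows how a receiving server combines the SPF and DKIM results with the DMARC record's alignment settings to decide whether a message is authenticated and which policy to apply. The DMARC record and the message data are constructed, and the organizational-domain logic is a simplified assumption (real validators use the Public Suffix List).

```python
# Constructed DMARC TXT record for an assumed example domain; no DNS lookup is done.
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    # Simplified organizational domain: the last two labels. This is an assumption for
    # the example; production code must consult the Public Suffix List (e.g. co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts any subdomain; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the domain in the visible From: header (what the user sees).
    spf_domain is the envelope MAIL FROM domain that SPF checked the sending IP against.
    dkim_domain is the d= tag of a DKIM signature that verified.
    DMARC passes when at least one mechanism passed AND its domain aligns with From:.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failure: the receiver applies the policy the domain owner published (none/quarantine/reject).
    return "fail", tags["p"]
```

Note that a message can pass SPF for the attacker's own envelope domain and still fail DMARC, because the SPF-authenticated domain does not align with the spoofed From: domain; that alignment check is what stops the impersonation.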
If you communicate with customers via Gmail and Yahoo and have not yet implemented email authentication protocols such as SPF, DKIM and DMARC, the biggest challenge you face is time. Rollout takes multiple steps for each protocol and can be tricky, especially if you have several domains. Once you have the protocols in place, you face additional challenges, as you must maintain your DMARC, SPF, and DKIM records over time.
One way to simplify the process is by exploring tools that integrate with your existing workflows, streamlining implementation. Collaborating with a security partner also provides you with access to highly experienced resources that you may not have in-house.
How to get ready for the Google and Yahoo authentication rules
The new requirements are a little different between Google and Yahoo. Google also has additional prerequisites for organizations that send bulk email (5,000 or more per day). It is a good idea, however, to implement email authentication best practices beyond what these email providers are specifying. Adopting best practices will only further boost your security posture and help you mitigate email risks.
Although you may be pressed to launch email authentication by the Google and Yahoo deadlines, ultimately, adopting this practice will help you protect your people, teams and stakeholders across the entire organization. While Google and Yahoo wish to protect their users, email authentication does much more for your organization because the impact of harmful emails goes far beyond your customers. That is why you should view these new requirements as a catalyst for strengthening your overall defenses against email threats.
Consider working with a trusted security partner who has email authentication experts to guide you along the implementation process and help simplify it. These experts can walk you through the technical steps as well as ensure that you are meeting best practices and are defending against email fraud holistically.
You can also take advantage of resources such as Proofpoint’s technical brief and email authentication kit to help you get started. Proofpoint also offers a tool to check your domain’s DMARC and SPF records as well as create a DMARC record for your domain. This tool is part of a comprehensive Email Fraud Defense solution, which provides hosted SPF, hosted DKIM, and hosted DMARC features to simplify deployment and maintenance while increasing security. Additionally, the solution includes access to highly experienced consultants to guide you through implementation workflows for DMARC and the new Google and Yahoo requirements.
Boosting your defenses with the right technology
People remain the weakest link in the attack chain, and human error is the main cause of cyber incidents. While user awareness and education play an important role in hardening your human layer, technical controls such as DMARC are extremely important in protecting your organization against email-based attacks and fraud.
Like any security tool, DMARC is not a silver bullet, but it adds another layer of protection to fortify your overall defenses. The Google and Yahoo email requirements are a great opportunity for your organization to fill in the gaps in email security. You do not have to face this journey alone — tap into the experts and resources available to you to ensure you are addressing email threats holistically.
Rob Holmes is group vice president and general manager of sender security and authentication at Proofpoint, Inc.