Posted in Emergent Tech

Getting ready for the new Google and Yahoo email authentication requirements

The Google and Yahoo email requirements are a great opportunity for your organisation to fill in the gaps in email security.

Email is a prevalent form of communication for organisations and the preferred communication channel for consumers. Consequently, malicious actors are exploiting this universal tool to deliver phishing, business email compromise (BEC), spam, and other scams.

But Google and Yahoo are fighting back with new email authentication requirements designed to prevent threat actors from abusing email. While this major change is great news for consumers, organisations do not have much time to prepare for it — both Google and Yahoo are enforcing their new requirements within this year’s first quarter.

Email authentication has been a best practice for many years. For example, the open protocol DMARC, or Domain-based Message Authentication, Reporting and Conformance, has been available for a decade and is the gold standard for protecting against email impersonation, a key technique in BEC and phishing attacks.

Rob Holmes, Group Vice President and General Manager, Sender Security and Authentication, Proofpoint, Inc.

But many companies are yet to implement it, and those that lag in adoption will now need to catch up quickly if they wish to continue sending emails to Gmail and Yahoo addresses. Implementation, however, can be challenging as it requires a variety of technical steps and ongoing maintenance. Not all organisations have the resources or knowledge internally to meet the requirements in a timely manner.

What the new requirements mean for your organisation

Phishing and BEC pose a tremendous threat to businesses across every industry. Proofpoint research shows that among the UAE organisations that experienced attempted email-based phishing attacks last year, 86% faced at least one successful phishing attack. Email authentication provides protection against these threats by breaking the attack chain in email-based attacks.

DMARC and its associated authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), work together to secure email and prevent techniques such as email spoofing, a common tactic in phishing attacks. SPF lets a domain owner publish in DNS the IP addresses authorised to send mail for that domain, so the receiving server can check whether the connecting server is one of them; DKIM lets the receiver verify a cryptographic signature on the message against a public key published in DNS. On their own, neither check covers the domain the recipient actually sees: SPF is evaluated against the envelope sender (Return-Path) domain and DKIM against the signing domain, both of which an attacker can choose freely. DMARC closes that gap by requiring that at least one of those two identifiers align with the domain in the visible From header, and it lets the domain owner tell receivers what to do with mail that fails (none, quarantine or reject) and where to send aggregate reports. Together, these checks prevent a threat actor from impersonating your brand, providing a level of protection to both your employees and your customers.

If you communicate with customers via Gmail and Yahoo and have not yet implemented email authentication protocols such as SPF, DKIM, and DMARC, the biggest challenge you face is time. Rollout takes multiple steps for each protocol and can be tricky, especially if you have several domains. Once you have the protocols in place, you face additional challenges, as you must maintain your DMARC, SPF, and DKIM records over time: every new third-party service that sends mail on your behalf must be added to SPF (which caps the record at ten DNS-querying mechanisms) or configured to sign with DKIM for your domain, and DKIM keys should be rotated periodically.
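The following Python is an added illustration, not code from this article or from Proofpoint, of how a receiving server combines the three checks described above and why an unaligned third-party sender fails DMARC even when its SPF passes. The DNS zone for the hypothetical domains example.com and vendor.example is constructed inline, so it runs offline; DKIM signature verification itself is not performed, its outcome is supplied as a constructed input. It goes slightly beyond the text by modelling the subdomain policy tag (sp) and the ten-lookup SPF limit mentioned as a maintenance pitfall.

```python
"""Offline model of SPF + DKIM + DMARC evaluation (added example, not Proofpoint code).
Constructed DNS zone for the hypothetical domains example.com and vendor.example.
DKIM verification is not performed: verified d= domains are a constructed input.
Only the SPF mechanisms ip4, include and all are modelled."""
import ipaddress
from dataclasses import dataclass, field

MAX_SPF_LOOKUPS = 10          # RFC 7208 limit on DNS-querying mechanisms per check
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: example.com authorises its own range and a bulk-mail vendor.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.vendor.example": "v=spf1 include:_spf.vendor.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
}


@dataclass
class Message:
    client_ip: str            # connecting server's address
    mail_from_domain: str     # envelope sender (Return-Path) domain: the SPF identity
    header_from_domain: str   # visible From: domain, the one DMARC protects
    dkim_passes: list = field(default_factory=list)  # d= domains whose signature verified


def org_domain(domain):
    """Organisational domain approximated as the last two labels.
    Real implementations consult the Public Suffix List (co.uk and similar)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """tag=value parsing with the RFC 7489 defaults for the alignment modes."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def aligned(identifier, header_from, mode):
    """Strict alignment needs an exact match; relaxed only the same org domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


def spf_check(ip, domain, dns, lookups=0):
    """Evaluate SPF for (ip, domain). Returns (result, dns_lookups_used)."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUAL:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qualifier], lookups
        elif term.startswith("include:"):
            lookups += 1                        # each include costs one DNS lookup
            if lookups > MAX_SPF_LOOKUPS:
                return "permerror", lookups     # over the limit: receivers treat as error
            sub, lookups = spf_check(ip, term[len("include:"):], dns, lookups)
            if sub == "pass":
                return QUAL[qualifier], lookups
            if sub in ("permerror", "none"):
                return "permerror", lookups
        elif term == "all":
            return QUAL[qualifier], lookups
        else:
            return "permerror", lookups         # a, mx, exists, redirect: not modelled
    return "neutral", lookups


def dmarc_evaluate(msg, dns):
    """Apply the From-domain owner's DMARC policy to one message."""
    policy_domain = msg.header_from_domain.lower()
    record, is_subdomain = dns.get("_dmarc." + policy_domain), False
    if record is None and policy_domain != org_domain(policy_domain):
        record = dns.get("_dmarc." + org_domain(policy_domain))  # fall back to org domain
        is_subdomain = record is not None
    spf_result, _ = spf_check(msg.client_ip, msg.mail_from_domain, dns)
    if record is None:
        return {"spf": spf_result, "dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(msg.mail_from_domain, policy_domain, tags["aspf"])
    dkim_aligned = any(aligned(d, policy_domain, tags["adkim"]) for d in msg.dkim_passes)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    passed = spf_aligned or dkim_aligned
    return {"spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail", "disposition": "none" if passed else policy}


if __name__ == "__main__":
    cases = {
        "own server": Message("203.0.113.5", "example.com", "example.com", ["example.com"]),
        "spoof": Message("192.0.2.1", "attacker.example", "example.com"),
        "vendor, SPF passes but unaligned": Message("198.51.100.10", "mail.vendor.example", "example.com"),
        "vendor, signs DKIM as customer": Message("198.51.100.10", "mail.vendor.example", "example.com", ["example.com"]),
        "subdomain, sp applies": Message("192.0.2.9", "news.example.com", "news.example.com"),
    }
    for name, m in cases.items():
        print(name, dmarc_evaluate(m, DNS_TXT))
```

The third case is the one that trips up most rollouts: the vendor's SPF passes, but against its own Return-Path domain, so DMARC still fails for example.com and the mail is rejected. The fourth case shows the fix, having the vendor sign with a DKIM key published under example.com, which is why DKIM rather than ever-growing SPF includes is the sustainable route for third-party senders.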

One way to simplify the process is by exploring tools that integrate with your existing workflows, streamlining implementation. Collaborating with a security partner also provides you with access to highly experienced resources that you may not have in-house.

How to get ready for the Google and Yahoo authentication rules

The new requirements differ a little between Google and Yahoo. Google also has additional prerequisites for organisations that send bulk email (5,000 or more messages per day to Gmail accounts), such as publishing a DMARC policy, aligning the From domain with SPF or DKIM, and offering one-click unsubscribe on marketing mail. It is a good idea, however, to implement email authentication best practices beyond what these email providers are specifying. Adopting best practices will only further boost your security posture and help you mitigate email risks.

Although you may be pressed to launch email authentication by the Google and Yahoo deadlines, ultimately, adopting this practice will help you protect your people, teams and stakeholders across the entire organisation.

While Google and Yahoo wish to protect their users, email authentication does much more for your organisation because the impact of harmful emails goes far beyond your customers. That is why you should view these new requirements as a catalyst for strengthening your overall defenses against email threats.

Consider working with a trusted security partner who has email authentication experts to guide you along the implementation process and help simplify it. These experts can walk you through the technical steps as well as ensure that you are meeting best practices and are defending against email fraud holistically.

Boosting your defenses with the right technology

People remain the weakest link in your defenses, and human error is a leading cause of cyber incidents. While user awareness and education play an important role in hardening your human layer, technical controls such as DMARC are extremely important in protecting your organisation against email-based attacks and fraud.

Organisations in the UAE and KSA are leading the way in acknowledging the significance of protocols like DMARC, positioning themselves ahead of their global counterparts in adopting the highest standards of DMARC protection. Proofpoint's latest research, assessing fraud preparedness among Forbes 2000 publicly listed companies across 56 countries, reveals that 57% of organisations in KSA and 43% in the UAE have adopted the DMARC protocol, underscoring the region's commitment to fortifying its defenses against email-based threats and fraud.

Like any security tool, DMARC is not a silver bullet, but it adds another layer of protection to fortify your overall defenses. The Google and Yahoo email requirements are a great opportunity for your organisation to fill in the gaps in email security. You do not have to face this journey alone — tap into the experts and resources available to ensure you address email threats holistically.