In February 2024, Google and Yahoo! announced that they would be tightening the verification of emails sent to their services. Companies that send more than 5,000 emails per day to these providers’ addresses will now be required to implement the DMARC process in addition to the already familiar SPF and DKIM security protocols. Alinto takes this as an opportunity to highlight the benefits and real impact of DMARC on email security.
DMARC: What is it?
DMARC, also known as Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol. It enables email administrators to prevent hackers from hijacking the identity of their organisation and domain.
Simply put, DMARC enhances email control and determines how to handle emails from unknown sources – which may indicate an attempt at spoofing. There are three possible solutions:
- Reject the email (the safest option);
- Quarantine for investigation before distribution or rejection,
- The decision is left to the recipient’s spam protection.
However, DMARC is still not widely used. This is confirmed by an AFNIC study carried out in March 2023, according to which less than 10% of .fr domain names have implemented the DMARC method.
How do the DMARC, SPF and DKIM protocols work together?
DMARC is only truly effective in combination with SPF and DKIM. Together, these protocols protect the sender and recipient from fraudulent email in the same way that DMARC does. So let’s have a look at the SPF and DKIM protocols first.
Firstly, the SPF protocol. This is a mechanism for authenticating the origin of email. It allows administrators of sending domains to specify which IP addresses are authorised to send email on their behalf. When an email is received, the recipient’s mail server can check whether the sender’s IP address is authorised by the originating domain to send email. If this is the case, the email is considered legitimate.
DKIM is designed to verify the authenticity of the sending domain and the integrity of an email. It enables email service providers to verify that incoming emails actually originate from the domain specified and have not been altered in transit.
For an email to pass DMARC validation, it must be authenticated using SPF and DKIM. The implementation of DMARC therefore requires the use of the SPF and DKIM protocols.
DMARC: a real benefit of a marketing ploy?
Google and Yahoo! are tightening authentication controls for emails sent to their platforms to combat spam.
However, given the role played by the SPF and DKIM protocols, some may wonder if the DMARC method is really necessary. At Alinto, we also see it as a marketing ploy by the two tech giants for several reasons:
- Firstly, the DMARC method is ineffective without the SPF and DKIM protocols. These two act as the first filter to identify the origin of the email. And often DMARC adds nothing, as SPF can achieve the same effect, especially if it is set to reject all emails from dubious origin.
- In most cases, organisations configure their DMARC to p=none, leaving the control of permissions and blocking to the recipient’s anti-spam solution. So to be properly protected, you still need a phishing security solution, using anti-spam software that now benefits from AI and continuous improvements in filtering techniques.
Nevertheless, DMARC remains important for reputation, especially for domains that are often the target of identity theft (large companies, public services, financial services, …).
At Alinto, we believe that too much of a good thing is not a bad thing, and we advise our customers to implement a DMARC policy. We also remind you that the best security and authentication policy, in response to the Google and Yahoo! guidelines, is above all the correct implementation of the SPF and DKIM protocols, as well as the quality of the anti-spam software used.
