Bulk email sending - are we there yet?
What’s the fuss all about?
Google and Yahoo handle a lot of email. Google alone delivers over 100 billion every day, an eye-watering number. So when these players change the rules about how those messages are delivered, we should probably pay attention.
The issue is phishing and spoofing emails, and how your domain can be used to provide apparent authenticity to them. Or looked at the other way round, how someone else’s domain can provide authenticity to an email you, or one of your staff, then go on to open.
To put some further perspective on this, more than 3 billion phishing emails are sent each day.
Countering the danger
There are three key technologies to help provide protection against malicious emails, handily named SPF, DKIM and DMARC - and they’ve been in place for years.
- DMARC is like setting rules for your email security guard to follow when checking IDs. It tells the guard what to do if someone's ID doesn't match their claimed identity.
- DKIM, on the other hand, is like putting a seal on each email envelope. This seal ensures the email hasn't been tampered with and confirms who sent it.
- SPF is like a guest list for emails. Is the sender’s server on the guest list of the sender's domain?
These technologies interplay and if managed well, provide a high degree of protection.
The rules have changed
As of the beginning of this year, Google and Yahoo have decided to enforce these protocols harder than before. The result will be a safer world for all of us as we work our way through our inbox in the morning. But such a huge change to how email is handled has other implications that we need to understand and manage…
Are you bulk sending emails?
Whoever you are, maybe an e-commerce store, maybe a membership organisation, if you are bulk sending emails (for perfectly legitimate reasons) the changes brought into place by Google and Yahoo could mean that your emails never arrive.
To make sure your mail delivery gets through, you need to ensure your mail servers are configured correctly - especially in relation to DMARC records. The good news is that this is not hard to do, and has other benefits too - DMARC lets you know when someone tries to send an email pretending to be you.
Put simply, DMARC ensures your email gets delivered and is also like a security guard reporting back to you about who tried to get in using your name. Your emails arrive and your brand is protected.
Time to take action
Many organisations already have SPF and DKIM in place on their mail servers - many have yet to deploy DMARC.
Here’s a checklist of what you need to do:
- Check your email setup: Make sure you are already set up with SPF and DKIM.
- Create a DMARC record: If you haven’t already got this in place, this needs to be added to your DNS records. You can set rules for how your emails should be handled and specify what to do if an email doesn't pass authentication.
- Review reports: Look at the DMARC report data regularly to see if any unauthorised emails are getting through.
- Adjust settings: Gradually tighten the rules based on what you see in the reports. Eventually, you can start blocking suspicious emails.
- Keep it up: Check in regularly and update your rules as needed to keep your email secure.
Yes, this is yet another thing to do - but we have no choice if we want mail delivered, and our reputations protected.
If you want help with implementing these changes - get in touch.
