The Basic Email Security Tool Most SMBs Should Use — But Don’t
One basic email security fix is an effective weapon against phishing attacks on your SMB. It also protects your company’s brand and reputation by stopping scammers from imitating (or “spoofing”) your company’s email addresses to launch phishing attacks or spam campaigns.
It’s called DMARC (Domain-based Message Authentication, Reporting & Conformance).
DMARC isn’t a product; it’s an email authentication tool. It includes a set of rules you can program your email system to follow for all emails sent from your company. Chances are you’re probably not using it. Less than 18% of U.S. companies surveyed in 2019 had implemented it.
A sample from the 2019 survey by 250ok, showing how many organizations still aren’t using DMARC:
* Best overall — large global law firms: 43%
* U.S. Financial Services: 71.7%
* U.S. average: 82.4%
* Worst in U.S. — non-profits: 91.4%
I’ll get more into the technical stuff later, but first, here are the main benefits your SMB can get from setting up DMARC:
1. Fight fake internal emails
DMARC stops bad guys from sending phishing emails to someone in your company that appear to be from you or someone else in your company. They usually try to convince the recipient to click on a link that installs malware, transfer money to a fraudulent account, or reveal account login/passwords.
2. Fight fake external emails
Crooks can spoof your company’s emails to attempt the same phishing tactics with your clients, vendors, prospects, financial providers, etc.
3. Stop spam from going out in your name
Spammers leverage your SMB’s name to get people to open emails and click on links, so the spammers will reap advertising revenue.
4. Establish your domain as a legitimate source
DMARC interacts with servers that process incoming emails, giving them evidence that your domain name hasn’t been hijacked. Some email recipients may even require senders to use DMARC-compliant emails in certain situations.
5. Improve results for email vendors/partners
If you use email services such as MailChimp or Constant Contact — or any other partners to send emails on your company’s behalf — DMARC should be configured to give these emails the same level of legitimacy as those you send yourself.
This is the first of a good series of videos from dmarcian on DMARC basics.
How DMARC Works
DMARC — and email authentication in general — is very complicated, but basically, DMARC is a set of instructions from email senders to the servers that receive emails. DMARC code prompts the receivers to test for certain authentication settings that you’ve set up for your domain.
You can configure DMARC to tell the receiver servers what to do with emails that fail the test:
- Send them through to recipients for now, but monitor it
- Direct them to the recipient’s spam folder
- Don’t deliver them at all
How to Implement DMARC
The best way to create a DMARC record for your domain depends on how your company uses email, and how much you want to get out of DMARC’s capabilities. Consider these three options:
Set up DMARC yourself
Many companies offer free tools for setting up DMARC and other email authentication features, including Agari and dmarcian. This option is probably only best for one- to two-person shops that just use email for basic business communication.
Set it up through an experienced vendor
If you work with a general IT services provider, find out whether email authentication, including DMARC, has been set up for your company. When I’m working with a new TechGen client, I look at the firm’s email authentication settings and recommend adjustments if necessary.
If you have more than a few employees and you use email extensively — especially if you use a vendor or two that sends emails on your behalf — it’s best to have expert assistance.
For some excellent articles, videos, and presentations about DMARC, go to DMARC.org.
Have a vendor set it up and monitor it for you, if necessary
Once DMARC is enabled on your domain, you can get reports from most major email providers that show you all sources of email from your domain. Some external sources may have your permission, such as a marketing partner. Other sources may be bots or criminals.
Monitoring DMARC reports makes full use of this powerful tool. It especially makes sense if your SMB depends on extensive email marketing campaigns.
If you don’t have the in-house expertise to run and interpret DMARC reports, you can work with a vendor.
Send Only Emails the Recipients Want and Trust
It’s critical for the people and businesses you email to trust that they’re not receiving harmful or unwanted content from your company. And once you’ve lost an email recipient’s trust, you may never get it back.
That’s why it’s worth your time to at least look into DMARC and other methods of email authentication.