DMARC Requirements for 2024

Key Concern

Gmail, Yahoo and others are making big changes in February 2024 that might prevent your customers from receiving marketing material and even invoices if your domain isn't correctly set up and managed.

ThreeShield's Approach

Our managed clients are all prepared for the new requirements because we:

• Define a list of services that send email on their behalf
  (SPF and DKIM, which are discussed in more length below).
• Monitor reports from email recipients to learn if any legitimate messages were sent on their behalf from other providers
  (DMARC, which is discussed in more length below).
• Filter out known scammers and work with our clients to verify others, then quickly update the authorized list.
• Lock down the authorized list and tell email recipients to quarantine or block scams that appear to come from our clients' domains.
• Continually monitor the reports for any changes.

Technical Background

The Domain Name System (DNS) translates your domain (e.g. threeshield.ca) to the numbers that computers use to find their way around the Internet. A few years ago, the Internet community used this system to decrease spam and improve your email reputation to improve the chances that emails you send to your customers and prospects make it past the Spam or Junk Mail folders.

The key elements for this are SPF, DKIM, and DMARC.

SPF tells other servers what services are allowed to send email on your behalf. You can also use it to tell email recipients how confident you are in your list and instruct them to treat others with suspicion or completely block them.
This is an example:

v=spf1 include:spf.protection.outlook.com ip4:1.1.1.1/32 ~all

The above example says that email servers that Microsoft has added to spf.protection.outlook.com or from 1.1.1.1 can send email on behalf of the domain that set this up.
The tilde (~) before all in ~all means that they aren't 100% confident, so don't automatically block emails from other sources. In contrast -all would show a strong confidence level and block all others.

DKIM allows your email provider to sign emails to give an additional confidence level that the messages are actually yours and haven't been tampered with from when they left your mail server to when they reached your recipient.
Typically, your service provider will provide this to you to add to your DNS.

DMARC brings this all together: it allows other email servers to report emails that it receives from service providers that aren't authorized in your DKIM or SPF. It also allows you to instruct email recipients to reject or quarantine messages from other email providers.
There are a few companies that process DMARC records. However, we became frustrated with the limited amount of information that they provided. Some would give the domain, some would give the host, but none seemed to dig deep into the country, ISP, host, and give us statistics on which seemed to be malicious and which weren't -- so we built our own.
This internal tool has been essential for us to make sure that our clients can confidently signal higher levels of confidence in their SPF and DMARC records to reduce the likelihood that their emails would get quarantined or fall into the spam folder.
As of February 2024, Google is just requiring DMARC records. They do not have to have to be set to block or quarantine messages. However, they are making the change to quarantine and block internally and will likely be enforcing it as a next step, so it's important to get your ducks lined up in advance.

February 2024

• Align SPF or DKIM with all emails. This will allow "relaxed" mode in DMARC. Some services don't provide good SPF results, but do provide DKIM and vice-versa.
• Configure DMARC. They're currently allowing p=none, which means that you don't have to give quarantine or block instructions; however, these improve the likelihood of emails skipping spam.
• Email server requirements. This doesn't apply to most people who use third parties for email; however, if you host your own email, Google requires PTR records, ARC and List-id headers (for forwarded email), and TLS connections.
• Google has specified a maximum spam rate below 0.1% and Yahoo! requires under 0.3%. This requires some vigilance. We use the Google Postmaster Tools to monitor spam rates.
• One-click unsubscribe for subscribed messages (Yahoo is requiring unsubscribes within 2 days).

What about MSPs?

Given that our internal DMARC tool gathers statistics and flags potentially harmless and harmful email providers, the more organizations using the tool, the more powerful it is.
As such, we're making it available to accredited MSPs who want to use the same powerful technology with their clients through our Lavawall® platform.

Contact us to use the Lavawall® DMARC tool.