
Communication Security Part 1

In this two-part blog post we cover what every organization should consider today to protect its email domains from misuse, how to improve the deliverability of its messages, and what to take into account when protecting against phishing and malicious incoming messages.

In this first part, we focus on message hygiene, i.e., how we protect our organization’s email addresses from misuse and improve the chances of our messages being delivered, so they don’t end up as spam or even get blocked entirely at the recipient’s end. In the second part, to be published later, we will focus on how we can best protect our users from phishing and malicious messages.

Email is utilized in many different ways

Every organization uses email for different purposes. We communicate with various stakeholders through it, the marketing department uses it to send marketing messages, and in some organizations it is tightly integrated into the enterprise resource planning system as a messaging channel between systems. There are numerous other use cases as well. Throughout its history, email's weak point has been verifying the identity of the sender. In practice, even today, anyone can send email messages in our name, for better or worse.

The most common mechanisms for telling other parties which services are allowed to send email on our behalf are SPF, DKIM, and DMARC. DMARC is the newest of the three and acts as a “confirming lock” for the SPF and DKIM settings: on their own, neither SPF nor DKIM checks the sender domain the recipient actually sees in the From header, so without DMARC they are easily circumvented. For this reason, its use is now increasingly required, as Google and Yahoo have already done. I personally believe that this is just the beginning, and requirements will become even stricter in the future.

Google and Yahoo are tightening their requirements

Google and Yahoo announced last fall that they would require DMARC from senders delivering more than 5000 messages per day to their services. The requirement came into effect in their services at the beginning of February. However, it still only requires DMARC in reporting mode (p=none), and enabling that does not jeopardize delivery of an organization’s messages even where the other email protection mechanisms (SPF and DKIM) are not yet fully in order. I have received many inquiries about this when various providers have communicated about the requirements for implementing DMARC policy. My answer is that it can be safely turned on in this mode. However, it is not enough to protect the organization’s email domain from misuse. A good first step, nonetheless.

What should be done regarding protections?

Every organization should now, at the latest, put on its agenda finding out from which systems email is sent on its behalf, how the protection mechanisms are implemented for each of them, and whether they support the tightening DMARC requirements. This mapping starts by putting DMARC in reporting mode and setting up a service to collect the aggregate (RUA) reports for more detailed analysis. Several DMARC report analysis services are on the market at very reasonable cost. With these reports and services we can find out which services have sent email on behalf of our organization and whether their protection mechanisms are in order. Once any deficiencies have been corrected and the services that should be sending messages are confirmed to have correct settings, DMARC can be raised to a genuinely protective level, i.e., Reject or Quarantine mode.
If you currently don’t know whether your organization’s emails are in order at the required level, or if SPF, DKIM, and DMARC are all Greek to you, it’s advisable to get an expert to help, to ensure that your organization’s emails are not blocked by recipients or misused now or in the future. The same measures also help prevent messages from ending up as spam. This should also be done to protect against reputational damage, where in the worst case, phishing or malicious messages have been spread using your organization’s email addresses.

We, the experts at Above IT, have carried out numerous email communication improvement measures for both small and large organizations, with several years of experience.

Get in touch! Book a time directly from my calendar at the bottom of the page, and let’s discuss in more detail how we could help you with this matter.

Wishing you secure communication,
Mika, consigliere
