Email is a vital tool for business

Keeping your email system running smoothly is essential for your productivity. But times are changing: starting from March 2024 many major players (including HMG, Microsoft, Google (GDOCS), Yahoo etc.) are starting to refuse inbound email from poorly configured non-compliant senders. And this will spread, and get stricter, over time. If your email server isn’t properly configured then your outgoing emails may well end up being silently deleted prior to delivery. So your invoices, quotes, POs etc. will just vanish without trace.

What’s being addressed by compliance?

A bit of explanation is probably called for. You might be surprised to know is that it’s simple & quick to generate emails that claim to come from anybody you can think of. A couple of lines of code and I could be sending emails claiming to come from The Pope or Guy Fawkes or Chairman Mao or anyone I wanted. And they’d look pretty good too. This is called “spoofing”. More worryingly for you, it’s equally easy to pretend to be your Head of Accounts, HR Director or MD. You don’t need much imagination to work out the problems that could cause! Suffice it to say that around 80% (or more) data breaches can be traced back to a dodgy email, with spoofing way up the listings.

The response.

These issues are not new: they are well understood, and the ‘powers that be’ have taken steps to reduce the impact of spoofing. It is, as usual, a multi-pronged effort. And they revolve around the information you publish in your public electronic persona – known as your DNS. This is part of your domain (often part of your web hosting package). Entries in your DNS tell the world how you want your email to be treated – specifically the receiving server can check back with your DNS to ensure that everything is OK. So, what are these?

1. SPF – this is a simple list of email servers that you have authorised to send your mail. The recipient server will be able to see the entire history of the email it receives, and check that it came from a server on your list.
2. DKIM – this is a digital signature applied to your email when you send it. To make it work you need to enable ‘DKIM signing’ in your mailserver & publish the matching validation record in your DNS. The receiving server will check that the DKIM signature is valid and applied by your server, and the email hasn’t been interfered with in transit.
3. DMARC – this is a policy that ties it all together. Your published DMARC policy record tells the receiving server what to do if the checks fail. If you don’t publish this record it’ll just take casual note of the forgeries and pass them on to the recipient as a normal email – not what you want at all! The same will happen if you publish a DMARC with policy set to ‘none’ (p=none), so that’s pointless. The policy should be set to reject non-compliant email (p=reject).
   If you have an interest in the details, it can also instruct the system where to send detailed logs, so you can monitor the performance of your emails – and the attempts to spoof you!
4. BIMI – this is a new system that allows your company logo to be displayed in the recipients’ email client. It’s new and expensive and only currently used by large companies. But it’ll get cheaper and more widespread in time.
5. MTA-STS & TLS-RPT – is to do with you receiving – rather than sending – emails. They are records you publish that tell the world that you will only receive emails that meet the current minimum standards for compliance.

Most this is quick and easy (and inexpensive) to get right, so there’s no excuse not to do it. And, as an added incentive, mail compliance is becoming mandated/recommended by some professional bodies (e.g. The Law Society) and is compulsory for some activities (e.g. CNP card processing).