Email is a vital tool for business
Keeping your email system running smoothly is essential for your productivity. But times are changing: starting from March 2024 many major players (including HMG, Microsoft, Google (GDOCS), Yahoo etc.) are starting to refuse inbound email from poorly configured non-compliant senders. And this will spread, and get stricter, over time. If your email server isn’t properly configured then your outgoing emails may well end up being silently deleted prior to delivery. So your invoices, quotes, POs etc. will just vanish without trace.
What’s being addressed by compliance?
A bit of explanation is probably called for. You might be surprised to know is that it’s simple & quick to generate emails that claim to come from anybody you can think of. A couple of lines of code and I could be sending emails claiming to come from The Pope or Guy Fawkes or Chairman Mao or anyone I wanted. And they’d look pretty good too. This is called “spoofing”. More worryingly for you, it’s equally easy to pretend to be your Head of Accounts, HR Director or MD. You don’t need much imagination to work out the problems that could cause! Suffice it to say that around 80% (or more) data breaches can be traced back to a dodgy email, with spoofing way up the listings.
The response.
These issues are not new: they are well understood, and the ‘powers that be’ have taken steps to reduce the impact of spoofing. It is, as usual, a multi-pronged effort. And they revolve around the information you publish in your public electronic persona – known as your DNS. This is part of your domain (often part of your web hosting package). Entries in your DNS tell the world how you want your email to be treated – specifically the receiving server can check back with your DNS to ensure that everything is OK. So, what are these?
- SPF – this is a simple list of email servers that you have authorised to send your mail. The recipient server will be able to see the entire history of the email it receives, and check that it came from a server on your list.
- DKIM – this is a digital signature applied to your email when you send it. To make it work you need to enable ‘DKIM signing’ in your mailserver & publish the matching validation record in your DNS. The receiving server will check that the DKIM signature is valid and applied by your server, and the email hasn’t been interfered with in transit.
- DMARC – this is a policy that ties it all together. Your published DMARC policy record tells the receiving server what to do if the checks fail. If you don’t publish this record it’ll just take casual note of the forgeries and pass them on to the recipient as a normal email – not what you want at all! The same will happen if you publish a DMARC with policy set to ‘none’ (p=none), so that’s pointless. The policy should be set to reject non-compliant email (p=reject).
If you have an interest in the details, it can also instruct the system where to send detailed logs, so you can monitor the performance of your emails – and the attempts to spoof you! - BIMI – this is a new system that allows your company logo to be displayed in the recipients’ email client. It’s new and expensive and only currently used by large companies. But it’ll get cheaper and more widespread in time.
- MTA-STS & TLS-RPT – is to do with you receiving – rather than sending – emails. They are records you publish that tell the world that you will only receive emails that meet the current minimum standards for compliance.
Most this is quick and easy (and inexpensive) to get right, so there’s no excuse not to do it. And, as an added incentive, mail compliance is becoming mandated/recommended by some professional bodies (e.g. The Law Society) and is compulsory for some activities (e.g. CNP card processing).
Cyber Security & Mail Solutions Company Worcestershire
Our services:
Some of these are inter-dependant, some stand-alone. Please phone to discuss.
- If you want to know the current state of your own system we offer a free service to all. Simply send an email (content unimportant) to our compliance checker &Â we’ll send back a compliance report for your domain.
- Monitoring email traffic: an optional system that will log every email in & out of your system, providing incontrovertible proof of what has & hasn’t been sent or received. Which can be very useful!
- Email compliance statistics: your outbound emails logged and compliance performance recorded, with monthly reports emailed to you. Very interesting to see how many times people have tried to pretend to be you…
- Cloud-based spam filtering: an optional system that uses a configurable filter that will sift out spam emails before they even reach your server.
- DKIM signing: for customers running their own mail servers that do not have built-in DKIM signing we can DKIM sign all your outgoing mail, without the need to buy & configure an expensive plug-in for your system.
- Configuration of SPF records: if you’re not sure just ask us & we’ll do it for you.
- DMARC configuration: we’ll do your DMARC record – especially if you require the compliance reports.
- MTA-STS & TLS-RPT & BIMI: we can host the records required for these services.
To make it easy, we offer an inexpensive all-in-one package that includes:
- DMARC aggregator with graphic reporting & monthly emailing of statistics showing the state of your compliance.
- Creation & hosting of a basic BIMI record (not including a VMC).
- Creation & hosting of the TLS-RPT & MTA-STS certificates.
- We’ll generate all the DNS records you require to add to your DNS server: if you require assistance we can provide that too.
Just phone 01905 426364 to find out more.