Countless myths abound in the world of email deliverability. That’s why there’s no one better to clear up these common misconceptions than the leading experts in the world of email. Every month, we’ll bring you a Q&A with leaders from inbox providers, spam trap networks, antispam systems, and more in our new Expert Series blog.
In our fifth Expert Series blog, we chat with Marcel Vinson. Marcel has been in cybersecurity for the last 13 years and the email security side of things for 11 years. He’s been at Valimail for the last 3 years. Marcel is passionate about email security, and said, “DMARC is clearly something that’s going to be adopted by all email senders in the future, so it’s nice to be working toward getting people on the right side of the fence.”
Now, let’s dive in.
20 questions with email security expert Marcel Vinson
1. What does your role at Valimail entail?
I’ve been the sales director for mid-market at Valimail for 3 years. It’s an exciting time in DMARC, so I appreciate the opportunity to connect with the Twilio SendGrid audience.
In the past 2 years, we’ve watched the market drive toward mass adoption—26% to 64% of U.S. enterprise companies have adopted DMARC. As a result, getting to DMARC at enforcement is no longer a “good to have” but rather a necessity for companies who are serious about brand trust and email authentication.
2. How do malicious senders spoof domains? Can you explain how that works?
At its core, an email message is just text and other data fed to a specific piece of software that transmits the message to its destination. If the malicious sender controls the operation of that piece of software, they can submit any content, including messages, using domains they don’t own.
Email, by design, is an open protocol, meaning it doesn’t automatically verify senders, so it’s up to senders to protect their domains as much as possible. That’s where email authentication protocols, like SPF, DKIM, and DMARC, and solutions like Valimail come into play.
3. What are the main benefits of setting up a DMARC policy?
Overall, it’s about having peace of mind. It’s the assurance that you’ve done all you can to protect your brand, customers, and employees from spoofing attacks in which bad actors attempt to send malicious emails by impersonating your domain(s).
Setting up a DMARC policy (DMARC at enforcement) is about authenticating every sender within your domain. This means getting to p=reject, where no email gets sent from your domain(s) without your approval. The main benefits include:
- Obtain full visibility and control of your domain(s):
  - Identify all the unknowns within your ecosystem to lock down your domain’s brand and reputation protection
  - Eliminate the risk of becoming a headline—89% of phishing attacks are preventable with DMARC at enforcement
- Boost email deliverability:
  - Avoid getting your emails stuck in the spam folder
4. OK, I understand DMARC protects the domain I implement it on, but what’s stopping someone from just slightly altering my domain (for example, from example.com to exampleemail.com) and spoofing it that way?
Unfortunately, there’s nothing. We cover this issue in our blog, Security Awareness Training Can’t Be the Only Arrow in Your Quiver, but domain owners would need to register all possible permutations of look-alike domains and publish DMARC records for all of them—and that’s not a scalable solution. Instead, domain owners should implement effective antispam and filtering mechanisms for inbound email streams in addition to strong DMARC policies.
5. What are the common misunderstandings around DMARC?
The most common misunderstandings around DMARC are that it’s not necessary because domain owners:
- Have a Secure Email Gateway (SEG)
  - This is a common misconception because DMARC (email authentication) and SEG both ensure that emails that get delivered are safe for the end user. However, to achieve this goal, both use separate techniques. An SEG filters messages based on content, while email authentication identifies and verifies the sender.
- Are already at DMARC enforcement (when at a p=none)
  - This misconception is critical because getting a DMARC record or buying into a DMARC vendor alone doesn’t get you to enforcement. If your DMARC policy is still at p=none, that means you’ve requested no action on the email that fails DMARC authentication and alignment. This is the equivalent of investing in a steel door to secure your home but always leaving the door unlocked or wide open for intruders.
6. What information is available within a DMARC report?
A DMARC report includes information on email origination from an outbound perspective as well as IP addresses and sending domain (via a RUA report).
7. Can you explain the function behind some of the primary elements of a DMARC record (like policy, PCT, and RUA/RUF records)?
Here’s what you should know:
- Policy: This refers to your actual DMARC policy. There are 3 different policies: none, quarantine, and reject.
- PCT: This is the percentage of email that will follow your policy. For example, PCT at 50% means that if you had a quarantine policy, 50% of those failing emails would be quarantined.
- RUA: This is the aggregate information provided from the email providers.
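The tags Marcel lists map directly onto a DMARC TXT record. The following parser is an added example, not code from the interview or from Valimail: it applies the tag defaults from RFC 7489 (sp= falls back to p=, pct= defaults to 100) and shows how pct= sampling changes what happens to a message that fails DMARC. The record strings and the mailto: address are constructed placeholders.

```python
# Added example, not from the interview or from Valimail: parse a DMARC TXT
# record with RFC 7489 defaults and show the effect of pct= on a failing message.
from dataclasses import dataclass, field
from typing import List

POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str                     # p=  : policy for the domain itself
    subdomain_policy: str           # sp= : policy for subdomains (defaults to p=)
    pct: int                        # pct=: share of failing mail the policy applies to
    rua: List[str] = field(default_factory=list)   # aggregate report addresses
    ruf: List[str] = field(default_factory=list)   # failure (forensic) report addresses
    adkim: str = "r"                # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str = "r"                 # SPF alignment mode


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse 'tag=value; tag=value' into a DmarcRecord, raising on invalid input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()

    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    sp = tags.get("sp", policy).lower()
    if sp not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")

    def uris(tag: str) -> List[str]:
        return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]

    return DmarcRecord(policy, sp, pct, uris("rua"), uris("ruf"),
                       tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower())


def disposition(record: DmarcRecord, sample: int, subdomain: bool = False) -> str:
    """Disposition for a message that FAILED DMARC.

    `sample` is a number in [0, 100) drawn by the receiver; the published policy
    applies only when sample < pct. RFC 7489 section 6.6.4 has receivers handle
    the rest with the next less strict policy (reject -> quarantine,
    quarantine -> none), which is why a low pct= is a gentle step toward enforcement.
    """
    policy = record.subdomain_policy if subdomain else record.policy
    if sample < record.pct:
        return policy
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com")
    print(rec)
    print("sampled in:", disposition(rec, 10), "| sampled out:", disposition(rec, 75))
```

Note that a record with p=quarantine and pct=50 leaves half of all failing mail to be delivered as if the policy were none, so "we have a quarantine policy" can overstate the protection actually in force.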
8. What is the difference between aggregate and forensic data in relation to DMARC?
Here’s what you should know:
- Aggregate data: This is the general report of available information on who sends on behalf of your domain(s).
- Forensic data: This is the comprehensive report that includes a deeper analysis on who sends on your behalf. Valimail doesn’t collect forensic information, as this can expose personally identifiable information.
9. Why is data visualization especially important to utilize DMARC effectively?
Domain visibility is the first step toward DMARC enforcement because it shows you what’s going on with your domain(s). It allows you to see who passes authentication and who doesn’t.
Also, domain visibility is the same across most DMARC vendors because it’s generated from the same aggregated DMARC reports. This is why we offer free visibility here at Valimail—we don’t believe you should pay for free information generated by email service providers.
What sets us apart is our patented technology and intelligent automation throughout the entire DMARC process, including:
- Hosted DMARC and DKIM
- Unlimited SPF
- Sender intelligence
- And more
10. How does domain alignment play a role in DMARC?
Domain authentication and alignment is the originating methodology of DMARC. It validates what the machine sees, while domain alignment ensures what’s authenticated matches what displays to a user. The combination of these checks and balances ensures your protection from fraud.
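The distinction between "what the machine sees" and "what displays to a user" is the identifier alignment check. The code below is an added example, not from the interview or from any vendor: it takes the raw SPF and DKIM results (the authenticated domains) and tests whether either is aligned with the RFC5322.From domain the user sees, in relaxed or strict mode. The `organizational_domain` helper is a deliberately simplified stand-in (last two labels) for the Public Suffix List lookup real implementations use, and all domain names are placeholders.

```python
# Added example, not from the interview: the DMARC identifier-alignment check.
# organizational_domain() is a simplified stand-in for a Public Suffix List lookup.
from typing import List, Tuple


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real checks use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(header_from: str,
                 dkim_results: List[Tuple[str, str]],   # (d= domain, "pass"/"fail") per signature
                 spf_result: Tuple[str, str],           # (MAIL FROM domain, "pass"/"fail")
                 adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one authenticated identifier is aligned with From.

    SPF and DKIM on their own only prove that *some* domain authenticated the
    message; alignment is what ties that proof to the domain shown to the user.
    """
    dkim_aligned = any(res == "pass" and aligned(header_from, d, adkim)
                       for d, res in dkim_results)
    spf_domain, spf_res = spf_result
    spf_aligned = spf_res == "pass" and aligned(header_from, spf_domain, aspf)
    return {
        "dkim": "pass" if dkim_aligned else "fail",
        "spf": "pass" if spf_aligned else "fail",
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


if __name__ == "__main__":
    # Legitimate mail: signed and sent from subdomains of the From domain.
    print(dmarc_result("example.com", [("mail.example.com", "pass")],
                       ("bounce.example.com", "pass")))
    # Same mail under strict alignment: subdomains no longer count.
    print(dmarc_result("example.com", [("mail.example.com", "pass")],
                       ("bounce.example.com", "pass"), adkim="s", aspf="s"))
    # Message that authenticates for an unrelated domain: raw passes, DMARC fail.
    print(dmarc_result("example.com", [("unrelated.example", "pass")],
                       ("unrelated.example", "pass")))
```

The third case is the one that matters for the fraud protection Marcel describes: both SPF and DKIM return pass, so a pre-DMARC receiver would see nothing wrong, yet the authenticated domain has no relationship to the displayed From domain, so DMARC fails and the published policy applies.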
11. Valimail has a feature that involves automating authentication records. Can you explain what this does?
We have intelligent workflows to help guide you through an efficient process to set up your records autonomously. Our intuitive interface allows you to keep tabs on all your SPF, DKIM, and DMARC actions for your entire environment.
Once you point your records to us, you’ll have full control over your domains by following a to-do checklist from your dashboard. And this is all without having to touch any DNS.
12. When companies send from a root domain and multiple subdomains, are there any different recommendations you make to those companies regarding DMARC compared to a company just sending from a root domain?
No, not necessarily, because our patented technology automates the process of DMARC implementation in any organization, regardless of how complex the setup may be. Other vendors have trouble supporting large, complicated email ecosystems because they use manual, fragile solutions. Therefore, many vendors will advise users to create unnecessary subdomains to solve SPF limitations.
We keep things clean and straightforward. By unlocking unlimited SPF lookups without resorting to flattening or subdomains, we provide continuous protection for any size business.
13. Why do many companies struggle to get to DMARC enforcement?
We get it, DMARC is complex. Companies also run into SPF limitations due to the number of third-party services that an organization uses internally. Not to mention, they are sometimes unaware of the actual services used internally.
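The "SPF limitations" Marcel mentions are, in practice, the ten-DNS-lookup limit of RFC 7208 section 4.6.4: every include:, a, mx, ptr, exists and redirect= term costs a lookup, including those inside nested includes, and a record that needs more than ten evaluates to permerror. The following counter is an added example, not code from the interview or from any vendor; `ZONE` is a constructed in-memory stand-in for DNS and every name in it is a placeholder.

```python
# Added example, not from the interview or from Valimail: count the DNS lookups
# an SPF record needs, following include: and redirect= recursively.
# ZONE is a constructed stand-in for DNS; all names are placeholders.
from typing import Dict, Tuple

# Terms that cost a DNS lookup under RFC 7208 4.6.4; ip4, ip6 and all are free.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10

ZONE: Dict[str, str] = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.crm.example "
                    "include:_spf.mail.example include:_spf.helpdesk.example mx -all"),
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example ~all",
    "_spf1.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf2.crm.example": "v=spf1 a mx ~all",
    "_spf.mail.example": "v=spf1 redirect=_spf.mailhost.example",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8::/32 a -all",
    "_spf.helpdesk.example": "v=spf1 a mx ptr ~all",
    "small.example": "v=spf1 ip4:203.0.113.0/24 mx -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def spf_lookup_count(domain: str, zone: Dict[str, str] = ZONE,
                     _path: Tuple[str, ...] = ()) -> int:
    """Total DNS lookups needed to evaluate the SPF record of `domain`.

    Raises ValueError for a missing record or an include/redirect loop.
    """
    domain = domain.lower().rstrip(".")
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")

    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                        # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        base = name.lower().partition("/")[0]             # "a/24" -> "a"
        if base not in LOOKUP_TERMS:
            continue                                      # ip4, ip6, all: no lookup
        count += 1                                        # this term's own lookup
        if base in ("include", "redirect"):               # plus everything it pulls in
            count += spf_lookup_count(arg, zone, _path + (domain,))
    return count


def check_spf(domain: str, zone: Dict[str, str] = ZONE) -> Tuple[int, bool]:
    """(lookup count, within the RFC 7208 limit) for the domain's SPF record."""
    n = spf_lookup_count(domain, zone)
    return n, n <= LIMIT


if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        n, ok = check_spf(d)
        status = "ok" if ok else f"permerror: over {LIMIT}"
        print(f"{d}: {n} lookups ({status})")
```

Run against the constructed zone, example.com comes out at 13 lookups even though its own record lists only four lookup terms, because the CRM and helpdesk includes each bring several more with them. That hidden growth is why adding one more third-party sender can silently break SPF for a domain that was fine yesterday, and it is the reason monitoring the count belongs in the same routine as watching the DMARC reports.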
14. Once a company gets to DMARC enforcement, should it continue monitoring DMARC reports? Is it a “set it and forget it” approach?
I would say yes and no. Even after you’ve reached DMARC enforcement, we recommend you continue to monitor your email ecosystem to ensure that you’re in total control of your domain. Monitoring will help you know whether you have issues with email delivery or authentication, and consequently, secure your emails, data, and brand better.
However, Valimail will notify you when there are changes to your DMARC policy or issues with your existing DMARC record. With our alert capability, you don’t have to monitor every day—we do what we do best, so you can focus on things that really matter for your business.
15. How does DMARC play a role in BIMI?
As we all know by now, DMARC plays a critical role in your brand’s email security and deliverability strategy. BIMI is the visual confirmation that builds on the foundation of DMARC.
For marketers, DMARC has a valuable brand reputation impact. It increases deliverability and can improve your reputation score as an email sender. So when you come to IT and say, “Let’s do this DMARC project because we can use it to enable a revenue-boosting, customer-experience-enhancing project like BIMI,” the collaboration of marketing with IT and security makes DMARC a much higher priority and much more likely to get accomplished.
16. What are the main benefits of BIMI?
You can see BIMI as the carrot for completing a DMARC project in which you can produce real return on investment:
- It provides a richer inbox experience for your customers
- It gives your brand visual differentiation
- It drives engagement
- It helps amplify and underscore that cohesive brand identity
- It enhances the customer experience
Studies have even shown that you can get a 10% increase in email deliverability from DMARC enforcement. So you combine DMARC’s 10% deliverability improvement with BIMI’s 10% open rate enforcement, and you get a multiplier effect. With BIMI, you put your brand where it matters so people can see it and connect with you—and this yields meaningful results.
17. What inbox providers currently support BIMI?
As of July 12, 2021, Google has rolled out general support in Gmail, making it easier for brands to display authenticated logos in roughly 2 billion inboxes around the globe. Also, Apple recently joined Yahoo!, Fastmail, and La Poste to extend the BIMI standard to reach hundreds of millions more inboxes.
I believe Apple’s support for BIMI is critical for the growth of the ecosystem and will only increase the incentive for other mailbox providers to implement BIMI in the near future.
18. What’s the process a company must go through to enable BIMI?
To get started with BIMI, you first need to configure DMARC, as well as SPF and DKIM, for your organization’s main domain and a policy of enforcement. Remember, the major benefit of BIMI is the inclusion of your brand logo in inboxes, so you need to supply it in a specific, secure vector format and in the correct size and shape.
It’s critical to note that key participating mailbox providers also require a trademarked logo and a Verified Mark Certificate (VMC) from a certificate authority like DigiCert or Entrust.
Lastly, publish a BIMI record for your domain in DNS, and your logo will show in participating mailbox providers within minutes.
19. There’s talk that the BIMI group is working to lower the cost of domain verification certificates. Is there any validity to this?
Although the AuthIndicators Working Group has no influence on the price of VMCs, as it’s controlled by certificate authorities like DigiCert or Entrust, the BIMI group is currently in discussions with mail providers like Gmail on lifting the requirement of trademarked logos.
Ultimately, our goal is to encourage secure email best practices, and we will continue exploring the best path toward expanding the criteria beyond trademarks. While companies with trademarks can apply for a VMC now, we also encourage those without registered trademarks to get BIMI-ready while we work hard to expand features and support for BIMI.
20. Is there anything else you want to share with us?
Yes, I’m excited to share that we’ve just released the newest evolution of Enforce. We listened to our best customers and elevated our solution to streamline the path to DMARC enforcement while enabling continuous protection.
With these updates, you can now achieve continuous DMARC enforcement in as little as 60 days, saving you hundreds of thousands of dollars typically spent on employees configuring and managing DMARC manually.
Thanks to Marcel! And be sure to stay tuned, as we’ll chat with another expert in the world of email marketing to provide you with further insight into the ins and outs of email deliverability.
Don’t forget to check out Twilio SendGrid’s email deliverability services packages to level up your email program with the help of a Deliverability Expert.