Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. The hamster is falling off the wheel, been a very busy week, but very happy to have you back.
And if you've been on our website, if you have been at any of the other talks that we've been doing, listening to the show, you've noticed we've been doing a lot of changes, a lot of branding changes, bringing on, talking about a lot more of the services that we provide, really just helping to beef everything up and get a lot more information out there. One of the other things that we've been doing, which is really cool, is adding in some new actual management tools and auditing tools that make it very easy and very inexpensive for businesses to identify the issues they're having and easily correct and manage those. And one of those is our email security and management tool.
Now, the reason I'm talking about that is because there have been some major changes with the way that email will be accepted, delivered, and routed. And it all comes down to May 5th, 2025, that's just a few weeks ago, there were major changes that now require DMARC to be set up correctly for emails to be delivered. Now, if you don't know what DMARC is, that's okay, we're going to talk a little bit about it today.
We're also going to talk about what SPF records and DKIM records are, although not too deep. I think we will set up some other podcasts and other blogs to dive into that because there's a lot of information there and honestly, I don't want to get into a rambling lecture too late, but we'll have a lot there. But today we're going to talk about what those changes are that happened this May, May 5th, just a few weeks ago, what that means for your business and what you need to do to make sure that your emails continue to get delivered and don't start getting rejected outright.
With that said, before we dive in, click that like, click that subscribe, wherever you're listening to us at, YouTube, Spotify, Apple, leave us a comment. Would love to hear about the things that are working in your business, the things that we could help with, and I always say it, but would love to hear about the different wins and different things that are working really well because those we can get out to everybody and it's good to celebrate some stuff. So let's dive into it.
Let's start, I guess, with what is DMARC? Well, DMARC is Domain-based Message Authentication, Reporting, and Conformance. You're welcome. Case closed.
We can wrap up right there. No, that doesn't actually really say a lot. What DMARC is, is it actually pulls together SPF and DKIM.
Now you may be wondering what the heck is SPF and DKIM, and that's a perfectly valid question because if you look at a lot of email domains, they don't have any of this set up correctly. So again, not getting too deep, but SPF, DKIM, and DMARC are basically three levels of email security and configuration with SPF being the oldest and kind of the first level. What SPF does, Sender Policy Framework, is it's just a DNS record in your DNS records that states who it is that can send email using your domain.
You'll typically list like Microsoft or Google, and if you use MailChimp or Constant Contact or another CRM, you'll list those in there. Anybody that would send email using your domain will be in your SPF record. And what that tells everybody when they get your email is if it is not one of these approved, one of these documented hosts, it's not coming from us.
And that lets that receiver know that this might be spam, this might not be legitimate. DKIM is the next step. That's DomainKeys Identified Mail, and what that does is actually digitally signs your email.
It takes it a step further to be able to validate that this did come from you and helps to show that it hasn't been altered. Now SPF and DKIM together, DMARC pulls those together. What DMARC does is it says to any receiving email host, if you get our email and SPF and DKIM don't match, here's what we want you to do with our email.
And it can either do nothing, just let them decide what to do. It can tell them to quarantine the email, send that into your quarantine, or the step that you really should be at is tell the receiver to reject it. If our SPF and our DKIM records don't match, that's not us because we have everything tightened up.
Just get rid of it. It's spam. It's spoof.
So that's very high level what DMARC is. If you take a look at your DNS records, you can see it; your DMARC record would be a text record. And you can see that in there.
If you have, it would look something like, it would start with a V as in Victor, V equals like DMARC1. And this just shows the version of DMARC that you're using. The next part of it would be a P as in private.
P equals, and this would either be none, meaning don't do anything with it, just whatever you want to do with the email. It could be P equals quarantine, which means if SPF and DKIM don't match, quarantine it. And the final step is P equals reject, which means if the records don't match, it's not us, get rid of it.
The final part of that text record would be the RUA. What that is, is that specifies an email address of where to send any reports of what happens with those emails. So what's really cool with DMARC is that when you have that set up, if the email gets rejected or it gets quarantined because of your DMARC record, you'll actually get an email back that gives you all of that information from everybody getting all of your emails.
And you can aggregate all those to see, are all of our emails getting to where they're supposed to be? Are there things in here that we don't recognize at all, meaning maybe somebody's spoofing our email? It gives you a lot of information once those emails leave your domain. This gives you the ability to perform forensic reports and manage email security. It also allows you to prevent spoofed emails and cyber attacks.
It helps control a lot of business email compromise and other types of email attacks, because if you've got everything locked down correctly, it's very difficult to spoof your domain. Not that there still aren't ways to do it, but it becomes much more difficult. What's also very important for DMARC is that the email receivers, the different hosts that are getting the emails, when they see that you have the SPF, the DKIM, and DMARC records set up correctly, one, that helps deliver the email.
It also helps keep it out of spam. This is a very big part of what calculates, should this go to spam or should this go to the inbox? So we'll talk a little bit more about what that means. But before we do that, I want to get into what's changed.
May 5th, 2025, again, just a few weeks ago, there was a massive change with DMARC, where it used to be optional, honestly, used to be more of kind of a Cadillac and the really nice to have and something that only really security conscious companies set up. Well, May 2025, because of all of the spam email, because of all the spoofed email, it's become a requirement. Now, getting into it and reading everything from Google, from Yahoo and Microsoft, technically this applies to those sending bulk email, so over 5000 emails a month.
However, when you're really reading everything, the way that it is coming across, the way that it's being stated is that all of these major providers are saying they're going to be very strict with bulk email senders, also requiring that there's a one click unsubscribe, that their email list are scrubbed, that they don't go over a 0.3 or 0.03% spam score, 0.03%, a lot more tighter with bulk sending. However, when reading it, it also states that, well, we're going to be very strict with bulk senders, we're going to apply this to everybody else too. And here's why.
My opinion on one of the reasons, but the first reason that even they've stated is to help with security. It's to combat spam, it's to combat all the spoofing, all the phishing, it's just rampant. The other reason, and this is my opinion, but reading between the lines, is that there is so much spam, so much spoofing, so many emails that are not legitimate.
That's eating up a lot of processing power. It's eating up a lot of scanning, a lot of spam tools, a lot of tools that are opening those up, scanning the attachments. And if these major companies, and eventually all of them, can push this to the email domains to say, listen, we're just going to cut out a bulk of this.
We're not even going to scan it. We're not going to use any of our processing power or our money to scan these. If the DMARC records aren't set up, if everything's not set up correctly, these companies are going to save a lot of processing time, a lot of money, and at the same time, help with the security.
I can't say that I blame that, and also I do kind of agree with it. With that said, I think all that's just really said, say that I don't think this is going to change. I think it's going to get tighter because it makes serious financial sense for all of these businesses to move in that direction.
And from a security perspective, it's just really the right way to be moving. I think the problem with DMARC though, is that it has seemed very complicated. A lot of people don't know how to set it up.
They don't even really know what it is. And part of the reason that we're doing this podcast today, that we're starting to put out more materials, is in a lot of our audits, and even now just scanning each domain that comes into us out of curiosity, and now it's part of our prospecting, is easily over 50% of companies don't have all of their records set up right. There is a very big chunk, though, that doesn't have any of them set up correctly.
And what this means for you as a business, especially now, May going forward, is if you don't have your SPF, your DKIM, and now your DMARC records set up correctly and monitoring those, that means that up to 40 to 60% of your emails may just get rejected outright, which is huge. That means that you can't reach clients and you can't reach prospects. And for any marketing campaigns that you're paying for, 40 to 60% of that money could just be going down the drain because it's just getting rejected.
It's not even going to get to the email inbox. So that's why this is so important. What DMARC will do for your company, for your business, for your brand, is make sure that you actually get your emails delivered.
It will help with inbox placement by avoiding spam. And on the security side, it's going to help with real time spoofing protection and create a safer environment for your internal employees and company and for your customers, because it's much more difficult to spoof when you have all of the records set up correctly. It's easier to identify when somebody's trying to do it.
Now with our plugs in to make this easy, because granted trying to set up SPF, trying to set up DKIM, DMARC traditionally has been maybe not difficult, but it's easy to get wrong and it has a big impact. You can easily check all of your records. If you go to input output.com slash email dash audit, we'll also have the link in the description of the podcast.
But right from there, you'll be able to see how you're set up, where your gaps are, and then that can even show you how the IO click safe email tool can help manage all of that for you. It can show you exactly what you need to do to fix it and making it even easier. You can point all of your records right to it and manage it all basically with a click of the button and get all of your reporting, see where things are at, if people are trying to spoof your email records, if there's emails that aren't getting to where they need to be so you can follow up and correct those issues and make sure that your email's getting delivered and that it's set up correctly. That is all the time that we have for today.
And like I said, there is so much more information to talk about SPF, DKIM, DMARC, and we didn't even get into BIMI and what that is and how that will help with your deliverability. We'll definitely be setting up future podcasts, future blogs, but I thank you very much for listening to us today. Please check out those links to make sure that your email's set up right, that you're protected, and I can't wait to have you back until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review and share it with your network. Remember, security and compliance aren't just about avoiding risk.
They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
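As an added example that is not part of the podcast: a small Python parser for the v=, p= and rua= tags the host walks through, together with the receiver-side decision that the p= tag drives when a message fails SPF and DKIM. The domain names, record strings and report addresses are constructed for illustration.

```python
"""Added example: parse a DMARC TXT record and work out what a receiving
mail server does with a message that fails authentication.
All records and domains below are constructed samples."""

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.
    Returns None when the string is not a usable DMARC record
    (wrong/missing version, version not first, or no valid p= tag)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if txt.strip().lower().split("=", 1)[0] != "v" or tags.get("v") != "DMARC1":
        return None
    if tags.get("p", "").lower() not in POLICIES:
        return None
    tags["p"] = tags["p"].lower()
    return tags


def disposition(record, spf_aligned, dkim_aligned):
    """DMARC passes when either SPF or DKIM passes with an aligned domain.
    On failure, the domain owner's p= tag tells the receiver what to do;
    with no record published the receiver is left to its own judgement."""
    if spf_aligned or dkim_aligned:
        return "deliver"
    if record is None or record["p"] == "none":
        return "receiver decides"
    return record["p"]  # "quarantine" or "reject"


def report_addresses(record):
    """Aggregate-report recipients listed in rua=, if any."""
    if record is None or "rua" not in record:
        return []
    return [u.strip() for u in record["rua"].split(",")]


if __name__ == "__main__":
    SAMPLE = {  # constructed records for three hypothetical domains
        "locked-down.example": "v=DMARC1; p=reject; rua=mailto:dmarc@locked-down.example",
        "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
        "no-record.example": "",
    }
    for domain, txt in SAMPLE.items():
        rec = parse_dmarc(txt)
        print(domain, "->", disposition(rec, False, False), report_addresses(rec))
```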