Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

Originally published at 92% of Top Email Domains Remain Unprotected Against Phishing by Anush Yolyan. New EasyDMARC report reveals widespread gaps in DMARC enforcement and reporting, leaving most business email domains exposed to spoofing and impersonation. New research from EasyDMARC reveals that just 7.7% of the world’s top 1.8 million email domains are fully protected against phishing and spoofing, having implemented the most stringent DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. This configuration, known as ‘p=reject’, actively blocks malicious emails from reaching inboxes. While DMARC adoption has accelerated since 2023, driven by regulatory pressure and mandates from major email providers, most leading organisations continue to rely on the weakest policy, ‘p=none’, which passively monitors inboxes for threats without intercepting them. The findings are part of EasyDMARC’s 2025 DMARC Adoption Report, which analyses email security practices across the highest-traffic websites globally, as well as Fortune 500 and Inc. 5000 organisations. The report reveals a significant gap between DMARC implementation and effective enforcement, with more than half (52.2%) of the domains still lacking even a basic DMARC record. Among those that have implemented DMARC, most fail to apply the enforcement policies or reporting mechanisms needed to make the protocol truly effective. The report comes at a time of escalating phishing threats and increasing pressure from both regulators and mailbox providers. Mandates from Google, Yahoo, and Microsoft, along with frameworks like PCI DSS v4.0.1, have spurred a rush to adopt DMARC. But in many cases, that adoption stops at a passive monitoring setting known as ‘p=none’, which doesn’t block fraudulent emails or provide full visibility into authentication failures. “There’s a growing perception that simply publishing a DMARC record is enough,” said EasyDMARC CEO Gerasim Hovhannisyan. “But adoption without enforcement creates a dangerous illusion of security. In reality, most organisations are leaving the door wide open to attacks targeting customers, partners, or even employees.” Countries with strict DMARC mandates, such as the United States, the UK, and the Czech Republic, saw the biggest reductions in phishing emails reaching inboxes. In the US, for example, the percentage of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025. In contrast, countries with voluntary or no guidance, like the Netherlands and Qatar, showed little to no improvement. Compounding the problem is the lack of visibility. Even among domains with DMARC records, over 40% fail to include reporting mechanisms, such as RUA tags, that allow organisations to see who’s sending email on their behalf and whether it’s failing authentication checks. Hovhannisyan added: “Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organisations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option.” For more information, view the full report here.  Notes for Editors Research Methodology The EasyDMARC May 2025 DMARC Adoption Report is based on an analysis of the world’s top 1.8 million email domains, ranked by global web traffic. It examines the scale of DMARC adoption worldwide and assesses how effectively organisations are enforcing and monitoring the protocol. The report includes dedicated insights into the world’s top 1.8M domains, Fortune 500 and Inc. 5000 companies, offering a comparative view of email security maturity across different organisational sizes. It also incorporates findings from a survey of 980 IT professionals across the United States, the United Kingdom, Canada, and the Netherlands, providing regional perspectives on phishing trends, adoption challenges, and the influence of evolving regulatory mandates. In addition to public DNS data, the report also draws on proprietary data collected through EasyDMARC’s platform, including anonymised aggregate DMARC reports received from major mailbox providers (MBPs).  About EasyDMARC EasyDMARC is a cloud-native B2B SaaS that solves email security and deliverability challenges in just a few clicks. With advanced tools, including its AI-powered DMARC Report Analyser, DMARC, SPF, DKIM cloud management solutions, and email source reputation monitoring, EasyDMARC helps customers protect their domains, increase their email deliverability, and maintain strong email health. Media InquiriesResonance for EasyDMARCeasydmarc@resonancecrowd.com The post 92% of Top Email Domains Remain Unprotected Against Phishing appeared first on EasyDMARC.

At EasyDMARC, we believe in making email security as hassle-free as possible. One way we do this is by integrating our services with other IT solutions. That’s why we’re excited to announce our latest integration with Autotask PSA, a solution that will help our valued MSPs further protect their clients and efficiently manage their operations. Key Benefits The Autotask PSA integration streamlines operations for MSPs by enabling: Seamless Customer Mapping – Link your Autotask customers with corresponding domain groups in EasyDMARC for unified management. Flexible Reporting Configuration – Select which domains to report to Autotask for each mapped customer, giving you complete control over visibility and granularity. Automated Ticket Creation – Generate Autotask tickets automatically based on alerts triggered within the EasyDMARC platform, ensuring a timely response to security events. Contact Us Features & Functionalities 1. Authentication Setup Before you can start exploring the features and functionalities of the integration, you need to first link your accounts. To authenticate the connection between your EasyDMARC and Autotask PSA accounts, you’ll need to provide: Your API Tracking Identifier Your Username (Key) Your Password (Secret) These credentials allow secure communication between both platforms and must be configured before proceeding. 2. Customer Mapping Configuration With this integration, you can connect your customer data across both platforms by mapping: Domain Groups (from EasyDMARC) to Accounts (in Autotask PSA) Each mapping requires selecting a corresponding Contract linked to the Autotask Account Flexible mapping options: The mapping enables you to: Map one Domain Group to multiple Autotask Accounts Map multiple Domain Groups to a single Autotask Account You’ll receive email notifications if any issues arise with your mapped pairs. 3. Billing Configuration Settings Determine how domain reporting works and synchronizes between platforms: Enable or disable domain reporting If disabled, you can still use the integration for Alerting/Ticketing only. If domain reporting is enabled, select the service for domain reporting Create a new service in Autotask PSA or use an existing one. Configure parked domain synchronization (optional) Choose whether to sync parked domains Select which Autotask service to use for parked domains Set your preferred reporting frequency: Last day of the month: This option updates services monthly with the total domains valid during the previous month Selected date of the month: This option updates services on your chosen date with domain totals from the preceding period When services are updated, the system modifies: Unit count (quantities) Invoice Description with domain names 4. Alert-to-Ticket Mapping You can configure how EasyDMARC alerts generate tickets in Autotask PSA by doing the following: Select Domain Group (customer) from your list Choose which alerts should create tickets View all alerts configured for domains in that Domain Group Examples: DMARC Record Changed, SPF Record Changed, etc. Set default ticket parameters Type, Status, Priority, Sources, etc. How it works after configuration When an alert is triggered, the system automatically: Sends you a detailed email notification Creates a new Autotask Ticket containing: The customer information (Domain Group ⟷ Company) Alert name as the ticket subject (e.g., “DMARC Record Changed”) Complete details from the alert log (such as old and new record values) We’re sure you’ll find this integration useful in simplifying yours and your customers’ DMARC journey. Keep an eye out for more integrations coming soon. The post EasyDMARC Announces Integration with Autotask PSA appeared first on EasyDMARC.

Email continues to be the primary attack vector for cybercriminals targeting organizations across all industries. These attacks arrive disguised as legitimate communications, often mimicking trusted senders and creating a false sense of security that bypasses technical defenses by taking advantage of human error. Understanding the distinctions between business email compromise (BEC) vs phishing is crucial, as both represent sophisticated yet very different threat methods. The financial impact of email-based threats has reached unprecedented levels. According to the FBI’s Internet Crime Complaint Center, BEC scams resulted in over $2.77 billion across 21,442 reported incidents in 2024 alone. What makes a BEC attack different from a typical phishing email is its highly targeted nature. While phishing often involves mass distribution of generic threats designed to lure people in, BEC attacks specifically impersonate executives or trusted partners to target individuals with financial authority. The 2023 Verizon Data Breach Investigations Report also revealed that phishing attempts increased by 18% year-over-year, with 74% of breaches in financial services involving phishing as the initial attack method. Organizations can significantly strengthen their security posture through a combination of employee awareness training and effective security controls. Teaching staff how to identify suspicious emails represents a critical first line of defense, while implementing email authentication protocols provides essential protection.  DMARC solutions for businesses, like those provided by EasyDMARC, help organizations verify sender legitimacy, prevent domain spoofing, and block unauthorized emails before they reach employee inboxes, effectively neutralizing these threats before they can exploit various vulnerabilities. This multi-layered approach not only protects sensitive information but also preserves business continuity, shields organizational reputation, and maintains the trust that customers and partners place in your digital communications. In this article, we’ll go over what a BEC attack looks like, what makes a BEC attack different from a typical phishing email attack, recent trends, and what you can do to prevent these types of attacks.  Key Takeaways for BEC vs Phishing BEC attacks and phishing attacks are similar in that they both use social engineering tactics, typically involve email as an attack vector, and the end goal is often financial gain, data theft, or unauthorized access. While BEC attacks and phishing are similar, BEC issues are far more sophisticated and personalized to the target.  Best practices for preventing BEC attacks include training employees, using MFA, and implementing DMARC protocols.  What is a BEC Attack? BEC attacks are sophisticated email scams that target organizations, often with financial motives or to gain access to sensitive information. These highly targeted attacks involve cybercriminals impersonating executives, trusted vendors, or business partners to manipulate employees into taking actions that benefit the attacker. Unlike mass phishing campaigns that cast wide, generic nets, BEC attacks are meticulously researched and personalized. Attackers often spend weeks studying their targets’ organizational structures, business relationships, and communication patterns before launching their assault. They identify key individuals with financial authority or access to sensitive information, then craft convincing impersonations designed to exploit established relationships. The most common BEC scenario involves an urgent wire transfer request that appears to come from a company executive. For example, an employee might receive what looks like an authentic email from their CEO requesting an immediate wire transfer to a vendor. The message often emphasizes urgency and discretion, discouraging verification through normal channels. When the employee complies, the funds are transferred directly to the attacker’s account and typically moved multiple times within hours, making recovery virtually impossible. The financial damage from BEC attacks can be devastating. But beyond immediate financial losses, organizations face potential regulatory penalties, litigation costs, reputational damage, and lost business opportunities. In one case, a multinational corporation lost $47 million in a single BEC attack when an executive was tricked into authorizing multiple transfers for a supposed acquisition. How to Prevent Business Email Compromise Attacks The best way to prevent BEC attacks is by using a multi-layered approach, combining employee training, multi-factor authentication, and email security protocols. Employee Training Regular security training equips employees with the right tools to spot dangerous emails before they do damage. Teaching staff to adhere to email security best practices is a great way to ensure your employees are helping build a security-conscious culture. Multi-Factor Authentication Multi-factor authentication (MFA) provides multiple layers of defense through different authentication factors. These typically include something you know (like a password), something you have (such as a smartphone), and something you are (biometric data like fingerprints). Even if a password is compromised, these additional authentication layers prevent unauthorized access, dramatically reducing the risk of account infiltration. The multiple verification steps create a robust security mechanism that goes far beyond traditional password protection. Email security protocols like DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework), and DMARC (Domain-based Message, Authentication, Reporting, and Conformance) provide critical layers of protection against email spoofing and phishing attempts. These protocols work together to verify the authenticity of email senders and prevent unauthorized use of domain names. To best identify email security issues, users can use tools like SPF lookups, DKIM Record Checkers, and DKIM Record Generators. However, these tools can only go so far.  To ensure the best possible protection against BEC attacks, organizations must have DMARC properly set up to achieve the most secure email authentication. To do so, users can make use of online DMARC solutions to help them implement the strongest DMARC policies and get support with the continual monitoring of their domains.  Start Your 14-day Free Trial What is a Phishing Attack?  A phishing attack is one in which attackers impersonate trusted entities to trick victims into revealing sensitive information. They typically arrive via email, text messages, or social media, masquerading as legitimate communications from banks, service providers, colleagues, or other trusted sources.  Today’s phishing attacks have evolved far beyond the obvious grammatical errors and implausible scenarios of early attempts. Modern phishing emails often feature perfect spelling, convincing logos, and accurate sender information. They create a false sense of urgency, leverage fear or curiosity, and provide seemingly legitimate reasons for immediate action. The most common phishing scenario involves an email claiming to be from a trusted organization, alerting the recipient to a supposed account problem requiring immediate attention. Recent phishing statistics reveal that the most targeted industry in 2024 was the IT sector. This industry faces greater risk due to its critical role in infrastructure and access to valuable data. Cybercriminals exploit software vulnerabilities and employee susceptibility to phishing scams to gain access to sensitive information and important systems.  The Evolution of Phishing Since their inception in the 90s, phishing attacks have progressed significantly. Early attacks often contained obvious red flags like poor grammar and unlikely scenarios. Since then, cyber criminals have refined their tactics, creating more convincing messages that mimic legitimate organizations with increasing accuracy.  Modern attacks often include spear phishing, which targets individuals through the use of personal relevant information, clone phishing, which replicates legitimate emails but replaces attachments with malicious versions, vishing, involving voice phishing via phone calls, and pharming, which redirects website traffic to fake sites without user interaction. Today’s most sophisticated phishing attacks employ AI-generated content that can adapt to targets in real-time, creating highly personalized and convincing communications. According to SlashNext’s 2023 State of Phishing Report, AI-enhanced phishing attacks increased by 1,265% in 2022 alone, with attackers using machine learning to craft increasingly convincing messages. The Real Cost of Phishing The damage from phishing attacks extends far beyond initial credential theft, creating long-lasting consequences for organizations that fall victim to them. When attackers gain access to accounts or systems, they can steal sensitive data, including financial information and intellectual property. These breaches often lead to substantial financial loss, with the average cost of a data breach reaching $4.45 million in 2023.  Even more devastating can be the deployment of ransomware across corporate networks, as seen in high-profile cases where companies paid millions in ransom and still faced weeks of operational disruption. The repercussions continue to ripple outward as cybercriminals establish persistent access for extended campaigns, sometimes maintaining hidden footholds for months before being detected. Using compromised accounts, attackers frequently target an organization’s partners and customers, exploiting established trust relationships to spread their reach.  This cascade effect severely damages brand reputation and erodes customer confidence, as demonstrated when major retailers experienced phishing breaches that led to measurable customer churn and required expensive brand rehabilitation campaigns. The combined impact of regulatory fines, litigation, remediation costs, and lost business opportunities often transforms what seemed like a simple email attack into an existential threat for many businesses. Recent Trends and Emerging Threats Phishing threats continue to evolve at a rapid pace. Recent trends include: QR Code Phishing: Attackers embed malicious QR codes in emails that direct victims to credential-harvesting sites MFA Bypass Techniques: Sophisticated phishing kits that can intercept and replay authentication tokens in real-time AI-Generated Content: Using large language models to create highly convincing and contextually appropriate phishing messages Collaboration Platform Targeting: Focused attacks on workplace tools like Microsoft Teams, Slack, and Google Workspace How to Prevent a Phishing Attack To best prevent phishing attacks, as with BEC attacks, we recommend a multi-layered approach, combining technical solutions like DMARC, human awareness including security training, and organizational processes like MFA.  Detecting email security vulnerabilities requires specialized tools such as SPF lookup utilities, DKIM record verification and generation tools, DMARC verification services, and phishing link checkers.  For optimal defense against phishing attacks, organizations should implement properly configured DMARC protocols to maximize email authentication security. Dedicated DMARC solutions like EasyDMARC offer assistance in deploying robust DMARC policies and providing ongoing domain monitoring support. Get Started Now Is Business Email Compromise the Same as Phishing? BEC and phishing attacks are closely related and often overlap, as both rely on deception to trick victims into taking harmful actions. However, they differ in execution, targeting, and sophistication. Similarities Between BEC and Phishing  Both use social engineering tactics to manipulate victims. Both typically involve email as the primary attack vector. The end goal of both is often financial gain, data theft, or unauthorized access. Differences Between BEC and Phishing  Targeting: BEC attacks are highly targeted, often aimed at specific individuals like executives or finance personnel, while phishing is usually broader and sent to large groups. Tactics: BEC relies on impersonation and pretexting without malware or links, whereas phishing often uses malicious links or attachments to compromise systems. Complexity: BEC attacks are generally more sophisticated and customized, requiring research and planning, whereas phishing is typically automated and generic. EasyDMARC Can Prevent BEC Attacks and Stop Phishing As cyber threats continue to evolve, organizations must understand the nuances between BEC and phishing attacks to build more effective defenses. Both attack types exploit human trust and communication habits, but BEC attacks stand out for their precision, research, and high financial stakes, while phishing typically relies on volume and opportunism. Regardless of the method, email remains the most exploited vector, making email security a critical priority. At EasyDMARC, we equip businesses with the tools needed to identify, categorize, and neutralize both BEC and phishing threats, as well as countless other attacks. By implementing email authentication protocols like DMARC, SPF, and DKIM, organizations can verify sender identity and prevent domain spoofing.  Our platform also offers powerful tools to help users detect weaknesses and take action before attackers can exploit them. Features like real-time alerting and aggregate reporting give organizations the visibility and agility needed to respond quickly and decisively to suspicious activity. Looking ahead, phishing attacks continue to rise year upon year, becoming increasingly targeted and convincing. Meanwhile, BEC attacks are growing in sophistication and financial impact. The most effective way to stay ahead of these evolving threats is by adopting a proactive, layered defense strategy that includes email authentication. With the right tools, policies, and training in place, organizations can significantly reduce their exposure and build long-term resilience against the next wave of email-based attacks. Frequently Asked Questions What is a BEC cyber attack? A Business Email Compromise (BEC) cyber attack is a type of email fraud that targets businesses and organizations to trick employees, executives, or partners into transferring money or sensitive information to the attackers. It typically involves the spoofing or compromising of a legitimate business email address to manipulate the victim into taking actions that result in financial or data losses. Attackers will often impersonate other people at the company, particularly management or higher-ups. What is an example of a BEC? BEC attacks almost always involve impersonation of a company employee, so they often begin with an email from an attacker impersonating someone at the company. In some cases, the attacker will target the company’s accounts payable department with an email containing a malicious link or attachment. Once the link is clicked, the attacker can gain access to the accounts payable email, making stealing money much easier.  Here is an example of what an email from a BEC attack may look like. “Hi [Employee Name],I need you to process an urgent payment of $100,000 to [Vendor Name]. This payment is time-sensitive, and we need it completed by the end of the day. Please wire the funds to the following account:Account Number: 1234567890  Routing Number: 987654321  Bank Name: [Fake Bank Name]Let me know once it’s done. This is very important.Best,  [CEO Name] What makes a BEC attack different than a typical phishing? A Business Email Compromise (BEC) attack differs from a typical phishing attack in several key ways. While both types of attacks use social engineering to manipulate victims into taking actions that benefit the attacker, BEC attacks are usually aimed at businesses, focusing on financial transactions or stealing confidential data. The emails appear legitimate, making it harder to detect, and often involve impersonating high-level employees. On the other hand, phishing is usually more generic and aimed at a wide audience, trying to trick victims into clicking on malicious links or downloading malware to steal personal information, such as login credentials. Phishing emails often include suspicious links or attachments, while BEC emails are more subtle and business-focused. Who do BEC attacks typically target? Business Email Compromise (BEC) attacks typically target specific individuals within an organization who have access to financial transactions, sensitive company data, or the ability to authorize actions such as fund transfers. The attackers often focus on individuals who are more likely to be tricked into complying with requests that appear legitimate. What is the difference between BEC and EAC? BEC involves attackers impersonating executives or trusted partners to trick employees into transferring money or sensitive data. It’s highly targeted and often financially motivated. In contrast, EAC (Email Account Compromise) occurs when an attacker gains unauthorized access to an individual’s email account to steal information or monitor communications. While BEC focuses on financial fraud, EAC is generally more about unauthorized access and data theft. What is the best way to prevent BEC attacks? The best way to prevent BEC attacks is employee training. Teaching your employees what to look for gives them the knowledge needed to recognize when an email looks suspicious and trains them not to click on links or attachments in emails.  Other effective approaches include using multi-factor authentication and implementing email authentication protocols like DMARC, DKIM, and SPF. Services like EasyDMARC makes implementing these protocols easy, fast, and secure. 

Our recent webinar, “Stay Deliverable: Meet Microsoft Outlook’s New Email Sender Requirements,” brought in an engaged audience with insightful questions about how Microsoft’s updated policies affect bulk email senders. From domain management and alignment to monitoring and implementation challenges. As promised, to ensure everyone gets the answers they need, we’ve compiled some of the most important questions from the webinar, along with expert responses from our team. Let’s dive in! 1. Domain Management & Alias Complexity I have multiple domains, with one being main and others as alias domains. We’re having deliverability problems with aliases due to DMARC and Gmail/Yahoo requirements. Should I separate them entirely? There’s no specific indication that having alias domains could affect deliverability with Google and Yahoo. When it comes to alias domains, you can only set DKIM alignment to pass with the From: address alias domain. SPF alignment will always fail. Also, it’s good to note that the primary domain will continue sharing its reputation with alias domains in general. You can separate them entirely or set them up as secondary domains, where they will be fully independent from the primary domain and won’t share reputation. Even so, the reputation relies on thousands of data points. If I have EasyDMARC on my primary domain, do I need to set it up again on subdomains I send from? No. If you add just your primary domain, then your subdomains will automatically populate in your DMARC aggregate reports once we receive reports indicating there are outgoing emails from your subdomains. DMARC for subdomains will automatically inherit everything (policy and reporting) directly from the root/primary domain. If you don’t have an explicit DMARC record on your subdomain, it will inherit everything from your root domain. 2. Tools and Platform Mismatches How do you deal with Bluehost saying “no issues” when EasyDMARC shows otherwise? There are ESPs or hosting providers that show there are no problems if everything is set correctly from a DNS perspective. However, there are cases where, even if you’ve set your DNS records correctly (SPF, DKIM, or DMARC), things can still fail depending on your sending practices. It’s always best to follow the live process of DMARC reports, which are generated every 24 hours and show exactly what MBPs are saying about your authentication process. 3. Provider-Specific Requirements Are SPF, DKIM, and DMARC requirements different for Microsoft vs Gmail? If we’re good with Google, are we good with Microsoft too? Generally, yes. Both require senders to have SPF and DKIM authentication set up with DMARC implemented using at least p=none. When it comes to alignment, Google and Microsoft both require either SPF or DKIM to be aligned with the From: address domain, but Microsoft goes a step further by preferring both to be aligned. Google has Postmaster Tools. Is there a Microsoft equivalent? Microsoft provides SNDS, which is an IP-based Postmaster tool, unlike Google Postmaster, which is domain-based. That being said, Microsoft SNDS is useful and can be implemented if you have dedicated IP pools. Are there extra DMARC requirements for domains like cox.net or frontier that transitioned to Yahoo? Yes.  4. Implementation Clarifications What is “alignment” in the DMARC context? Alignment in DMARC means that the domain in the From: header matches (or is a subdomain of) the domain used in SPF or DKIM authentication. DMARC passes only if either SPF or DKIM passes and aligns with the From domain. Without alignment, even valid SPF/DKIM results won’t satisfy DMARC. If the sending server only supports SPF, what can be done? If SPF is the only supported authentication method, you must ensure SPF passes and aligns with the domain in the From: header to satisfy DMARC. Use a custom Return-Path domain that aligns, or adjust the From domain to match the SPF-authenticated domain. However, relying only on SPF is risky because intermediate forwarding can break SPF. DKIM signing is recommended for redundancy, better deliverability, and to avoid false positives. Is continuous monitoring needed after you configure DMARC? If yes, why? Yes, continuous monitoring is critical even after DMARC is configured. Email ecosystems change frequently; new services, new domains, or third-party platforms may start sending on your behalf without proper SPF/DKIM. Monitoring DMARC reports helps you detect unauthorized sources, misconfigurations, and alignment issues in real time. Without monitoring, you risk delivery failures. 5. Record Limits and Best Practices Can a domain have two SPF records? No, a domain must have only one SPF TXT record per domain level. If you publish more than one, SPF validation will fail with a PermError. Instead, you should merge all mechanisms and includes into a single record. Use tools to validate syntax and avoid duplication when combining SPF entries. Note: You can have an SPF record on different subdomains. What if a domain’s SPF needs more than 10 includes? Does EasyDMARC help with this? Yes, we have an EasySPF solution that replaces includes with resolved IPs and keeps your record within limits. It also auto-updates your SPF record regularly to reflect IP changes. Will having different DKIM selectors cause a conflict? No, multiple DKIM selectors can coexist without conflict. Selectors are used to locate the DKIM public key in DNS, and each selector is independent. This allows different services (e.g., Microsoft, Mailchimp) to sign with their own selectors. Just ensure each selector’s DNS record is correct and that you monitor them using DMARC Aggregate reports. 6. Sending Limits and Provider Rules This requirement applies to domains sending 5000+ emails/day via Microsoft 365, not just outlook.com/hotmail.com, right? No, this requirement is not about sending from Microsoft 365. It applies to any domain that sends over 5,000 emails per day to Microsoft’s consumer email services, such as outlook.com, hotmail.com, and live.com. The infrastructure you send from doesn’t matter—what matters is the volume of messages received by Microsoft consumer mailboxes. These domains must comply with Microsoft’s SPF, DKIM, and DMARC requirements or risk delivery issues. Microsoft 365 (enterprise mail) is not currently affected by this enforcement.  7. Miscellaneous but Useful Why did it take companies so long to adopt SPF, DKIM, DMARC if the solution existed for years? Adoption lagged due to a lack of awareness, poor tooling, and fear of breaking legitimate email flows. SPF and DKIM require precise DNS setup, and DMARC enforcement can cause delivery issues if alignment isn’t handled properly. Which BIMI cert is being de-trusted? The Entrust BIMI VMC is being de-trusted by Google starting August 31, 2024. This means BIMI logos using Entrust-issued VMCs will no longer display in Gmail after that date. Define CMC, please. CMC stands for Certified Mark Certificate. It’s a BIMI-compatible certificate issued to organizations without a registered trademark, allowing them to display a verified logo (without the blue checkmark) in email clients. Unlike a VMC, which requires a registered trademark, a CMC can use logos that are pending trademark approval or internally validated. For full compliance, does reporting (RUA/RUF) need to be enabled and monitored? No, enabling RUA/RUF is not required for DMARC compliance, but it’s strongly recommended (for us, it’s required). Reports don’t affect enforcement but provide visibility into who’s sending mail on your behalf and whether it passes SPF/DKIM. Without reports, you’re flying blind and could miss abuse or misconfigurations. Monitoring RUA reports helps you maintain ongoing compliance and security. What does “unsubscribe processing timeline (must honor within 2 days)” mean exactly? Does it include users who mark as spam? It means if a user clicks “unsubscribe,” their request must be processed and fully effective within 2 days, no more emails after that. It doesn’t apply to users who mark emails as spam, but high spam complaint rates are still tracked and can affect your domain reputation. Final Thoughts The new requirements from Microsoft mark a significant step toward a more secure and reliable email ecosystem but they also demand proactive configuration and monitoring from senders. We hope these answers clarify the nuances of authentication, domain reputation, and compliance as they relate to both Microsoft and other major mailbox providers. If you still have questions or need help implementing the right email security practices, our team is always here to support you. Stay tuned for more updates and educational sessions as the email landscape continues to evolve. The post Answering Your Webinar Questions: Meet Microsoft Outlook’s New Email Sender Requirements appeared first on EasyDMARC.

RSAC Conference, San Francisco, 28th April – EasyDMARC, a provider of email authentication and domain protection solutions, today announced the availability of its platform in the Microsoft Azure and Microsoft AppSource marketplaces. Microsoft customers can now deploy EasyDMARC directly within their existing cloud environment, with simplified procurement and management through trusted Microsoft channels. The integration comes at a time when email authentication has become a critical requirement for organizations sending large volumes of email. With Microsoft Outlook being the latest to introduce stricter standards for high-volume senders, businesses face growing pressure to implement DMARC, SPF, and DKIM. These protocols not only protect inboxes against domain spoofing and phishing threats but are increasingly essential for ensuring email deliverability. EasyDMARC’s marketplace availability helps organizations accelerate adoption by removing common procurement and integration barriers. Security teams can now evaluate, procure, and deploy the solution directly from the Microsoft ecosystem, helping ensure compliance with modern email requirements while improving protection against impersonation-based threats. Commenting on the integration, Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC said: “Meeting modern security standards shouldn’t be complicated, nor should it be a barrier for businesses. By listing on Microsoft Azure and AppSource, we’re giving our customers a frictionless path to adoption. Our mission is to make strong email security accessible, and this partnership helps us deliver on that promise at scale.” EasyDMARC’s listing supports the company’s continued growth in the enterprise and managed service provider (MSP) sectors, following integrations with Pax8, HaloPSA, and other platforms serving channel partners. EasyDMARC’s Plus and Premium plans are now available for purchase directly through Microsoft Azure and AppSource. The company will also exhibit at RSAC 2025 at Booth N4529, North Expo. Demo requests can be made here:  https://easydmarc.com/blog/event/rsa-conference/ About EasyDMARC EasyDMARC is a cloud-native B2B SaaS that solves email security and deliverability challenges in just a few clicks. With advanced tools, including its AI-powered DMARC Report Analyser, DMARC, SPF, DKIM cloud management solutions, and email source reputation monitoring, EasyDMARC helps customers protect their domains and maintain strong email health. For Managed Service Providers (MSPs) seeking to grow their business, EasyDMARC offers a powerful platform for streamlining domain management with features like organisational control, domain grouping, and access management. A comprehensive sales and marketing enablement programme further supports MSPs in elevating DMARC sales. The platform is scalable and available with flexible, pay-as-you-go pricing. The post EasyDMARC Now Available on Microsoft Azure and AppSource Marketplaces appeared first on EasyDMARC.

What is Email Deliverability, and Why Does it Matter? Email deliverability is the ability of emails to successfully reach recipient inboxes, and not land in spam or junk folders. It’s not just about whether an email was sent; it’s also about whether it actually arrived, where it was supposed to go,  and whether it was considered trustworthy enough to show up in the inbox.  How Poor Deliverability Impacts Email Marketing Campaigns Deliverability matters because, for every marketing email that doesn’t make it to a prospect, a business opportunity is missed. It’s like printing thousands of flyers for a campaign and having over half of them tossed in the trash before they ever reach a mailbox.  The average email open rate is around 39.7%, with an average click-through rate of only 1.0%. Inbox placement rates trended downwards in 2024, declining to 82.3% in Q4. For companies investing serious time and money into email outreach, poor deliverability is a silent budget killer that can sabotage even the most well-crafted campaigns. While AI is decreasing the amount of time it takes to craft a high-converting marketing email, on average, 53% of brands take two weeks or more to produce a marketing email. (image credit: Kinsta.com) Time is money, and the last thing you want is for an email your Marketing team spent over a week tweaking to land in spam or be rejected by the server. You may be asking, ‘Why the focus on email marketing?’ Well, when done correctly, the return on investment for email campaigns can be up to 3600%. How Does DMARC Factor into Email Deliverability? DMARC may play a behind-the-scenes role in email deliverability, but it is a crucial one. It controls whether your marketing emails reach the inbox, get diverted to spam, or get rejected entirely. It works by verifying that an email claiming to be from your domain actually came from an authorized sender. If you want more of the nitty-gritty details on this, check out EasyDMARC’s ultimate guide to DMARC. When properly configured, DMARC helps email providers like Gmail, Outlook, and Yahoo trust your messages, which boosts your sender reputation and improves deliverability. Without it, your emails are more likely to be flagged as suspicious or spoofed, especially if someone else is trying to send phishing emails using your brand name. That’s why DMARC isn’t just a cybersecurity tool; it’s a strategic lever for ensuring your campaigns land in front of the people you’re trying to reach. What Brand Trust Means to Your Business Brand trust is the quiet force behind almost every buying decision. It’s what makes someone open your email instead of deleting it, click your link instead of scrolling past, and say “yes” to your offer instead of hesitating. When your audience trusts your brand, they assume your messages are safe, your promises are real, and your business is worth their time. That kind of trust doesn’t come from clever headlines or perfect designs; it comes from consistency, credibility, and showing that you take their security and experience seriously. In the crowded space of digital marketing, brand trust isn’t a soft metric; it’s a direct driver of engagement, loyalty, and ultimately, revenue. Why Would Using DMARC Increase Brand Trust? Using DMARC increases brand trust because it actively protects your customers, partners, and prospects from email-based fraud that could damage your reputation. When someone receives an email with your name on it, they’re putting trust in your brand just by opening it. If that message turns out to be a phishing scam or malware-laced spoof, that trust evaporates and can be hard to earn back.  DMARC prevents unauthorized senders from impersonating your domain, signaling to inbox providers and recipients that your messages are legitimate and safe. Over time, this builds confidence in your communication, reinforcing the perception that your business takes customer safety seriously and can be relied on, not just to deliver value, but to do it securely. How can IT and Marketing Collaborate on Email Deliverability? When IT and Marketing collaborate, email deliverability is no longer a technical hurdle – it’s a strategic advantage. Together, these teams can ensure that every campaign not only looks good but also gets seen. IT brings the tools and expertise to protect the domain and boost sender reputation, while Marketing understands the timing, tone, and target of each message. By working together, they can reduce bounce rates, improve open rates, and safeguard the brand from impersonation; ultimately stretching every marketing dollar further and building lasting trust with the audience. Align on Approved Sending Domains and Tools Marketing teams often use third-party platforms, like Mailchimp, HubSpot, or ActiveCampaign, to manage email campaigns. If those platforms aren’t properly authorized through SPF and DKIM records, your emails might be flagged as suspicious. IT should work closely with Marketing to make sure all tools and domains used for email are aligned with the organization’s DMARC policy. This is especially important when Marketing launches a new campaign or sends from a subdomain. A quick conversation before hitting “send” can prevent major deliverability issues and lost time.Treat Email Security as Part of the Customer Experience Marketing is usually laser-focused on customer experience, but that should include email security, too. If customers receive spoofed or phishing emails that appear to come from your brand, it not only creates confusion, it also breaks trust. IT plays a critical role in preventing that kind of damage, but Marketing can help by framing DMARC and authentication as part of the broader brand promise. When IT understands they’re contributing directly to the user experience, and marketing sees how security helps drive engagement, mutual respect and a more unified strategy are formed. Share Email Data to Spot Deliverability Problems Both Marketing and IT teams have useful data; they’re just looking at different dashboards. IT has access to DMARC reports, bounce logs, and authentication failures via solutions like EasyDMARC. Marketing has insights on open rates, engagement trends, and unsubscribes. When these data sets are shared and compared, you can spot deliverability problems from the outset. For example, if open rates suddenly drop, marketing might assume it’s a content issue, but IT could confirm that it’s actually a sender reputation problem. Regular data syncs help both sides connect the dots faster. Key Takeaways When Navigating Email Deliverability Challenges Ensuring email deliverability isn’t just a technical challenge, it’s a business imperative. Every missed message is a lost opportunity to engage a potential customer, grow your brand, and drive revenue. That’s why email deliverability can’t be owned by IT alone, or siloed off in a marketing dashboard; it requires shared responsibility and proactive communication between both teams. When IT lays the technical foundation, ensuring DMARC is in place, and Marketing brings creativity to the table, the result is powerful: more visibility, more engagement, and more value from every campaign you launch. If your business is struggling with low open rates, high bounce rates, or brand impersonation issues, you don’t have to figure it out alone. Consider working with a Managed Services Provider like Managed Nerds. As an EasyDMARC partner, we specialize in helping small and mid-sized businesses untangle their email deliverability challenges. Whether you need a full DMARC setup, help interpreting your reports, or just want your emails to actually land, we’re here to make that happen; because getting seen and trusted is the first step to getting email marketing results. The post From DNS to Deliverability: Why IT and Marketing Should Talk More Often appeared first on EasyDMARC.

What is Email Deliverability, and Why Does it Matter? Email deliverability is the ability of emails to successfully reach recipient inboxes, and not land in spam or junk folders. It’s not just about whether an email was sent; it’s also about whether it actually arrived, where it was supposed to go,  and whether it was considered trustworthy enough to show up in the inbox.  How Poor Deliverability Impacts Email Marketing Campaigns Deliverability matters because, for every marketing email that doesn’t make it to a prospect, a business opportunity is missed. It’s like printing thousands of flyers for a campaign and having over half of them tossed in the trash before they ever reach a mailbox.  The average email open rate is around 39.7%, with an average click-through rate of only 1.0%. Inbox placement rates trended downwards in 2024, declining to 82.3% in Q4. For companies investing serious time and money into email outreach, poor deliverability is a silent budget killer that can sabotage even the most well-crafted campaigns. While AI is decreasing the amount of time it takes to craft a high-converting marketing email, on average, 53% of brands take two weeks or more to produce a marketing email. Time is money, and the last thing you want is for an email your Marketing team spent over a week tweaking to land in spam or be rejected by the server. You may be asking, ‘Why the focus on email marketing?’ Well, when done correctly, the return on investment for email campaigns can be up to 3600%. How Does DMARC Factor into Email Deliverability? DMARC may play a behind-the-scenes role in email deliverability, but it is a crucial one. It controls whether your marketing emails reach the inbox, get diverted to spam, or get rejected entirely. It works by verifying that an email claiming to be from your domain actually came from an authorized sender. If you want more of the nitty-gritty details on this, check out EasyDMARC’s ultimate guide to DMARC. When properly configured, DMARC helps email providers like Gmail, Outlook, and Yahoo trust your messages, which boosts your sender reputation and improves deliverability. Without it, your emails are more likely to be flagged as suspicious or spoofed, especially if someone else is trying to send phishing emails using your brand name. That’s why DMARC isn’t just a cybersecurity tool; it’s a strategic lever for ensuring your campaigns land in front of the people you’re trying to reach. What Brand Trust Means to Your Business Brand trust is the quiet force behind almost every buying decision. It’s what makes someone open your email instead of deleting it, click your link instead of scrolling past, and say “yes” to your offer instead of hesitating. When your audience trusts your brand, they assume your messages are safe, your promises are real, and your business is worth their time. That kind of trust doesn’t come from clever headlines or perfect designs; it comes from consistency, credibility, and showing that you take their security and experience seriously. In the crowded space of digital marketing, brand trust isn’t a soft metric; it’s a direct driver of engagement, loyalty, and ultimately, revenue. Why Would Using DMARC Increase Brand Trust? Using DMARC increases brand trust because it actively protects your customers, partners, and prospects from email-based fraud that could damage your reputation. When someone receives an email with your name on it, they’re putting trust in your brand just by opening it. If that message turns out to be a phishing scam or malware-laced spoof, that trust evaporates and can be hard to earn back.  DMARC prevents unauthorized senders from impersonating your domain, signaling to inbox providers and recipients that your messages are legitimate and safe. Over time, this builds confidence in your communication, reinforcing the perception that your business takes customer safety seriously and can be relied on, not just to deliver value, but to do it securely. How can IT and Marketing Collaborate on Email Deliverability? When IT and Marketing collaborate, email deliverability is no longer a technical hurdle – it’s a strategic advantage. Together, these teams can ensure that every campaign not only looks good but also gets seen. IT brings the tools and expertise to protect the domain and boost sender reputation, while Marketing understands the timing, tone, and target of each message. By working together, they can reduce bounce rates, improve open rates, and safeguard the brand from impersonation; ultimately stretching every marketing dollar further and building lasting trust with the audience. Align on Approved Sending Domains and Tools Marketing teams often use third-party platforms, like Mailchimp, HubSpot, or ActiveCampaign, to manage email campaigns. If those platforms aren’t properly authorized through SPF and DKIM records, your emails might be flagged as suspicious. IT should work closely with Marketing to make sure all tools and domains used for email are aligned with the organization’s DMARC policy. This is especially important when Marketing launches a new campaign or sends from a subdomain. A quick conversation before hitting “send” can prevent major deliverability issues and lost time.Treat Email Security as Part of the Customer Experience Marketing is usually laser-focused on customer experience, but that should include email security, too. If customers receive spoofed or phishing emails that appear to come from your brand, it not only creates confusion, it also breaks trust. IT plays a critical role in preventing that kind of damage, but Marketing can help by framing DMARC and authentication as part of the broader brand promise. When IT understands they’re contributing directly to the user experience, and marketing sees how security helps drive engagement, mutual respect and a more unified strategy are formed. Share Email Data to Spot Deliverability Problems Both Marketing and IT teams have useful data; they’re just looking at different dashboards. IT has access to DMARC reports, bounce logs, and authentication failures via solutions like EasyDMARC. Marketing has insights on open rates, engagement trends, and unsubscribes. When these data sets are shared and compared, you can spot deliverability problems from the outset. For example, if open rates suddenly drop, marketing might assume it’s a content issue, but IT could confirm that it’s actually a sender reputation problem. Regular data syncs help both sides connect the dots faster. Key Takeaways When Navigating Email Deliverability Challenges Ensuring email deliverability isn’t just a technical challenge, it’s a business imperative. Every missed message is a lost opportunity to engage a potential customer, grow your brand, and drive revenue. That’s why email deliverability can’t be owned by IT alone, or siloed off in a marketing dashboard; it requires shared responsibility and proactive communication between both teams. When IT lays the technical foundation, ensuring DMARC is in place, and Marketing brings creativity to the table, the result is powerful: more visibility, more engagement, and more value from every campaign you launch. If your business is struggling with low open rates, high bounce rates, or brand impersonation issues, you don’t have to figure it out alone. Consider working with a Managed Services Provider like Managed Nerds. As an EasyDMARC partner, we specialize in helping small and mid-sized businesses untangle their email deliverability challenges. Whether you need a full DMARC setup, help interpreting your reports, or just want your emails to actually land, we’re here to make that happen; because getting seen and trusted is the first step to getting email marketing results. The post From DNS to Deliverability: Why IT and Marketing Should Talk More Often appeared first on EasyDMARC.

As the old proverb goes, “If you want to go fast, go alone. If you want to go far, go together.”  As I reflect on 15-plus years in cyber security, I realize that different approaches are often required to tackle the rapidly evolving threat landscape, whether they be from an economic or geo-political perspective.  On a recent trip to Yerevan, I had the opportunity to visit the TUMO Centre of Creative Technologies, an institution that provides a free educational program to the next generation of thinkers. During a design session facilitated by Picsart, a longtime customer of EasyDMARC, younger students were seen actively collaborating with older classmates on digital design projects.  It was inspiring to see such effortless teamwork at play, and an honor to share my experience in scaling hypergrowth companies at the American University of Armenia to a highly educated class of international graduates. The encounter once more reminded me of the importance of educating and nurturing the minds of future generations. Throughout my career, I have always emphasised the importance of being a team player. Indeed, cyber security is very much a collective effort–supporting organizations through their digital transformation while helping them learn to protect themselves is no small feat.  Conferences provide the ideal environment for attendees to explore the wider threat landscape, delivering valuable insights that benefit the entire DMARC community. We recognize that everyone’s time is precious, which is why at EasyDMARC, we focus on authentic conversations about the genuine value we bring to customers and partners across the entire security and deliverability ecosystem. I have been fortunate enough to attend RSAC Conference for more than a decade, and 2025 marks the first year of EasyDMARC’s participation at the world’s largest cyber and information security event, which attracts 40,000-plus attendees to San Francisco.  In a rapidly developing and economically-driven world, this year’s conference theme, “Many voices, One Community,” perfectly captures our collaborative spirit. Beyond our strategic booth location near the North Expo entrance, the EasyDMARC team has already received numerous invitations to participate in and contribute to various partner and government-led initiatives that emphasize meaningful engagement. I regularly hear about the budgetary pressures organizations face during a time when threats are constantly evolving. Whilst directives and regulations, such as PCI DSS v4.0 in the payments sector, may drive compliance, it’s imperative that customers make educated investment decisions with regards to their security poster prior to compulsory deadlines to best serve their customers and partners. At EasyDMARC, we pride ourselves on delivering intelligent research to drive more accurate decisions. That’s why we’ve recently added several new reports to the resource section of our website. And while our recent research suggests that DMARC adoption is improving, it’s clear that proper enforcement is lacking.  With the recent re-launch of our EasyDMARC Academy, which offers an innovative, online module for DMARC certification, we aim to help educate the rapidly growing DMARC community on the benefits of effective DMARC deployment. As more than five million cyber security roles remain vacant globally, it is clear we cannot solely rely on AI to close the skills gap in an increasingly technology-driven world. Further support is also available through our new Partner Portal to help our partners scale their skills with content to drive wider global engagement.  As you can see, collaboration is very much in our DNA at EasyDMARC. If you are attending RSAC Conference this week, we’d love to meet you and chat face-to-face. Stop by our booth, #4529, located in the North Hall, to see how we are truly delivering a bright future for domain and email security. You may even hear the new verb, “EasyDMARC it.” The post The Power of Collaboration  appeared first on EasyDMARC.

This morning started with a call from a friend – clearly shaken. He had just received an alarming email that looked strikingly legitimate. Unsure whether it was safe or a scam, he reached out to me for help verifying its authenticity. What followed was a deep dive into the message to determine whether it was a genuine communication or a cleverly crafted phishing attempt. The email was convincing enough to create real concern, and that’s what makes this story worth sharing. This was the email: The email claimed that a subpoena had been issued by law enforcement requesting the extraction (access/download) of the contents of his Google Account. What made the situation even more alarming was that the email appeared to come from a legitimate Google no-reply address. On the surface, everything looked clean – no typos, no odd links, and the sender domain seemed genuine. But something felt off, and that gut feeling is often your first line of defense. Ready to secure your email? Get started now! Digging Deeper: Investigating the Suspicious Email Curious and concerned, I examined the email headers and link previews in a sandbox environment, a secure setup isolated from production systems, specifically designed for this kind of research. On the surface, everything appeared to check out: The sender address looked like an official Google no-reply domain The branding and language were polished and professional There were no obvious grammar issues or suspicious attachments. But as we know, phishing campaigns have gotten much more sophisticated. So, I dug into the email headers, checking the SPF, DKIM, and DMARC authentication results. That’s when the red flags began to appear. Important Reminder: Don’t Engage with Suspicious Emails Never click on links or follow instructions in suspicious emails, no matter how legitimate they may seem. Even opening a link or downloading a file could trigger malicious scripts or redirect you to phishing sites designed to steal your credentials. If you’re unsure, leave the investigation to professionals who can safely analyze the message in a sandboxed environment.. Interacting with a malicious email outside of such an environment could result in: Loss of sensitive data Business Email Compromise (BEC) Account takeovers Wider network breaches When in doubt, don’t click – report and escalate. Here is the URL from that email:https://sites.google.com/u/34961821/d/1XMIxkFiq54WpH2tKqay2EPnhN0Ukovet/edit  This redirects to the Google account login page if you are not logged in : After logging in, or if you are already logged in, it sends you to the Google Sites page.  Here’s something critically important to understand: This is not a real Google support page. It’s not a Google sign-in page. It’s not any official Google property in the traditional sense. Instead, it’s a regular Google Sites page, a free tool anyone can use to build a website. In this case, cybercriminals used it to create a page that mimics an official Google support case, complete with convincing visuals and language. Because it’s hosted on a trusted google.comsites.google.com), many users let their guard down. But don’t be fooled – just because the domain looks legitimate doesn’t mean the content is. Start Email Security Check What Google Sites Is Used For Google Sites serves as a practical tool for various purposes, including: Internal team pages (like company intranets or project dashboards) Documentation hubs Event landing pages Personal portfolios or school projects Simple public websites You can create a site by dragging and dropping content blocks (text, images, videos, Google Docs, etc.), and it’s tightly integrated with other Google Workspace tools. When Trusted Infrastructure Becomes a Threat: Google Sites Abuse Google Sites, originally launched in 2008, is part of Google Workspace and allows any authenticated user to create a custom website hosted under the sites.google.com domain. It’s widely used for internal and public-facing content due to its ease of use, zero cost, and native integration with Google products. However, that same convenience is now being weaponized by attackers. Why it’s dangerous: Anyone with a Google account can create a site that looks legitimate and is hosted under a trusted Google-owned domain. There’s no need for custom hosting or domain registration, and attackers benefit from Google’s SSL certificates and brand reputation. Attackers can embed deceptive content (fake login screens, credential harvesting forms, misleading CTAs) under a domain that would normally pass casual user trust and even automated link validation checks. Now let’s take a closer look at the key elements that make this scam so deceptive. How the Attacker Performed a DKIM Replay to Spoof Google This attack was a confirmed DKIM Replay Attack where a spoofed message appeared to be from [email protected], had passed DKIM and DMARC, and was delivered to a Gmail inbox. Below is a step-by-step explanation of exactly what the attacker did, from start to finish — including all infrastructure involved. Step 1: Attacker receives a legitimate email from Google The attacker first received a real email from Google, originating from [email protected]. It included a valid DKIM signature: DKIM-Signature: d=accounts.google.com; s=20230601; bh=a+1bch/… The attacker then extracted and saved this exact email, including headers and body, without modifying anything signed by DKIM. Step 2: Attacker prepares to replay the signed message DKIM (DomainKeys Identified Mail) works by applying a digital signature to specific headers and the body of the email when it is first sent. This signature is generated using the sender’s private key and is attached as a header in the email itself. When the message is forwarded, the original DKIM signature usually remains untouched as long as the email content and headers covered by the signature are not modified. Since forwarding services often preserve the original message as-is (especially in cases like aliasing or server-side forwarding), the DKIM signature remains valid and can still be verified using the sender’s public DNS record.  dkim=pass  Step 3: Attacker sends the email from Outlook The attacker used an Outlook account ([email protected]) to send the spoofed message. Outbound hop: Server: LO3P265CU004.outbound.protection.outlook.comIP: 40.93.67.3 In another example, the origin of the email is Google’s notification service. The email flow is described in the attack reproduction section at the end of this article. Step 4: Message is relayed through Jellyfish SMTP Microsoft then hands the message over to a custom SMTP service: Relay: asp-relay-pe.jellyfish.systemsIP: 162.255.118.7 This system acts as a middle relay, distancing the spoof even further from Google. It’s not affiliated with Namecheap or PrivateEmail. Step 5: Message forwarded via Namecheap’s PrivateEmail The message is then received by Namecheap’s mail infrastructure (PrivateEmail), which provides mail forwarding: Systems involved: mta-02.privateemail.com DIR-08 fwd-04.fwd.privateemail.com fwd-04-1.fwd.privateemail.com During this phase: A new DKIM signature is added: DKIM-Signature: d=fwd.privateemail.com; l=52331; The body beyond 52KB is not signed, but this DKIM is not aligned, so it’s not used for DMARC. SPF passes due to rewritten Return-Path, but is also not aligned. However, since the original Google DKIM is untouched and aligned, DMARC still passes. Step 6: Final delivery to Gmail Final delivery is handled by: Sender: fwd-04-1.fwd.privateemail.com (66.29.159.58)Recipient MX: mx.google.com At this point, the email reaches the victim’s inbox looking like a valid message from Google, and all authentication checks show as passing: SPF=pass (via forwarder) DKIM=pass (from Google) DMARC=pass (based on aligned DKIM) Final SMTP Hop Breakdown: When a Fake Subpoena Becomes an Attack Vector Fake subpoena emails are especially dangerous because they trigger fear, urgency, and confusion. Most people don’t know precisely how subpoenas work, so when an email looks official and mentions legal action, it’s easy to panic and click without thinking. To clarify, a subpoena is typically issued by: A court A lawyer (in civil cases) A government agency (in administrative cases) A subpoena can require someone to: Appear in court Provide documents or evidence Testify at a deposition or trial Serving a Subpoena The subpoena must be formally served to the person or entity. Common methods include: Personal Service (most common and preferred) A process server or law enforcement officer physically hands the subpoena to the individual. Required in most cases to ensure proper delivery and acknowledgment. Mail or Email (only in some cases) Some jurisdictions or situations (especially civil subpoenas) allow service by certified mail or email, but only with prior consent or court approval. In such cases, the subpoena should be delivered in an encrypted way using the company’s official email address. It’s never delivered through third-party platforms. A Registered Agent (for companies) If the subpoena is for a business, it’s often served to their registered agent (a person or service officially designated to receive legal documents on the company’s behalf). Knowing how real subpoenas are issued and delivered can help you spot red flags. Phishing threats are evolving, no longer marked by broken English and sketchy URLs. Today’s attacks often come cloaked in legitimacy, sometimes even using platforms like Google Sites to mimic real support cases. As we saw in this real-world example, even the most tech-savvy users can be caught off guard. The Takeaway? Always question unexpected emails, especially those urging urgent action or containing links to login pages. Just because something looks like it comes from Google (or any other trusted source) doesn’t mean it’s safe. When in doubt, don’t click, don’t reply, and don’t engage. Escalate to your security team or a professional who can handle the investigation in a secure, sandboxed environment. I’m interested in seeing more real-life examples. Do you have any notable cases to share? Start DMARC Journey We Have an Update: Reproducing the Attack We have dived deeper and successfully reproduced the attack: In the first step, the attacker registered a domain via Namecheap. We observed the attack originating from the following domains, which have now been taken down: googl-mail-smtp-out-198-142-125-38-prod.net wd-00000000000097d33d0631f6fe58-goog-ssl.com On the second step attacker registered a free PrivateEmail via Namecheap. me@googl-mail-smtp-out-198-142-125-38-prod.net On the third step they registered a Google Workspace account (free trial) and verified the domain via the DNS TXT record. You need to register it in the google to be able to move to the next steps. In the next step, they created a Google OAuth app and granted the access to that account. Here’s the twist: Google sends the alert or notification to the privately registered email address, where the domain is verified but uses different MX records than Google’s (specifically, Namecheap PrivateEmail). And most importantly, the key trick is that you can put anything you want in the App Name field in Google.: The alert goes directly to the Namecheap account, which has some very interesting “capabilities.”. You can create conditions and put no-reply@google account as From address and the reply address can be anything: the forwarding rule will direct the email to the desired addresses: It is clearly visible from Resent-From and Redirected-From headers: Here is the result: The other details have already described. Frequently Asked Questions What is a DKIM replay attack? A DKIM replay attack is when an attacker captures a legitimate email with a valid DKIM signature and re-sends (replays) it to new victims. Since the body and signed headers remain unmodified, the DKIM signature still validates, making the spoofed email appear authentic. Can SPF or DMARC prevent DKIM replay attacks? Not reliably. 1. SPF validates the MAIL FROM domain and sending IP, which often won’t align during a replay.2. DMARC relies on alignment between SPF or DKIM and the Header From. If DKIM is aligned (as in this case, google.com), and still valid, DMARC can pass, even though the message is replayed from an attacker’s server. Why are DKIM replay attacks hard to detect? DKIM replay attacks are hard to detect because the message appears unmodified, with a valid DKIM signature and even a DMARC pass. If you rely on the email body or DKIM signature verification you may not see anything suspicious. The attack relies on trust in previously signed content, not on breaking cryptography. How did the attacker bypass detection using Google OAuth? The attacker created a malicious Google OAuth app, naming it something like “Google Support.” They inserted phishing content and links into the App Information which includes manually cloned Google support page hosted on sites.google.com.Google generated a valid security alert from [email protected] when access was granted, which the attacker then forwarded to the victim.The forwarded email looked like it came from Google and passed DKIM/DMARC, giving it credibility. What are the most effective ways to be cautious and reduce the risk of DKIM replay attacks? Rotate DKIM Keys FrequentlyRaise User Awareness 1. Encourage caution when clicking on links, even if the sender looks familiar.2. Remind users to check URLs carefully before entering any credentials.3. Share examples of phishing tactics like urgent language, fake legal notices, or account alerts.4. Promote a culture of reporting. If something feels off, it’s always worth flagging.

DKIM (DomainKeys Identified Mail) is an email authentication method that helps verify that an email wasn’t altered during transmission. It works by adding a digital signature to email headers using cryptographic techniques – the sending server signs outgoing messages with a private key, while receiving servers verify these signatures using a public key published in the sender’s DNS records. DKIM serves as a critical component of DMARC. When combined with SPF, DKIM helps DMARC further authenticate emails, protecting domains from spoofing and phishing attacks. However, proper DKIM implementation can be challenging, especially for those who are just getting started with DMARC protocols. That’s where DKIM selectors come in. They allow organizations to manage multiple authentication keys, simplifying deployment across different email services and departments while maintaining strong security practices. Take a look at our DKIM Lookup tool to easily verify digital signatures and the integrity of incoming emails. What is a DKIM Selector? A DKIM selector is a string that identifies a specific DKIM public key for a domain. They allow organizations to use multiple DKIM Key records for a single domain, enabling different departments or services to send authenticated emails. They work by linking each DKIM signature to its corresponding public key, helping receivers locate the correct key during authentication. For example, marketing emails might use the “mkt” selector while automated notifications use the “alert” selector, letting both departments send authenticated emails from the same domain. A selector appears as the “s=” tag in the DKIM signature header field (e.g., “s=mkt”) in the email header, directing the receiving server to check the specific DNS record (like mkt._domainkey.example.com) for the matching public key. The receiving server uses a selector to locate and retrieve the public key to verify that the specified outgoing message is authenticated and not altered along the way. Can I Have Multiple DKIM Selectors? Absolutely. As many organizations tend to use multiple Email Service Providers (ESPs) and third-party services for their email strategies, each service can have separate DKIM signatures identified with unique selectors so that the signing and verifying processes for one service doesn’t interfere with another. Say your organization uses GSuite, Sendgrid, and MailChimp. Each server provides its own DKIM Signature, which can be differentiated with a selector. For example: Google’s default DKIM selector is:google._domainkey.[yourdomain.com] containing DKIM Public Signature (where “Google” is the selector) Sendgrid’s default DKIM selector is: s1._domainkey.[yourdomain.com] containing DKIM Public Signature (where “s1” is the selector) MailChimp’s default DKIM selector is: k1._domainkey.[yourdomain.com] containing DKIM Public Signature k2._domainkey.[yourdomain.com] containing DKIM Public Signature (where “k1” and “k2” are the selectors) Why Do We Need Multiple DKIM Selectors, and How Do We Use Them? Multiple selectors enable email stream segmentation, allowing different departments or services to use their own keys. For example, you could use one selector for internal emails and another for, say, marketing emails. Having multiple selectors also enables third-party integrations, allowing each service provider to use a unique selector, which ensures that emails from different platforms authenticate correctly without error. This setup also aids in troubleshooting by allowing the user to quickly identify which specific key was used for each stream. Overall, using multiple selectors means more flexibility, security, and control over email processes. How to Use a DKIM Selector Generate a DKIM Key Pair: Create a private and public key pair using our DKIM tool. The private key signs your emails, while the public key is published in your DNS records for verification. Choose a DKIM Selector: Select a unique and descriptive name for your selector, such as “marketing2025” or “internal1.” This selector helps identify which key was used to sign an email. Publish the Public Key: Create a TXT record in your DNS with the format “selector._domainkey.yourdomain.com” and include your public key in the value field. Configure Your Email Server: Set up your email server to use the chosen selector for signing emails. Who Provides the DKIM Selector? It mainly depends on the source. If you’re using ESPs and third-party services, they usually have official documentation on how to implement a DKIM Signature. For some sources, it is possible to pick a custom “selector”, while with others, default and in-built selectors are used. Some sources, like Office365 and MailChimp, follow DKIM security best practices, requiring organizations to publish multiple selectors and DKIM records to support automated DKIM key rotation, achieved with CNAME records. At EasyDMARC, we provide more than 1,000 identified email vendors and configuration guides for both SPF and DKIM. With our DKIM lookup tool and DKIM record generator, getting started is easy, accurate, and secure. How Can I Find My DKIM Selector? The simplest way to find your DKIM selector is to send an email to yourself and look at the email headers. In Gmail, click ‘Show original’ Search for ‘DKIM-Signature’ to find the DKIM Signature applied to the email There will be cases where you may find multiple DKIM Signatures applied to your message. In this case, make sure you find the one that contains your domain name, applied in (d=yourdomain.com) tag. So if you don’t find any DKIM-Signature header, or you don’t find any DKIM-Signature that matches your domain name, additional steps need to be taken from your ESP side with DKIM configuration and implementation steps. You can read our article on DMARC Alignment on our website. Without inspecting email headers, and if properly authenticated, you will easily find your DKIM Signature selectors in your EasyDMARC dashboard. Implement DKIM, Protect Your Email Inspecting and verifying your DKIM signature is essential for debugging DKIM issues. Properly configured DKIM is critical for your DMARC enforcement journey, as improper setup can lead to rejected emails, increased spam filtering, damaged sender reputation, and vulnerability to spoofing attacks. DKIM selectors are key for managing multiple authentication keys across different email services, providing necessary flexibility while adding configuration complexity. The interplay between DKIM, SPF, and DMARC creates robust protection, but requires technical expertise to implement correctly. EasyDMARC simplifies this process with specialized tools including our DKIM Lookup for configuration analysis and DKIM Validator for pre-deployment testing. Our platform streamlines DMARC implementation with guided setup, automated policy recommendations, and intuitive reporting dashboards that transform complex authentication data into actionable insights, helping organizations of all sizes secure their email communications effectively. The post What is a DKIM Selector and How Does it Work? appeared first on EasyDMARC.

 RSAC 2025 Conference, San Francisco, 21st April – EasyDMARC, a leading provider of email authentication solutions, today announced it will be exhibiting at RSAC 2025 Conference in San Francisco. The company will be available at Booth #N4529 (North Expo) to demonstrate how businesses, MSPs, and channel partners can simplify compliance, strengthen their email security posture, and accelerate adoption of standards like DMARC, SPF, and DKIM. With increasing enforcement from providers like Google, Yahoo, and Microsoft Outlook, organizations are under more pressure than ever to adopt robust email authentication protocols. EasyDMARC’s platform helps enterprises and SMBs protect their domains from phishing, spoofing, and impersonation, while also aligning with evolving compliance mandates such as the PCI DSS v4.0.1 payment regulation. Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC said: “Exhibiting at RSAC Conference for the first time is an exciting milestone for us. The conference is a great opportunity to connect with like-minded security leaders, while contributing to a stronger, more resilient cybersecurity ecosystem. Security standards are evolving quickly but adopting them shouldn’t be a burden. We are here to show that email and domain security should be fast, risk-free, easy-to-use and reliable as we build the world’s largest DMARC community. At RSAC Conference, EasyDMARC will unveil new integrations designed to enhance partner enablement and customer onboarding. The company will also launch its new bi-annual The EasyDMARC 2025 DMARC Adoption Report, offering a clear view of progress made in helping businesses understand what’s needed to take the next step toward meaningful, sustainable email and domain protection. As awareness of authentication best practices grows, EasyDMARC continues to expand its partner ecosystem. The company is on track to double its MSP and channel footprint in 2025, leveraging recent integrations with ConnectWise, HaloPSA, Pax8, whilst building on our strategic partnership with Guidepoint Security. “ Visitors to Booth #N4529 will also have the opportunity to: See a demo of EasyDMARC’s security platform in action. Gain clarity on the latest email authentication requirements from Google, Yahoo, and Microsoft Outlook, and how organizations need to be aware of new regulations and directives such as PCI DSS V4.0.1,  for changes. Be among the first to access EasyDMARC’s new DMARC Adoption Report. Explore MSP and partner opportunities. Meet and speak directly with EasyDMARC’s product experts and leadership team. To schedule a demo or connect with EasyDMARC at RSAC Conference, visit here: https://easydmarc.com/blog/event/rsa-conference/  About EasyDMARC EasyDMARC is a cloud-native B2B SaaS that solves email security and deliverability challenges in just a few clicks. With advanced tools, including its AI-powered DMARC Report Analyser, DMARC, SPF, DKIM cloud management solutions, and email source reputation monitoring, EasyDMARC helps customers protect their domains and maintain strong email health. For Managed Service Providers (MSPs) seeking to grow their business, EasyDMARC offers a powerful platform for streamlining domain management with features like organisational control, domain grouping, and access management. A comprehensive sales and marketing enablement programme further supports MSPs in elevating DMARC sales. The platform is scalable and available with flexible, pay-as-you-go pricing. The post EasyDMARC to launch new DMARC Adoption report at  RSAC™ 2025 Conference appeared first on EasyDMARC.

Despite the proliferation of messaging platforms, email remains the number one communication and verification method worldwide. In 2024, there were 4.48 billion email users worldwide, accounting for 56.8% of the world’s total population with projections indicating annual growth. Unfortunately, due to its popularity, email communications have long attracted a nefarious crowd: the cybercriminal. Despite long-established countermeasures, email-based threats have only intensified, both in sophistication and frequency. In a report published by Cybercrime Magazine, researchers found that ransomware attacks occur every two seconds, placing annual damage cost projections at $57 billion for 2025 – approximately $4.8 billion monthly. Phishing remains the most common form of cyber crime, with an estimated 3.4 billion spam emails sent every day.  But phishing isn’t the only way cyber criminals gain access to sensitive information. According to IBM, Business Email Compromise (BEC) attacks are the second most expensive type of security breach, costing an average of $4.89 million annually. Given the substantial damage these attacks can cause, it’s crucial for users to equip themselves with the proper tools to combat such threats. Email security protocols are designed to protect against these threats by verifying sender authenticity, encrypting content, and filtering out malicious messages. The good news is that most major email providers automatically implement these protocols to protect their users.  However, if you use an Email Service Provider (ESP), your DMARC responsibilities depend on your setup: Sending from your own domain: You’re responsible for publishing DMARC, SPF, and DKIM DNS records. While your ESP provides the necessary DKIM key and SPF include statement, you must add these to your domain’s DNS and create/manage your DMARC policy record yourself. Using ESP’s domain: The ESP handles all DMARC management for their domains—no setup required from you. DMARC requirements: Major providers like Google and Yahoo now require DMARC for bulk senders to ensure deliverability and prevent email spoofing. EasyDMARC offers a streamlined way to implement comprehensive email security, providing protection against spoofing, phishing, and other email-based attacks. Secure Your Email Domain Now What are Email Security Protocols? Email security protocols are configurations that help keep email communications safe. Let’s take a look at some of the most common ones: DMARC SPF DKIM MTA-STS TLS-RPT S/MIME BIMI ProtocolPurposeHow it WorksSPFValidates authorized sending IPsPublishes allowed IPs in DNS, mail servers verify before acceptingDKIMVerifies email content integritySigns message headers with a private key, verified with public key in DNSDMARCTies SPF and DKIM results, provides reportingInstructs receivers what to do if authentication failsMTA-STSForces TLS encryption for incoming emailsPublishes a policy in DNS, rejecting non-TLS mail serversTLS-RPTMonitors email encryption issuesSends reports if email encryption failsS/MIMEEncrypts email body and attachmentsUses digital certificates for encryption and signingBIMIShows logo in inboxes after DMARC passRequires strong authentication and displays brand logo What is DMARC? DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect organizations and their recipients from fraudulent emails. Since its initial introduction, it has become a fundamental domain security tool and a global authentication standard. It works by utilizing SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) to determine the authenticity of a message. For Managed Service Providers (MSPs), implementing DMARC for MSP clients provides critical security value. A regular DMARC lookup process allows MSPs to monitor client domains, prevent email spoofing, and enhance overall security posture.  DMARC ensures that only authorized senders can use your domain, safeguarding your organization’s reputation and protecting clients and partners from fraudulent emails that appear to come from your email address. It is crucial for defending your domain against phishing and spoofing attacks. Additionally, DMARC reports offer insights into how your domain is being used and help you detect unauthorized activities before they become serious threats. What is SPF? SPF (Sender Policy Framework) is an email authentication protocol that lets domain owners specify which IP addresses are authorized to send emails on their behalf. It prevents spoofing of the RFC5321.MailFrom (Return-Path) address by publishing a DNS record listing these IPs, and receiving servers can validate the sending IP against the SPF record. SPF results alone usually do not cause direct rejection; instead, they contribute to the overall authentication evaluation (especially when combined with DKIM and DMARC) and may influence spam filtering decisions. For maximum protection, SPF is often implemented alongside DKIM (DomainKeys Identified Mail), which provides cryptographic verification that messages haven’t been altered in transit. What is DKIM? DKIM is a protocol that allows domain and organization owners to send authenticated or signed emails. This verification is made possible through cryptographic authentication. It allows the recipient server to verify that the content of the original message was not altered in any way, ensuring that an email was properly signed and remains unaltered. It works in tandem with SPF to provide the maximum protection for your domain, ensuring deliverability and helping to reduce the risk of phishing attacks. What is MTA-STS? MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enforces TLS, an email encryption protocol, for inbound email delivery to a domain. It allows mail servers to securely communicate by ensuring messages are transmitted over an encrypted connection, thereby mitigating risks such as man-in-the-middle attacks. In 2019, Google became the first major email provider to adopt the new MTA-STS policy, which ensures all inbound emails come through the Transport Layer Security (TLS). This policy complements and strengthens STARTTLS, which is a command that allows mail servers to upgrade an SMTP (Simple Mail Transfer Protocol) connection to a secure, encrypted one. The issue with STARTTLS is that it is vulnerable to downgrade attacks and lacks mechanisms for strict enforcement or sender authentication, making it optional and insecure in certain scenarios. The MTA-STS policy aims to prevent attackers from tampering with email content or sending the communication to another address. Unlike STARTTLS, MTA Strict Transport Security always keeps TLS on. It tells external servers that your email server only accepts email delivery through a secure connection. What is TLS-RPT? TLS Reporting (TLS-RPT) is a protocol that allows email domains to receive reports about the success or failure of TLS encryption during email transmission, providing insights into potential security issues when emails are sent to a domain. Like DMARC reports, TLS reports detail failed SMTP connections and explain why they happened. These failures occur for three reasons: Failed TLS negotiation DNS-related issues MTA-STS problems Also like DMARC reports, TLS reports are delivered to a particular URI (Uniform Resource Identifier) or email address set up via a DNS TXT record. While other protocols focus on authentication and preventing spoofing, TLS-RPT is used specifically to help ensure that the transport encryption layer is working properly, protecting message confidentiality during transmission. What is S/MIME? S/MIME (Secure/Multipurpose Internet Mail Extensions) provides end-to-end encryption and digital signatures for email messages. Unlike SPF, DKIM, and DMARC, which focus on server-level authentication, S/MIME operates at the individual message level. Key features of S/MIME include: End-to-end encryption: S/MIME encrypts the actual content of email messages, keeping them private even if intercepted during transmission. Only the intended recipient with the correct private key can decrypt and read the message. Digital signatures: S/MIME allows senders to digitally sign their messages, verifying their identity to recipients and ensuring the message hasn’t been tampered with during transit. Certificate-based: S/MIME relies on public key infrastructure (PKI) and digital certificates issued by trusted Certificate Authorities (CAs). Each user needs their own certificate containing their public key. Client-side implementation: Unlike server-based protocols, S/MIME typically requires configuration on the email client (like Outlook, Apple Mail, etc.) rather than at the mail server level. What is BIMI? BIMI (Brand Indicators for Message Identification) is a visual trust indicator that allows domain owners to display their verified brand logos in supporting inboxes after passing DMARC authentication. That way, your customers can be sure that your emails are legitimate. BIMI is built on the DMARC standard for verifying email. Before you send an email to your recipients’ inboxes, your email provider verifies it against the sender’s DMARC record within the message to confirm that it’s legitimate. Resources like BIMI record checks allow users to validate their BIMI record to ensure customer trust. Why are Email Security Protocols Important? Email security protocols, like the ones discussed above, are vital in combating email-related attacks. As such, major email providers including Google, Yahoo, Microsoft, and Apple have begun to require certain authentication protocols like SPF, DKIM, and a proper DMARC setup to protect users from spam, spoofing, and phishing, help keep user data safe, and preserve their brand reputation.  While these major platforms simply require base-level implementation — meaning a DMARC record with at least a p=none policy — this is just the monitoring mode of DMARC and represents the first step in a domain’s DMARC journey. For the highest level of projection against email-based attacks, it is recommended that users implement a policy of p=reject in order to instruct email receivers to outright reject emails that fail DMARC checks.  What are Phishing and Spoofing? Phishing Phishing is a social engineering tactic in which hackers send emails or other messages pretending to be from reputable sources in order to get individuals to share sensitive and personal information. Since the mid-1990s, cybercriminals have used phishing attacks to steal credentials, financial information, and confidential business data, which often results in financial losses and reputational damage. Phishing remains the most prevalent cyber threat worldwide, accounting for the majority of security breaches, and is often the entry point for ransomware and BEC scams.  Spoofing Spoofing is a type of cybercrime in which spam emails are sent using the identity of a trusted company or individual. Bad actors send fake emails that appear legitimate so they can trick victims into sharing sensitive details or downloading malware-infected files. Cybercriminals use email spoofing for many reasons, including: Hiding their identities Avoiding a spam blocklist Damaging a brand’s image Doing personal damage Requesting transfers of money Tricking victims into submitting sensitive details like passwords and login credentials Fraudulently gaining a target’s financial details or OTPs How are Phishing and Spoofing Connected? Phishing attacks are successful because they often use emails designed to look legitimate and appear to come from a trusted sender. These cyberattacks exploit human nature, incorporating elements of urgency, fear, or excitement.  For example, a phishing email might look like an urgent bank message saying your account has been compromised and you need to submit your login credentials. It could also seem like communication from your boss requesting sensitive info or an email saying you’ve won something and need to click on a malicious link (disguised as a genuine one). You can avoid phishing attacks by checking if an email is sent from an authentic and credible domain. Other factors like misspellings, unrequested or unidentified links and files, unusual requests, etc., are red flags too. On the other hand, spoofing involves disguising illegitimate communication as legitimate. Bad actors use anything from email addresses and phone numbers to domain names and websites. In email spoofing, they usually send emails from a typosquatted or extended email domain. Typosquatting is a cybercrime where malicious actors register domains with deliberate misspellings to lure victims into clicking a corrupt link or sharing crucial details, for example, using amaz0n.com instead of amazon.com.  Phishing and spoofing are often used interchangeably because they work hand in hand to create a believable email that appears to come from a legitimate source. Hackers use email spoofing tactics to conceal phishing attempts and fool recipients. Which Security Protocols Help Prevent These Attacks? DMARC, DKIM, and SPF all specifically help prevent spoofing and phishing. By correctly implementing these protocols, users can correctly authenticate, verify, and monitor email communications. Email Security Protocols Protect Your Brand Many organizations view security measures as obstacles that slow down operations and create friction in communication channels. When it comes to email security protocols, there’s often hesitation due to perceived implementation complexity and concerns about potential delivery disruptions. However, this short-term thinking ignores the substantial consequences of email-based attacks. A single successful phishing campaign or domain spoofing incident can lead to data breaches costing millions, regulatory penalties, and most devastatingly, the erosion of customer trust that may have taken years to build. The reputational damage from compromised email channels far outweighs any temporary inconvenience during security implementation. In fact, 86% of customers are willing to pay more for companies they trust, while one-third of consumers will abandon brands they love after just one bad experience.  When customers receive fraudulent emails appearing to come from your domain, they don’t blame the cybercriminals – they question your organization’s commitment to security. Modern email authentication protocols not only prevent these incidents but have become streamlined enough that implementation no longer significantly impacts operations, making the argument against email security implementation obsolete. Protecting Your User’s Data is Critical The landscape of data leaks has evolved into a persistent threat for businesses of all sizes. According to IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach reached $4.45 million, a 15% increase over three years. These financial impacts extend far beyond immediately fixable costs. When MGM Resorts experienced a massive breach in September 2023, they reported losses exceeding $100 million from operational disruptions alone, while T-Mobile’s 2021 breach resulted in a $350 million settlement after exposing data from 76.6 million customers. The repercussions of data leaks stretch well beyond financial statements. Perhaps most concerning is the long-tail effect – businesses typically don’t discover breaches for an average of 277 days, allowing attackers extensive access to sensitive systems. Email security protocols are the critical first line of defense against these devastating scenarios. Given that approximately 90% of data breaches begin with phishing emails or business email compromise, implementing robust authentication standards like DMARC, SPF, and DKIM serves as a foundational security measure.  These protocols help prevent attackers from impersonating legitimate domains, blocking one of the most common entry points for data theft. By verifying sender legitimacy and ensuring email integrity, these standards significantly reduce the risk of employees or customers falling victim to sophisticated phishing attempts that often initiate the chain of events leading to catastrophic data exposure. Implementing Email Security Protocols can be Easy Email security protocols like SPF, DKIM, DMARC, TLS-RPT, MTA-STS, S/MINE, and BIMI form the foundation of modern communication security. As we’ve seen, email remains the primary communication and verification channel worldwide, with billions of users depending on it daily. As such, email is an attractive target for cybercriminals employing increasingly sophisticated phishing attacks, spoofing, and fraud schemes. Implementation of these critical protocols doesn’t have to be complex or disruptive when approached proactively. DMARC solutions for businesses are a great way to ensure proper execution of these measures. At EasyDMARC, we offer a comprehensive platform specifically designed to simplify email security implementation. Our solution provides automated setup, continuous monitoring, and real-time reporting to ensure your domain remains protected without burdening your IT resources. Whether you’re managing a small business email server or enterprise-level communications, our intuitive dashboard and expert support make maintaining robust email security accessible for organizations of all sizes. As we look to the future, email-based threats will only become more sophisticated, leveraging advanced AI and social engineering techniques to bypass traditional security measures. The rise of deepfakes and machine-learning powered impersonation attacks means that yesterday’s security approaches are insufficient for tomorrow’s threats. By implementing comprehensive email security protocols now, organizations establish a critical first line of defense against evolving threats.  With EasyDMARC’s continuous updates and proactive security approach, businesses can stay ahead of emerging vulnerabilities, preserve their brand reputation, and ensure the integrity of their most important communication channel.  The post Email Security Protocols and Why They’re Important appeared first on EasyDMARC.

The Adoption Report 2025 by EasyDMARC In our 2025 DMARC Adoption Report, we examined DMARC adoption across the 1.8 million most-visited domains worldwide. Though adoption is growing—spurred by new email provider requirements and regulations—our research reveals a critical protection gap. Most domains have implemented DMARC but lack the enforcement policies and reporting configurations necessary for actual security. Sign Up for Early Access Available May 2025 Inside This Report Adoption trends: The significant growth in DMARC implementation Implementation gaps: Why most domains remain exposed despite having records Missing visibility: How 70% of organizations lack crucial reporting configurations Action plan: Moving from basic compliance to effective protection Why This Matters Now Major email providers have implemented strict authentication requirements affecting all organizations sending bulk emails. Our report provides the strategic guidance needed to protect your domain reputation while ensuring email deliverability. Available May 2025 Join the Waitlist! First name Last name Email Job Title Company Name Phone Number Reserve Your Copy The post The Adoption Report 2025 by EasyDMARC appeared first on EasyDMARC.