EasyDMARC
Recent Posts
  • EASYDMARC.COM
    The Power of Collaboration 
    As the old proverb goes, “If you want to go fast, go alone. If you want to go far, go together.”  As I reflect on 15-plus years in cyber security, I realize that different approaches are often required to tackle the rapidly evolving threat landscape, whether they be from an economic or geo-political perspective.  On a recent trip to Yerevan, I had the opportunity to visit the TUMO Centre of Creative Technologies, an institution that provides a free educational program to the next generation of thinkers. During a design session facilitated by Picsart, a longtime customer of EasyDMARC, younger students were seen actively collaborating with older classmates on digital design projects.  It was inspiring to see such effortless teamwork at play, and an honor to share my experience in scaling hypergrowth companies at the American University of Armenia to a highly educated class of international graduates. The encounter once more reminded me of the importance of educating and nurturing the minds of future generations. Throughout my career, I have always emphasised the importance of being a team player. Indeed, cyber security is very much a collective effort–supporting organizations through their digital transformation while helping them learn to protect themselves is no small feat.  Conferences provide the ideal environment for attendees to explore the wider threat landscape, delivering valuable insights that benefit the entire DMARC community. We recognize that everyone’s time is precious, which is why at EasyDMARC, we focus on authentic conversations about the genuine value we bring to customers and partners across the entire security and deliverability ecosystem. I have been fortunate enough to attend RSAC Conference for more than a decade, and 2025 marks the first year of EasyDMARC’s participation at the world’s largest cyber and information security event, which attracts 40,000-plus attendees to San Francisco.  
In a rapidly developing and economically-driven world, this year’s conference theme, “Many voices, One Community,” perfectly captures our collaborative spirit. Beyond our strategic booth location near the North Expo entrance, the EasyDMARC team has already received numerous invitations to participate in and contribute to various partner and government-led initiatives that emphasize meaningful engagement. I regularly hear about the budgetary pressures organizations face during a time when threats are constantly evolving. Whilst directives and regulations, such as PCI DSS v4.0 in the payments sector, may drive compliance, it’s imperative that customers make educated investment decisions with regard to their security posture prior to compulsory deadlines to best serve their customers and partners. At EasyDMARC, we pride ourselves on delivering intelligent research to drive more accurate decisions. That’s why we’ve recently added several new reports to the resource section of our website. And while our recent research suggests that DMARC adoption is improving, it’s clear that proper enforcement is lacking. With the recent re-launch of our EasyDMARC Academy, which offers an innovative, online module for DMARC certification, we aim to help educate the rapidly growing DMARC community on the benefits of effective DMARC deployment. As more than five million cyber security roles remain vacant globally, it is clear we cannot solely rely on AI to close the skills gap in an increasingly technology-driven world. Further support is also available through our new Partner Portal to help our partners scale their skills with content to drive wider global engagement. As you can see, collaboration is very much in our DNA at EasyDMARC. If you are attending RSAC Conference this week, we’d love to meet you and chat face-to-face. Stop by our booth, #4529, located in the North Hall, to see how we are truly delivering a bright future for domain and email security.
You may even hear the new verb, “EasyDMARC it.”
  • EASYDMARC.COM
    Google Spoofed Via DKIM Replay Attack: A Technical Breakdown
    This morning started with a call from a friend – clearly shaken. He had just received an alarming email that looked strikingly legitimate. Unsure whether it was safe or a scam, he reached out to me for help verifying its authenticity. What followed was a deep dive into the message to determine whether it was a genuine communication or a cleverly crafted phishing attempt. The email was convincing enough to create real concern, and that’s what makes this story worth sharing.

This was the email:

The email claimed that a subpoena had been issued by law enforcement requesting the extraction (access/download) of the contents of his Google Account. What made the situation even more alarming was that the email appeared to come from a legitimate Google no-reply address. On the surface, everything looked clean – no typos, no odd links, and the sender domain seemed genuine. But something felt off, and that gut feeling is often your first line of defense.

Digging Deeper: Investigating the Suspicious Email

Curious and concerned, I examined the email headers and link previews in a sandbox environment, a secure setup isolated from production systems, specifically designed for this kind of research. On the surface, everything appeared to check out:

- The sender address looked like an official Google no-reply domain
- The branding and language were polished and professional
- There were no obvious grammar issues or suspicious attachments.

But as we know, phishing campaigns have gotten much more sophisticated. So, I dug into the email headers, checking the SPF, DKIM, and DMARC authentication results. That’s when the red flags began to appear.

Important Reminder: Don’t Engage with Suspicious Emails

Never click on links or follow instructions in suspicious emails, no matter how legitimate they may seem.
Even opening a link or downloading a file could trigger malicious scripts or redirect you to phishing sites designed to steal your credentials. If you’re unsure, leave the investigation to professionals who can safely analyze the message in a sandboxed environment. Interacting with a malicious email outside of such an environment could result in:

- Loss of sensitive data
- Business Email Compromise (BEC)
- Account takeovers
- Wider network breaches

When in doubt, don’t click – report and escalate.

Here is the URL from that email: https://sites.google.com/u/34961821/d/1XMIxkFiq54WpH2tKqay2EPnhN0Ukovet/edit

This redirects to the Google account login page if you are not logged in:

After logging in, or if you are already logged in, it sends you to the Google Sites page.

Here’s something critically important to understand: This is not a real Google support page. It’s not a Google sign-in page. It’s not any official Google property in the traditional sense. Instead, it’s a regular Google Sites page, a free tool anyone can use to build a website. In this case, cybercriminals used it to create a page that mimics an official Google support case, complete with convincing visuals and language. Because it’s hosted on a trusted google.com subdomain (sites.google.com), many users let their guard down. But don’t be fooled – just because the domain looks legitimate doesn’t mean the content is.

What Google Sites Is Used For

Google Sites serves as a practical tool for various purposes, including:

- Internal team pages (like company intranets or project dashboards)
- Documentation hubs
- Event landing pages
- Personal portfolios or school projects
- Simple public websites

You can create a site by dragging and dropping content blocks (text, images, videos, Google Docs, etc.), and it’s tightly integrated with other Google Workspace tools.
When Trusted Infrastructure Becomes a Threat: Google Sites Abuse

Google Sites, originally launched in 2008, is part of Google Workspace and allows any authenticated user to create a custom website hosted under the sites.google.com domain. It’s widely used for internal and public-facing content due to its ease of use, zero cost, and native integration with Google products. However, that same convenience is now being weaponized by attackers.

Why it’s dangerous:

- Anyone with a Google account can create a site that looks legitimate and is hosted under a trusted Google-owned domain.
- There’s no need for custom hosting or domain registration, and attackers benefit from Google’s SSL certificates and brand reputation.
- Attackers can embed deceptive content (fake login screens, credential harvesting forms, misleading CTAs) under a domain that would normally pass casual user trust and even automated link validation checks.

Now let’s take a closer look at the key elements that make this scam so deceptive.

How the Attacker Performed a DKIM Replay to Spoof Google

This attack was a confirmed DKIM Replay Attack where a spoofed message appeared to be from [email protected], had passed DKIM and DMARC, and was delivered to a Gmail inbox. Below is a step-by-step explanation of exactly what the attacker did, from start to finish — including all infrastructure involved.

Step 1: Attacker receives a legitimate email from Google

The attacker first received a real email from Google, originating from [email protected]. It included a valid DKIM signature:

DKIM-Signature: d=accounts.google.com; s=20230601; bh=a+1bch/…

The attacker then extracted and saved this exact email, including headers and body, without modifying anything signed by DKIM.

Step 2: Attacker prepares to replay the signed message

DKIM (DomainKeys Identified Mail) works by applying a digital signature to specific headers and the body of the email when it is first sent.
This signature is generated using the sender’s private key and is attached as a header in the email itself. When the message is forwarded, the original DKIM signature usually remains untouched as long as the email content and headers covered by the signature are not modified. Since forwarding services often preserve the original message as-is (especially in cases like aliasing or server-side forwarding), the DKIM signature remains valid and can still be verified using the sender’s public DNS record.

dkim=pass

Step 3: Attacker sends the email from Outlook

The attacker used an Outlook account ([email protected]) to send the spoofed message.

Outbound hop:

Server: LO3P265CU004.outbound.protection.outlook.com
IP: 40.93.67.3

In another example, the origin of the email is Google’s notification service. The email flow is described in the attack reproduction section at the end of this article.

Step 4: Message is relayed through Jellyfish SMTP

Microsoft then hands the message over to a custom SMTP service:

Relay: asp-relay-pe.jellyfish.systems
IP: 162.255.118.7

This system acts as a middle relay, distancing the spoof even further from Google. It’s not affiliated with Namecheap or PrivateEmail.

Step 5: Message forwarded via Namecheap’s PrivateEmail

The message is then received by Namecheap’s mail infrastructure (PrivateEmail), which provides mail forwarding.

Systems involved:

- mta-02.privateemail.com
- DIR-08
- fwd-04.fwd.privateemail.com
- fwd-04-1.fwd.privateemail.com

During this phase:

- A new DKIM signature is added: DKIM-Signature: d=fwd.privateemail.com; l=52331;
- The body beyond 52KB is not signed, but this DKIM is not aligned, so it’s not used for DMARC.
- SPF passes due to rewritten Return-Path, but is also not aligned.

However, since the original Google DKIM is untouched and aligned, DMARC still passes.
Step 6: Final delivery to Gmail

Final delivery is handled by:

Sender: fwd-04-1.fwd.privateemail.com (66.29.159.58)
Recipient MX: mx.google.com

At this point, the email reaches the victim’s inbox looking like a valid message from Google, and all authentication checks show as passing:

- SPF=pass (via forwarder)
- DKIM=pass (from Google)
- DMARC=pass (based on aligned DKIM)

Final SMTP Hop Breakdown:

When a Fake Subpoena Becomes an Attack Vector

Fake subpoena emails are especially dangerous because they trigger fear, urgency, and confusion. Most people don’t know precisely how subpoenas work, so when an email looks official and mentions legal action, it’s easy to panic and click without thinking.

To clarify, a subpoena is typically issued by:

- A court
- A lawyer (in civil cases)
- A government agency (in administrative cases)

A subpoena can require someone to:

- Appear in court
- Provide documents or evidence
- Testify at a deposition or trial

Serving a Subpoena

The subpoena must be formally served to the person or entity. Common methods include:

- Personal Service (most common and preferred): A process server or law enforcement officer physically hands the subpoena to the individual. Required in most cases to ensure proper delivery and acknowledgment.
- Mail or Email (only in some cases): Some jurisdictions or situations (especially civil subpoenas) allow service by certified mail or email, but only with prior consent or court approval. In such cases, the subpoena should be delivered in an encrypted way using the company’s official email address. It’s never delivered through third-party platforms.
- A Registered Agent (for companies): If the subpoena is for a business, it’s often served to their registered agent (a person or service officially designated to receive legal documents on the company’s behalf).

Knowing how real subpoenas are issued and delivered can help you spot red flags. Phishing threats are evolving, no longer marked by broken English and sketchy URLs.
Today’s attacks often come cloaked in legitimacy, sometimes even using platforms like Google Sites to mimic real support cases. As we saw in this real-world example, even the most tech-savvy users can be caught off guard.

The Takeaway?

Always question unexpected emails, especially those urging urgent action or containing links to login pages. Just because something looks like it comes from Google (or any other trusted source) doesn’t mean it’s safe. When in doubt, don’t click, don’t reply, and don’t engage. Escalate to your security team or a professional who can handle the investigation in a secure, sandboxed environment.

I’m interested in seeing more real-life examples. Do you have any notable cases to share?

We Have an Update: Reproducing the Attack

We have dived deeper and successfully reproduced the attack.

In the first step, the attacker registered a domain via Namecheap. We observed the attack originating from the following domains, which have now been taken down:

- googl-mail-smtp-out-198-142-125-38-prod.net
- wd-00000000000097d33d0631f6fe58-goog-ssl.com

In the second step, the attacker registered a free PrivateEmail via Namecheap: me@googl-mail-smtp-out-198-142-125-38-prod.net

In the third step, they registered a Google Workspace account (free trial) and verified the domain via the DNS TXT record. You need to register it with Google to be able to move to the next steps.

In the next step, they created a Google OAuth app and granted it access to that account.

Here’s the twist: Google sends the alert or notification to the privately registered email address, where the domain is verified but uses different MX records than Google’s (specifically, Namecheap PrivateEmail). And most importantly, the key trick is that you can put anything you want in the App Name field in Google:

The alert goes directly to the Namecheap account, which has some very interesting “capabilities.”
You can create conditions and put the no-reply@google account as the From address, and the reply address can be anything; the forwarding rule will direct the email to the desired addresses:

It is clearly visible from the Resent-From and Redirected-From headers:

Here is the result:

The other details have already been described.

Frequently Asked Questions

What is a DKIM replay attack?

A DKIM replay attack is when an attacker captures a legitimate email with a valid DKIM signature and re-sends (replays) it to new victims. Since the body and signed headers remain unmodified, the DKIM signature still validates, making the spoofed email appear authentic.

Can SPF or DMARC prevent DKIM replay attacks?

Not reliably.

1. SPF validates the MAIL FROM domain and sending IP, which often won’t align during a replay.
2. DMARC relies on alignment between SPF or DKIM and the Header From. If DKIM is aligned (as in this case, google.com), and still valid, DMARC can pass, even though the message is replayed from an attacker’s server.

Why are DKIM replay attacks hard to detect?

DKIM replay attacks are hard to detect because the message appears unmodified, with a valid DKIM signature and even a DMARC pass. If you rely on the email body or DKIM signature verification, you may not see anything suspicious. The attack relies on trust in previously signed content, not on breaking cryptography.

How did the attacker bypass detection using Google OAuth?

The attacker created a malicious Google OAuth app, naming it something like “Google Support.” They inserted phishing content and links into the App Information, which includes a manually cloned Google support page hosted on sites.google.com. Google generated a valid security alert from [email protected] when access was granted, which the attacker then forwarded to the victim. The forwarded email looked like it came from Google and passed DKIM/DMARC, giving it credibility.

What are the most effective ways to be cautious and reduce the risk of DKIM replay attacks?
- Rotate DKIM Keys Frequently
- Raise User Awareness
  1. Encourage caution when clicking on links, even if the sender looks familiar.
  2. Remind users to check URLs carefully before entering any credentials.
  3. Share examples of phishing tactics like urgent language, fake legal notices, or account alerts.
  4. Promote a culture of reporting. If something feels off, it’s always worth flagging.
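The header pattern described in the article (DMARC passing on an aligned DKIM signature alone, an extra unaligned signature carrying an l= tag, unaligned SPF, and forwarding headers) can be turned into a triage check for reported messages. This is an added example, not code from the original article or from EasyDMARC; the sample message, all domains in it, the finding labels, the two-label organizational-domain shortcut and the Delivered-To comparison are assumptions made for illustration.

```python
"""Triage heuristics for a possibly replayed, DKIM-signed message (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: same header shape as the case above, with placeholder domains.
SAMPLE = """\
Delivered-To: victim@mailbox.example
Authentication-Results: mx.mailbox.example;
 dkim=pass header.i=@accounts.brand.example header.s=sel2023;
 dkim=pass header.i=@fwd.forwarder.example header.s=default;
 spf=pass smtp.mailfrom=bounce@fwd.forwarder.example;
 dmarc=pass header.from=accounts.brand.example
DKIM-Signature: v=1; a=rsa-sha256; d=fwd.forwarder.example; s=default; l=52331;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.brand.example; s=sel2023;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
Resent-From: <relay-user@third-party-mail.example>
From: Brand <no-reply@accounts.brand.example>
To: me@lookalike-domain.example
Subject: Security alert

body
"""


def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict, ignoring folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}


def org_domain(domain):
    """Assumption: last two labels. Production code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b):
    """Relaxed DMARC alignment: both names share an organizational domain."""
    return bool(a) and org_domain(a) == org_domain(b)


def replay_indicators(raw):
    """Return a list of finding labels; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    ar = " ".join((msg["Authentication-Results"] or "").split())
    findings = []

    # 1. DMARC passed, but only because of DKIM: the SPF domain is not aligned.
    dmarc = re.search(r"dmarc=(\w+)", ar)
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", ar)
    dkim_pass = [d.rpartition("@")[2]
                 for res, d in re.findall(r"dkim=(\w+)[^;]*?header\.[id]=([^\s;]+)", ar)
                 if res == "pass"]
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and aligned(spf.group(2).rpartition("@")[2], from_dom))
    dkim_ok = any(aligned(d, from_dom) for d in dkim_pass)
    if dmarc and dmarc.group(1) == "pass" and dkim_ok and not spf_ok:
        findings.append("dmarc-pass-rests-on-dkim-only")

    # 2. Extra signatures from unrelated domains, and any body-length (l=) limit.
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        if not aligned(tags.get("d", ""), from_dom):
            findings.append("unaligned-dkim-signature:" + tags.get("d", "?"))
        if "l" in tags:
            findings.append("body-length-limit:l=" + tags["l"])

    # 3. Headers left behind by mailbox forwarding or redirect rules.
    for name in ("Resent-From", "Redirected-From"):
        if msg[name]:
            findings.append("forwarding-header:" + name)

    # 4. The mailbox that received the message is not among the visible recipients.
    delivered = parseaddr(msg["Delivered-To"] or "")[1].lower()
    visible = {a.lower() for _, a in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered and delivered not in visible:
        findings.append("delivered-to-not-in-to-cc")
    return findings


if __name__ == "__main__":
    for finding in replay_indicators(SAMPLE):
        print(finding)
```

None of these findings proves a replay on its own, since legitimate forwarding and mailing lists produce the same pattern; they are reasons to escalate a message that otherwise shows DMARC=pass.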
  • EASYDMARC.COM
    What is a DKIM Selector and How Does it Work?
    DKIM (DomainKeys Identified Mail) is an email authentication method that helps verify that an email wasn’t altered during transmission. It works by adding a digital signature to email headers using cryptographic techniques – the sending server signs outgoing messages with a private key, while receiving servers verify these signatures using a public key published in the sender’s DNS records.

DKIM serves as a critical component of DMARC. When combined with SPF, DKIM helps DMARC further authenticate emails, protecting domains from spoofing and phishing attacks. However, proper DKIM implementation can be challenging, especially for those who are just getting started with DMARC protocols. That’s where DKIM selectors come in. They allow organizations to manage multiple authentication keys, simplifying deployment across different email services and departments while maintaining strong security practices.

Take a look at our DKIM Lookup tool to easily verify digital signatures and the integrity of incoming emails.

What is a DKIM Selector?

A DKIM selector is a string that identifies a specific DKIM public key for a domain. Selectors allow organizations to use multiple DKIM key records for a single domain, enabling different departments or services to send authenticated emails. They work by linking each DKIM signature to its corresponding public key, helping receivers locate the correct key during authentication. For example, marketing emails might use the “mkt” selector while automated notifications use the “alert” selector, letting both departments send authenticated emails from the same domain.

A selector appears as the “s=” tag in the DKIM-Signature header field (e.g., “s=mkt”) in the email header, directing the receiving server to check the specific DNS record (like mkt._domainkey.example.com) for the matching public key.
The receiving server uses the selector to locate and retrieve the public key and verify that the outgoing message is authenticated and was not altered along the way.

Can I Have Multiple DKIM Selectors?

Absolutely. As many organizations tend to use multiple Email Service Providers (ESPs) and third-party services for their email strategies, each service can have separate DKIM signatures identified with unique selectors so that the signing and verifying processes for one service don’t interfere with another.

Say your organization uses GSuite, Sendgrid, and MailChimp. Each server provides its own DKIM Signature, which can be differentiated with a selector. For example:

- Google’s default DKIM selector is: google._domainkey.[yourdomain.com] containing DKIM Public Signature (where “google” is the selector)
- Sendgrid’s default DKIM selector is: s1._domainkey.[yourdomain.com] containing DKIM Public Signature (where “s1” is the selector)
- MailChimp’s default DKIM selectors are: k1._domainkey.[yourdomain.com] containing DKIM Public Signature and k2._domainkey.[yourdomain.com] containing DKIM Public Signature (where “k1” and “k2” are the selectors)

Why Do We Need Multiple DKIM Selectors, and How Do We Use Them?

Multiple selectors enable email stream segmentation, allowing different departments or services to use their own keys. For example, you could use one selector for internal emails and another for, say, marketing emails. Having multiple selectors also enables third-party integrations, allowing each service provider to use a unique selector, which ensures that emails from different platforms authenticate correctly without error. This setup also aids in troubleshooting by allowing the user to quickly identify which specific key was used for each stream. Overall, using multiple selectors means more flexibility, security, and control over email processes.

How to Use a DKIM Selector

- Generate a DKIM Key Pair: Create a private and public key pair using our DKIM tool.
The private key signs your emails, while the public key is published in your DNS records for verification.
- Choose a DKIM Selector: Select a unique and descriptive name for your selector, such as “marketing2025” or “internal1.” This selector helps identify which key was used to sign an email.
- Publish the Public Key: Create a TXT record in your DNS with the format “selector._domainkey.yourdomain.com” and include your public key in the value field.
- Configure Your Email Server: Set up your email server to use the chosen selector for signing emails.

Who Provides the DKIM Selector?

It mainly depends on the source. If you’re using ESPs and third-party services, they usually have official documentation on how to implement a DKIM Signature. For some sources, it is possible to pick a custom “selector”, while with others, default and in-built selectors are used. Some sources, like Office365 and MailChimp, follow DKIM security best practices, requiring organizations to publish multiple selectors and DKIM records to support automated DKIM key rotation, achieved with CNAME records.

At EasyDMARC, we provide more than 1,000 identified email vendors and configuration guides for both SPF and DKIM. With our DKIM lookup tool and DKIM record generator, getting started is easy, accurate, and secure.

How Can I Find My DKIM Selector?

The simplest way to find your DKIM selector is to send an email to yourself and look at the email headers.

- In Gmail, click ‘Show original’
- Search for ‘DKIM-Signature’ to find the DKIM Signature applied to the email

There will be cases where you may find multiple DKIM Signatures applied to your message. In this case, make sure you find the one that contains your domain name, applied in the (d=yourdomain.com) tag. If you don’t find any DKIM-Signature header, or you don’t find any DKIM-Signature that matches your domain name, additional DKIM configuration and implementation steps need to be taken on your ESP’s side.
You can read our article on DMARC Alignment on our website. Without inspecting email headers, and if properly authenticated, you will easily find your DKIM Signature selectors in your EasyDMARC dashboard.

Implement DKIM, Protect Your Email

Inspecting and verifying your DKIM signature is essential for debugging DKIM issues. Properly configured DKIM is critical for your DMARC enforcement journey, as improper setup can lead to rejected emails, increased spam filtering, damaged sender reputation, and vulnerability to spoofing attacks.

DKIM selectors are key for managing multiple authentication keys across different email services, providing necessary flexibility while adding configuration complexity. The interplay between DKIM, SPF, and DMARC creates robust protection, but requires technical expertise to implement correctly.

EasyDMARC simplifies this process with specialized tools including our DKIM Lookup for configuration analysis and DKIM Validator for pre-deployment testing. Our platform streamlines DMARC implementation with guided setup, automated policy recommendations, and intuitive reporting dashboards that transform complex authentication data into actionable insights, helping organizations of all sizes secure their email communications effectively.
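The lookup a receiver performs with the s= and d= tags, and the "find the signature that carries your own domain" step, can be reproduced offline. This is an added example, not code from the original article or from EasyDMARC; the sample message, the ZONE dictionary standing in for DNS, the key placeholder and the status labels are constructed for illustration.

```python
"""Map DKIM-Signature headers to their selector records (added example, constructed data)."""
from email import message_from_string

# Constructed message: one signature from a third-party sender, one from our own domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=esp-vendor.example; s=s1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mkt;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Marketing <news@example.com>
To: you@example.com
Subject: test

hello
"""

# Constructed stand-in for DNS TXT answers, so the example runs without a resolver.
ZONE = {
    "mkt._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "alert._domainkey.example.com": "v=DKIM1; p=",  # empty p= marks a revoked key
}


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (signature header or key record) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}


def selectors_in(raw_message):
    """Return (domain, selector, dns_name) for every DKIM-Signature header, top to bottom."""
    msg = message_from_string(raw_message)
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        if "d" in tags and "s" in tags:
            domain = tags["d"].lower()
            found.append((domain, tags["s"], f"{tags['s']}._domainkey.{domain}"))
    return found


def key_status(dns_name, zone):
    """Classify the key record a verifier would fetch for this selector name."""
    txt = zone.get(dns_name)
    if txt is None:
        return "missing"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "not-a-dkim-record"
    if tags.get("p", "") == "":
        return "revoked"
    return "published:" + tags.get("k", "rsa")  # k= defaults to rsa when absent


def own_signatures(raw_message, my_domain, zone):
    """Keep only signatures whose d= is our domain and report their key record status."""
    return [(selector, name, key_status(name, zone))
            for domain, selector, name in selectors_in(raw_message)
            if domain == my_domain.lower()]


if __name__ == "__main__":
    for selector, name, status in own_signatures(SAMPLE, "example.com", ZONE):
        print(selector, name, status)
```

An empty result from own_signatures for mail you sent yourself corresponds to the case above where no DKIM-Signature matches your domain and the ESP configuration needs attention.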
  • EASYDMARC.COM
    EasyDMARC to launch new DMARC Adoption report at  RSAC™ 2025 Conference
     RSAC 2025 Conference, San Francisco, 21st April – EasyDMARC, a leading provider of email authentication solutions, today announced it will be exhibiting at RSAC 2025 Conference in San Francisco. The company will be available at Booth #N4529 (North Expo) to demonstrate how businesses, MSPs, and channel partners can simplify compliance, strengthen their email security posture, and accelerate adoption of standards like DMARC, SPF, and DKIM. With increasing enforcement from providers like Google, Yahoo, and Microsoft Outlook, organizations are under more pressure than ever to adopt robust email authentication protocols. EasyDMARC’s platform helps enterprises and SMBs protect their domains from phishing, spoofing, and impersonation, while also aligning with evolving compliance mandates such as the PCI DSS v4.0.1 payment regulation. Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC said: “Exhibiting at RSAC Conference for the first time is an exciting milestone for us. The conference is a great opportunity to connect with like-minded security leaders, while contributing to a stronger, more resilient cybersecurity ecosystem. Security standards are evolving quickly but adopting them shouldn’t be a burden. We are here to show that email and domain security should be fast, risk-free, easy-to-use and reliable as we build the world’s largest DMARC community. At RSAC Conference, EasyDMARC will unveil new integrations designed to enhance partner enablement and customer onboarding. The company will also launch its new bi-annual The EasyDMARC 2025 DMARC Adoption Report, offering a clear view of progress made in helping businesses understand what’s needed to take the next step toward meaningful, sustainable email and domain protection. As awareness of authentication best practices grows, EasyDMARC continues to expand its partner ecosystem. 
The company is on track to double its MSP and channel footprint in 2025, leveraging recent integrations with ConnectWise, HaloPSA, Pax8, whilst building on our strategic partnership with Guidepoint Security.”

Visitors to Booth #N4529 will also have the opportunity to:

- See a demo of EasyDMARC’s security platform in action.
- Gain clarity on the latest email authentication requirements from Google, Yahoo, and Microsoft Outlook, and how organizations need to be aware of new regulations and directives such as PCI DSS V4.0.1, for changes.
- Be among the first to access EasyDMARC’s new DMARC Adoption Report.
- Explore MSP and partner opportunities.
- Meet and speak directly with EasyDMARC’s product experts and leadership team.

To schedule a demo or connect with EasyDMARC at RSAC Conference, visit here: https://easydmarc.com/blog/event/rsa-conference/

About EasyDMARC

EasyDMARC is a cloud-native B2B SaaS that solves email security and deliverability challenges in just a few clicks. With advanced tools, including its AI-powered DMARC Report Analyser, DMARC, SPF, DKIM cloud management solutions, and email source reputation monitoring, EasyDMARC helps customers protect their domains and maintain strong email health. For Managed Service Providers (MSPs) seeking to grow their business, EasyDMARC offers a powerful platform for streamlining domain management with features like organisational control, domain grouping, and access management. A comprehensive sales and marketing enablement programme further supports MSPs in elevating DMARC sales. The platform is scalable and available with flexible, pay-as-you-go pricing.
  • EASYDMARC.COM
    Email Security Protocols and Why They’re Important
    Despite the proliferation of messaging platforms, email remains the number one communication and verification method worldwide. In 2024, there were 4.48 billion email users worldwide, accounting for 56.8% of the world’s total population with projections indicating annual growth. Unfortunately, due to its popularity, email communications have long attracted a nefarious crowd: the cybercriminal. Despite long-established countermeasures, email-based threats have only intensified, both in sophistication and frequency.

In a report published by Cybercrime Magazine, researchers found that ransomware attacks occur every two seconds, placing annual damage cost projections at $57 billion for 2025 – approximately $4.8 billion monthly. Phishing remains the most common form of cyber crime, with an estimated 3.4 billion spam emails sent every day.

But phishing isn’t the only way cyber criminals gain access to sensitive information. According to IBM, Business Email Compromise (BEC) attacks are the second most expensive type of security breach, costing an average of $4.89 million annually. Given the substantial damage these attacks can cause, it’s crucial for users to equip themselves with the proper tools to combat such threats.

Email security protocols are designed to protect against these threats by verifying sender authenticity, encrypting content, and filtering out malicious messages. The good news is that most major email providers automatically implement these protocols to protect their users.

However, if you use an Email Service Provider (ESP), your DMARC responsibilities depend on your setup:

- Sending from your own domain: You’re responsible for publishing DMARC, SPF, and DKIM DNS records. While your ESP provides the necessary DKIM key and SPF include statement, you must add these to your domain’s DNS and create/manage your DMARC policy record yourself.
- Using ESP’s domain: The ESP handles all DMARC management for their domains—no setup required from you.
- DMARC requirements: Major providers like Google and Yahoo now require DMARC for bulk senders to ensure deliverability and prevent email spoofing.

EasyDMARC offers a streamlined way to implement comprehensive email security, providing protection against spoofing, phishing, and other email-based attacks.

What are Email Security Protocols?

Email security protocols are configurations that help keep email communications safe. Let’s take a look at some of the most common ones:

- DMARC
- SPF
- DKIM
- MTA-STS
- TLS-RPT
- S/MIME
- BIMI

| Protocol | Purpose | How it Works |
| --- | --- | --- |
| SPF | Validates authorized sending IPs | Publishes allowed IPs in DNS, mail servers verify before accepting |
| DKIM | Verifies email content integrity | Signs message headers with a private key, verified with public key in DNS |
| DMARC | Ties SPF and DKIM results, provides reporting | Instructs receivers what to do if authentication fails |
| MTA-STS | Forces TLS encryption for incoming emails | Publishes a policy in DNS, rejecting non-TLS mail servers |
| TLS-RPT | Monitors email encryption issues | Sends reports if email encryption fails |
| S/MIME | Encrypts email body and attachments | Uses digital certificates for encryption and signing |
| BIMI | Shows logo in inboxes after DMARC pass | Requires strong authentication and displays brand logo |

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect organizations and their recipients from fraudulent emails. Since its initial introduction, it has become a fundamental domain security tool and a global authentication standard. It works by utilizing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to determine the authenticity of a message.

For Managed Service Providers (MSPs), implementing DMARC for MSP clients provides critical security value. A regular DMARC lookup process allows MSPs to monitor client domains, prevent email spoofing, and enhance overall security posture.
DMARC ensures that only authorized senders can use your domain, safeguarding your organization’s reputation and protecting clients and partners from fraudulent emails that appear to come from your email address. It is crucial for defending your domain against phishing and spoofing attacks. Additionally, DMARC reports offer insights into how your domain is being used and help you detect unauthorized activities before they become serious threats.

What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol that lets domain owners specify which IP addresses are authorized to send emails on their behalf. It prevents spoofing of the RFC5321.MailFrom (Return-Path) address by publishing a DNS record listing these IPs, and receiving servers can validate the sending IP against the SPF record. SPF results alone usually do not cause direct rejection; instead, they contribute to the overall authentication evaluation (especially when combined with DKIM and DMARC) and may influence spam filtering decisions.

For maximum protection, SPF is often implemented alongside DKIM (DomainKeys Identified Mail), which provides cryptographic verification that messages haven’t been altered in transit.

What is DKIM?
DKIM is a protocol that allows domain and organization owners to send authenticated or signed emails. This verification is made possible through cryptographic authentication. It allows the recipient server to verify that the content of the original message was not altered in any way, ensuring that an email was properly signed and remains unaltered. It works in tandem with SPF to provide the maximum protection for your domain, ensuring deliverability and helping to reduce the risk of phishing attacks.

What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enforces TLS, an email encryption protocol, for inbound email delivery to a domain.
It allows mail servers to securely communicate by ensuring messages are transmitted over an encrypted connection, thereby mitigating risks such as man-in-the-middle attacks.

In 2019, Google became the first major email provider to adopt the new MTA-STS policy, which ensures all inbound emails come through the Transport Layer Security (TLS). This policy complements and strengthens STARTTLS, which is a command that allows mail servers to upgrade an SMTP (Simple Mail Transfer Protocol) connection to a secure, encrypted one. The issue with STARTTLS is that it is vulnerable to downgrade attacks and lacks mechanisms for strict enforcement or sender authentication, making it optional and insecure in certain scenarios.

The MTA-STS policy aims to prevent attackers from tampering with email content or sending the communication to another address. Unlike STARTTLS, MTA Strict Transport Security always keeps TLS on. It tells external servers that your email server only accepts email delivery through a secure connection.

What is TLS-RPT?
TLS Reporting (TLS-RPT) is a protocol that allows email domains to receive reports about the success or failure of TLS encryption during email transmission, providing insights into potential security issues when emails are sent to a domain. Like DMARC reports, TLS reports detail failed SMTP connections and explain why they happened. These failures occur for three reasons:
• Failed TLS negotiation
• DNS-related issues
• MTA-STS problems

Also like DMARC reports, TLS reports are delivered to a particular URI (Uniform Resource Identifier) or email address set up via a DNS TXT record. While other protocols focus on authentication and preventing spoofing, TLS-RPT is used specifically to help ensure that the transport encryption layer is working properly, protecting message confidentiality during transmission.

What is S/MIME?
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides end-to-end encryption and digital signatures for email messages.
Unlike SPF, DKIM, and DMARC, which focus on server-level authentication, S/MIME operates at the individual message level. Key features of S/MIME include:
• End-to-end encryption: S/MIME encrypts the actual content of email messages, keeping them private even if intercepted during transmission. Only the intended recipient with the correct private key can decrypt and read the message.
• Digital signatures: S/MIME allows senders to digitally sign their messages, verifying their identity to recipients and ensuring the message hasn’t been tampered with during transit.
• Certificate-based: S/MIME relies on public key infrastructure (PKI) and digital certificates issued by trusted Certificate Authorities (CAs). Each user needs their own certificate containing their public key.
• Client-side implementation: Unlike server-based protocols, S/MIME typically requires configuration on the email client (like Outlook, Apple Mail, etc.) rather than at the mail server level.

What is BIMI?
BIMI (Brand Indicators for Message Identification) is a visual trust indicator that allows domain owners to display their verified brand logos in supporting inboxes after passing DMARC authentication. That way, your customers can be sure that your emails are legitimate.

BIMI is built on the DMARC standard for verifying email. Before you send an email to your recipients’ inboxes, your email provider verifies it against the sender’s DMARC record within the message to confirm that it’s legitimate. Resources like BIMI record checks allow users to validate their BIMI record to ensure customer trust.

Why are Email Security Protocols Important?
Email security protocols, like the ones discussed above, are vital in combating email-related attacks.
As such, major email providers including Google, Yahoo, Microsoft, and Apple have begun to require certain authentication protocols like SPF, DKIM, and a proper DMARC setup to protect users from spam, spoofing, and phishing, help keep user data safe, and preserve their brand reputation.

While these major platforms simply require base-level implementation — meaning a DMARC record with at least a p=none policy — this is just the monitoring mode of DMARC and represents the first step in a domain’s DMARC journey. For the highest level of protection against email-based attacks, it is recommended that users implement a policy of p=reject in order to instruct email receivers to outright reject emails that fail DMARC checks.

What are Phishing and Spoofing?

Phishing
Phishing is a social engineering tactic in which hackers send emails or other messages pretending to be from reputable sources in order to get individuals to share sensitive and personal information. Since the mid-1990s, cybercriminals have used phishing attacks to steal credentials, financial information, and confidential business data, which often results in financial losses and reputational damage. Phishing remains the most prevalent cyber threat worldwide, accounting for the majority of security breaches, and is often the entry point for ransomware and BEC scams.

Spoofing
Spoofing is a type of cybercrime in which spam emails are sent using the identity of a trusted company or individual. Bad actors send fake emails that appear legitimate so they can trick victims into sharing sensitive details or downloading malware-infected files. Cybercriminals use email spoofing for many reasons, including:
• Hiding their identities
• Avoiding a spam blocklist
• Damaging a brand’s image
• Doing personal damage
• Requesting transfers of money
• Tricking victims into submitting sensitive details like passwords and login credentials
• Fraudulently gaining a target’s financial details or OTPs

How are Phishing and Spoofing Connected?
Phishing attacks are successful because they often use emails designed to look legitimate and appear to come from a trusted sender. These cyberattacks exploit human nature, incorporating elements of urgency, fear, or excitement.

For example, a phishing email might look like an urgent bank message saying your account has been compromised and you need to submit your login credentials. It could also seem like communication from your boss requesting sensitive info or an email saying you’ve won something and need to click on a malicious link (disguised as a genuine one). You can avoid phishing attacks by checking if an email is sent from an authentic and credible domain. Other factors like misspellings, unrequested or unidentified links and files, unusual requests, etc., are red flags too.

On the other hand, spoofing involves disguising illegitimate communication as legitimate. Bad actors use anything from email addresses and phone numbers to domain names and websites. In email spoofing, they usually send emails from a typosquatted or extended email domain. Typosquatting is a cybercrime where malicious actors register domains with deliberate misspellings to lure victims into clicking a corrupt link or sharing crucial details, for example, using amaz0n.com instead of amazon.com.

Phishing and spoofing are often used interchangeably because they work hand in hand to create a believable email that appears to come from a legitimate source. Hackers use email spoofing tactics to conceal phishing attempts and fool recipients.

Which Security Protocols Help Prevent These Attacks?
DMARC, DKIM, and SPF all specifically help prevent spoofing and phishing. By correctly implementing these protocols, users can correctly authenticate, verify, and monitor email communications.

Email Security Protocols Protect Your Brand
Many organizations view security measures as obstacles that slow down operations and create friction in communication channels.
When it comes to email security protocols, there’s often hesitation due to perceived implementation complexity and concerns about potential delivery disruptions.

However, this short-term thinking ignores the substantial consequences of email-based attacks. A single successful phishing campaign or domain spoofing incident can lead to data breaches costing millions, regulatory penalties, and most devastatingly, the erosion of customer trust that may have taken years to build. The reputational damage from compromised email channels far outweighs any temporary inconvenience during security implementation. In fact, 86% of customers are willing to pay more for companies they trust, while one-third of consumers will abandon brands they love after just one bad experience.

When customers receive fraudulent emails appearing to come from your domain, they don’t blame the cybercriminals – they question your organization’s commitment to security. Modern email authentication protocols not only prevent these incidents but have become streamlined enough that implementation no longer significantly impacts operations, making the argument against email security implementation obsolete.

Protecting Your User’s Data is Critical
The landscape of data leaks has evolved into a persistent threat for businesses of all sizes. According to IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach reached $4.45 million, a 15% increase over three years. These financial impacts extend far beyond immediately fixable costs. When MGM Resorts experienced a massive breach in September 2023, they reported losses exceeding $100 million from operational disruptions alone, while T-Mobile’s 2021 breach resulted in a $350 million settlement after exposing data from 76.6 million customers. The repercussions of data leaks stretch well beyond financial statements.
Perhaps most concerning is the long-tail effect – businesses typically don’t discover breaches for an average of 277 days, allowing attackers extensive access to sensitive systems.

Email security protocols are the critical first line of defense against these devastating scenarios. Given that approximately 90% of data breaches begin with phishing emails or business email compromise, implementing robust authentication standards like DMARC, SPF, and DKIM serves as a foundational security measure.

These protocols help prevent attackers from impersonating legitimate domains, blocking one of the most common entry points for data theft. By verifying sender legitimacy and ensuring email integrity, these standards significantly reduce the risk of employees or customers falling victim to sophisticated phishing attempts that often initiate the chain of events leading to catastrophic data exposure.

Implementing Email Security Protocols can be Easy
Email security protocols like SPF, DKIM, DMARC, TLS-RPT, MTA-STS, S/MIME, and BIMI form the foundation of modern communication security. As we’ve seen, email remains the primary communication and verification channel worldwide, with billions of users depending on it daily. As such, email is an attractive target for cybercriminals employing increasingly sophisticated phishing attacks, spoofing, and fraud schemes.

Implementation of these critical protocols doesn’t have to be complex or disruptive when approached proactively. DMARC solutions for businesses are a great way to ensure proper execution of these measures. At EasyDMARC, we offer a comprehensive platform specifically designed to simplify email security implementation. Our solution provides automated setup, continuous monitoring, and real-time reporting to ensure your domain remains protected without burdening your IT resources.
Whether you’re managing a small business email server or enterprise-level communications, our intuitive dashboard and expert support make maintaining robust email security accessible for organizations of all sizes.

As we look to the future, email-based threats will only become more sophisticated, leveraging advanced AI and social engineering techniques to bypass traditional security measures. The rise of deepfakes and machine-learning powered impersonation attacks means that yesterday’s security approaches are insufficient for tomorrow’s threats. By implementing comprehensive email security protocols now, organizations establish a critical first line of defense against evolving threats.

With EasyDMARC’s continuous updates and proactive security approach, businesses can stay ahead of emerging vulnerabilities, preserve their brand reputation, and ensure the integrity of their most important communication channel.

The post Email Security Protocols and Why They’re Important appeared first on EasyDMARC.
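The article's distinction between p=none (monitoring only) and p=reject (enforcement) can be checked mechanically from a domain's DMARC TXT record. The Python below is an added example, not EasyDMARC's code: the function names are hypothetical, and the sample records and the example.com domain are constructed for illustration.

```python
"""Classify DMARC TXT records by enforcement level and reporting setup."""

# Constructed sample records for the placeholder domain example.com.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "no_reports": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "not_dmarc": "v=spf1 include:_spf.example.com ~all",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag without "="
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags


def assess(txt):
    """Summarise what a receiver is told to do with mail that fails DMARC."""
    absent = {"level": "absent", "reports": False}
    tags = parse_dmarc(txt)
    if tags is None:
        return {**absent, "findings": ["no valid DMARC record"]}
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return {**absent, "findings": ["pct= is not a number"]}
    findings = []
    if policy == "none":
        level = "monitoring"
        findings.append("p=none: failing mail is still delivered")
    elif policy in ("quarantine", "reject"):
        level = "enforced" if pct == 100 else "partial"
        if pct < 100:
            findings.append(f"pct={pct}: policy covers only part of failing mail")
        if policy == "quarantine":
            findings.append("p=quarantine: failing mail is flagged, not refused")
    else:
        return {**absent, "findings": ["missing or unknown p= tag"]}
    reports = "rua" in tags and tags["rua"].lower().startswith("mailto:")
    if not reports:
        findings.append("no rua= address: aggregate reports are not collected")
    return {"level": level, "reports": reports, "findings": findings}


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, assess(record))
```

To run it against a live domain, pass in the TXT value published at `_dmarc.<your-domain>`.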
  • EASYDMARC.COM
    The Adoption Report 2025 by EasyDMARC
    In our 2025 DMARC Adoption Report, we examined DMARC adoption across the 1.8 million most-visited domains worldwide. Though adoption is growing—spurred by new email provider requirements and regulations—our research reveals a critical protection gap. Most domains have implemented DMARC but lack the enforcement policies and reporting configurations necessary for actual security.

    Available May 2025

    Inside This Report
    • Adoption trends: The significant growth in DMARC implementation
    • Implementation gaps: Why most domains remain exposed despite having records
    • Missing visibility: How 70% of organizations lack crucial reporting configurations
    • Action plan: Moving from basic compliance to effective protection

    Why This Matters Now
    Major email providers have implemented strict authentication requirements affecting all organizations sending bulk emails. Our report provides the strategic guidance needed to protect your domain reputation while ensuring email deliverability.

    The post The Adoption Report 2025 by EasyDMARC appeared first on EasyDMARC.