Email security changes: Don’t miss DMARC


Changes to email security standards from several large providers could see accounting firm emails that fail authentication marked as spam or rejected outright, unless their settings are correctly configured.

21st Feb 2024

More than 90% of successful cyberattacks start with a phishing email – a message from criminals designed to trick the recipient into revealing system login credentials, financial or other sensitive information.

Many organisations don’t appropriately secure or configure their email systems, allowing attackers to impersonate their email domains – with potentially disastrous results when applied to the kinds of data and access held by accountants or accounting firms.

Efforts from several major providers to tackle the rising tide of cybercrime have yielded results, but upcoming changes to email security standards from several of the largest vendors, including Google and Microsoft, could also see legitimate communications from accounting firms or finance departments caught in the net.

Email authentication changes

Three main types of email authentication methods have been put in place to try to prevent unauthorised parties from sending emails on behalf of a domain they do not own: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

SPF lets a domain owner publish, in DNS, the list of servers authorised to send email for that domain, while a DKIM “signature” is a digital signature that uses cryptography to verify that the email was signed by the domain it claims to come from. DKIM and SPF help demonstrate legitimacy, the email equivalent of a qualification or practice licence for accounting firms.

DMARC tells receiving mail servers what to do with a message that fails the SPF and DKIM checks – mark it as spam, deliver it anyway, or reject it altogether.

In 2022, Google started requiring that emails sent to Gmail addresses have some form of authentication, with a first step of making email security records mandatory, a move that the internet giant says cut the volume of unauthenticated email reaching inboxes by 75%.

Now Google has announced that from February 2024, it will require email authentication to be in place for all senders when sending messages to its 1.8bn Gmail accounts, with Yahoo and Apple swiftly following suit, and Microsoft likely to join them soon.

Bulk senders that send more than 5,000 emails per day to Google’s Gmail accounts will have more email authentication requirements to meet and also need to:

  • have a DMARC policy in place 
  • ensure SPF and DKIM alignment 
  • make it easy for recipients to unsubscribe (one-click unsubscribe).

While these requirements will be phased in, rather than dropped on businesses all at once, Google has stated that from April 2024 it will start rejecting a percentage of non-compliant email traffic and will gradually increase the rejection rate. So if 75% of a sender’s traffic meets its requirements, Google will start rejecting a percentage of the remaining 25% that isn’t compliant.

In the long run, this will mean that if email systems are not set up correctly with the appropriate authentications, emails will no longer be accepted by providers with this type of security in place. Domains missing their DMARC record will automatically get their emails sent to junk by Microsoft 365, Google and Yahoo.
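To make the SPF/DKIM alignment requirement and the DMARC policy concrete, here is an added example (not code from the article or from any provider) of how a receiving mail server decides a message's fate once it has the SPF and DKIM verdicts in hand. The record strings, domain names and authentication results are constructed for illustration, and the Public Suffix List that real receivers use to find the organisational domain is replaced by a tiny stand-in.

```python
"""Added example: how a receiving mail server evaluates DMARC.

Everything here is constructed for illustration and is not code from the
article or from any provider: the record strings, the domain names and the
message authentication results are assumptions, and org_domain() uses a
tiny stand-in for the Public Suffix List that real receivers consult.
"""
from dataclasses import dataclass

# Tiny stand-in for the Public Suffix List (assumption for this example only).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}


def parse_dmarc(record: str) -> dict:
    """Parse a '_dmarc' TXT record such as 'v=DMARC1; p=quarantine; pct=10'
    into a tag dictionary, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: 'mail.bestaccountant.co.uk' -> 'bestaccountant.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver learned before DMARC: the From: header domain, the
    SPF verdict on the envelope sender domain, and the d= domain of a DKIM
    signature that verified (empty string if none did)."""
    from_domain: str
    spf_result: str      # "pass", "fail", "softfail", "none", ...
    spf_domain: str
    dkim_result: str
    dkim_domain: str


def evaluate_dmarc(record: str, r: AuthResults, sample_bucket: int = 0):
    """Return (dmarc_result, disposition).

    DMARC passes if SPF *or* DKIM passed AND that identifier aligns with the
    From: domain.  On failure the p= policy applies; pct= tells the receiver
    to apply it only to a sample, and messages outside the sample get the
    next less strict policy (RFC 7489 section 6.6.4).  sample_bucket stands
    in for the receiver's random draw in the range 0..99."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if sample_bucket >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    # Constructed sample: the firm's own server sends from a subdomain that
    # SPF authorises; relaxed alignment accepts it.
    legit = AuthResults("bestaccountant.co.uk", "pass", "mail.bestaccountant.co.uk", "none", "")
    print(evaluate_dmarc("v=DMARC1; p=reject", legit))   # ('pass', 'none')
    # Constructed spoof: a third party's SPF passes for *its* domain, which
    # does not align with the From: header, and there is no DKIM signature.
    spoof = AuthResults("bestaccountant.co.uk", "pass", "bulk-mailer.example", "none", "")
    print(evaluate_dmarc("v=DMARC1; p=reject", spoof))   # ('fail', 'reject')
```

The second case is the one the article warns about: a message can pass SPF and still fail DMARC when the domain SPF authorised is not the domain in the From: header, which is why the bulk-sender rules ask for alignment rather than a bare SPF pass. The `pct=` handling shows why a `p=quarantine; pct=10` record, like the one a commenter posts further down, only quarantines one failing message in ten and lets the rest through.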

Finance emails into junk: Not a good look

“No organisation is wholly responsible for the upkeep or security of the internet, so the big providers tend to be the ones driving that forward,” Francis West, founder of cybersecurity firm Security Everywhere, told AccountingWEB.

“It sounds basic, but sometimes it’s impossible to verify who an email is from due to the prevalence of older systems on the internet and the lack of email security records, and that’s what these changes are about,” said West.

“Accountancy firms or accountants in industry are prime targets for cybercriminals as they often deal with the most sensitive information. From an attacker’s point of view, it’s a double-edged sword. Not only do they compromise your business, but allowing your domain to be spoofed means hackers can send emails to clients, customers or suppliers as part of an attack chain – ‘these are our new bank details’ and so on.

“Just from a functionality point of view, you need to at least have basic email authentication in place. If you don’t have that in place then your message may end up in junk, or worse. It doesn’t matter if you’ve been emailing each other for 10 years, it still could get rejected.

“You’re trying to position yourself as a trusted service that keeps their data safe and secure. Finance emails going into junk is not a good look,” West added.

Here's a video explaining the role of DMARC from Security Everywhere:

Depending on their email provider, firms looking to check or put in place email authentication can find help on the Google Workspaces or Microsoft 365 help pages, or by contacting their email provider.


Replies (15)


By FactChecker
21st Feb 2024 19:27

That's all news to me (and frankly fairly incomprehensible news - which no doubt is a reflection on me). But a couple of things in particular that I don't understand here:

1. Google (and later probably Yahoo and Microsoft) will be requiring conformance with some of these aspects by "emails sent to Gmail addresses".
But although a gmail address may be near ubiquitous amongst individuals, it's not common amongst businesses (certainly the non-SME ones) ... so how will this lead to "legitimate communications from accounting firms or finance departments (being) caught in the net"?

2. It's not clear how long any of this has been in operation, but I've seen no noticeable reduction in the number of rogue emails purporting to come from HMRC ... so should we expect to see a rapid fall away in the volumes of phishing attempts that spoof various real HMRC people's addresses?

Thanks (4)
Replying to FactChecker:
Tom Herbert
By Tom Herbert
21st Feb 2024 20:09

My apologies if I've caused confusion. I've tweaked a line in the copy to try and perhaps answer question 1:

- "In the long run, this will mean that if email systems are not set up correctly with the appropriate authentications, emails will no longer be accepted by providers with this type of security in place."

So if you're an accounting firm trying to email clients and you haven't set up your email authentications properly, the chances are that at some point in 2024, your emails won't get through. Hope that... makes sense?

There are lots of businesses that run on Google Workspaces (for example) that don't have a Gmail suffix but are powered by Google's servers - they're likely to be affected at some point.

For question 2, I've noticed a subtle improvement in the amount of emails that are filtered into spam, but a few still get through.

Thanks (4)
By petestar1969
22nd Feb 2024 10:28

These rejections are already happening. We send out fee proposals using Go Proposal; they go via a mail gun from Go Proposal. Some clients never get them as their Barracuda email security blocks them; they don't go in spam, they just never get there.

I have a longstanding client who has an aol email and never gets anything I send him that has an attachment, unless it's a reply to an email he's sent me.

I can see this causing hassle for accountants who deal with sole traders who have emails like [email protected].

Thanks (3)
By Mr Hankey
22nd Feb 2024 10:44

I've had this problem, any emails I sent to a Gmail address would either bounce back, or if they did go through, would end up in the recipient's junk folder.

I logged into my domain provider and messed around (something about DNS settings - I don't really know what I'm doing) and managed to solve the problem, but that has now taken my website offline!

Thanks (2)
By SteveHa
22nd Feb 2024 11:45

For personal emails I host my own email server, and emails to gmail addresses rarely get through. A timely reminder to re-visit my server and get it set up properly.

Thanks (2)
Replying to SteveHa:
By Ken Moorhouse
22nd Feb 2024 18:21

I have sold email servers to lots of my clients and so am well versed with the problem with gmail*. If you've got a mail server, all that I've found is necessary (until things get tightened further) is to set up an SPF record. To set up SPF, go into the portal where your domain name is hosted, go into the Advanced DNS section and add a TXT record, which can take various forms; the simplest is arguably:

v=spf1 ip4:{x.x.x.x} -all

Replace {x.x.x.x} (don't include the squiggly brackets) with the IP address where your mail server is located - a static IP is pretty well mandatory (as opposed to a dynamic IP used in association with a Dynamic DNS provider). Sorry, complex I know.

What this gobbledygook means is that you send email ONLY from that one IP address, so if someone sends out emails pretending to be you they will fail this test because they are at a different IP address. You, when you receive emails, can either let emails that fail SPF through, but marked as spam, or reject them (that's what the all parameter is about). This can trip companies up if they use a third-party bulk mailer but use their own company domain to send their emails with, rather than the third-party domain.

* (I have also found no problem emailing to aol addresses either).

Thanks (2)
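The comment above describes the SPF check a receiving server performs and the trap of sending through a third-party bulk mailer from your own domain. The following is an added example, not code from this thread or from any provider, that walks through that check: it evaluates a sending IP against a domain's `v=spf1` record, follows `include:` mechanisms, and applies the `-all` / `~all` qualifier. The domains, IP addresses and records are constructed, and DNS is replaced by an in-memory table.

```python
"""Added example: checking a sending IP address against an SPF record.

Constructed for illustration; not code from the thread or from any provider.
The records, IP addresses and domain names are assumptions, and DNS TXT
lookups are served from an in-memory table instead of real DNS.
"""
import ipaddress

# Constructed stand-in for DNS TXT records, keyed by domain (assumption).
DNS_TXT = {
    # The firm's own server only, as in the comment's simplest record.
    "bestaccountant.example": "v=spf1 ip4:203.0.113.10 -all",
    # A third-party bulk mailer's own record.
    "bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # The firm's record after authorising the bulk mailer via include:.
    "bestaccountant-fixed.example": "v=spf1 ip4:203.0.113.10 include:bulkmailer.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def lookup_spf(domain: str):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = DNS_TXT.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(domain: str, ip: str, _lookups=None) -> str:
    """Return the SPF result for a message that claims `domain` as its
    envelope sender and arrives from address `ip`.

    Results follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are modelled; a/mx/ptr/exists need live DNS."""
    if _lookups is None:
        _lookups = [0]            # shared counter across include: recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, ip, _lookups)
            if sub == "none":
                return "permerror"       # included domain has no record
            if sub == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # mechanism not modelled here
    return "neutral"                     # record ended without an "all"


if __name__ == "__main__":
    # Constructed sample: own server passes, a bulk mailer using our
    # domain fails until the include: is added.
    print(check_spf("bestaccountant.example", "203.0.113.10"))        # pass
    print(check_spf("bestaccountant.example", "198.51.100.7"))        # fail
    print(check_spf("bestaccountant-fixed.example", "198.51.100.7"))  # pass
```

The second call is the situation the comment warns about: a `-all` record lists only the firm's own server, so mail the bulk mailer sends with the firm's domain as envelope sender is rejected outright. The third call shows the usual fix, an `include:` of the mailer's own SPF record, which is also why the IONOS record quoted in the next comment consists of two `include:` terms rather than IP addresses.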
Replying to SteveHa:
By paulinleeds
22nd Feb 2024 21:33

If it helps others; I've just contacted IONOS, who provides my domain. They were very helpful. I spent 30 minutes on the phone and they talked me through the process online.

They told me to go into the DNS setting for my domain and enter three txt (text) items. In fact, I use Wix.com for my website and DNS and so I had to go into the DNS server on Wix to update my details.

My domain server online asks me for 'Host name' and a 'Value' for each of three:
SPF
DMARC
DKIM

Again, as an example, assuming my domain is BestAccountant.co.uk, I entered the following TXT (text) values for my domain:

Hostname _BestAccountant.co.uk
Value v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de -all

Hostname _dmarc.BestAccountant.co.uk
Value v=DMARC1;p=quarantine;pct=10;ruf=mailto:[email protected]

Hostname _default._domainkey.BestAccountant.co.uk
v=DKIM1; k=rsa; p=GMILFfMAA%&NH^coODJUvGJ7QIDAQAB$%3DQEBAQUAA4GNADCBiQKBgQDf0Oy37Malof45h^5GlZbh6fUceA9uNoh3ZjZV9rj

At least you now know what to expect it to look like.

Thanks (2)
By Rob Swan
22nd Feb 2024 12:06

Nice one Tom. Very useful and informative. Probably explains why my hotmail spam/junk has almost disappeared completely in recent weeks.

Thanks (1)
By kjevans
22nd Feb 2024 14:55

Doesn't really stop spammers as domains are dirt cheap and all the spammer has to do is set up their existing domain that looks almost like the one they are trying to impersonate (eg Cyrillic a instead of English a etc) with DMARC, DKIM and SPF. Just more costs to small businesses and no doubt more profit to the large tech ones like Cloudflare.

Thanks (2)
By Nigel Hughes
22nd Feb 2024 18:20

Tom
This is useful thank you.
I think there must be some aspects of this already in place - my ukulele group has a number of members and some time back I tried to email all members of the group and the gmail addresses were bounced.
I guess I'd better talk to my service provider!

Thanks (2)
Replying to Nigel Hughes:
By Ken Moorhouse
22nd Feb 2024 20:50

Do you play "When I'm cleaning windows" when running Anti Virus utilities?

Thanks (3)
Replying to Ken Moorhouse:
By Nigel Hughes
23rd Feb 2024 11:57

Nah! we don't do ukulele songs, but our Bat out of hell really rocks

Thanks (1)
By elliottchandler
22nd Feb 2024 20:04

Glad this has been written about. We all need to raise the bar in cyber security.

Thanks (2)
By listerramjet
22nd Feb 2024 22:36

Spam being treated as such is a good thing. Even if it comes from an accountancy firm!

Thanks (1)
By Caber Feidh
22nd Feb 2024 23:33

About a year ago I realised that all my emails to recipients with Gmail accounts were being rejected, with the message "Diagnostic-Code: smtp; 550-5.7.26 This mail has been blocked because the sender is unauthenticated."

I discovered that changing recipient addresses from, say, [email protected] to [email protected], resulted in my emails reaching the intended recipients.

Thanks (1)