Podcast: Insights from the Google/Yahoo DMARC Requirement
Ash Morin, our Director of Deployment, joined Mailgun’s Email’s Not Dead podcast crew to discuss Google and Yahoo’s DMARC sender requirements, which they began enforcing on February 1, 2024.
Ash was a guest on Email’s Not Dead S2 E7—Spoofing, Phishing and for the Love of DMARC and on S3 E5—Implementing DMARC.
In S5 E4, faithful hosts Jonathan Torres and Eric Trinidad asked Ash to join them and provide an overview of what he’s seen and what he predicts with the new email authentication standards update from Yahoo and Google.
“Immediately after the announcement we started getting a lot of questions coming in. Not only questions from our existing customer base, but also in ecosystems,” Ash said. “There’s been a lot of ‘what does that mean?’ And almost immediately following, they were asking, ‘does that change anything about the standards? If not, what’s my current state? Am I actually good?’ Even organizations that deployed DMARC and were at p=reject were wondering.”
Eric asked Ash about his thoughts after he heard the news of the requirements. “What I was really wondering is, are they doing anything new with the existing standards since it took years for people to understand not only the standard, but to implement the standard as a sender,” Ash said. “You also have a lot of other systems, vendors, and third-party service providers that will send on your behalf. What does that mean for them? Ultimately, we all agree on one thing: okay, I need DMARC.”
When he was asked about employing subdomains to send email and protecting those subdomains, Ash said it is an approach that dmarcian always recommends and that it falls within the best practice of a segmentation strategy. “Segmenting your email stream is very important for a variety of reasons. Security is one of them, but that’s not always what a business decides to do. You know, at first glance, especially for organizations that’ve been around for a fair bit of time—Mailgun or Amazon or Microsoft—big names. When we see a domain like that, we’re like, ‘oh yeah, we’ve seen this domain around forever.’ So they want to send from that domain as much as possible. It’s not advisable. You don’t want to put all of your eggs in the same basket, and this is effectively what you’re doing. And if one egg is rotten, it could spoil the whole basket. I know it’s a silly comparison, but it’s true, unfortunately.”
You don’t want to miss the conversation with these guys as it continues to cover what the sender requirements mean and how people are responding to the ever-evolving email landscape. Tune in to Email’s Not Dead: S5 E4: The DMARC side of the Yoogle update.