Zulu eDM - Trusted Sender & DMARC Research Timeline

Domain-based Authentication, Reporting & Conformance (DMARC) is made available to the public for the first time to comment.

The following organizations were the Founding contributors and saw the project go live after numerous planning, commentary and refining:

At this stage there was no industry push or set of business guidelies for email service providers or businesses to follow. There was indication from our logs that any ISPs or webmail providers had adopted the standard. We set this to a watch only action.

The third and SECOND last Giant Webmail provider to implement a strict DMARC policy.

A client sending more than 1 million emails per day starts to see big delivery and open rate drop-offs. Our investigation led to the Webmail providers not accepting support tickets unless the emails were sent from a DMARC comliant domain.

Off the back of US Government recommendations, The Australian Government issued the Mailicious Email Mitigation Strategy recommending that DMARC being implemented for inbound ONLY emails. David Barnes starts to examine and investigate why only inbound when the domain is NOT protected from illegal use.

Initially we invited a few customers that had risk exposure and delivery variances to implement the DMARC program in their Zulu eDM Account. We started to use DMARCIAN as our preferred policy reporting tool.

Meeting with Return Path - Sydney

Implementing the staff user interface and business rules was completed and launched.

This release enabled all account holders use a DMARC enabled domain. Although untested we foud no evidence of any other product enforcing the authentication.

FREE Account holders were allocated a mail redirect using our zuluedm.com domain as their SMTP:FROM (Return Path). To ensure All client sign-ups are vetted and cross referenced for aurthenticity.

Our interpretation of this announcment, other than the obvious security enhancement is to encourage any businesses looking to interact via email to implement DMARC.

Having the only access to DMARC only data as an ESP we could clearly see that a mixed mail strategy is the most effective way to maintain email reputation across the enterprise or small business.

Our research has concluded that the email clients and webmail providers are implementing trust / protection tools in many in different ways if at all. So how can we help to share our knowledge and give the general public a resource to help identify good and responsible senders of email? We launched Trusted Sender, helping to vet senders through best practices, technology implementation, education and processes to prevent attacks.

The Trusted Sender Mascot

The first notice to clients and partners sharing both Trusted Sender and the Community App, Email Sender Check was sent by David Barnes. The email was posted in full on the Trusted Sender blog.

Keep up to date with the Trusted Sender Blog

The Australian Competition & Consumer Commission (ACCC) who provide the SCAM Watch web site and the Queensland Government were both advised of the following: SCAM Watch ACCC QLD SCAM Watch

The following checks (searches) were subsequently performed on Email Sender Check:

defence.gov.au accc.gov.au

There is no reason why an email SCAM using a SPOOFed domain should effect the general public. David Barnes has been meeting and discussing the issue with top law firms and insurers to educate the industries with respects to this problem and the available solution.

A comment was made that the incoming mail servers need to check for DMARC to create a liability for the domain owner, that covers over 85% or the internet email users!

So far ONLY 2 firms have implemented DMARC or even pursued this matter.

In discussions (pre any non-disclosure) Agari (one of the Worlds leading email security firms), the email team at Oracle and Zulu are all aligned with the research presented here and how the market will adjust quickly to the DMARC issue.

Interestingly the information we had to share on what happens post implementation to domain reputation is an aspect that has been not really been looked at before. Our published information is correct.

After being made aware of their factual errors as documented above (June 2018) the ACCC continues to misinform the general public and Australian businesses with respects to preventing email spoof and avoiding phishing scams. Channel 9 was contacted as to the factual nature of their story with no response.

Further evidence is that other Federal Government Agencies have proteced themsleves against SPOOG and Email Business Compromise (BEC) attacks by implemting DMARC with a policy of reject.

See the humanservices.gov.au result here:

humanservices.gov.au Email Authentication Check

The policy to protect Government workers and the economy in general from business email compromise attacks went live.

Only weeks earlier Microsoft implemented the necessary tools in Office 365 for it's cutomers to comply with US Regulations. Thishad an immediate effect on business email which ended up in the junk folder, or treated as SPAM.

Australian businesses continue to suffer losses due to ACCC email scam protection advice (business email compromise attacks), which is compounded by media reports such as the recent Smart Company article entitled: Business loses $300,000 to ‘spoofed’ email scam: How to protect yourself from being impersonated

"McKinnon advises business owners to enable two-factor authentication on their accounts wherever they can, along with implementing training regimes for staff around the risks."

All this advice suggests is to secure your company email from being hacked, nothing to do with BEC attacks and therefore this advice is factually incorrect and irrelevant to the issue.

Suffering inbound spoof / phishing attacks OR being the company that has been SPOOFed, where staff or customers pay fake invoices, can be best protected against further attach by doing the following:

1. Implement a DMARC reject policy
2. Place notices on websites and any corresponding contractual or communicationn related material advising of such a policy
3. Awareness training for staff
4. Implement tools for staff to check the trust worthiness of emails they receive and if they comply
5. Implement a supplier policy, all suppliers must have a DMARC policy of reject
6. Join the Zulu Trusted Sender program and make it easy for customers / subscribers to identify that your emial is protected and can be trusted.

David Barnes left a discussion topic on the Smart Company web site after the journalist failed to meet their agreed appoint: