"No reason to be nervous about implementing e-mail security standards"
In July 2018, we added an e-mail security incentive to the Registrar Scorecard (RSC). The aim was to boost the adoption of standards such as SPF, DKIM, DMARC and STARTTLS. In support of that goal, we also organised SIDN Academy sessions on the use of e-mail standards, and held a practical workshop for registrars. One registrar that decided to have a go at upping their e-mail security score and earning a good incentive payment was QDC Internetservices. QDC's Support Manager Dave Fredriksz has been talking to us about how the firm went about it.
E-mail security standards in a nutshell
DKIM, SPF and DMARC are standards that protect against phishing, spam and virus/malware distribution by securing the contents and various attributes of e-mail messages. Enabling the standards involves adding records to the domain name's DNS details.
Since the incentive was introduced, we've seen more SPF, DKIM and DMARC records linked to .nl domain names, and the quality of the records has improved. Mail traffic within .nl is therefore more secure, and the phishing and spam threats have been mitigated. While SPF was already in fairly widespread use, DMARC in particular has really taken off. That's welcome news, because DMARC has the effect of reinforcing SPF and DKIM. The real benefit comes when the three standards are used together (in combination with STARTTLS, of course). One registrar that has significantly grown the number of DMARC records in their portfolio is QDC Internetservices. QDC's Support Manager Dave Fredriksz has been telling us how.
Rollout completed inside two weeks
Dave: "The SIDN Academy was the trigger to get us working with e-mail standards. Two members of our team came back from the Academy session and said, 'This is something we've really got to do.' After that, it took us less than two weeks to enable the standards for almost all the .nl domain names in our portfolio. For convenience, we did all our .eu and .be domains as well. Once the implementation was complete, we informed our clients. In our eyes, enabling the standards is integral to customer service, not a billable extra. Clients are often unaware of the risks, so we think this is something we should take care of for them."
Nothing to worry about
Dave continues: "Beforehand, we were worried that implementing SPF, DKIM and DMARC might result in some e-mail not getting delivered. But, as it turned out, everything was fine. We initially used the 'p=none' setting in DMARC, so we were able to see that our customers' outgoing mail wasn't going to be bounced by mistake."
Next step: applying a stricter policy
We asked SIDN's Technical Advisor Marco Davids to take a look at QDC's set-up. "By creating DMARC records with 'p=none' for most of their domains, QDC kept everything as it was, while getting feedback from receiving mail servers," says Marco. "The reports sent back by the receiving servers provided a picture of the mail flows associated with clients' domains. The challenge for QDC and its clients is now to analyse the mail flows and to think how that can be translated into stricter mail policies."
"We've now set things up so that an alert is automatically generated if a DMARC record isn't working," Dave explains. "Our internal system is designed so that, when an issue is flagged up, anyone here at QDC can deal with it, including non-technical personnel. The message I'd like to pass on to other registrars is that they shouldn't be nervous about implementing e-mail security standards. There's really nothing to worry about."