Insider Insights: The History & Evolution of DMARC - A Conversation with a DMARC Protocol Writer and Global Comparisons with South Africa

Podcast by Paul Ogier on January 31, 2023

In episode 7 of Taming Tech, The Podcast, Paul Ogier speaks to Tim Draegen, founder of dmarcian.

Tim is a technology reformer currently fixing email and is the primary author of DMARC, the global interoperability standard that authenticates emails and secures domains from cyberattacks. Tim is also the co-founder of dmarcian, a company working towards making DMARC accessible to all.

In this episode, Tim shares with us his expert opinion on the results of our DMARC audit of the top 100 South African companies (listed below) and what those results mean for the companies and for their customers, suppliers and other stakeholders.

Who should listen to this episode?

  • CTOs, CIOs and IT security professionals who are looking for best practices for DMARC implementation.
  • Business owners and managers who are concerned about reputational damage caused by spoofing and bad actors impersonating their domains.
  • Marketers, email service providers, email administrators and email security teams dealing with email deliverability issues.
  • Network administrators, cybersecurity experts and information technology consultants looking for deeper understanding of the value of cybersecurity stacking.
  • Compliance officers looking to ensure their cybersecurity policies are comprehensive.

Sign up for a dmarcian Trial here https://eu.dmarcian.com/partners/register/osh

Top 100 South African Companies' DMARC Compliance

| Company Name | Domain Name | DMARC | Dmarcian Links |
|---|---|---|---|
| AB InBev | ab-inbev.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=ab-inbev.com |
| Avi Ltd. | avi.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=avi.co.za |
| Barloworld Limited | barloworld.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=barloworld.com |
| Bid Corp | bidcorpgroup.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=bidcorpgroup.com |
| British American Tobacco | batsa.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=batsa.co.za |
| Capital & Counties Properties PLC | capitalandcounties.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=capitalandcounties.com |
| Exxaro | exxaro.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=exxaro.com |
| Fortress REIT Limited (Fortress Income Fund Ltd) | fortressfund.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=fortressfund.co.za |
| Globe Trade Centre S.A. | gtc.com.pl | invalid | https://dmarcian.com/dmarc-inspector/?domain=gtc.com.pl |
| Italtile Ltd. | italtile.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=italtile.com |
| Karooooo | karooooo.com | invalid | https://dmarcian.com/dmarc-inspector/?domain=karooooo.com |
| Liberty Holdings Limited | libertyholdings.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=libertyholdings.co.za |
| Lighthouse Capital | lighthousecapital.mu | invalid | https://dmarcian.com/dmarc-inspector/?domain=lighthousecapital.mu |
| Northam Platinum Ltd | northam.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=northam.co.za |
| Rand Merchant Investment Holdings | rmih.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=rmih.co.za |
| Royal Bafokeng Platinum | bafokengplatinum.co.za | invalid | https://dmarcian.com/dmarc-inspector/?domain=bafokengplatinum.co.za |
| AECI | aeciworld.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=aeciworld.com |
| African Rainbow Minerals | arm.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=arm.co.za |
| Anglo American | angloamerican.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=angloamerican.com |
| Aspen Pharmacare | aspenpharma.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=aspenpharma.com |
| Capitec Bank | capitecbank.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=capitecbank.co.za |
| Clicks | clicks.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=clicks.co.za |
| Distell Group Limited | distell.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=distell.co.za |
| Equites Property Fund | equites.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=equites.co.za |
| Gold Fields | goldfields.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=goldfields.com |
| KAP Industrial Holdings | kap.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=kap.co.za |
| Massmart | massmart.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=massmart.co.za |
| Momentum Metropolitan Holdings Limited | momentummetropolitan.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=momentummetropolitan.co.za |
| Montauk Renewables | montaukenergy.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=montaukenergy.com |
| Motus Group Limited | motus.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=motus.co.za |
| Mr Price Group Limited | mrp.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=mrp.com |
| MTN Group | mtn.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=mtn.co.za |
| Nedbank | nedbank.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=nedbank.co.za |
| Netcare | netcare.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=netcare.co.za |
| Ninety One plc | ninetyone.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=ninetyone.com |
| Old Mutual plc | oldmutual.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=oldmutual.co.za |
| Pick n Pay Stores | pnp.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=pnp.co.za |
| PSG Konsult Limited | psg.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=psg.co.za |
| Richemont SA | richemont.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=richemont.com |
| Santam | santam.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=santam.co.za |
| Sasol | sasol.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=sasol.com |
| Shoprite | shoprite.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=shoprite.co.za |
| Sirius Real Estate | sirius-real-estate.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=sirius-real-estate.com |
| SPAR | spar.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=spar.co.za |
| Standard Bank | standardbank.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=standardbank.co.za |
| Sygnia Itrix | sygnia.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=sygnia.co.za |
| Telkom | telkom.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=telkom.co.za |
| Textainer Group Holdings | textainer.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=textainer.com |
| Truworths | truworths.co.za | p=none | https://dmarcian.com/dmarc-inspector/?domain=truworths.co.za |
| Vivo Energy | vivoenergy.com | p=none | https://dmarcian.com/dmarc-inspector/?domain=vivoenergy.com |
| AngloGold Ashanti | anglogoldashanti.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=anglogoldashanti.com |
| Coronation Fund Managers | coronation.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=coronation.com |
| Discovery Limited | discovery.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=discovery.co.za |
| EPP | epp-poland.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=epp-poland.com |
| FirstRand | firstrand.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=firstrand.co.za |
| Foschini Group | tfg.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=tfg.co.za |
| Hammerson | hammerson.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=hammerson.com |
| Harmony Gold | harmony.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=harmony.co.za |
| Impala Platinum | implats.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=implats.co.za |
| Imperial Holdings Ltd. | imperiallogistics.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=imperiallogistics.com |
| Life Healthcare Group | lifehealthcare.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=lifehealthcare.co.za |
| NEPI Rockcastle | nepirockcastle.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=nepirockcastle.com |
| Pepkor | pepkor.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=pepkor.co.za |
| Remgro | remgro.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=remgro.com |
| Sanlam | sanlam.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=sanlam.co.za |
| Sibanye-Stillwater | sibanyestillwater.com | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=sibanyestillwater.com |
| South32 | south32.net | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=south32.net |
| Woolworths Holdings Limited | woolworths.co.za | p=quarantine | https://dmarcian.com/dmarc-inspector/?domain=woolworths.co.za |
| Absa Group Limited | absa.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=absa.co.za |
| BHP | bhp.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=bhp.com |
| Bidvest Group | bidvest.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=bidvest.co.za |
| Bytes Technology Group (Proprietary) Limited | altron.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=altron.com |
| Dis-Chem | dischem.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=dischem.co.za |
| DRDGOLD Limited | drdgold.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=drdgold.com |
| Glencore | glencore.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=glencore.com |
| Growthpoint Properties | growthpoint.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=growthpoint.co.za |
| Investec plc | investec.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=investec.com |
| MAS Real Estate | masrei.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=masrei.com |
| Mediclinic International | mediclinic.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=mediclinic.co.za |
| Mondi | mondigroup.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=mondigroup.com |
| MultiChoice Group | multichoice.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=multichoice.com |
| Naspers | naspers.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=naspers.com |
| Prosus | prosus.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=prosus.com |
| Quilter plc | quilter.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=quilter.com |
| Redefine Properties | redefine.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=redefine.co.za |
| Reinet Investments | reinet.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=reinet.com |
| Resilient REIT | resilient.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=resilient.co.za |
| Sappi | sappi.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=sappi.com |
| Steinhoff International | steinhoffinternational.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=steinhoffinternational.com |
| Super Group | supergroup.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=supergroup.co.za |
| Tiger Brands | tigerbrands.com | p=reject | https://dmarcian.com/dmarc-inspector/?domain=tigerbrands.com |
| Transaction Capital | transactioncapital.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=transactioncapital.co.za |
| Vodacom | vodacom.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=vodacom.co.za |
| Vukile Property Fund Limited | vukile.co.za | p=reject | https://dmarcian.com/dmarc-inspector/?domain=vukile.co.za |

These DMARC policies were correct as of 2023/01/15. If you are a domain owner represented above and you have changed your DMARC policy and would like that reflected, please reach out to us on support@osh.co.za.
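The "DMARC" column above is the result of one check per domain: fetch the TXT record at `_dmarc.<domain>` and bucket it as invalid, p=none, p=quarantine or p=reject. The following Python is an added example written for this page (it is not dmarcian's code, nor the tooling used for the audit) that performs that classification offline on constructed sample records for hypothetical `.test` domains, then produces the same kind of summary. It applies two rules from RFC 7489 that commonly trip people up: the `v=DMARC1` tag must be first and match exactly, and a record with no usable `p=` tag but a `rua=` address is still processed as `p=none`. The function names and sample domains are my own.

```python
from collections import Counter

# Classifications used in the audit table above
VALID_POLICIES = ("none", "quarantine", "reject")
INSPECTOR = "https://dmarcian.com/dmarc-inspector/?domain="

# Constructed sample records (hypothetical .test domains), as a DNS client
# would return them from the TXT record at _dmarc.<domain>; None means
# no record was published at all.
SAMPLE_RECORDS = {
    "monitor-only.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    "quarantining.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:rep@quarantining.test",
    "rejecting.test": "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s",
    "typo-policy.test": "v=DMARC1; p=rejct",              # unknown p value, no rua
    "wrong-order.test": "p=reject; v=DMARC1",              # v tag is not first
    "no-policy-but-rua.test": "v=DMARC1; rua=mailto:rep@no-policy-but-rua.test",
    "spf-in-dmarc-slot.test": "v=spf1 include:_spf.spf-in-dmarc-slot.test -all",
    "nothing-published.test": None,
}


def parse_tags(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value).

    Tag names are lower-cased; values are kept as published. A part with
    no '=' makes the whole record unparseable (returns None).
    """
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def effective_policy(txt):
    """Return 'none', 'quarantine' or 'reject' for a usable record, or None
    when a receiver would apply no DMARC processing at all."""
    if not txt:
        return None
    pairs = parse_tags(txt)
    if not pairs:
        return None
    # RFC 7489 section 6.3: v=DMARC1 must be the first tag and match exactly,
    # otherwise the whole record is ignored.
    if pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return policy
    # RFC 7489 section 6.6.3: a record without a valid p= tag is still
    # processed as p=none when it carries a usable rua= reporting address
    # (simplified here to "starts with mailto:").
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "none"
    return None


def classify(txt):
    """Map a record to the labels used in the table: invalid / p=none / ..."""
    policy = effective_policy(txt)
    return "invalid" if policy is None else "p=" + policy


def audit(records):
    """Build (domain, classification, inspector URL) rows from domain -> TXT."""
    return [(domain, classify(txt), INSPECTOR + domain)
            for domain, txt in records.items()]


def summarize(rows):
    """Count each classification and its share of the audited domains."""
    total = len(rows)
    counts = Counter(label for _, label, _ in rows)
    return {label: (n, round(100.0 * n / total, 1))
            for label, n in sorted(counts.items())}


if __name__ == "__main__":
    rows = audit(SAMPLE_RECORDS)
    for domain, label, url in rows:
        print(f"{domain:<28} {label:<13} {url}")
    for label, (n, pct) in summarize(rows).items():
        print(f"{label:<13} {n:>3}  ({pct}%)")
```

Like the table, this looks only at the organisational domain's own `p=` policy; it does not weigh `pct=` or the subdomain policy `sp=`, so a domain published as `p=reject; pct=0` still counts as p=reject even though receivers would not enforce it. To run it against live domains, replace `SAMPLE_RECORDS` with the strings returned by a TXT lookup of `_dmarc.<domain>`.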

Show Notes

dmarcian Website

dmarcian on Twitter

dmarcian on Facebook

dmarcian on LinkedIn

DMARC Domain Checker - Domain Health Checker

More Reading about DMARC and Email Deliverability

More information about DMARC and DMARCIAN

https://youtu.be/OsdXGiPLnLw

Edited Transcript

Paul Ogier

So welcome to Taming Tech, The Podcast. This is episode number seven. And you can find all the show notes at taming.tech/7. Hi, Tim. And welcome to Taming Tech, the Podcast.

Tim Draegen

I'm glad to be here. Thank you for having me.

Paul Ogier

Okay, so for listeners and viewers of this Podcast, because you can go and watch this on YouTube, Tim Draegen is one of the developers, the writers, and as the kids say, and people much cooler than I would say, the OG of the DMARC standard, and also the founder of dmarcian. What? Okay, first question, this is going to be a hard question. So, brace yourself. Did you feel that DMARC was a needed thing? Or did you feel that IT people just needed another acronym?

Tim Draegen

A little bit of both. I think the world needs DMARC. But most of the time, people get stumped by three-letter acronyms. So, we're like, how do we fuck with everyone and make it super long? But Paul, it backfired. Because when people go on the internet for, I don't know, 10 years or so, people will type in DMARC. And the number one hit was the Des Moines area religious council. And so, Google supports team

Paul Ogier

okay, yes, that is a problem.

Tim Draegen

you need to Deploy DMARC. And then people are like Google's converting me in Des Moines, Iowa. I don't understand. It is super conflicting. Sucks.

Paul Ogier

Yes. No, look, I think between IT people and acronyms and abbreviations and technicalities, they actually just like it to feel superior sometimes to other people.

Tim Draegen

They don't feel superior, man; that's just the way it is.


Paul Ogier

Okay, that's just the way it is. But, but in all seriousness, what are the advantages of businesses getting the SPF, DKIM, DMARC, record sorted, and sorted now

Tim Draegen

the acronyms don't matter. Email has been around forever. Everyone's always been able to just make up any email they want. The content could be arbitrary. And you just set it out to the world and say, hey, world, figure out what the hell this thing is. All DMARC sorry, all the acronyms do is make it so that a piece of email could be linked back to an internet domain. That's all it does. Okay. And then the domain owner who's sending email can say, I'm doing this thing, check my email for the thing. And if it doesn't pass, just don't even accept it, block it. And that's the basic model.

Paul Ogier

Okay. Look, I mean, there's various types of listeners and viewers of this Podcast. There are people who are business owners, and there's very technical people. So, in terms of business owner who doesn't understand stuff, then they know that the emails are going into someone else's spam. And they listening to this and going, why on earth? I'm a good person. Why is this happening to me? Why is it? Yes. So why is it happening to them? I mean, there's millions of answers. But I think if we could break it down for them in that kind of way, that will allow them to say, Okay, I've ticked box number one, I'm not going to tick box number two, and I have no idea what box number three is.

Tim Draegen

yes, that's a, that's a solid place to start. So, if you're a business owner, even if you're not a business owner, if you're just a person that doesn't want to get defrauded on the Internet. In the days of old, someone had to take an interest in you and say, Tim, you're in western North Carolina, and I've got a pipe fitting shop, not too many people on the internet are gonna fly to my town and break up my window and steal my pipe fittings, because no one gives a crap. However, the internet makes everything different. You don't have to come to my hometown, to break into my shop, you can just go online and even worse now is that there's so much social networks, there's so much social media, where everyone is putting everything online, all you have to do is pay attention and say, I'm going to go to LinkedIn or whatever social network and say Tim's pipe fitting shops, what's the name of the admin? What is the use for banking, and then just send a piece of crap email that says, can you pay this invoice from the bank? and by the way, I'm the admin. And it doesn't even matter. It's so cheap to do all that machines do all the work of finding the intelligence now, it's just using legitimate technology in a criminal way. It's so cheap, you can send a million of these kinds of messages to everybody around the world. And even if 100 of them click on it, your bank account just shoots out the roof from Free Easy money. That's how shitty it is for people. And so, the best.

Paul Ogier

That is pretty shitty. Yes.

Tim Draegen

So, the best thing to do is do basic internet security. One, don't be online, but you have to be online to do anything. So, if you have an internet domain, do the basic controls. Make sure you have something there's only one thing like DMARC, do DMARC so that when you send a real piece of email, anybody else who cares to see if you're real or not can say, oh, your email actually does come from you. That means I'm not going to put you in the spam folder. I'm going to deliver it and it makes it far easier for me, the person who's trying to figure that out to understand what's real or not. Granted, big asterisk, you know, big footnote at the bottom of the page is, if you send email that no one wants, if you're a spammer, or you thrive on just flooding the internet with crap mail, hoping that someone's gonna click on your bullshit drug pill, email, or whatever, buy some crap from you, it's probably going to be bad for you, because everyone's gonna say, Wow, that person's really sending a lot of email that no one wants. And thank you for identifying yourself. So, we can all block all the crap that no one wants. So, if you're a good actor, definitely do it. If you're a bad actor, definitely do it so that everyone can understand that you're a bad actor. Either way, you are going have to do the work anyway, because no one has time anymore to sort through the big unknown pile to find the little needle that you know, that supposedly important, but it comes from someone who just doesn't care enough to actually do the minor amount of work it takes to make sure that they're not a needle in a haystack. So that's the way it's happening.

Paul Ogier

Okay, so now, if I'm a business owner, if I've got a domain, and I want to serve, like, figure this stuff out, I think there's a couple of ways obviously, we can go to dmarcian.com. *Editor: to test your SPF, DKIM and DMARC go to this webpage* And we can type our domain number, domain number really Paul? domain name in there, and it will tell us a couple of things. It will tell us are we covered by SPF; it'll tell us if we covered by DKIM. And it'll tell us if we covered by DMARC. There are a couple other ones that are that I've used for email deliverability in the past, which is a website called mailgenius.com and mail-tester.com, which I'll put both of those in the in the show notes. What they do is that you can actually get a temporary email address from them and you email that that email address and it basically looks at the headers of your email, it says, okay, you know what, we've actually got proper returns senders, we've got proper DMARC records, DKIM records, but you know what, you actually have no unsubscribe in your email, or you've got a bad reputation on the internet. Where should people start? We should because they might be listening to this going. I'm scared. Now I want to look at it. Where should people start?

Tim Draegen

Paul, the two, there's two different problems that you've been talking about. The email tester stuff is great, easy place to start. Most of the time, people will send themselves email to their favorite HTML based web provider, you know, Gmail, or Yahoo, or Hotmail or whatever, they'll send themselves email, they'll look at it. And they'll say, I want to look at the headers to figure out what's going on. But immediately, that means you're not a normal person, because normal people don't look at email headers. So, using one of the services instead

Paul Ogier

what are you saying about me, Tim? I am normal. God, I'm normal.

Tim Draegen

You are normal. I guess? I don't know.

Paul Ogier

Thank you

Tim Draegen

But the thing is, using those services make it you know, it's accessible to normal people who say, what does my mail look like when I send it to you. But that only works for the email that you're sending to those test addresses. Something like DMARCs, it's useful for the internet domain owner, especially at a small business or larger, because when you turn on DMARC, and you go through the process, you get visibility into all the legitimate people that are trying to send email on your behalf. And the whole work is got visibility, work with your vendors. So, they send legitimized email using DMARC. And then you can flip the switch that says, if you get any piece of email that comes from my domain, you know, accept it if it checks, but otherwise block it if it doesn't. And so, it's really two different contexts. For the things you're gonna get started as an individual and you don't own your own internet domain. DMARC is not for you, you don't even have to think about it. But if you do register your own internet domain, takes a little bit of time it takes to put some DMARC controls in place. And there's a number of different services. When DMARC was first launched in 2012, I realized that nobody on the internet would develop sorry, nobody in internet would deploy this stuff unless there was some kind of support resource. And if you turn on DMARC by default, you get blasted with you know, hundreds of pieces of XML from all around the internet every day. And it's just not right and so people try that they turn on they're like, why is these weird things like punching me in the face all the time, like don't do that. Machines are close to processing. And dmarcian was the first thing online that could process DMARC XML data. But the point is not to make a monopoly. The point is to spread DMARC everywhere so there's many different services out there that could meet your needs. So, look at three of them, you know, take as much time as you want to find the right kind of vendor. 
There's something for everybody out there after 10 years of advocating it just tried to get people to do it.

Paul Ogier

Okay, so now, IT security in a normal company is multi layered. It's rather than just having antivirus, which was the ultimate thing in, I don’t know, 1998. It's, it's known we need firewalls and anti-malware and group policies. And, and and. In email deliverability, the, as you said, we’ve got SPF, we've got DKIM, we've got DMARC. And all of those things have come over the years, obviously DMARC is one of the newer ones coming from but 2015, I think. And so that is another layer in terms of email security. And obviously, if I say to you that the first step in email deliverability and protecting your domain would be SPF, then maybe the second would be DKIM. And then the third would be DMARC. Would you agree with that, putting it in that kind of thing, because obviously DMARC relates to the SPF and DKIM records.

Tim Draegen

That's how evolved historically, but that's not the right way to do to do it today. Here's a series of fun facts, SPF came out

Paul Ogier

I like fun facts.

Tim Draegen

in 2004-2005. It's just a way to use the DNS, you can publish a small list of servers on the Internet that are that are okay to send on behalf of your domain, specifically, the envelope domain has a message which confuses everybody. But anyway, that came out in 2004-2005. No one gave a crap about it until Hotmail said, hey, if you want to deliver your email to Hotmail, if everybody remembers, you know, Hotmail, 2006, I think, they said, you need to make an SPF record if you want to get your email delivered. So, all of a sudden, big, big day, everyone's like, crap, I need to put in an SPF record because I need to send my newsletter or whatever, to my buddies at Hotmail. And so, everybody did it. Yes. So that time, everyone tried their best, but they had no idea. They're like, I have an email server and I have a domain, I'm going to tell the world, my email comes from my email server, because it's obvious, but what they didn't think was they're not the only ones using that domain. So, in 2006, a bunch of SPF records came about arguably accurate, you know, for a few people. And that was it. And then SPF never goes away. Instead, people who have to maintain SPF change jobs, they quit and then people show up at a new office, they're like, I need to do something SPF. So, they just keep adding things, they just add more and more stuff to their SPF records, super bad, not accurate. An email receiver can't really trust the results. If they work. And it looks like you know, syntactically things are good, then great. They have a signal that they could use for their existing anti-spam engine. But you know, publishing SPF record, it's still just like, you know, you pinch your nose, you close your eyes, and you're like, I hope this helps. But I can't really tell if it does anything, but it feels good. And someone told me to do it. Okay, fast forward a couple years, DKIM comes around.

Paul Ogier

But let me jump in. But just quickly on that one. So, we're actually going to be talking about the top 100 companies in South Africa and the way the DMARC records and the DKIM and the SPF will actually set up and what kind of percentages are actually compliant. Touching on the SPF records now, one of the things that I noticed when compiling all this data was a lot of them actually are compliant with the SPF because you would hope that they are because it was from 2004. But a lot of them have actually just added and added and added and some of them on 11 or 12 Different things for their SPF, their different includes, and they haven't done a flattening of the SPF for anything, it's just they went Oh, we've added a new Mail Sender. So, we're going to add that as an include we now send from Microsoft 365. So, we're gonna add that, we now also send from whatever a bulk mail servers SMTP to go or something, and they just start adding all of these includes. What can people actually do to actually stop that kind of thing? I touched on SPF flattening a little bit, but is that the best thing? Or should they actually do an audit once a year of actually what's in the SPF records?

Tim Draegen

Yeah, an audit once every year, once every 10 years, you know, any audit would be better. So, the difficulty with SPF is because 2006 ever needed it. And there's just a bunch of bad advice on why people should add their MailChimp, like include MailChimp, even though by default MailChimp doesn't send email in a way where it makes sense. So, people end up with SPF records that are huge, that include things that should not be in there. If you like put on your weird security researcher hat, I guess it's more like this. You put on your internet security researcher hat that's very pointy. You have a security envelope where people are just adding more and more authorized stuff and your envelope fast and now, you're authorizing half the Internet to send in your behalf. So, the audit part, it's probably not optional. If you even want to take that a little bit Seriously, just look at it and just cut out the parts that are clearly not supposed to be there. But that's the crux of the problem is people don't know what should be there or not because there has been no feedback loop saying this is what looks legitimate coming out of your systems. And people in one office often have no idea what's being sent from other offices or other lines of businesses. And so, it's been a big problem. Okay, so SPF has that thing.

Paul Ogier

Okay. So that was step number one was SPF. And then you're going on to the DKIM,

Tim Draegen

DKIM came second, it was a bastard hybrid between Cisco identified email, and Yahoo came up with domain keys. And they were very, very similar. And I think it's because Yahoo headquarters and Cisco headquarters are really close to each other in California. So same idea probably happened at one bar, someone overheard it, and then just parallel implementation tracks, they fought a little bit, like only people in Silicon Valley can. And then they decided to hug, make up, because California is really soft like that. It's really nice. They came together and DKIM was born. So, they're like, they didn't want to budge. So, it's DomainKeys Identified Mail. So, it's like the two-tech talent technology is crammed together, came together made a lovely thing. 2007. That's what it was. DKIM a little bit different. You take the message you give it you know; I'm completely paraphrasing. You give it a digital thumbprint that says this really does come from a domain. And it's great, it travels with the message so that you know, you're not authorizing servers, but rather you're saying this message has a thumbprint that travels with it. And as long as you don't mess with the message or add stuff to it or take something away, it still works, it still can be checked, which is great. The problem there is still the same that people would use the technology that go to their corporate email sender and say, I'm sorry, their corporate email server, put the technology in place. So, they had one stream of email using the domain that's DKIM signed, and then say we're done. But they forgot about their newsletters. They forgot about all the other email that's using that email domain. And so, from a receiver’s perspective, sometimes a bank's email will authenticate correctly. Sometimes the bank email would not it was still up to the receiver to figure out what was real or not, which is completely crappy. From a protect your user’s perspective, right? 
The Gmail team has to inspect every message try to figure out is this thing real? Or is it liking a dangerous fake that looks super real? And it just leads to a really bad situation? So DMARC, the last acronym, better acronym, because it has more letters. That one came along. The problem was, how do you get people? How do you give domain owners information that they can use to deploy SPF and DKIM accurately? And so that's what DMARC adds to the whole thing is, you get a feedback loop where the rest of the internet says, here's how we see your domain being used at our own front door. And you put all those front doors together, you process it as a big blob, and you pull out, you know, the infrastructure that's like, you know, here, you're using Gmail infrastructure for your corporate stuff. You're using MailChimp for your newsletters, and you're using you know, a payroll company, and they're all sending using your domains, then you can go through and deploy SPF and DKIM to such a degree of accuracy that you could throw the switch and say, I've done the work, block, anything that doesn't come from me and receivers, then can really trust it. And the important thing is the receivers can trust you. But more importantly, from their perspective is if there's ever a support issue, they can just say, oh, you're doing DMARC, you never reject policy, you have a problem with that internet domain, go to the sender and stop talking to us about why your stuffs ending up in the spam folder. So, it's made this really beautiful kind of ecosystem, this feedback loop where domain owners can now have responsibility for what it is that they're sending. And they get to deal with the support costs for their own behavior, which is really, really brilliant.

Paul Ogier

Yes. Okay, so now there are three levels of DMARC, there is none, there is quarantine, and there is reject. So, none is basically where everyone starts with DMARC. It basically, you put a none record and then then everyone who gets emails from you, or any server that gets emails from you will then start sending XML things back to the reporting address

Tim Draegen

and people sometimes call it a monitor mode, and it was designed

Paul Ogier

Monitor mode?

Tim Draegen

It was designed, you can turn it on and collect data without anything being affected. So, you can turn the light on, it's okay, you might see something horrible, but it's not going to change the way things are currently going. So, you can get started as just a technician. You can turn it on, collect data and do things without getting an angry phone call on Saturday night from the boss being like, what have you fucked up?

Paul Ogier

Yes. So now with these top 100, which we'll talk about just now. There's a couple that have got the none, a couple that have got the quarantine and couple that have got to reject. There's also a couple that have got nothing. In my opinion. That's inexcusable. They're not even trying. They're not even monitoring; they're not seeing what's actually happening with their domain. They're not seeing if the domain is being spoofed. They're not seeing if there's a whole bunch of people sending mails to possibly their clients. And they're not monitoring it. They're not getting any feedback from it.

Tim Draegen

Yeah. I don't think there's any malicious intent there. Because I'm an idealist. Fundamentally, I believe that the only reason why that's the way it is, is because people aren't aware of it.

Paul Ogier

Yes, but you know that old saying, that in the eyes of the law ignorance is not a defense.

Tim Draegen

I'm familiar with that.

Paul Ogier

Ignorance. It's something like that. Ignorance is something. I get the irony of you not knowing that.

Tim Draegen

That is not quite right.

Paul Ogier

It's something about meek, and is this animal involved? I'm not sure. Anyway. So, in terms of being an IT person, there's a couple of roles that an IT person needs to have. And one of the roles in my opinion, is that they need to be a researcher, they need to be a learner, they need to be an understander of new technologies. Because if someone deployed Microsoft Exchange in the year 2000, and went cool, I'm done now. And 20 years later, hadn't done anything else about it. In my opinion, that's inexcusable. That's almost negligence.

Tim Draegen

Yeah, I agree.

Paul Ogier

So, if DMARC was released last month, I'd go cool. They are okay. They haven't read the articles. They've been busy. Whatever they have. DMARC is from 2015. That's six years, and in IT circles that is a long time.

Tim Draegen

I have to interrupt. DMARC is from 2012. So, it's even worse.

Paul Ogier

Okay. Okay, so that is definitely worse. Yes. Okay. So, if I was to say to someone, I haven't done my DMARC records, because I didn't know about them. It's brand new. In 2012, I'd be okay with that. Maybe 2013-14 at a push, but now? I don't think so anymore.

Tim Draegen

Yeah, I think it comes down to, if people haven't done it yet, there's probably lack of a carrot, lack of a stick, lack of awareness. I don't know. I spent the first years, 2012 to 2015, flying around telling people and evangelizing and saying this is a really neat technology, until someone put me on the shoulder and said, so we need to sit down. We know it's there. That would be okay. I realized like, wow,

Paul Ogier

yeah, listen to Tim. Calm down. We all know, and we get it.

Tim Draegen

Exactly.

Paul Ogier

Thank you

Tim Draegen

Change your shtick, dude. Move on to the next acronym, but I'm like, this is all I know. So fun.

Paul Ogier

Yeah, this is gonna be carved on my gravestone. I'm called the DMarcer.

Tim Draegen

No, no, I just want a quiet life. Why am I even on your Podcast? I don't want to be known for any DMARC. Quietly, play electronic music and ride mountain bikes. I'm doing the wrong thing.

Paul Ogier

That sounds brilliant. We will just take a break. Now instead, like just do that. We'll just Yes. Okay, so let's jump in here. Let's jump in here. There's a couple of things. If they don't have DMARC involved, there's a couple of negatives. Let's start with the stick. There's spoofing, there's privacy laws, there's hacking, there's phishing, there's all of those things that can actually happen if they don't have SPF, DKIM and especially DMARC. Right, put in, are there any things that I'm missing?

Tim Draegen

Yeah.

Paul Ogier

Are there any other sticks that you have?

Tim Draegen

Yes, from a technical perspective, I have a different way of saying this, but I swear it's related. There are different drivers for why people have deployed DMARC. Originally, it was the phishing problem, you know, CEOs, executive teams, oh God, we've got something horrible, and we just sent $50,000 somewhere which should have gone, oh God, we do. Shit rolls downhill, it's, person's like, you need to fix this. IT person says, oh, crap, I'm gonna do my job. Or fix this fire. What do I do? DMARC looks like the thing because, you know, they read the magazines and on top blogs. They tried to get the work done. That's the number one driver and it really lifted DMARC from being nothing to being something good. The other driver at the same time was for deliverability. You know, if you're trying to send your newsletter, make it so that people can identify you, makes delivery a little bit easier, you know, avoid some of the dangerous spam engine stuff if you can. So that was a really minor thing. What we're seeing now is that regulation is taking up the slack. So instead of having to wait for everybody to be defrauded before they take action, industry associations and governments are stepping in and saying, you need to do this thing. I thought in the United States this would happen forever, because the United States government is really bankrolled, like, you have to have money to make something happen. And if you're an internet interoperability standard, you don't have any money, by definition, you're not even a thing, you're just a way to work together. So, who's gonna pay everybody to be regulation? Nobody. But it happened, the United States has got stuff rolling through the federal government from the legislative branch, it says, US has to do this. And all of a sudden, we don't have to wait for everybody to be defrauded anymore, which is really, really great. That's the next big driver.
The last one that we're seeing is, from a compliance perspective, insurance companies are starting to look at all the different data breaches. And because they've been authoring policies for cybersecurity insurance, people are getting their asses kicked. And now they're like, my policy should pay for something. So, insurance companies are now saying, oh, you don't even have a DMARC record, you know, they don't even have to look at the company, or if they have locks on the doors of their office, they can just use their internet browser and be like, click, click, you don't even have this basic signal in place for keeping your pants on. And you want us to pay you for what happened to you? That's ridiculous. So that by far is driving DMARC adoption in today's modern world. More than people think the fraud is, more than an IT person being, we've got a firewall and other stuff. It's mainly, we're not going to get there of our insurance money, or you know, so we have to go do this thing.

Paul Ogier

That's amazing. I haven't heard about that one. I've heard about everything else. But the insurance one, it's completely, wonderfully evil.

Tim Draegen

It's the culmination of technology advocacy, I think you have to push technology to the point where insurance companies get involved, or financers. If you could somehow tie your thing to how financers rule the world then like your technology is gonna be baked in everywhere. Cuz that's just the way it goes.

Paul Ogier

Yeah, and if you can get the insurance and the financial people to talk together, you will basically be a…

Tim Draegen

Yeah, we're talking about anyway over governments and stuff now. But let's get away from the weirdest illuminati stuff. There is one last thing I can share about barriers, which is when people try to get DMARC done. Mainly, it's a technical person who's been told by an angry C level executive, like, how can you let me do a bad thing, you need to fix this, you need to put DMARC in place, and you're like, oh, crap, what do I do? And then it comes down to, at a larger company, you have a domain that you need to put DMARC in place, you get your data, you do all the technical stuff, you get a list of vendors that you have to work through to get DMARC compliance in place. A lot of the time, this is the first time a technical person has ever had to leave their cube to go talk to, like, people in marketing and what, like, newsletter they're using. First time they've had to talk to legal teams or vendor management teams. It's super weird. And it's way outside of what they normally do and what they signed up for when they got into IT. So that in itself can be a big barrier of adoption to DMARC, is letting technicians know that they can get the work done. It's just like no other work they've done before. And so, cracking that nut has been interesting for sure.

Paul Ogier

Yeah, no, that does sound uncomfortable for people who haven't done it before.

Tim Draegen

Yeah. So well, we could do is, you know, yes

Paul Ogier

Send them love. We send them love. Yes. Okay. Yes. Okay. Um, so, if you are okay, let's look at the top 100 companies.

Tim Draegen

Yes. So, I'm not a data researcher.

Paul Ogier

That's fine. Neither am I.

Tim Draegen

This is going to work out quite well for us. So, we've got the screen share thing going on. All I've done is use dmarcian's tools to dump in the top 100 companies, and I'm not trying to highlight the platform. I'm just showing that we've got domains on the left column. We have DMARC records in the middle and SPF records on the right. DKIM, I turned that part off because if we don't have data collected from DMARC, we can't really tell you much about DKIM, because of the way DKIM works, you just can't probe the internet to find results very easily. So, we're just going to put those aside. So, there are quite a few companies in the top 100 list where there are reject policies in place. I think seven, you know, according to this screen here, and they've got SPF,

Paul Ogier

Okay. This is listed, like, jumping here, we talk about the top 100 companies. I pulled this from the top 100 stock market companies in South Africa. Some of them actually are listed twice or three times on the stock market and they use the same outgoing sending email domain, so they might only be 95 or something in here, but I'm sure we'll be able to figure that out going forward, yes,

Tim Draegen

I will be able to tell you about it. But that brings up an interesting problem that a lot of companies have, which is they often think that their main domain is the only one that they need to put DMARC controls in place for. When really, if you're the security person at a large company, you should be getting all of your domains in compliance with DMARC, even the ones that don't send email. So, you know, in terms of efficiency, don't do just one domain at a time, roll the technology out all at the same time, it just ends up being more efficient.

Paul Ogier

If someone is going to have a normal domain and an email sending domain, are they looking at having both of those domains protected? Or should you rather just protect your email sending one?

Tim Draegen

Well, it's my understanding that if you're the CISO at a company, or even if you're in charge of just security for internet domains, it's far simpler to say, we have DMARC in place across the board. That's just a matter of policy. The technical twist is, not only is that, you know, PR positioned better, but it's incredibly easy to put DMARC policies in place for emails that do not send domains, sorry, domains that do not send emails. They're not being used, all you have to do is monitor data for a week, verify that they're not being used legitimately, and you put your controls in place, and you're done. The thing is, just because you don't use the email, I'm sorry, just because you don't use that domain for email doesn't mean fraud people, you know, aren't going to use them. So, you should really,

Paul Ogier

Absolutely, because if it does, say, your domain name, and I go, that's a known domain to me. And I get spoofed on that domain, because you don't have your records in place, then it's quite easy to do it.

Tim Draegen

Yeah. And the worst part is, if it's a legitimate domain, you know, researchers on the internet are going to look and say, oh, this really does belong to, you know, BHP or whatever company, but it doesn't have a DMARC record. And now, like, try to be the machines figuring out, like, is this a malware domain? No, it looks like it's registered to a real entity. So, if we have to guess, you know, maybe it's good, let's put it in front of the user and let them figure it out. Better to put a DMARC policy in place that explicitly says, this domain does not send any legitimate email. It makes everybody's, it makes good actors' jobs far, far easier.

Paul Ogier

Okay, so in terms of the top, let's pretend 100, we have got like nine rejects, which is the top security, blocking, right?

Tim Draegen

Far more in quarantine, really. I'm going to drive towards the bottom of the list, because that's where it starts getting interesting. So, quarantine is the second kind of mode that DMARC can be in. And it basically means, if you get a piece of email from my domain and it's not compliant, you know, scrutinize it. If you have a spam folder, throw it in the spam folder. If you don't have a spam folder construct, then really turn up the dials on your anti-spam engines and really, like, you know, give that message what for, see if it's real or not. Most of the time quarantine is an intermediate step on the way to reject, which allows people to just block email that's not compliant outright. That's really where most companies want to be.

Paul Ogier

Okay, and then something like Hammerson, for instance, they say that they're going to quarantine and they're going to quarantine 50%. Is that a good way to do it, so go from none to quarantine, a certain percentage quarantine 100% and then reject?

Tim Draegen

Yes, but the percentage tag, when DMARC was being developed, we knew that some really large companies didn't want to have the big 440 Frankenstein switch where they're like, okay, across the financial sector, let's throw this switch and see what happens. So, the percentage tag is more like a volume dial where you can say, I want to apply this policy to illegitimate email. But I really don't want to do it, you know, all at once. So, you could go from percentage zero all the way to 100. More as a dial, in practice, most companies will do the work, and by the time they get to the point where they're ready to put a policy in place, they go to quarantine, they wait a little while and then they go to reject. The important thing isn't so much, you know, the technical control, the dial being in place, rather, it's making sure that the organization has remediation paths and some escalation paths in place. So, if something does go wrong, you know, which it will at some point in the future, just make sure that people aren't bouncing off the walls trying to figure out what to do about it, like, build those escalation paths. So, the controls are there in terms of percentage to give you some ability to say, don't roll this out 100% from the get-go. In my perspective, it's far more important to make sure that the company knows how to respond to issues, you know, build out that little minor operational process, and then the percentage stuff becomes less important.

Paul Ogier

Okay, as we scroll down the list, we've got obviously quarantines, we've got a couple of SPF needs attention, which is either there's too many includes in there, or they didn't actually set it up properly. And then we get down to the nones. Now, the first couple of nones that I actually would like to talk about, there's quite a few banks in here, the Standard Bank, there's Nedbank, those are the ones that, you know, they need to, like, take a step back. In South Africa, we have quite a few mining companies. And those mining companies might have 100,000 people working for them. But in those 100,000, there's 90,000 people who are actually miners, and only 10,000, or 1000, or whatever it is, that are actually working in that office. And those people are actually only dealing with a handful of suppliers and a handful of clients. If you're looking at something like a Standard Bank, if you're looking at something like a PEPKOR, for instance, PEPKOR is a clothing brand, clothing shop chain in South Africa. So if I'm going to be doing that, they have got accounts on their clothing things, they've got specials that are going out there, whatever it is, they've got millions of people on their mailing lists. Standard Bank, Nedbank, all of those have got millions and millions of people or hundreds of thousands of people on their mailing lists, and they have a DMARC record of none. Yes, they've got an SPF record that is there. And they probably have a DKIM record. But they have a DMARC record of none. How does this kind of percentage actually work in comparison with what you're seeing internationally? Are people looking at banks, or other banks internationally, actually putting a DMARC record that's either reject or quarantine in place? Or are they sitting on it?

Tim Draegen

It really depends on the bank. Larger banks that have dedicated security budgets and capable teams have already moved to put reject policies in place. That said, a lot of banks look at DMARC, they turn the records on, they start collecting data, as you can see by p=none. But then they have a project internally that says we need to roll these email security controls out. A lot of times, though, the value proposition, you know, either gets stuck, or there's no one there to make it internally. Because DMARC, again, is just an interoperability standard. It's not a product, there's not a sales team or a vendor saying, we need to push this security initiative forward, you know, unless you talk to a DMARC deployment company like dmarcian,

*Editor: OSH.co.za works with your company to deploy DMARC and help you with the DMARC policies. This allows you to get your DMARC policy from NONE to Quarantine to Reject easily*

there's just no one doing that. And when you, even then, if you turn on the lights, if you collect data, and you get a list of all the different vendors and offices, there might be so much technology sprawl that the company decides to say, we're gonna tackle this initiative when we decide to clean up all of our technology sprawl, because we can't do one without doing the other. And that just takes a really long time at some companies.

Paul Ogier

You know, I get that, and with 2020, and COVID, and things like that, we've seen a lot of people approaching us to change their email systems. They change from POP emails, IMAP emails to M365, to Google Workspace, whatever it is. And what we've also found, because there's a decentralized company, people working from home, they are looking at the layers of security. And what we found is that people are starting to get targeted, companies are starting to get targeted, especially small companies. It's obviously the big companies are being targeted too, but it normally was just the big companies. And we're starting to see a lot of smaller companies, 10 people, 20-100, where they're starting to have their clients emailed and saying that you owe us money or the bank account has changed or whatever it is, and it looks like it's a legitimate email from their domain. With this, we then partnered with dmarcian and started putting none records in all of them, so that we could actually see what's actually happening. And once you put that record in place, you can actually see what's happening. For the small companies, 10-100, even 1000 people in a company, yes, that's going to be an effort to change it and to figure out, are you using MailChimp? Are you using M365? What are you using? If you've got 10,000, 20,000 people in a company and you are a bank, and you've gone through 40-50-60 years of technology and you've acquired different companies and you've brought on staff and things like that, I understand that they've got legacy systems that might be 20-30 years old, and to change those legacy systems that are still running COBOL, or whatever it is, might be very, very hard. But when is it going to happen? When can we actually get out the stick and say, okay, it's 2021, is it 2030, is it 2040? When do they actually have to have this done by to actually keep up with the Joneses?

Tim Draegen

Think about that, that's a great point. The thing with email that keeps it interesting for me is that it's essentially a free medium, anybody could become an email player in any layer of the email stack. And because of its open nature, email is by far the largest online application. And so, to change it, it's not something that you could say, hey, on today, we're gonna say that it's just done. So the size of the space keeps it interesting to me. But I just know, I still don't really understand what it means in terms of being a massively big number. But what it means for different company sizes is that a large bank does have the resources to roll this technology out, they do have the teams and they've got access to the training and expertise that they need to roll it out. But then they also have problems of priority and whatever, they've got their own internal decisions that they can make. As the companies get smaller, their access to resources gets more limited, until you get to kind of a magic point where there are no dedicated technologists that could take on this work. Even though it's just email. Email has been around so long that it's actually quite complicated how it works, there's a lot of acronyms. And it can be difficult to fix up, not because of the technology, but because there's a bunch of humans using it all the time in really creative and weird ways. As companies get smaller, we at dmarcian, our whole point is to get DMARC rolled out everywhere. But we're stuck as a company because we can only directly service larger companies that have dedicated technical staff, because that's how our business has evolved. That's the only way we can do it.
But the real issue from a technology deployment aspect for DMARC is that there are a bunch of internet domain owners in small businesses where their internet domain is used for things like a restaurant or, you know, an accounting firm, where they have nothing to do with really an online presence. They just have to be online to do their work. You know, if that makes sense, right? They're using the tools, but their business is not Internet facing. So how do you get them to deploy DMARC? And we tried doing a direct sales model to them, but we just can't hire 100,000 support people to help people cut and paste, you know, DNS changes into their DNS software. It's just not practical. And there's no technology that makes that easy today. So dmarcian, we have to work with managed service providers and the managed security service providers that augment teams, because they're the ones that can actually get the work done. So, for change to happen, because of the compliance and the legal and the regulation drivers actually having things happen, people don't care so much now why they need to do DMARC. Really, they're coming about like, how do they do it? You know, is there someone that they call on the phone right now to say, I need to do this thing, you know, support just told me I need to do DMARC, and it's not the religious council in Iowa, I call them, they said that they're not actually the thing. So, who do you call now? Everybody who's got a small business calls up their technology provider, you know, that service provider gives them a cash machine, you know, they've got their printer paper, the receipt paper, whatever, they got their VoIP system, and they get email, like a crappy website. They're the ones that need to be able to provide the DMARC deployment part because they're already supporting all the other technologies. So how do you get all that work done? You know, in a year? I have no idea.
But I, yeah, we've been throwing ourselves at it for long enough where we know that there is an end in sight. Eventually, it'll probably happen pretty quick, once a major mailbox provider says okay, we've read the critical path now. And even more, so when they flip the switch that you have to do it. The wave of people who need help, can actually get help. That's really what it comes down to.

Paul Ogier

Okay, so we've spoken a lot about how the person internally is going to start freaking out, which is fine. They need to freak out just a little bit. But people are going to look at the top 100 and look at how many people are on none. And we haven't even looked at the people who haven't even done any DMARC records. What is your preemptive rebuttal? When someone reaches out and says, oh, I've got something, what is the argument that they're going to say, it's too big, and we've got 100,000 people, we've got 400,000 services, we've got COBOL systems, what is the rebuttal that you have for them to say, you know what? You need to be better.

Tim Draegen

Yeah, we've actually had that, we've sat down with CISOs. And they're super busy. You know, CISOs are an interesting role at large companies, they're in charge of security, they almost always come up from a very strong technical background. But as a C level executive, they have to talk like a businessperson with an MBA. And so, they're a bit schizophrenic. So, when we sat down with them, and we say, hey, you've got, you know, 400 internet domains, these are all of your public assets. They're just hanging out on the internet, and they don't have any basic security, you know, in terms of email, this is your ass on the line. Our first pitch was like that. But then the CISOs, of course, don't like being told that they have got exposure on the internet. So, they say it's an impossible problem. No one could solve that. And so, we show them a dashboard like this and say, like, no, we can help you. This is not really that big of a deal. Here's all the internet domains. Here's the progress. You know, your company is so large, it'll probably take you six months just to have human time to march through the project. But flip it all the way around: in six months' time, do you want a really nice list of all the assets that are on the internet, with, like, you know, all green, saying that you've got this strong email protection in place, just as, like, you know, a policy? And they're like, wow, that sounds like a good way to preserve my job. So, we have,

Paul Ogier

and we like the color green.

Tim Draegen

Yes, green really sells, and you know what I mean. And if you flip it all the way around, you know, of course, we stumbled through all this just learning, and now we've known, we flip it all around and position it the right way. It's like, we can help you manage this problem, because it's really about how do people get the work done? We no longer have to argue that, you know, the ROI calculation for protecting your CEO is $50,000 a year and it's only going to cost you 45,000, so you're saving $5,000. We no longer have to pitch stuff like that, because of the regulatory aspect. Now, it's like people are like, I need this, how do I do it? And you know, if you're a small business, no one can afford to say, hey, small business, I'm going to hang out with you online and I'm going to help you cut and paste these text records. Or I'm going to help you take a course in learning SPF, because you should be an expert too. They're all non-starters when you try to do it a million times over. We can always scroll down and see more terrible stuff, because it gets worse.

Paul Ogier

Okay. Okay. So, let's, let's scroll down some more and get more terrible stats.

Tim Draegen

The good news is there's so much green, because a lot of people are paying attention, like, the top 100 list is actually not that bad. There's data being collected. But I bet people are stuck trying to figure out, how do we do this? We make no DMARC red. But you know, it just means, like, they need to take some attention. So, these companies here, if you're an outside insurance company, you look at this, you kind of feel they might have a security department, but they're not doing the basics. So, what are they focused on? Like advanced, hardcore, you know, like laser satellites shooting, like, people jumping over fences or whatever, they're not doing the basics, which is arguably something that should be done first. What's interesting,

Paul Ogier

Okay, so, what we have got here in the no DMARC records is you've got things like Clicks, we've got Old Mutual, who's an insurer and a financial company. We've got Mediclinic, who is a hospital group, and if you scroll down, so these are the ones that I'm kind of picking on, not just to be nasty, but to say, these are the ones that the average person on the street is actually going to get interactions from. They might be okay, there's Barloworld and Fortress Fund. So, Telkom, for instance, is our telephone supplier. They do the landlines and things like that. So, there are millions of people that are getting emails from Telkom, for instance. And every time I get an email from Telkom, it hits my spam folder every single time. And I can't then tell if Telkom's is actually a real email, or it's spam, or spoof or whatever. So yeah, there's obviously some that need attention, which is a bit concerning. ABSA is another bank of ours. And if we scroll down a little bit more. Yeah, and there's Naspers, which is a financial institution and a couple of things. Yeah, so there's some very big companies here, and obviously the top 100. But the needs attention, the errors or the not actually implementing it kind of scares me.

Tim Draegen

The needs attention ones, just to pull out some random ones. They're trying to collect data, but they're not able to do it, or there's just some basic syntax problems, like someone at mtn.co.za. They published a DMARC record that says we'd like to collect data, but then they did not put the address where data should be sent. So, this is a big do nothing done. So, technically someone's like, yes, we have a DMARC record. But an insurance company would look at it and be like, you don't actually have any controls, and it looks worse than having none. It's probably worse to do half-ass security than it is to do, you know, any. Okay, so, yeah, there's here, AB InBev. I don't know, I think it's from a movie or something. But I bet a lot of South Africans drink. So, AB InBev should probably protect their domain a little bit better. But they're not actually a South African domain here. And AB InBev is massive. So, I'm not gonna blame South Africa for that one.

Paul Ogier

Okay, thank you. Thank you, I appreciate that.

Tim Draegen

They have a syntax error, and someone took the time to make an update. But then they just walked away without seeing if it is actually working, which is bad. But well, I think a lot of this is just, email has been around for so long. Everybody's using it, as long as it works 99.9% of the time. Most people like that. It's always been done like, email, if you fail to deliver an email, it's designed to retry. So, most people have been trained to be like, oh, you didn't get that email. Just wait a day, you know, and maybe it'll just kind of fix itself. And if not, it wasn't really that important, because I called you anyway. And now you've got the information, so we just keep going. So, I guess email suffers from a built-in resiliency. There are others where there are, you know, the 10 lookup is a problem. Most major receivers don't care about the 10 lookups, because it's just been around for so long. They just accept what it is, and they keep on checking. But as a maintainer of the records, it means that no one's taking any time to keep things tidy. And they're basically saying, we have a problem that we're not taking very seriously. And it's only a problem of the security envelope in terms of email senders, with, you know, email being the number one attack vector for malware. Yeah, maybe we shouldn't pay too much attention to it. Who cares? Until someone does. But so there, I honestly, I've been doing this for so long that I've gone through the cycle of being pissed off and jaded, cynical, until I finally popped out and realized, like, oh, you know, people just need help. And, like, it's really about finding the person that can take action within a company and saying, look, we're here to help you. And if the person's like, I really want to do this, but I can't because of my management, that's an entirely different problem. Doesn't matter what the technology problem is. It's just human nature at that point. And like, good luck, right?

Paul Ogier

Okay, so we like to compare ourselves against other people and other countries. How bad are the top 100 companies in South Africa versus other companies that you're seeing around the world? We're looking at a percentage of, let's say, 10% of reject. And let's say probably another 20% of quarantine.

Tim Draegen

I would say just slightly behind the curve. But it might be because most companies that have adopted DMARC already have a visible problem. And so other countries might be heavy on public-facing retail companies. So, they might have a lot of big banks that dominate their top 100. And so, it's probably more useful to look at it on a sector basis. Retail companies that are publicly visible are already set up to think about their security in terms of brand protection and anti-counterfeiting. And so, they're already there. They're at a place already where they can look at DMARC as a control that they need to take advantage of, because they already have programs in place. The ones where adoption suffers the most are business-to-business companies that don't have that kind of existing problem. And so DMARC, and email security, is an entirely new thing. And the way that email security is currently sold into those kinds of companies is that it's very much like a firewall: protect your employees, build a secure space for your workers, and treat it like that. But the problem with DMARC as a control is that it's different. You're not adding to the firewall. It's a different kind of security solution that you can't easily procure. I mean, you could get the data processing part pretty easily. But you can't easily hire a project manager to fly into your company and start making changes to all your vendors. It's just very not like anything else that they've ever dealt with before. And I believe that's why a lot of companies haven't moved forward: it is because they just don't know what they're getting into.

Paul Ogier

Well, you've definitely given people a nice thing to go, you know what, it's difficult. I'm not going to do it because it's difficult. It's a nice happy.

Tim Draegen

Well, I've probably spoken incorrectly. It's not difficult. It's just different from how most companies have procured what they consider to be security technologies, right? It's probably more like a business process or, but that's why I'm about as excited as one could be about a regulation or a technology compliance thing coming from insurance companies, like yay, that really gets me hot and heavy. It is amazing. But when you go to a large company, and you don't say, oh, this is an email security solution that needs to be rolled out, they're like, you need to go talk to the IT team, because they deal with, you know, the firewall and whatever else. And that seems like, oh crap, it's not like something we've ever dealt with before. The compliance regime coming in saying, you have something like ISO 27001 that needs to hook into that kind of series of controls, all of a sudden, this is no longer a problem. Like, it's just another dish on the buffet line that people need to come by and scoop occasionally, and it just ends up being different. I think what it is right now is, DMARC is currently stuck in email security land, when really, it's probably better to consider it as something else. Business security, compliance, like, it just, when people can think about incorrectly it makes all those past problems into nonissues.

Paul Ogier

So, a couple of things while we finish it off. Yeah. When I was doing research on you and getting this Podcast up and running, I was looking at some actual stats. As of right now, there are 4 billion emailers. People who are emailing per year. And that will go to about 4.6 billion by 2025. There are 320 billion emails sent per day now, and by 2025, 380 billion emails. There are currently almost 3 billion people on Facebook. And as you know, they'll probably get at least two or three emails a week, so they're probably sending out at least 3 billion emails a week from Facebook. MailChimp sends a billion emails a day, which blew me away. I thought MailChimp was big, but I didn't realize how big, and a billion emails a day is a lot. The thing that does make me a little bit happy: in 2014, the percentage of the total email traffic that was spam was 71%. As of 2021, it's 45%. I think that comes down to a couple of things. One, I think people are getting better at blocking spam. I think the regulations and standards that are in place, like SPF, DMARC, DKIM, all of them are making it more difficult to actually send out spam messages. And hopefully, it's on a downward trend. If you're going 45% in 2021, I hope it will get down even further. But we are sending more and more emails. So, a lot of the emails that are going out are spam emails.

Tim Draegen

I was just gonna say, for a follow-up episode, we can talk about the next wave of email's evolution, which has to be email clients. You know, web browsers have the World Wide Web Consortium, but email clients don't have any kind of communities. Everybody's using, you know, technology from the 1990s for their email clients, having to filter through stuff when arguably that part needs to be fixed. I would love to talk about that. There are not enough acronyms that spaced out for me to get involved.

Paul Ogier

I wanted to ask you that, with all of these emails that are getting out, there's obviously standards and regulations that have been worked on. Obviously, you've got DMARC. What is the next layer that's coming out, that is on the horizon? I mean, I've been reading about BIMI records, and a BIMI record is a thing that is called a brand indicator message identification record, where it puts a little company logo inside your email inbox to say that the email is legitimate. And the BIMI record is quite fun, except right now you have to have a trademarked logo to be able to upload a trademarked logo into an SVG to actually attach it to your website and say this is actually what my domain is. So, when that becomes a normal non-trademarked logo, that will obviously be better and quite cool. But what else are you seeing on the horizon?

Tim Draegen

Um, yeah, for DMARC, you know, deployment is still the thing that has to happen, but let's fast forward to when everyone in the world is sending DMARC-compliant email. Then it's all about people managing legitimate communications and then having their own kind of hyper-local thing that they trust. You know, if you're in Russia, dealing with Russian companies, your trust profile is radically different than if you're in Washington, DC in the defense industry. Right? There's no such thing as, like, oh, I can trust you or not. It's all about context. So, I think it's gonna go in that direction. But in terms of developments today, BIMI is there providing logos, but as a technology it faces some headwinds, in that you can get your logos displayed today by just making a Google profile, or by creating a Microsoft business profile and adding your logos there. So, companies have been doing that for a long time. So, there's a headwind. So as a driver for DMARC, BIMI is just not there; it's more like a nice add-on saying, hey, you've done DMARC. Now you get, you know, you can get your logos in certain places, if you, you know, you could do that. So, looking beyond DMARC, in terms of standardization of existing efforts, I don't think there's anything there, except for people talking about how to do things like improve email clients, because the problems are really moving to the human users and less of an interoperability problem.

Paul Ogier

Okay, so now with DMARC, obviously the big players have bought into DMARC: the Gmail, the Google, the Microsoft, the Yahoo, all of them have bought into it. But in testing a couple of things today, actually, I was testing between Google Workspace and 365, and just a normal POP email that I've had since 2001. That one was the POP email; it just went in, and life was good. And it said, it's, yeah. When I tried to send it to 365, or Google Workspace, it went no, no, and bounced back. How many? What kind of percentage are we looking at in terms of people actually adopting DMARC? From the email server perspective?

Tim Draegen

Yeah, yeah, I mean, if you look at it from a different perspective, you get different views. But with the major providers doing DMARC, the percentages are really high. I think in the United States, it's like, you know, 80-something plus percent of mailboxes is covered. But if you move outside of the United States, into countries that have, you know, established players that are not Gmail or not Microsoft, the adoption is far, far less. When you look at individual operators, it really comes down to whether someone's patching their machines and they're operating their machinery, not as a hobbyist, but actively maintaining their email server; chances are they've done DMARC, because that's why they're running their own. But if you look at it from a hosting provider perspective, there are a lot of hosted VMs that have built-in software packages that will run an email server that has nothing to do with DMARC whatsoever. It's not going to change until package admins make it single-click easy for this work to get done. And that means there's a lot of technical work to get to push-button simplicity for DMARC to work in a hosted environment where VMs are the rule. So, it really depends upon context. In South Africa, I'm unsure what the numbers look like in terms of where most mailboxes are being hosted. You can go down the list and say, okay, let's get the big players and then get to the long tail. The long tail for mailbox providers supporting DMARC almost starts to mirror the long tail of internet domain owners; they end up being not very sophisticated. You know, DNS itself is already a technology that most people stay far away from if they can, because you have to cut and paste records, and heaven forbid you do a typo and things light on fire. Right. Like, it's terrifying for most people.
So those are the barriers that if you wanted to see widespread adoption anywhere, once you get past the large providers, that's where it's at.


Paul Ogier

Okay, okay. So, I think we've covered everything, and we've introduced a whole lot more acronyms and abbreviations. So, I'm quite excited about that. And all the additional information will be in the show notes, which we'll link to at the bottom of the Podcast. But one last question. Where can people reach out to you, Tim?


Tim Draegen

Oh, you can find me at tim@dmarcian.com. That's the best way.

Paul Ogier

Perfect, perfect. Thank you so much for taking time out of your day, and I really appreciate everything you've done for the DMARC industry and for the internet industry, and well done on being just that cool.

Tim Draegen

Thanks, Paul. I'm even more fun in real life. So, if you ever have a party in South Africa and you need, like, you know, not an ice sculpture, but someone like me to take the place of an ice sculpture, I'm really great. I like martinis. So, all you have to do,

Paul Ogier

As long as you do it naked, as long as you do it naked, and then I am on board.

Tim Draegen

That goes without saying. Get that party together, get a little pedestal. If it rotates, that's even better.

Paul Ogier

Rotating pedestal with your naked body. Okay, okay, this podcast went downhill very quickly. Thank you so much.

Tim Draegen

Good luck salvaging at least 5 or 10 good minutes out of this. Alright, take care Paul.

Podcast recorded using Riverside.fm
