We met with dmarcian’s Netherlands-based deployment consultant, Alwin de Bruin, to tap into his 15+ years of experience in the world of email. At dmarcian, he is responsible for helping organizations of all sizes deploy DMARC and boost the adoption of open standards related to email and domain security.
In this interview with Alwin, we dig into safe email adoption trends and the forces at play in the email ecosystem.
Have you been involved with legislative and lobbying activities around DMARC and other open technical standards?
I’ve personally been involved with the standardization of safe email open standards for the Netherlands government; these standards are listed as part of a regulatory approach called Apply or Explain. The list contains the following technical standards: SPF, DKIM, DMARC, STARTTLS and DANE.
My lobbying activities have included speaking about these safe email technologies at various events with various target audiences including the Dutch Government, Top-level Domain Registries, Webhosters, and the like.
Addressing the possibilities of implementing safe email technologies boosted awareness of the implementation possibilities, resulting in DMARC, DKIM, SPF, STARTTLS and DANE being adopted as Dutch Government wide standards, all based on the Dutch model of Comply or Explain. This model has now been shared with an EU wide initiative called Modern Email Security Standards for EU (MESSEU) and is gaining traction and awareness EU wide.
Is the Netherlands representative of what the EU will do or has done, and is the U.S. lagging behind?
The Dutch model of Comply or Explain has been shared with various European countries. Based on this knowledge sharing by the United Kingdom, Netherlands and German governments, an EU initiative, MESSEU (Modern Email Security Standards for EU), was formed to spread this knowledge to more countries in Europe. They offered a roundtable conversation about increasing email safety implementations within the European governments as a catalyst for other countries to start adopting these technologies.
While the US Department of Defense Binding Operational Directive 18-01 was published in 2017, the Dutch Comply or Explain list already contained DMARC as one of its requirements in 2014. When DMARC was introduced as a foundation, a bank and an Internet service provider rapidly picked up on the potential of this standard.
When looking back at the introduction of the standard, we definitely saw a concentration of activities around this specification in the US and the Netherlands. I think that the political atmosphere is just right in the EU to spearhead these kinds of technologies and perhaps the US complexity caused it to lag behind a bit. But we are seeing growing adoption across the board.
What countries/regions are at the forefront of DMARC adoption?
When looking at the EU, the Netherlands, the UK, Denmark, Germany and France.
What trends have you seen and do you see in DMARC mandates relative to adoption?
Countries that are ahead of the curve in adopting and implementing DMARC are slowly expanding their scope to other technologies that might secure a domain. DMARC has become a foundational technology on which to start building other services.
Mandates boost adoption, but we’ve seen a lot of self-regulation in specific sectors where DMARC was originally intended. Banks have been the first ones to adopt, expanding to Internet service providers to close the loop and protect the recipients.
After the implementation at banks, governments will eventually follow; ultimately, everyone is talking to each other to start adopting these technologies. Of course, the first vulnerable and susceptible sectors lead the way. Recently I’ve seen more implementations at healthcare and insurance organizations.
In the Netherlands, DMARC adoption sparked the introduction of a healthcare security standard NTA 7516—Safe Email in Healthcare—which was released in 2019.
With DMARC as a foundation, we see safe email now expanding to connection security with DANE and MTA-STS; in addition, the encryption of messages is being discussed again. It will be interesting to see how the market is adopting these standards, how the email ecosystem is maturing, and how all participants are putting these technologies on their roadmap.
Back in the day we saw senders or ESPs adopting SPF and DKIM for message deliverability reasons. Because they are serious stakeholders in the ecosystem, they are participating and preparing their platforms to be future-proof.
To create a safe email ecosystem and a more trustworthy Internet, public and private domain owners, along with email and network providers, need to work in unison to adopt standards that challenge threat actors that impersonate domains and the people behind them. As the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) states,
The need for the widespread adoption of email authentication cannot be understated. Not only is it crucial to ensuring the flow of critical information from organizations on the front lines of the battle against COVID-19, but the impending general election in the United States, and those in the rest of the world, must be protected from misinformation campaigns and phishing.
As a vital, first step, M3AAWG recommends that all domain owners create SPF records, sign email with aligned DKIM, and publish a DMARC enforcement policy for all domains and subdomains.
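The three M3AAWG steps quoted above can be checked mechanically. The script below is an added example, not code from dmarcian or the interview: it parses a DMARC record and reports whether SPF is published, whether the policy (p=) and the subdomain policy (sp=, which defaults to p) are at enforcement, and whether a DKIM d= identifier aligns with the From: domain under relaxed or strict alignment. The DNS records and the domain example.net are constructed inline so it runs offline; the organizational-domain helper is a deliberate simplification that does not consult the Public Suffix List.

```python
"""Added example: assess a domain against the M3AAWG recommendation
(SPF present, aligned DKIM, DMARC enforcement for domain and subdomains).
All DNS data below is constructed for the example; example.net is hypothetical."""

# Constructed TXT records keyed by DNS name (what a resolver would return).
DNS_TXT = {
    "example.net": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.net"],
}

ENFORCING = {"quarantine", "reject"}  # p=none only monitors, it does not enforce

def parse_dmarc(record):
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(name):
    """Simplified organizational domain: last two labels (no PSL lookup)."""
    return ".".join(name.lower().split(".")[-2:])

def dkim_aligned(from_domain, dkim_d, mode="r"):
    """DMARC identifier alignment for DKIM: strict ('s') requires an exact
    match of d= with the From: domain; relaxed ('r', the default) requires
    only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == dkim_d.lower()
    return org_domain(from_domain) == org_domain(dkim_d)

def assess(domain, dns=DNS_TXT):
    """Return findings for the three M3AAWG steps on one domain."""
    spf = [r for r in dns.get(domain, []) if r.startswith("v=spf1")]
    dmarc = [r for r in dns.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    tags = parse_dmarc(dmarc[0]) if dmarc else {}
    p = tags.get("p", "")
    sp = tags.get("sp", p)  # sp= defaults to the p= policy when absent
    return {
        "spf_present": bool(spf),
        "dmarc_present": bool(dmarc),
        "domain_enforced": p in ENFORCING,
        "subdomains_enforced": sp in ENFORCING,
        "dkim_alignment_mode": tags.get("adkim", "r"),
    }

if __name__ == "__main__":
    print(assess("example.net"))  # sp=none leaves subdomains unprotected
```

The constructed record shows the common gap the M3AAWG text warns about: the organizational domain is at quarantine, but sp=none leaves every subdomain open to spoofing.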
As the email ecosystem evolves, the importance of security is a theme that withstands time and change. DMARC is, and continues to be, one of the most important security tools that senders have in their arsenal. To learn more about DMARC, visit this page.
Alwin de Bruin is the DMARC Deployment Consultant at dmarcian. A recognized and respected cybersecurity expert, Alwin shares his expertise at industry events and trainings to help organizations secure their domains and make email and the Internet more trustworthy.