The Middle East is a leader in implementing DMARC email security

Following stricter email management mandates from Google and Yahoo, organizations around the world have rapidly adopted three email authentication technologies, and organizations in the Middle East are adopting them as quickly as, or in some cases faster than, the global average.

Compared to approximately three-quarters (73%) of global organizations, approximately 90% of organizations in the Kingdom of Saudi Arabia and 80% in the United Arab Emirates have implemented the most basic version of Domain-based Message Authentication, Reporting and Conformance (DMARC), which, along with two other specifications, the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, makes email-based impersonation much more difficult for attackers.

As of February 1, both Google and Yahoo began requiring that all emails sent to their users have verifiable SPF and DKIM records, while bulk senders – companies that send more than 5,000 emails per day – must also have a valid DMARC record.

New rules implemented by Google and Yahoo have had a dramatic impact on adoption around the world, says Matt Cooke, cybersecurity strategist at Proofpoint.

“After the deadline, organizations around the world can no longer confidently assume that their emails will arrive in an inbox if their company doesn’t take email authentication seriously,” he says. “Up until this point, very few companies required the people and companies they communicated with to authenticate their emails. Now it will, and will, become an acceptable practice.”

While the requirements of large email providers have given significant momentum to the adoption of DMARC and its associated authentication mechanisms, government regulations have also pushed companies toward adoption. Gulf Cooperation Council (GCC) countries, including Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates, have created a number of national and industry regulations, such as the cybersecurity framework of Saudi Arabia's monetary authority (SAMA), which are pushing organizations to adopt tighter email controls, Cooke says.

Google, Yahoo Mandates

While the vast majority of regulations implemented by Middle Eastern nations do not specify that organizations must adopt DMARC, some European governments are mandating the email authentication protocol, as does the Payment Card Industry Association’s PCI DSS 4.0 for any entity that processes credit cards.

DMARC adoption chart

Overall, Middle Eastern nations are ahead in DMARC adoption. About 80% of members of S&P’s Pan Arab Composite index have a strict DMARC policy, which is higher than the FTSE100’s 72% and still higher than the French CAC40 index’s 61%, according to Nadim Lahoud, vice president of strategy and operations for Red Sift, a threat intelligence company.

There is “a strong maturity that is starting to spread across the region’s supply chain,” says Red Sift’s Lahoud. “Widespread adoption promises a transformed landscape: dramatically reducing the success rate of phishing scams, improving email reliability, and strengthening overall digital security.”

As in much of the world, rigorous enforcement of DMARC (setting your domain record to reject non-compliant emails) is lagging behind. Only 43% of domains in the UAE are set to reject suspicious emails, while 57% of domains in Saudi Arabia have the strictest setting. However, according to Proofpoint data, both countries are ahead of the Global 2000, where about a third of companies (31%) have set DMARC to strictly reject emails.
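The gap between the "most basic" DMARC record and the strict reject setting comes down to the `p` and `pct` tags in a domain's `_dmarc` TXT record. The Python code below is an added example, not taken from the article or from any vendor quoted in it; the level names, function names and sample records are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# The domains and records in SAMPLES are constructed, not real DNS data.
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # not tag=value syntax
        tags.setdefault(name.strip().lower(), value.strip())
    # v=DMARC1 must be the first tag, otherwise the record is ignored.
    first = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first != "v" or tags["v"] != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 6.6.3: with a report address, receivers fall back to p=none.
        # Simplification: this example only checks that an rua tag is present.
        if "rua" not in tags:
            return None
        policy = "none"
    tags["p"] = policy
    return tags

def enforcement_level(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return "no valid record"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100  # bad pct -> default
    if tags["p"] == "none":
        return "monitoring only"             # reports only, mail is still delivered
    if tags["p"] == "reject" and pct == 100:
        return "reject"                      # the strictest setting
    return "partial enforcement"             # quarantine, or reject on a sample

SAMPLES = {  # constructed records
    "a.example": "v=DMARC1; p=none; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=50",
    "c.example": "v=DMARC1; p=reject; sp=reject; adkim=s;",
    "d.example": "v=DMARC1; p=reject; pct=25",
    "e.example": "v=spf1 include:_spf.e.example -all",
    "f.example": "v=DMARC1; rua=mailto:dmarc@f.example",
}

def summarize(records):
    return Counter(enforcement_level(r) for r in records.values())
```

A domain counted as "having DMARC" in adoption figures can sit in any of the first three levels; only the `reject` level blocks spoofed mail outright.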

The mandates from Google and Yahoo requiring email senders to use email authentication technologies have led to accelerated adoption of DMARC. More than 2 million new DMARC records were created in the first six weeks of 2024, including a 41% increase in records in the African market and a 29% increase in the Middle East, says Seth Blank, chief technology officer at Valimail, an email authentication platform.

“Implementation across organizations can be complex and time-consuming, especially when considering new requirements from Google and Yahoo,” he says. “It’s critical to ascertain your security level and understand your gaps now, so you don’t get caught with undeliverable mail or, worse yet, abusing your company’s email to defraud users.”

Start small with DMARC

Security teams and email administrators who haven’t yet implemented SPF, DKIM and DMARC should use Google’s mandate as impetus to get the project off the ground, says Proofpoint’s Cooke.

“If you communicate with customers through Gmail and Yahoo and haven’t yet implemented email authentication protocols like SPF, DKIM, and DMARC, the biggest challenge you face is time,” he says. “Implementation requires multiple steps for each protocol and can be complicated, especially if you have multiple domains. Once protocols are implemented, you face additional challenges, as you need to maintain your DMARC, SPF, and DKIM records over time.”

In South Africa, for example, 94% of banks and insurance companies have implemented the Sender Policy Framework (SPF), one of the fundamental protocols on which DMARC is based, while a smaller share of organizations (78% of banks and 51% of insurance companies) had implemented DMARC.

Since email is used in almost all phishing attacks and approximately 90% of successful cyber attacks begin with a phishing email, updated email authentication regulations are essential for every business, especially in the Middle East, says Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC, a provider of email authentication services.

“As political tensions increase both in the Middle East and globally, the likelihood of cyberattacks targeting critical infrastructure increases significantly, underscoring the imperative for strengthened cybersecurity protocols,” he says. “Given the prevalent use of email as a channel for such attacks, implementing robust email authentication measures emerges as a crucial strategy to safeguard businesses and nation-states for the foreseeable future.”


