Brad Slavin Presentation at MSP Global Conference 2023 | Elevating Email Security – A Comprehensive Guide to DMARC for MSPs
The MSP Global conference, held at the Nürburgring in Germany from November 14-16, 2023, was a major event in the Managed Service Provider industry. It featured over 100 speakers, including industry leaders and experts, and attracted more than 2,500 participants from over 75 countries.
The event focused on driving digital transformation, offering a mix of keynote speeches, breakout sessions, masterclasses, and networking opportunities.
Brad Slavin, CEO of DuoCircle LLC, was among the speakers, discussing DMARC, an email authentication protocol, and how the DMARC Report SaaS solution can help businesses.
The conference provided a platform for insights into the latest trends and strategies in the MSP space. For more detailed information, you can visit their website at MSP Global.
Overview of the Presentation by Brad Slavin
Brad Slavin, CEO of DuoCircle, discusses the significance of DMARC implementation for MSPs at the end of 2023, emphasizing the imminent changes in 2024 and the need for client awareness. Explaining SPF, DKIM, and DMARC, he underscores how they interconnect and why they must align. Slavin highlights domain over signing in DKIM and the importance of aligning the customer’s domain across all of their email services. He predicts that email service providers will treat authenticated emails differently and advocates configuring DMARC proactively. This proactive approach fits major providers’ evolving spam filtering; he presents a reporting-based solution for MSPs that boosts client trust and comes with a practical pricing model for MSP integration.
Presentation Transcription
Hello, everyone. It's close to the end of 2023. Most of you have heard of DMARC. Some of you have it implemented for yourselves.
Very few have it implemented for your clients, and almost none of your clients actually know or care about it. It's all going to change in 2024, and I'm going to tell you why that change is going to be important and why your clients are going to be reaching out to you to have you implement DMARC for them.
I'm going to do a very quick review. As MSPs, you guys are probably very familiar with SPF, DKIM, and you've heard about DMARC. So, SPF Records authenticate the IPs and the networks that your customers are authorized to send emails from. That says "V=spf1." It has an include and then a little minus or a tilde. DKIM, on the other hand, authenticates the account on the service provider.
SPF is the IPs; multiple people can be in the same IP range. There is a possibility that somebody can still impersonate you because they may have another sending service within those IP ranges. DKIM locks it down to that particular account because you've added a DNS record on behalf of your client. DMARC ties all of these things together and it tells the recipient's email server what to do when SPF and DKIM don't align. Without a DMARC record, it's up to them to decide, do they accept the message? Do they reject the message? But DMARC is actually explicitly telling them what you want them to do.
DKIM is something that most of you are going to be implementing for your customers. And one of the things we want to make you aware of is that it's important to get past the pass. So, you'll send an email to a testing tool and it'll tell you your SPF record looks great and your DKIM looks fantastic. But more than likely, DKIM passing is not what you really want. It's because of something called domain over signing. Most of the time, for about 67% of the emails that we receive, Office 365, for example, is sending on the default on Microsoft Domain. So, your customer is sending emails that are from their domain, but when their messages are being signed for DKIM, they are being signed with the Microsoft Domain and not the customer's domain.
So, in a world of DMARC and email authentication and DMARC alignment, making sure that your customer's domain is the default sending domain, not just in Office 365 but the opportunity here is to do it in all of your customers' third-party sending services.
What does it mean? In the top one in yellow, it says "D=sendingservice.com." So if you ever send a testing email through Google, if you haven't configured specifically authentication or in Office 365 if you haven't set up the selector one and selector two and then waited those 24 hours and then gone back in and then click verify and then switch the default domain. You are signing with the sending provider's service, aligned means "D=customer's domain." And that's ideally what you want.
The reason that this is going to become important in 2024 is because of some changes that the major internet service providers are going to do. But our goal is to help you bring awareness to your customers by providing reporting of these DMARC reports that get sent by the recipient's email server to an email address defined inside of DNS. Our philosophy is rather report than you having to support. So if you can get alerted early or if you can discover the problems before they or while they're happening, you can help your clients align their email domains.
And here are a couple of tools that help you to do it nearly instantly. Why is this going to be important in 2024? Google, Microsoft, and Yahoo have basically announced that they are going to treat authenticated emails differently than unauthenticated emails. So an authenticated email is going to be a user who has a valid SPF record, they have a valid DKIM record, and they have a DMARC record that exists.
However, they really, really want an SPF record that is at minus all rather than at tilde all. So, it makes it harder for your client's domain to be impersonated. And they would prefer that your DMARC record is enforcing either a reject policy or a quarantine policy so that your customer's domain is much harder to spoof. It makes their job as Google, Microsoft, and Yahoo easier, and we expect that almost all providers are going to follow suit with this is that they have to do less decisioning in their spam filtering engines because you are explicitly telling them what to do if things don't align.
And for us, early action is key to customer success. So our interface and most reporting tools allow alerts to happen so that you can be notified when your customers' SendGrid or their Mailchimp or that marketing decides to spin up a new service and it's not in the SPF record and you don't have DKIM for you to become alerted to these types of problems well before it happens.
What's the opportunity is to add reporting as part of the stack in the way that we approach it and our clients approach it is that they are configuring all of their clients with DMARC reports and they are reviewing those things. And then as a professional service, they are going in and helping them to configure all of their sending sources. And a typical customer tells us that from a revenue perspective, it's somewhere between four and €800 is what they're charging from a project basis to help an organization ensure that their SPF record is correct. Make sure that all of the sending sources are defined.
DKIM is configured and enabled and everything aligns so that they can move their client's domain from a reporting only to a reporting with quarantine or reporting with reject. And it helps to build additional client value and client trust because you're getting notified while they're having sending problems so that you could hopefully prevent a support ticket coming in when somebody said, hey, we just sent out this huge marketing email with this new service that we just configured and we've just had 5000 bounced emails. What happened and how can you help us fix that?
And for us, what's the next step? Well, our goal is that for every single one of you to at least be configuring DMARC for your clients. It's something you can do yourself. It's an open standard when it comes to DMARC.
Our approach is a little bit different. We believe that the MSP should be providing this as part of their stack. Our pricing is a dollar a domain per month to allow you to be able to do this and it's white-labeled to your name, your brand. So your clients can either log in or your support agents can log in and see reports and take action for your clients proactively.
The interface is in English, it's in German, it's in Spanish and, on request, it can be essentially in anything else. And we know that this is going to be something that your clients are going to be proactively asking you about within the next few months because they're going to notice that their deliverability has been dramatically impacted. They're gonna notice lower click through rates, lower email opens and things like that.
And you can step in because you have access to DNS, you have the expertise, you have the understanding that DKIM is really the component that you want to make sure is aligned and you can help them solve their authentication, which is going to be critical to the big three and their inbox placement because the emails are going to conform to an aligned DMARC policy.
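The difference the talk draws between a DKIM pass and DKIM alignment can be checked directly from message headers. The following is an added example, not part of the presentation or of any DuoCircle tooling: it compares the From domain with each DKIM-Signature `d=` value, assuming the signatures have already verified cryptographically. The sample messages, the `.example` domains and the two-label organizational-domain shortcut are constructed for illustration.

```python
import email
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: naive organizational domain = last two labels.
    # Real DMARC evaluation uses the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= value of every DKIM-Signature header."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def dkim_alignment(raw, strict=False):
    """Compare the From header domain with each DKIM signing domain."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {}
    for d in dkim_domains(msg):
        if strict:
            result[d] = d == from_domain  # adkim=s: exact match only
        else:
            result[d] = org_domain(d) == org_domain(from_domain)  # adkim=r
    return from_domain, result

# Constructed sample: customer mail signed with the provider's own domain.
UNALIGNED = (
    "From: Billing <billing@customer.example>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=sendingservice.example;\r\n"
    " s=selector1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "Subject: Invoice\r\n\r\nbody\r\n"
)
# Constructed sample: same mail signed with a subdomain of the customer.
ALIGNED = UNALIGNED.replace("d=sendingservice.example", "d=mail.customer.example")

if __name__ == "__main__":
    for name, raw in (("unaligned", UNALIGNED), ("aligned", ALIGNED)):
        print(name, dkim_alignment(raw), dkim_alignment(raw, strict=True))
```

A message like the first sample can show "DKIM pass" in a testing tool and still fail DMARC on the DKIM side, because the signing domain belongs to the sending service rather than to the customer.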