Gerasim Hovhannisyan, CEO of EasyDMARC, discusses the complexities and challenges of implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) in the cybersecurity landscape. He shares his personal journey, which began after experiencing a significant financial loss due to an email phishing attack. This incident prompted him to explore email authentication protocols, leading to the creation of EasyDMARC, a platform designed to simplify the deployment of these protocols for organizations, particularly managed service providers (MSPs) and small businesses.
Hovhannisyan highlights the common friction points faced by organizations when deploying DMARC solutions, particularly the fear of misconfiguration that could lead to legitimate emails being rejected. He notes that many organizations struggle with visibility and control over their email sending sources, which complicates the implementation process. EasyDMARC aims to alleviate these concerns by providing automation and clear visualizations, enabling MSPs to deploy email authentication more effectively and with greater confidence.
The conversation also touches on the importance of email security for all businesses, regardless of size. Hovhannisyan argues that even micro businesses need to prioritize email authentication to protect their reputation and maintain secure communication. He emphasizes that while the effort to implement DMARC can be significant, leveraging the right vendor can streamline the process and make it manageable for smaller organizations.
Finally, Hovhannisyan discusses the role of major cloud providers like Google, Microsoft, and Yahoo in the email security ecosystem. He believes that their enforcement of DMARC standards is crucial for creating a safer email environment. As regulations evolve and more organizations adopt email authentication practices, Hovhannisyan is optimistic about the future of email security and the ongoing efforts to simplify the implementation process for all businesses.
[00:00:02] Let's talk some DMARC. I've talked about it being rolled out on the show as a requirement, and so the CEO of EasyDMARC joined me to mix it up and talk about the strategies behind it, what the implications of the protocol might mean, why there's value in the open protocol of SMTP, and gives us some real insights into the way that he's thinking. A quick disclosure, I'm actually a paid customer of this, but they made no... This episode is supported by Flexpoint.
[00:00:32] Flexpoint offers a purpose-built payment solution for managed service providers, automating billing operations to enhance efficiency and cash flow. With features like accounts receivable automation, branded client portals, and secure same-day payments, Flexpoint streamlines financial management. Integrations with accounting software such as QuickBooks and Xero, as well as professional services automation tools like ConnectWise and Autotask, ensure seamless data synchronization. Experience improved cash flow and client-side
[00:01:02] satisfaction with Flexpoint's comprehensive platform. Learn more at getflexpoint.com. Well, Gerasim, welcome to the show. Hi, Dave. Thanks for the invite. Well, I was excited to have you because you're in an interesting portion of the cybersecurity space and I'm intrigued by the different approaches to solving problems within this space. Let's go ahead and start with the real basic. Give me a sense of
[00:01:32] the founding story. You identified a specific gap and it led to the creation. Talk me through how you came to find that solution and attack it.
[00:01:41] Yeah. Yeah. My background is engineering. I spent a huge amount of time building infrastructures, large distributed infrastructures, was responsible for security. And one day I lost a huge amount of money because of the email phishing attack. I started to dive deeper to understand the root cause and mitigate, protect my organization and the brand and discovered email authentication protocols for
[00:02:11] me. I tried to deploy manually. Later, use some open source solutions, some services which were available that time, but end up with a huge,
[00:02:25] huge, huge hard time consuming processes. The problem was not totally solved. With my co-founder, we started to craft, automate things to have easy email authentication. After a year of development, we discovered that we have really good platform which can solve our problem. Works very well from command line interface. We just decided to put a landing page just from
[00:02:55] engineers to engineers to engineers. And we named it EasyDMARC as email authentication or DMARC protocol stack family is very hard. And since then, we have the same approach. It's an engineering company. We provide good solutions, automation to have email authentication really work for you.
[00:03:21] Now, DMARC is one of those areas where it's been traditionally seen as really complex to deploy. You know, what are the, as you rolled this out, particularly with MSPs and small business customers, what have you observed have been the biggest friction points on the deployment of a DMARC solution?
[00:03:40] As always in security risks. If you do something wrong, totally valid emails will be rejected. Imagine an IT guy or an MSP, you receive complaint from your boss, from business people or from your customers about rejected emails. Why my emails not delivered to the inbox? Why I'm not sending my invoices, etc., etc.
[00:04:06] The first place is risk, risk of the failure mistakes. The DMARC itself is really very hard. 70% of organizations which try to deploy DMARC themselves, they fail. It's really very simple from the first place. And for the really very small organizations which are using only one, two sending sources.
[00:04:34] But it goes really very hard when you have multiple sending sources. And for MSPs, risk is even higher. They don't have the full information. They don't have the full visibility. They don't have the full control.
[00:04:52] Organizations, lots of them delegate the controls or they expect help from MSPs. But at the same time, they do something for marketing, for support, for billing, invoicing, etc.
[00:05:05] And it can become a really very messy situation. I know my first hundred MSPs by face. Now we have hundreds of hundreds of MSPs. I wish to know them all. But at least several hundred direct customers and MSPs, I never meet the one customer who knows all their sending sources.
[00:05:34] Initially, everyone tells that I know what's going on in my infrastructure. Okay, that means the integration is just five minutes. So, if you need, I'll help you. I'll deploy email authentication. I'll show the gaps. I'll show the risks just for help. I don't need to sell anything.
[00:05:52] And yeah, we discovered lots of interesting cases. We provided nice visualizations, visibility, transparency over the infrastructures.
[00:06:07] And by removing these frictions, visibility, control, risks, risk for failures, MSPs become more comfortable to deploy security stuff for their customers. Now, the emerging narrative is that everyone must implement DMARC, SPF, DKIM. That's the emerging narrative.
[00:06:32] But is there a point where the effort actually outweighs the benefit? Particularly as I'm thinking of micro businesses, very, very small businesses. Is there a point where actually the effort does outweigh the benefit? Look, even micro businesses, they close the door when they leave their office.
[00:06:58] Your car is cheaper or more expensive. You close the door. It doesn't matter. And information is very important to authenticate to be able to encrypt, keep the confidentiality component, keep the integrity component. The communication is key in a business.
[00:07:22] And you can't protect if you are not authenticating. It's a problem. So in this sense, you have to do. It is for everyone to keep your reputation, to keep your business. Because security problem or any big incident can destroy your business. And the small business is even more vulnerable today.
[00:07:54] The question is really very great. If you have a team of people who are not authenticating, you have to do. It's hard. Use the vendor who can help you. With automations, with appropriate products, with appropriate pricing and the model. Use appropriate solution for you. It doesn't matter if it's EasyDMARC or any other vendor, but you have to DMARC.
[00:08:22] That is why we are always telling that it is us or any other vendor, but you have to DMARC it. Security starts from authentication. You have to have it. So you've got a tremendous dependency on Google, Microsoft, and Yahoo in terms of the security infrastructure.
[00:08:42] And I would argue this because in order for DMARC to be effective, Google, Microsoft, and Yahoo have to actually start enforcing that and really rolling it out. Because ultimately, for most small businesses, their email is flowing through one of those three sources. And in order for this to truly be a thing, they have to be part of the solution. How do you view that relationship with those large cloud providers?
[00:09:11] Very interesting question. Look, on one hand, as a responsible security guy, I don't need anyone to force me to apply best practices. But on the other hand, I need to request a budget from the business owner. I need to cut the budget from someone else, etc., to apply appropriate security measures. The regulations can help me.
[00:09:39] Since 2018, it started from the U.S. government when they adopted law to enforce DMARC of domains. After we have seen the adoption, Canada, New Zealand, Australia, UK, Europe. So it started from government level. After we have started to see the large vendors started to enforce DMARC, at least require DMARC.
[00:10:07] Or they are naming email security best practices because only DMARC is nothing. Several days ago, Microsoft joined this movement. And they also required DMARC. And it dramatically helps the adoption. Adoption itself means more clear environment.
[00:10:34] Less phishing, more protected environment. The fact that I protected myself doesn't mean that I'll not receive the phishing. You also need to protect yourself, customers, partners. By increasing the email authentication landscape or the DMARC protocol coverage, we'll have better environment.
[00:10:56] And I'm happy that this large vendor is constantly helping this initiative to have larger deployment of the DMARC protocol or email authentication. The last step of this adoption, we started to see security standards requiring DMARC.
[00:11:17] From April 1st, PCI DSS, the last version, 401 version, also requires, it's a strong suggestion to have email authentication on place, DMARC, DKIM, SPF on place. Which means standard already or the protocol already proved it's a good solution against phishing or impersonation attacks. It works.
[00:11:47] It is getting really good adoption. This is very common for security standards and they are adding in their requirements. So, we'll start to see during this year and the next several years, also the ISO adopted. We'll see the other requirements also. It's really a very natural adoption process.
[00:12:10] Now, you seem like exactly the right person to ask about a premise that I've been contemplating for a while in terms of email and its delivery. Now, email SMTP at its core is a very old core technology. It was designed, you know, decades ago in a world that didn't have security built into it, right? It was academics trading information back and forth in a purely trusted environment.
[00:12:37] We have continually built on top of this very old technology. In other industries, we choose to throw away old technologies when something new comes on. So, for example, AM radio is replaced by FM radio, gets replaced by streaming. SD television gets replaced by HD television because of new capabilities. And we go through painful transitions completely from one technology to the other.
[00:13:03] In a world where SMTP servers were everywhere, this felt really, really hard. But now, Google, Microsoft, Yahoo control most of email. Like, actually, the vast majority of businesses run through one of their platforms. They could just say, you know what?
[00:13:21] We're going to actually sell an authenticated encrypted email and we're going to switch from an old technology to new technology in the same vein as like going from SD television to HD television. And for a couple extra bucks, my Google Workspace account or my Microsoft 365 account has a new version within the same inbox showing me secure emails.
[00:13:46] That makes perfect sense to me for them as they look to expand their market. What am I missing in this premise? Why wouldn't they just do this and start taking away the problem? For me, email at this moment is the only independent and sovereign communication channel which exists.
[00:14:15] I'm not dependent on Google or Microsoft or whomever. I can set up even free my email server and I can communicate directly with you. And no one can close your contact or forbid to reach you. So the communication between me and you is really very independent.
[00:14:42] In case of WhatsApp or Viber, these are really good platforms which I like or any other, Signal, Telegram, whatever. It's a secure communication, but yeah, it's a single platform. They go to the decentralized way. Maybe in the future, if it will be the decentralized way of communication, maybe it will happen.
[00:15:08] But decentralized, owned by everyone, it means it is not Google or Microsoft or Yahoo or whomever. You moved from the analogy to the digital podcast, but you still have the chance to raise your independent voice. It's your choice how to do it. You can be controlled, you can be paid, you can be independent, but still you have a choice. It's your choice. The same with email.
[00:15:35] So with SMTP protocol, for now, it's the only solution to communicate without any control. Gotcha. So one of the things that around EasyDMARC is you focused on addressing the complexity around email authentication. And ultimately, that's the core value. If we're going to maintain an open protocol for that value of communication, we have to reduce some of the complexity.
[00:16:02] Some of the MSPs still find complexity in onboarding their own clients. What are you thinking about in terms of being able to make that process easier? Yeah. The integrations can be the solution. Integrations with other solutions, other services, etc.
[00:16:29] To have sort of one-click deployment or adoption or wizard-based adoption. We are on that direction. Just several years. We see that before it was taken to deploy and to reject policy from months to three months. Now, when customer is responsive, we are getting in a week or two.
[00:16:59] So with our automations, integrations, we are leveraging some AI solutions to detect anomalies. We're constantly enhancing the algorithms to provide them the best insight to move to reject and start from monitoring to reject policy really very fast. Just deployment, just to discover your sending sources, apply appropriate configurations and to move forward.
[00:17:27] At the same time, you need to show value to your customers. What you have done, what is the impact, the appropriate reporting mechanism, the appropriate notification, alerting mechanism are key.
[00:17:43] To not every time go to the dashboard, spend huge amount of time there, but solve problems and stay ahead of important events when they happen or when they are coming. So with this approach, MSPs should be able to onboard customers much more easier.
[00:18:06] There are more than 1,500 MSPs already who are reporting that the deployment is really very easy. The data separation classification for customers, which we provide is key. Confidentiality, privacy reasons, they see it. The reports for MSPs, for IT guys, for MSP owners, the different reports to the business owners.
[00:18:34] To keep the relationship really healthy and effective. And what MSPs are telling about our platform and why we like each other with MSPs, we help them to improve customer stickiness and customer happiness. At the end of the day, this is about security. What we do matters. We help them to generate revenue. We help them to save time. We help them to mitigate the risks, etc.
[00:19:02] But customers stay protected and they need to see that they are protected. They need to see that their email is getting to the inbox instead of spam box, which is really, very hard. For an IT guy, you can do your job. For an MSP, you can do our job. And yeah, at the end of the day, someone needs to recognize it.
[00:19:26] So this whole pipeline with our partner portals, with all these resources, with EasyDMARC Academy for marketing, for sales, for support. We always hear our customers and we always improve. And this is constant feedback loop with our customers. And that goes very well.
[00:19:55] Well, Gerasim Hovhannisyan is the CEO and co-founder of EasyDMARC, an email security firm simplifying DMARC implementation and monitoring for organizations globally. With prior leadership roles at Cisco Academy and PickArt, he brings deep cybersecurity expertise and a practical approach to solving enterprise email authentication challenges. Gerasim, I really appreciate you joining me and particularly willing to tackle some hard questions. I really appreciate you joining me today. Thank you. Thank you for having me, Dave.
[00:20:26] This episode is supported by Comet Backup. Whether you get hit with ransomware, hardware failure, or human error, there's nothing more heart-stopping than losing business-critical data. Backups are your final stand when a threat penetrates your layers of defense. That's where Comet Backup comes in. Comet is an all-in-one backup solution. Whether you need to protect computers, servers, virtual environments, emails, or databases, Comet Backup empowers you to manage backups on your terms.
[00:20:54] Visit cometbackup.com to start your free 30-day trial today. Get $100 free credit when you sign up with the promo code MSPRADIO. Start running backups in 15 minutes or less. Comet Backup. The backup solution that MSPs trust. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:21:20] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSPRADIO and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question
[00:21:48] at MSPRADIO.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSPRADIO.com slash engage. Once again, thanks for listening and I will talk to you again on our next episode.

