European Law - DMARC is obligatory

bejbi

I would like to thank cPanel Developers for implementing 2FA authentication for webmail in cPanel version 114. Great job.

In Poland (in the European Union), a new law entered into force in August 2023 which requires every hosting company that serves public entities to have the following enabled BY DEFAULT: SPF, DKIM, DMARC.
SPF and DKIM are enabled by default in cPanel, but DMARC must be enabled manually.

An option to globally enable DMARC when adding new domains is urgently needed.

A competing hosting solution provides a ready-made solution for global DMARC enablement.

Of course, in cPanel we can create a hook that adds a DMARC record when adding a domain, but it seems to me that cPanel developers could easily add an option in cPanel.

Especially since this applies to the law in the European Union (not only in Poland).

Legal basis in Poland: ACT of July 28, 2023 on combating abuses in electronic communications

:wq
 

ffeingol

Not to sidetrack your post, but that's going to be very interesting to implement. You'd have to contact every hosting customer to verify that they only send from your service or you're going to publish an incorrect SPF record.
 

cPAdminsMichael

Yeah - it would be nice to have some kind of DMARC implementation that cPanel users can also customize.
We also see that more and more mail providers actually check for DMARC records, and it has an impact on the spam score if a DMARC record does not exist.
What we have done in a couple of places is place a DMARC CNAME in the DNS Zone Template and point it to a central TXT record, which can easily be adjusted.
This is indeed more of a workaround than a fix (as we just have the most basic DMARC record to avoid getting a spam score for a missing DMARC record).
 

cPRex

Jurassic Moderator
Staff member
@bejbi - the best advice I have would be to email [email protected]. While forcing DMARC does seem to be the way of the future (yay, another email authentication protocol..........) I can't speak to whether or not cPanel itself would need to follow any particular laws. That email will get it on the radar of the "higher ups" and get the ball moving if that ends up being something we have to follow.
 

ITHKBO

Well-Known Member
Jun 23, 2020
68
43
18
Netherlands
cPanel Access Level
Root Administrator
The law you mention, CAECA, is not showing up in any EU publications at this time, nor in any propositions.
While I absolutely think it is a great idea, I am not seeing any legal ramifications outside Poland.

If it were mandatory across the EU we would have heard a lot of noise beforehand, but there are no publications, only advisories.
The most recent publication we have at this moment is "Email communication security standards: an analysis of uptake in the EU".
If you take a look at the executive summary of the publication KJ-NA-31-497-EN-N:

"Regarding Domain-based Message Authentication, Reporting and Conformance (DMARC), its adoption is medium with an average of around 50% in the EU and 53% in non-EU countries. Compared to Q3 2022 there is a small decrease of 5 percentage points in the EU average and an increase of 8 percentage points in the non-EU average. It is also evident that the support of DMARC strict policies is very far from the support of the DMARC protocol itself. The support rates for each EU MS are presented in Figure 1d."

And at 4. Conclusion:

"The results presented in this report are consistent among the different sources analysed, providing us with an overview of the state of email security protocols in the MSs. These results must be completed with the assessment of other relevant email services (e.g., .com, .org, .net, etc.). The results also present opportunities for improving the security and adoption of email security standards, in particular in the cases of DMARC and DANE. DMARC results present a gap between the adoption of DMARC and the implementation of strict policies. Without a strict policy, DMARC has no effect in the security of email services. Reducing this gap would have a positive impact in the overall security of these domains."
 
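Added example, not from any post in this thread or from cPanel: a short Python check that classifies a DMARC TXT value by how much it actually enforces, which is the gap the quoted ENISA summary describes and what a default or centrally managed record would need to be checked for. The sample records, the category names and the definition of "strict" (p=reject for the domain and its subdomains at pct=100) are assumptions of this example.

```python
# Constructed sample records (not taken from the thread).
SAMPLES = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=25",
    "strict.example": "v=DMARC1; p=reject; sp=reject",
    "broken.example": "p=reject; v=DMARC1",
}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = []
    for part in filter(str.strip, txt.split(";")):  # skip empty segments
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the v=DMARC1 tag must come first.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    # Simplification: a record without a valid p tag is treated as unusable here.
    if record.get("p", "").lower() not in POLICIES:
        return None
    return record


def enforcement(txt):
    """Classify a record; the category names are this example's own labels."""
    record = parse_dmarc(txt)
    if record is None:
        return "invalid"
    policy = record["p"].lower()
    sub_policy = record.get("sp", policy).lower()  # sp defaults to p
    pct_raw = record.get("pct", "100")             # pct defaults to 100
    pct = min(int(pct_raw), 100) if pct_raw.isdecimal() else 100
    if policy == "none":
        return "monitor-only"
    # Assumption: "strict" means reject for domain and subdomains at 100%.
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "strict"
    return "partial"


if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain}: {enforcement(txt)}")
```
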