How Yelp took the fast track to spoof-proof email
Even though DMARC at enforcement is incredibly effective at preventing the vast majority of all cyberattacks, adoption rates remain relatively low. And many companies that do implement DMARC continually struggle to reach true enforcement.
We hear the same question over and over again from our peers and prospects: If DMARC at enforcement is so effective, why is it that less than 17% of all DMARC records worldwide are actually at enforcement? The answer is because it’s time-intensive, and organizations of all sizes struggle with dedicating the time needed to get there.
Take Yelp, for example. Founded in 2004, Yelp is a global platform connecting millions of people to local businesses and has more than 4,000 employees worldwide. Yelp’s users should be able to trust the company’s digital communications are secure and authentic. To offer this assurance, the company’s security team made a commitment to get its various domains to DMARC enforcement.
However, after it took two employees dedicated almost all of their working hours for nearly a year to reach DMARC enforcement for just one of its domains, Yelp’s Head of Security Vivek Raman and Security Engineering Manager Ioannis Koniaris knew the manual approach was not working. Dedicating this many resources over such a long time period was not prudent, and not to mention, the company was vulnerable to impersonation attacks every day that DMARC enforcement went unattained.
Further complicating the task was Yelp’s constantly evolving IT environment, which was in the process of shifting to a cloud-based infrastructure — a necessary change for most organizations looking to stay agile and relevant in a competitive market. Additionally, Yelp didn’t have a technical solution for the SPF 10 domain lookup limit, which was a significant hindrance to the process.
To implement a robust and layered security defense that included DMARC at enforcement for all of its domains, Yelp sought external resources to remove the burden from their internal team. After reviewing several different vendors, Yelp selected Valimail, noting it was the only complete enterprise solution designed to manage the entire process of reaching DMARC enforcement.
After implementing Valimail Enforce™, Yelp had instant visibility, helping the security team uncover every sender that was using its domains to send email, both on-premise and in the cloud. This included both shadow IT services as well as malicious senders.
“Valimail takes a big headache off of our team. There is a lot of tedious work that would be required [of our internal staff] if we didn’t use Valimail,” Raman says.
Koniaris adds, “In the past, we had to have one dedicated engineer look at the DMARC reports every week or every day; with Valimail we can just click one button.”
Right away, Yelp felt the benefits of having a holistic solution in place for managing DMARC enforcement, and the value continues to be evident years later. Valimail responds to all authentication requests in real-time, ensuring mail gateways around the world receive complete and correct DMARC, SPF, and DKIM records every time they validate an incoming email message that appears to come from Yelp.
In the first two years, Valimail authenticated more than 3 billion emails for Yelp and blocked nearly 11 million suspicious emails — and those numbers continue to grow. All 70 of Yelp’s domains are being monitored and protected by Valimail Enforce, allowing the company’s security team to manage the process of authorizing or deauthorizing emailing services in one dashboard, with the click of a button.
Furthermore, any of Yelp’s teams can change the email-sending tools they use at any time in order to keep up with modern advancements and emerging capabilities, and are confident they can make the switch seamlessly and securely.
“Valimail gives us the ability to let employees be flexible with the tools they use, without being overly burdensome to the company. As we evolve, it’s helpful to have a partner that can manage this for us,” says Raman.