Thank you for being here. This is one of the English talks we have here today, and this time we have Nicola Sereno. He's Italian, a recognized expert in the industry of email security. He has 15 years of experience in email marketing and delivery, deliverability. Yeah. And he has worked with the biggest email senders in the world to protect their brands and to boost their revenue. And if you don't know it, he's a great comedian as well. I used to be, and I say that I used to be a comedian because if nobody laughs at something I say, I can say that now you know why I stopped. But thank you Violetta, thank you all of you, thank you all the organization of WordCamp. It's awesome to be here, to be honest. And I actually speak Spanish as well, not Catalan, sorry, Castellano. If you want to ask me something in Spanish, I'll try to answer it in Spanish. But this will be in English. And I hope also to make sure that there is enough room for questions. So the topics we are going to cover today are huge. They are huge, broad, deep. In other words, I could spend hours if not days talking about them nonstop. That's not what I want to do, and not what I want to do today. Actually, I just want to make sure that everybody understands what they are, why they exist, and why this could be a problem, but also that there might be a solution for WordPress administrators, owners, et cetera. So, a little poll. Did any of you ever hear of SPF or DMARC? Just raise your hands. Okay. Love it. Okay. Even just the fact that you heard of them. I'm surprised, I'm happy, honestly, to know that many of you already know what they are. And for the others, it's perfectly fine. Because again, with the job that I have, the kind of stuff that I do every day, I encounter people that have worked in IT for 20 years and never had to truly know what DMARC is. And it's okay, because it's a very specific niche.
But I feel that it's going to be more and more important. But let's start very quickly with who I am. Violetta already introduced me. But basically, yeah, I've been working in email, especially in email security, email deliverability, for a very long time. I work for the biggest brands in the world. Doing what, you'll say? Good question. Let's move on. Now, deliverability, somebody probably already knows, usually in Spanish it translates as entregabilidad. It means all the know-how related to making sure that emails are landing in the inbox instead of spam. And other than that, there are also all the aspects about brand protection related to that. But deliverability itself is all the science and art related to the fact that the email is reaching the inbox instead of the spam folder. Any of you who, as a business, is using email as a channel knows that if the emails are not getting to the inbox or not getting opened, you are losing money. So email is money, and especially deliverability is money. So I help legitimate businesses to make the money they deserve, because they are sending to subscribers. But one important part of all of this is the email security part, and we'll get there. Yeah, so, and many of you, being probably technical, know that email is super old, very old. It's more than 50 years old. This might surprise somebody here, but it's super, super old. And when it was created, when it was designed, email wasn't supposed to be safe, wasn't supposed to be secure. The SMTP protocol is super easy and exploitable. Basically, the way it's designed, SMTP allows anybody to send email posing as somebody else. So probably you know that already. If you don't, that's the way it is. So I can literally pretend to be any domain in the world. There's an asterisk. That's why we are here today. But that's how it was supposed to be.
Then we as a community started to say, okay, we have to figure out a way to put security layers on top of this, because you can't just get rid of SMTP. So let's create additional stuff. And those are SPF, DKIM and DMARC, actually. At the very first, I said, oh, I'm going to impress them with some numbers about how many billions of euros every day are being scammed out of people using phishing. Then I was like, they know, they already know that. I mean, I know that you are aware that phishing is a problem, that email scams are a problem. So you know that. The main points are: anybody can potentially impersonate you or your business. And I see that all the time, unfortunately, scamming people around and hurting you, your business, your family as well, depending on the kind of scam they're running. You're going to lose money, face, your identity sometimes. And the solution we came out with is email authentication. So why are we talking about email authentication at a WordCamp? Because, yeah, we have to face it, WordPress sends email. It doesn't matter if it's sending one-to-one emails just to say, oh, the plugins got updated, or a transactional one, stuff like, okay, this is your password recovery link or whatever. Those are emails. But we also know, we are very aware, that WordPress has also been used as an e-commerce sometimes, or a social network as well. So those websites send many more emails. So it becomes an even more serious issue. So the solution, I said, is email authentication. We didn't cover yet what it is. But email authentication with WordPress is not an easy task. It's not something that you can do super easily out of the box. It's not something that it was meant to do. And of course, if you don't do that, somebody can take advantage of it. And there are also people, I spoke with some of them, that are not pursuing email authentication on WordPress, or not on WordPress.
I was aware, because they can do it on WordPress. Because the thing is, when you implement email authentication, you should do it with all your mail streams. So that's the deal. That's the thing. Okay. So the solution is that, yeah, it was hard to do it. It's not like it was impossible, but usually you have to rely on an external SMTP service, something like that. And basically, me and a couple of friends came out with a plugin that allows you to do that. And this speech is not about the plugin itself. Actually, it's about authentication, why it matters, et cetera. I'm going to mention it now and share a couple of slides about it. But again, if you want to talk about the plugin, we'll do it elsewhere if needed. But just to give you an idea of what it does, since many of you are more technical and advanced than the usual user: well, as I was saying, many websites find a solution by relying on an SMTP service, right? But we all know, or many of us know, that WordPress sends email out of the box using PHP mail. So our solution is basically that we are intercepting whatever is going out with PHP mail. We take the message. We generate the signature that is required to properly authenticate the message. We put it back. The mail comes out. The mail is authenticated. They didn't have to pay for or rely on an external service. Everything is coming out from the server using PHP mail. It supports the authentication itself, in a way. But actually, I also discussed this with the maintainer and developer recently. We created a couple of workarounds to make sure that PHP mail works with our plugin. And it works. So that's good. But, okay, that means: what is email authentication, for whoever doesn't know or wants to just understand more? And again, I don't know a lot of stuff, but I know a lot about email and about email authentication. So feel free to ask anything you want about email authentication. Yeah, after, I don't know, during the night, my wife already gave up on it.
Okay. So what it is, of course, as I said, it's to protect the identity of the sender. And the three main, there are more, but the three main protocols that are currently used are SPF, DKIM, and DMARC. SPF is about the source, the IP the email is coming from. DKIM is about the content being encrypted and verified, so it's not changed. And DMARC is something that relies on that. And it serves two, slash three, purposes. Reporting. So basically, you have visibility. You can monitor whatever is going on with your domain. That's huge, guys. If you're not using that, it's very important. And the policy. The policy means that you can instruct the mailbox providers, and by mailbox providers I mean Gmail, Microsoft, Telefonica, whoever is providing a mailbox to the end user. It's telling them: if you see something fishy, if there's something that you don't like in the authentication, do that. Or do this other stuff. So the policy is like: if you don't like it, reject it, so bounce it. If you don't like it, put it in the spam folder. So the policy allows you, as administrators, to tell the end providers what to do with the email that is using your domain. That's the thing. Somebody is using your domain. Okay. Let's instruct them to do what we'd like to see done with regard to that. So that's the thing. Let's very quickly, again, I don't want to go too much in depth, I prefer to keep it as interactive as possible. So one of the commonalities among those email authentication methods is that they rely on DNS. So the administrator, the webmaster, whoever, has to publish a DNS record somewhere. That's a thing. And each of them might end in a certain outcome. So SPF could fail or could pass. DMARC could fail, could pass. So that's just the very basic concept that you have to keep in mind. There is a certain outcome. Okay. And well, the thing is, especially with DMARC, is that... So SPF and DKIM help you authenticate your traffic.
But DMARC, as I said, is the one that gives you the ability to truly instruct the mailbox provider on what to do. So DMARC is definitely the best thing you can do to protect your brand, to protect the domain that you manage. Still, the way DMARC works is that basically it relies on SPF and DKIM. So if you don't put in place a proper SPF and/or DKIM, DMARC will fail. So the problem is that you can't always implement those, especially in a WordPress website. And that's why we are here again. So... And again, you have to imagine that there are many different types of businesses. There are businesses that only have one domain name. Others have one domain name, then they have the subdomain for the shop, the subdomain for certain communications, et cetera, et cetera. So sometimes they authenticate certain stuff. They don't authenticate others. So you should actually try to authenticate as many things as possible. So SPF, a little, little bit more into details, what it is. So just one. I also have a laser pointer. I can use this to annoy people that are falling asleep. Okay? Kidding, kidding. It's okay. Don't worry. No, it's... Okay. SPF. Sorry, guys. SPF is saying... Remember, this domain can be used only from this list of IPs. It's a list of IPs. Nothing more. So Gmail will see the email, will check the SPF record, will see the list of IPs, will compare the IP the email is coming from with the list and say, is it there? Yes. It's not there. Fail. Again, there are many, you know, things in between, actually. There are soft fails, stuff like that. But let's keep it simple. So that's basically the outcome that could be produced. And that's what it is. It's about the source. Okay. What about DKIM? DKIM, it's an interesting one. DKIM is about making sure that the content is not being edited, modified, changed, tampered with in any way. So if I send an email, potentially, again, we are dealing with the limits of the SMTP protocol.
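The SPF check just described (look up the record, compare the connecting IP against the list, honour the "all" qualifier) as a small evaluator in Python. This is an added example, not code from the talk or from the speaker's plugin. The FAKE_DNS_TXT dictionary is a constructed stand-in for real DNS TXT lookups, so the script runs offline; the domain names in it are made up. It goes slightly beyond the talk by handling include: mechanisms, the four qualifiers (+, -, ~, ?) and the ten-lookup limit that makes an include loop a permanent error. Mechanisms that need live DNS (a, mx, ptr, exists) and modifiers (redirect=, exp=) are deliberately out of scope and reported as permerror.

```python
"""Minimal SPF evaluator over constructed DNS data (added example)."""
import ipaddress

# Constructed TXT records standing in for DNS (assumption: no real lookups).
FAKE_DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.test": "v=spf1 include:loop.test -all",  # self-referencing include
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def lookup_spf(domain):
    """Return the v=spf1 record for a domain, or None if it has none."""
    rec = FAKE_DNS_TXT.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(domain, client_ip, _lookups=None):
    """Evaluate SPF for client_ip sending on behalf of domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include: evaluation
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # "all" always matches; its qualifier decides the default outcome.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups (covers include loops)
            inner = check_spf(arg, client_ip, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208: include of a bad/missing record
            # fail/softfail/neutral inside an include simply does not match
        else:
            # a, mx, ptr, exists and modifiers need live DNS: out of scope here
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" present


if __name__ == "__main__":
    for dom, src in [("example.test", "192.0.2.77"),
                     ("example.test", "203.0.113.5"),
                     ("loop.test", "203.0.113.5")]:
        print(dom, src, "->", check_spf(dom, src))
```

A soft fail (~all) is what the talk alludes to with "things in between": the IP is not listed, but the domain owner has asked receivers not to treat that alone as conclusive.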
But basically, if I send an email, somebody that received that email could potentially replay or, in other terms, reuse whatever we sent to them to impersonate us. So it's not good. They could change something and everything will look fine. Yeah, please. Okay. We'll do. Okay. So DKIM, what it does. DKIM relies on encryption, asymmetric encryption. So basically, there are two keys, a private key and a public key. Again, to keep it simple, within the limits of discussing this stuff. But the private key allows you to create a digital signature by taking part of the message. So you believe that the From header is an important one. You believe that the subject is also an important one. So you decide, okay, I want to make sure that nobody changes the From and the subject. Okay. So you say, okay, let's generate a signature using those and the private key. The private key is in a safe place. It's in a vault. Okay. Gmail gets your message. It sees the signature, which is just a line in the headers of your email. It checks that. It sees that. It retrieves the public key. So not the private, the public key that is on your domain. And it uses that to validate the signature. Again, it's encryption stuff. It's okay. Sometimes even too nerdy, even for us. But the idea is, by using that, they can check it. And again, they can say, yeah, it's valid. Pass. It's not valid. Fail. Okay. So this is a very interesting thing. And of course, the private key, you are the only one having that specific private key. And you can only use that key to sign your messages. No one else hopefully knows the key. So no one can pretend to be you. And that public key that is published on the DNS is the only one that can be used to verify, validate, you know, and anybody, literally everybody, can access that because it's on the DNS. Please. Sorry. Send it to you. Okay. Sure. Okay. Yeah, yeah. Perfect. Okay. Right. Okay.
So to be honest, I didn't get what this has to do with the non-openers. Oh, probably I think I got it. But let me, yeah. So by picking the From and the subject, for example, for the signature, you are saying those are the headers I want to protect. I want to make sure that nobody changed them. It's about the same campaign, the same message. It's not about, yeah, you are thinking about a marketing strategy where you are saying, okay, I want to resend, to send a new campaign to the non-openers. No big deal. It's you, you have full control, whatever you're doing. It's not a problem. The problem is somebody else. Yeah, yeah, yeah. Yeah. Yeah, don't worry. Yeah, yeah, yeah, it can flow because, yeah. Yeah, this brings us a little bit off-road, to be honest. Yeah, thank you. But we covered it for sure. Thank you. So DMARC, as I was saying, relies on SPF and DKIM and it's about the same thing. Okay. And as I was saying, also, it tells what to do. Now, we already explained that. So we can move on. And this is the plugin that we developed. Okay. Somebody already took the QR code. Yeah, it's already in the repository. We didn't advertise it that much. We didn't, you know, we didn't do a lot. We are just making it cooler, et cetera, but what this plugin does. So, the way SPF, DKIM and DMARC work, basically, you can pretty easily implement an SPF and a DMARC record by themselves. Implementing DKIM, though, since it requires that private key in the vault, is not that easy. That's why, usually, you have to rely on external services and SMTP services, et cetera. And as I was saying, we allow you to generate a pair of keys, because it's a pair of keys. One is in a safe place. And the other one, the user can publish it and they can sign their messages.
Since we are there, since we have a plugin about email authentication, we decided to basically put some sort of score about the status of the email authentication of the domain. So if you implement this plugin, you can also see how good you are, if there are any errors. Again, I tried to put in as much as possible in terms of experience of common errors, common mistakes when implementing those records. So the plugin will tell you there is this problem. Go fix it to get a better score. And, again, we are still improving stuff. We are adding support for checking if the IP where you are, the domain or whatever, is on a blacklist. We are implementing so much stuff. But the core, the true core, as I was saying, is this one saying there's an error on the SPF, et cetera. We also have some stats about the emails being sent every day. And there is the, now I'm going to use this not to annoy anybody, but just to point out that there is the public key. It's this bunch of nonsense. This is the public key for the user, that the user can take and publish at the specific location on the DNS. Because that's how it works. Okay. So, benefits of email authentication and why everybody should implement it. Okay. Well, you don't want your domain to be used by somebody else. So better not to be abused. And we already discussed that. But there's more. There's more. As I was saying, sometimes you don't do full force. Enforcing, for example, DMARC, because you can't do DKIM everywhere. So any of you ever implemented DMARC and maybe looked at some DMARC report? Don't be shy. Still. Okay. Cool. Exactly. Exactly. And again, we can discuss it if you want more understanding or just some technicalities related to it. I'm very happy. I really love to talk. Yesterday I spoke seven hours straight. So I will fill any silence. Don't worry. But a DMARC report is basically telling you: those are the mail streams.
So the mail streams for your domain mean your domain is being used by this mail server, is being used by this other mail server. So that's the kind of report that you get implementing DMARC. So that's why it's super cool. Because you finally have visibility on where your domain is being used. Now, there is a purpose in that. Of course, it's to fight any abuse, to prevent somebody abusing it again. But it's also about going and fixing whatever is yours and is not authenticated. Because once you do that, you will realize that, oh, I forgot that I also have Zendesk, I don't know, for example, using the same domain or a subdomain of it. So, okay, I go there and fix it. Oh, I didn't realize I have Zendesk. So that's the goal. And that's why DMARC should be implemented with some strategy, some logic, some understanding of what you're doing. Because you start with a policy that says: just collect the data, just collect the reports. I don't want you to take any action, dear Gmail. Don't reject it. Don't put it in spam. Do nothing. But record it. I want to know. So after some time, when you have collected enough data, you can say, okay, you know what? Let's move to a stricter policy. Let's move to quarantine. Quarantine is: if there's something you don't like, put it in the spam folder. And so on. And then you go to the reject one. Okay, so that's how it works. And the thing is, sometimes people will have, again, a certain business and forgot that they have a WordPress website. So the marketing team heard that there is this new cool kid in town called BIMI. For example, did you ever hear of BIMI? No, not yet. BIMI allows senders to show, display their icon, their logo in the client, in the mailbox client. So if you open your mail, you will see a nice logo next to the brand. Not everybody can have that.
And now, since a couple of days ago, Gmail is also showing, and now everybody is using just a blue mark, but yeah, Gmail is also showing a blue mark other than the logo to say: you should trust them because it's truly them. If it says that it's from Groupon, it's truly Groupon. Okay, so that's the idea. So it's cool. So the marketing people, usually they have the budget, so we are just at their mercy. The marketing people say, okay, let's spend a lot of money to implement BIMI because it's cool, because it will show the logo, and now the more tech people will be called: oh, you have to implement BIMI. Okay, how do you implement BIMI? Well, to implement BIMI, you need DMARC. To implement DMARC, you need DKIM. And that's when people realize that some of their websites, for example, are running on WordPress, and they couldn't, or not easily, so they have to probably pay more money for an external service, maybe some custom configurations and custom scripts to do it. Okay, so that's a thing, that's the kind of issue that we try to address. But again, it's going to be more and more important. If you are not authenticating your domain or your client's domain, please do it. Please try to learn more about this stuff so that you can start with the very basics. Because in the past, the bad guys didn't care about doing the right stuff. Now we have bad actors, so the abusers, the scammers, that are doing things better than legitimate businesses. Okay, so please, guys, do the right thing and make sure to differentiate yourself from the spammers. And that's it. Any questions? Yes? Mic. Introduction. I'm curious, you said about collecting the information about abuse and then looking at the logs of what happens. If I'm having a client website, where do I collect this data? Do I need a third party and how do I analyze the data? Beautiful question. So once you see a DMARC record, you will get it.
You will see that in the DMARC record, there is the policy, p equals something, so it's an attribute. And there's also another field. It's called RUA, or RUF, depending which one we are going to use, that is listing an email address. So usually you put your email address as an administrator, or if you are relying on a third-party service that is ingesting the data and displaying it somehow, you are using their email address. Or, the beauty of DMARC is that you can actually put as many email addresses there as you want, so you can put both if needed. Now, those email addresses will receive a report in XML format. So it's not very easy to read if you're not familiar with it, because, I mean, it's no big deal, it's an XML, still you can read it, but a lot of people are just, oh, what's going on? So third-party services exist, as I was saying. They ingest this data and they put it in a more readable form, and also the cool thing, and that's why actually, even if they are paid services or whatever, they're doing the good thing because they allow you to really visualize, to filter the data, to dig, and again, they will tell you: this mail stream passed authentication, this other one didn't pass authentication. So you start from there. It's not the end, it's the beginning of another investigation, but it's a very important one, again. The risk is, it's implemented, and then you just put admin at whatever, and nobody will ever look at it, and in five years they're going to see they have 300 reports, and nobody was reading that. You are so right, so right. I see that all the time, not only people that put an email address and just forget about it, but also people that don't put any email address. So the whole point of DMARC is to collect reports. If you are not collecting reports, what are they doing? Nothing. It's, yeah, again, sometimes people do it because somebody told them to do it.
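The DMARC record pieces discussed above (the p= policy that moves from none to quarantine to reject, and the rua=/ruf= report addresses) in a small Python parser and policy evaluator. This is an added example, not code from the talk or from the plugin. The record strings are constructed; the domains in them are made up. It also applies the identifier alignment rule that DMARC layers on top of SPF and DKIM: an SPF or DKIM pass only counts for DMARC if the domain it authenticated lines up with the From header domain, relaxed (same organizational domain) by default, or strict (exact match) when aspf=s / adkim=s. The org_domain helper is a simplification that takes the last two labels; a real validator consults the Public Suffix List, so treat that as an assumption of this example.

```python
"""DMARC record parsing and policy evaluation (added example)."""

# Constructed records: a monitoring-only policy and an enforcing one.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
ENFORCE_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.test,mailto:reports@vendor.test")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def report_addresses(tags, kind="rua"):
    """Mailboxes that aggregate (rua) or failure (ruf) reports are sent to."""
    addrs = []
    for uri in tags.get(kind, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!")[0])  # drop size limit
    return addrs


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real validators use
    # the Public Suffix List (e.g. a .co.uk domain needs three labels).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Alignment test: 's' = exact match, 'r' = same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope (MAIL FROM) domain SPF evaluated;
    dkim_domain is the d= tag of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # DMARC fails: the published policy decides what the receiver should do.
    return "fail", tags["p"]


if __name__ == "__main__":
    print(report_addresses(parse_dmarc(ENFORCE_RECORD)))
    # An external SMTP service passing SPF/DKIM for its own domain, not yours:
    print(evaluate_dmarc("v=DMARC1; p=quarantine", "example.test",
                         "pass", "mailer.test", "pass", "mailer.test"))
```

The last call in the demo is the situation described later in the Q&A: a relay can pass SPF and DKIM for its own domain and still fail DMARC for yours, because neither identifier aligns with the From domain, so a p=quarantine policy sends the mail to spam.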
So that's the very first thing: get interested, try to know more about email authentication, why, you know, all this stuff, and do it right. Yeah, so absolutely right, yeah, I saw it, it's often, yeah, it's hard, it's hard. Any more questions? Yes, please. They're down there. The operator, nice. Hi, thank you for the speech. In my case, yeah, I had a lot, yeah, I used to, when my customers get into spam, my solution for now was to install an SMTP plugin. What is your position regarding this? Yeah, so, starting from here, I'll say that email authentication is not by itself, not necessarily, a solution to the spam folder. If you're landing in spam, it's not necessarily the solution for the inbox. It's not like, oh, I'm landing in spam, I implement authentication, everything will be in the inbox. Sometimes it is, and it could be for a couple of reasons. One of them is DMARC. If that client maybe added a DMARC record and you don't know it, it's possible. Well, if they added a DMARC record, the DMARC record was probably with a policy of quarantine, p equals quarantine, so that email wasn't authenticated. So basically, DMARC was just doing what it was supposed to do, telling everybody it's not authenticated, put it in spam. So you say, oh, gosh, what do I do, what do I do? Let's try with the SMTP service. Well, it works. Probably it worked because it was passing SPF, probably. But I'm saying probably because I should dig a little bit more. There is another aspect that I didn't mention, which is the concept of alignment. But it's completely, yeah, again, if we had more hours, we could cover the aspect of alignment. But it could be because of that, or maybe they were actually DKIM signing because, again, external SMTP services do. So it could be that. It could also be some other stuff, because when you send emails, the keyword, the magic keyword, is reputation. So the mailbox providers not only want to see if it's truly you, they also want to know how trustworthy you are.
So they have some sort of list saying you're good, you're bad, you know, that kind of stuff, a list of good people, good senders, a list of bad people. And to do that, they have to be able to identify you. And if you don't implement email authentication, sometimes you are sharing the reputation with the space you are in. So you are sharing the reputation with the hosting provider and everybody that is using that certain space in the same hosting provider, or stuff like that. Okay, so it's possible that by authenticating the customer, you were able to say: it's me, it's just me. Don't take into account the other people that are using the same, you know. So it could be more complex. But I will say that it could be DMARC, DKIM, yeah. Thank you. Thank you, hopefully it was enough. Yes, please. Yeah, yeah, yeah, yeah, but... So then you can use the two plugins at the same time, or not? Yes, yes, you could do it. Now, you could do both together. Probably, so the thing is, if emails are being sent out with that, okay, I should check which one it is using, if it's compatible and everything. The cool thing is that you could put as many DKIM signatures as you want. So it could be not a big deal that it's DKIM signing with that service. We can add an additional DKIM signature. It could be seen as an additional layer of security, so it could be good. And also, actually, my plugin provides all the other information. It tells you if there's an error, which error it is, if there are the other records that you are publishing or not publishing, and it recommends doing it to improve. So, actually, yeah, it could work pretty well. I'd like to test it because I want to make sure that we are compatible with that. But yeah, you could use them both. Or if you just need to DKIM sign, you could use just mine. Right? Yeah, but you can... You add yours and then check it, okay? Right, thank you. Cool, I think we're done, right? Do you have another question, yes?
Whoa, whoa. Does the plugin you developed only give the information, but not actually fix the issue? No, no, it does fix it. It does fix it, because I know you need to add some records to the DNS, right? No, you still have to publish the public key. That's still important because it's the way the mailbox providers can verify the signature. So, we are providing a key that you have to publish in the DNS. But other than that, you're done, because we are covering all the things under the hood, you know, behind the curtain. We are using the private key that we generated for that specific client to generate the signature. So, the idea is that, yeah, they just have to publish the key. They don't have to, again, pay for another service, whatever, or use a signature, because it's also about the technology. The way it works is that the plugin works with literally any website out of the box, because we are relying on PHP mail. It's already there. So, that's the thing. We found a workaround to do this without, you know, any other stuff. Yeah, thank you, cool. Thank you for the work you're doing with this plugin. Please upload, I still have the laser, guys. I'm really looking forward to testing it on the website. Oh, yeah, please, please, please let me know any feedback. The plugin works, but it was released very recently. So, any feedback you can provide to improve it, please do. If there's any issue, any problem, just let me know. Thank you. If you have more questions, he's going to be in the speakers' room now. And this is a little present for you. And please give him a big applause for this.