What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an added layer of email authentication intended to let Internet Service Providers (ISPs) know the email’s validity. DMARC was designed to help protect email senders and recipients from spoofing and phishing emails.
What Is Spoofing & Phishing?
- Spoofing – An email is sent to a recipient to trick them into thinking it’s from a genuine sender. Sent using the actual sender’s domains, spoofing emails can look compelling. Spoofing is used to spread misinformation, distribute malware through harmful links and phishing purposes.
- Phishing – A type of spoofing email where recipients are prompted to disclose sensitive information. For example, the email appears to be from the recipient’s bank with action required to unlock their frozen account. The recipient clicks the link, and they are taken to a fake website that looks identical to their banks. When they attempt to log in, their credentials are stolen and then potentially used fraudulently or sold.
How Serious Is The Problem?
Very serious. Over 90% of all cyberattacks involve email and aren’t just limited to examples like the one given above. There have been some high profile phishing attacks where scammers targeted companies using business email compromise (BEC) campaigns.
Internet giants Google and Facebook fell victim between 2013 and 2015 when one phishing email set off a two-year fraud costing campaign costing the companies over $100 million. A cybercriminal posing as a vendor of computer components sent multiple fake invoices which the companies paid. The culprit was eventually found and prosecuted.
The scale of the incident and the companies involved highlights just how serious the problem is and how sophisticated cybercriminals are getting. It’s important not to forget that there is a human element to all this too.
Phishing emails are often more successful in vulnerable groups within society, particularly the elderly. When someone falls prey to these kinds of scams, they can feel highly embarrassed and ashamed, which can cause genuine personal distress. Organisations must do everything in their power to mitigate the risks posed to their customers.
How Does DMARC Work?
It works by aligning Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both have been around since the early 2000s, and both are forms of authorisation to let an ISP know an email is legitimate.
SPF is a public list of servers that are authorised to send emails on behalf of a domain. By querying SPF records. ISPs and business operators of email servers can identify if an email originates from the genuine servers allowed to send an email for that domain or elsewhere.
SPF usage has seen a significant rise in recent years as Microsoft Office 365 usage has also increased. It is a compulsory prerequisite for running your domain on the Microsoft platform, meaning any organisation wanting to run Office 365 email must also run SPF.
DKIM are in their simplest form, email signatures which let ISPs know if an email came from the correct sending domain. A DKIM record is entered into the sending domain’s DNS records as a TXT record containing a public key. This TXT record is then used to let the receiving IPS verify the email signature.
DKIM gives emails an encrypted signature in their header and two DKIM Keys that are used to unencrypt the signatures and allow the IPS to validate the email. DKIM has a significant advantage over SPF in that it remains effective during subsequently forwarding emails.
Domain owners can use DMARC with either SPF, DKIM or both. A DMARC record is put in the DNS, creating a text file containing your organisation’s DMARC Policy which you will have previously set. When an ISP receives an email, the text file will give instructions on what to do with the email. There are three options.
- p=none – Do nothing with the email
- p=quarantine – Send the email to the spam folder
- p=reject – Do not deliver the email
Ultimately it’s every organisation’s goal to get to the third option; however, the journey there needs to be a cautious one. When you implement DMARC for the first time, you should choose the first option. By rushing into things and selecting a reject all policy, likely, legitimate emails will also get blocked.
It’s best to let things run with no action taken and monitor results. You can then improve your SPF and DKIM authentication rates and gradually impose tighter restrictions on your policy.
DMARC offers a real insight into your email channel because not only does it help prevent spoofing and phishing emails from getting through, it also provides reporting. Every time an ISP sees a DMARC TXT record, it sends information back up the chain.
The Aggregate (RUA) DMARC report is sent daily, with an overview of all email traffic and a list of all IP addresses which have tried to send emails using your domain. The Forensic (RUF) report works in real-time, only sending failures but includes the email header and sometimes even the email content. The RUF reports are sent to you via email to the email address set against the DMARC record on your DNS, usually your postmaster (usually IT Team).
Should I Be Using DMARC?
If you can implement DMARC with both SPF and DKIM, you are taking essential steps in securing your email channel. Although you can’t stop cybercriminals from attempting to imitate you, you can reduce the chances of doing so successfully.
You are also taking steps in securing your organisation’s identity and brand. Although it’s not technically your fault if an incident occurs, it’s still not the kind of press you want to be associated with your organisation. Having DMARC in place reduces this risk, and if something does happen, at least you’re trying.
Eventura are cybersecurity experts. We can help assess your businesses current level of protection and assist you in strengthening it.
If you would like to speak to cybersecurity and IT security team members, please request a free callback here.