Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has worked in the technology industry for fifteen years and is passionate about technology and security. He enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
Spoofing emails can cause serious problems for the people that receive them, and for the organisations that appear to be sending them.
It seems like no one is safe: phishing messages even spoofed the Australian Cyber Security Centre in January 2021 in a bid to rip off consumers. Systems such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) can help authenticate mail, but they won't defeat email spoofers on their own: neither of them checks the From address the recipient actually sees, so a message sent from an attacker's own infrastructure can pass both while still displaying your domain. That makes DMARC a vital tool in beating the scammers.
How email spoofing can hit your organisation
What would it mean to your organisation's brand and reputation if a group or individual were delivering socially engineered or phishing emails on behalf of your domain name?
These emails are typically highly targeted. They will be delivered beyond your perimeter to one of your partners, customers or suppliers, and they will carry a forged “from” address, often your CEO's or CFO's. This won't be a lookalike domain or a display name with a free email address behind it. Instead the cybercriminals will use one of your executives' actual email addresses to steal data or money from people who trust your brand.
The spoofed email will typically carry a different “reply-to” address, such as a Gmail address, or will contain a lookalike URL in the message body. Such tactics are widespread and effective: Mimecast's research on organisations in Australia and New Zealand found that 47% saw fraudulent use of their company's brand via spoofed emails in 2020. Around the world, over three billion such emails are sent daily.
If these emails appear to come from your account, they’ll damage your brand reputation. Better authentication can protect your company from being abused, and help your own email delivery.
SPF and DKIM have their limits
When a cybercriminal delivers spoofed email that appears to come from your domain, it often passes SPF and DKIM authentication, because those checks are run against domains the attacker controls rather than the domain being impersonated. Yet the “header from” (P2) email address the recipient sees in their inbox will be an exact match of your executive's address.
How is this possible, you might ask? It all goes back to the fundamentals of email and the fact that email expects two “from” addresses.
The first “from” address (P1) is often referred to as the bounce address, return-path address or “envelope from” address. The recipient of the message normally never sees it: mail clients hide it, although receiving servers usually record it in a Return-Path header. It is supplied in the SMTP MAIL FROM command during transmission of the message, to tell the receiving mail server where bounces should be delivered.
It's the second address, the “header from” (P2) address in the message's From: header, that the recipient sees in their inbox. Unfortunately this address plays no part in the SPF or DKIM validation that the receiving mail server performs before accepting the message: SPF checks the sending server's IP address against the policy published for the P1 domain, and DKIM verifies a signature made by whatever domain the signature itself names.
DMARC works with SPF and DKIM
SPF and DKIM are still relevant; in fact, DMARC depends on these existing authentication protocols. SPF authenticates the sending server's IP address against the policy published for the hidden envelope from (P1) domain, and has dramatically reduced backscatter – incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam. Reflecting on over 15 years working with email, I remember a time when email backscatter was a real nuisance. But that was a long time ago, and thankfully SPF went a long way to stopping most of it.
DKIM, meanwhile, provides an integrity check that tells the receiver whether an email has been tampered with between point A and point B. The sending domain signs selected headers and the message body with a private key; the matching public key is published in a DNS TXT record, so the receiving mail server can verify the signature and confirm that the signed parts of the message have not changed in transit. DMARC works with both SPF and DKIM, building on their strengths to create a solution.
DMARC is a new standard
So how does an organisation prevent an adversary from spoofing their brand's domain name in the P2 address? Domain-based Message Authentication, Reporting and Conformance (DMARC), a specification first published in 2012 and later documented as RFC 7489, empowers you to take back control of your organisation's domain.
DMARC protects the domain names your organisation owns from spoofing. The DMARC protocol is not a third authentication protocol on top of SPF and DKIM – instead it works with these two existing authentication protocols. DMARC introduces four key benefits:
Visibility, through reporting, of who is sending mail as your domain, whether legitimately or not.
A way to lock down your domain and prevent spoofing of the P2 address.
Identification of shadow IT, where a colleague may have signed up to a third-party service like Mailchimp to make their job easier but not yet notified IT about it.
Improved deliverability of legitimate emails you send to prospects and customers. DMARC-aligned mail carries verifiable proof of who sent it, so the receiving mail system has a better chance of accepting it and delivering it to the recipient's inbox instead of a junk mail folder.
How DMARC prevents spoofing
DMARC prevents spoofing of the P2 address by focusing on that address and checking for alignment: the domain that SPF or DKIM actually authenticated must match the domain in the P2 address. Alignment can be achieved using either or both existing authentication protocols:
DMARC-compliant mail relying on SPF first needs to pass SPF. Secondly, alignment is checked: the domain in the P2 “from” address must match the domain in the “envelope from” (P1) address.
Adding DMARC on top of DKIM first requires that DKIM passes, and secondly requires alignment: the P2 domain the recipient sees in their inbox must match the domain named in the DKIM signature (its d= tag).
By default alignment is “relaxed”, meaning the two domains only need to share the same organisational domain (mail.example.com aligns with example.com); the adkim and aspf tags in your DMARC record can switch either check to “strict”, which requires an exact match. A message passes DMARC if either check passes with alignment. Emails that pass SPF and DKIM and achieve alignment via both are referred to as “fully aligned”, which gives your mail the best possible chance of delivery.
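The alignment rules above, turned into working code as an added example that is not part of the original article: given the SPF result with its envelope-from (P1) domain and any DKIM signatures with their d= domains, it decides whether a message passes DMARC for the domain in its From: header, under relaxed or strict alignment. The domain names (example.com, bad.example, mail.example.com, bounce.mailer.example), the sample spoofed message and the organisational-domain shortcut (last two labels; real receivers use the Public Suffix List) are assumptions for illustration.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed spoof, not a captured message: the From: header names the brand's CEO,
# while Reply-To points at a mailbox the attacker controls (hypothetical domains).
SPOOFED_MESSAGE = (
    'From: "CEO" <ceo@example.com>\r\n'
    "Reply-To: ceo.example@freemail.example\r\n"
    "To: cfo@partner.example\r\n"
    "Subject: Urgent payment\r\n"
    "\r\n"
    "Please wire the funds today.\r\n"
)


def header_from_domain(raw_message: str) -> str:
    """The domain DMARC evaluates: the address inside the RFC 5322 From: header.
    The display name ("CEO") is ignored, which is why display-name tricks and
    lookalike domains are outside what DMARC can check."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption: a real
    receiver uses the Public Suffix List so that names like example.co.uk work)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC alignment test. mode 's' (strict) needs an exact match; 'r' (relaxed,
    the default for the adkim/aspf tags) only needs the same organisational domain."""
    a, b = header_from.lower().strip("."), auth_domain.lower().strip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    result: str  # "pass", "fail", "none", ...
    domain: str  # SPF: the envelope-from (P1) domain; DKIM: the signature's d= domain


def dmarc_evaluate(header_from: str, spf: Optional[AuthResult],
                   dkim: Optional[List[AuthResult]] = None,
                   aspf: str = "r", adkim: str = "r") -> Dict[str, bool]:
    """A message passes DMARC when SPF or DKIM passes AND that identifier aligns with
    the From: domain. Passing SPF/DKIM for some other domain counts for nothing."""
    spf_aligned = bool(spf and spf.result == "pass" and aligned(header_from, spf.domain, aspf))
    dkim_aligned = any(sig.result == "pass" and aligned(header_from, sig.domain, adkim)
                       for sig in (dkim or []))
    return {"pass": spf_aligned or dkim_aligned,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Constructed cases a receiver might see for mail claiming to be from example.com."""
    brand = header_from_domain(SPOOFED_MESSAGE)  # "example.com"
    return {
        # The spoof: SPF passes for the attacker's own P1 domain and the attacker's own
        # DKIM key verifies, so both mechanisms say "pass", yet nothing aligns with From:.
        "spoof": dmarc_evaluate(brand, AuthResult("pass", "bad.example"),
                                [AuthResult("pass", "bad.example")]),
        # Legitimate mail bouncing via a sub-domain: fine under relaxed alignment ...
        "subdomain_relaxed": dmarc_evaluate(brand, AuthResult("pass", "mail.example.com")),
        # ... but not under strict alignment (aspf=s in the DMARC record).
        "subdomain_strict": dmarc_evaluate(brand, AuthResult("pass", "mail.example.com"),
                                           aspf="s"),
        # A third-party sender (newsletter platform) using its own bounce domain but
        # signing with a DKIM key you delegated to it: passes on DKIM alone.
        "third_party_dkim": dmarc_evaluate(brand, AuthResult("pass", "bounce.mailer.example"),
                                           [AuthResult("pass", "example.com")]),
        # Fully aligned: both mechanisms pass and both align.
        "fully_aligned": dmarc_evaluate(brand, AuthResult("pass", "example.com"),
                                        [AuthResult("pass", "example.com")]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} DMARC={'pass' if result['pass'] else 'FAIL'}  {result}")
```

The "spoof" case is the one the article is about: SPF and DKIM both report a pass, but for bad.example, and only alignment with the From: domain turns that into a DMARC failure. The sub-domain pair shows why switching aspf or adkim to strict can break legitimate mail that relaxed alignment accepts.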
How DMARC’s policies work for you
DMARC arrived roughly 30 years after email itself (the Simple Mail Transfer Protocol, or SMTP, dates from 1982), so it had to be retrofitted onto mail flows that were never designed for it without breaking legitimate delivery. The protocol handles this with policies, published in your DNS record, that tell the receiving mail server what action to take when a message fails. DMARC policies include:
None: This is also referred to as “monitor mode”. It tells the receiving mail server to deliver mail as it otherwise would and take no enforcement action, other than to send DMARC reports to the addresses published in your DMARC record: aggregate reports (which summarise authentication results across many messages) and/or forensic reports (which describe a single failed message).
Quarantine: Moving your domain to a policy of quarantine is often done to test the waters. It tells the receiving mail server to hold, or treat as junk, any email that is not DMARC-compliant, and the pct tag lets you apply that treatment to only a percentage of failing messages at first. Typically, you will have spent the last several months reviewing the DMARC reports and taking positive action to introduce alignment on all critical applications, systems and services your business relies on (CRM, payroll, HR systems etc.) before moving to this state.
Reject: Once you are comfortable, through your reports, that nothing has been missed and all legitimate systems are sending DMARC-compliant mail, you can move your domains to a DMARC policy of reject (p=reject). At this point you will have done most of the work to retrofit authentication and DMARC alignment to your mail flow. Every receiver that enforces DMARC will now reject messages that use your domain in the P2 address without aligned authentication, so adversaries can no longer borrow the reputation of your brand and its domain names.
The goal of course is to move your domains to a policy of “reject”, but it is very important to monitor mail flow by analysing DMARC reports. Therefore it’s best to start with a DMARC policy of “none”.
Below is an example of a DMARC DNS TXT record, published at _dmarc.<your domain>, where you will see the DMARC policy configured (here the “none” monitor policy) and the destination email addresses for DMARC reports (rua = aggregate reports, ruf = forensic reports):
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
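A parser for the record format, added here as example code rather than anything from the article: it reads a DMARC TXT record, enforces the rules a receiver cares about (v=DMARC1 must come first, the p tag is mandatory and must be none, quarantine or reject, pct must be 0 to 100, adkim and aspf must be r or s) and summarises what the record asks receivers to do, including the pct sampling rule used during a staged rollout. The record, the domain example.com and the report addresses are constructed for illustration.

```python
from typing import Dict, List

# Constructed example record (not any real domain's record), as it would be published
# in the TXT record at _dmarc.example.com. pct=25 applies quarantine to a quarter of
# failing mail; sp=reject covers sub-domains that do not publish their own record.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=25; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-agg@example.com; "
                 "ruf=mailto:dmarc-fail@example.com; fo=1")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and reject records a receiver would
    ignore: v=DMARC1 must be the first tag, p is required, values must be legal."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p (policy) tag missing or not one of none/quarantine/reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer between 0 and 100")
    return tags


def report_addresses(tags: Dict[str, str], kind: str) -> List[str]:
    """rua / ruf hold comma-separated URIs; only mailto: is in common use."""
    uris = [u.strip() for u in tags.get(kind, "").split(",") if u.strip()]
    return [u[len("mailto:"):] for u in uris if u.lower().startswith("mailto:")]


def sampled_down(policy: str) -> str:
    """Messages that fall outside the pct sample get the next less strict policy
    (RFC 7489 section 6.6.4): reject becomes quarantine, quarantine becomes none."""
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


def summarise(record: str) -> dict:
    """What a receiver will actually do with mail that fails DMARC for this domain."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))
    policy = tags["p"]
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),   # sp defaults to p
        "pct": pct,
        "policy_for_unsampled": sampled_down(policy) if pct < 100 else policy,
        "dkim_alignment": "strict" if tags.get("adkim", "r") == "s" else "relaxed",
        "spf_alignment": "strict" if tags.get("aspf", "r") == "s" else "relaxed",
        "aggregate_reports_to": report_addresses(tags, "rua"),
        "failure_reports_to": report_addresses(tags, "ruf"),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECORD).items():
        print(f"{key:22s} {value}")
```

With pct=25, three in four failing messages receive the next less strict policy (quarantine becomes none), which is what makes the staged move from none to quarantine to reject safe to do in small steps; once the reports are clean, raise pct to 100 before tightening p.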
DMARC and email spoofing
By building on SPF and DKIM, DMARC can prevent spoofed emails that use your exact domain names, and stop cybercriminals impersonating your senior executives at every receiver that honours your policy. It does not cover lookalike domains or display-name tricks, which still need other controls. Adoption should be gradual, with your organisation moving from a “none” policy through “quarantine” to “reject”, monitoring your systems as you go.
Adopting DMARC brings further benefits. Your email is more likely to reach the desired recipients, and you will be in a strong position to adopt newer protocols such as BIMI (Brand Indicators for Message Identification), which requires your domain to be at a DMARC enforcement policy of quarantine or reject. DMARC offers security for today, and opportunities for the future.