Email has profoundly changed the way all of us communicate—whether it’s for personal use, business use, or bridging the two to create brand-customer touchpoints.
But the very traits that have made email ubiquitous also contribute to its vulnerabilities. Email is so simple to set up that it’s easy for cybercriminals to send malicious emails that appear to be from a brand’s legitimate internet domain.
But brands can protect themselves by securing their outbound email using a global standard, Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is one vital piece of the online brand protection puzzle that can help brands safeguard their reputation and protect their customers, clients, employees and suppliers from bad actors who spoof their email addresses. Yet new research in the State of Email Security 2020 report found that only 28% of respondents were using DMARC, and only 22% of that group had deployed DMARC’s highest level of enforcement.
Why email makes brand exploitation so easy
Email recipients usually expect that senders are exactly who they claim to be, and that’s often the case. But this implicit trust creates an easy entry point for bad actors looking to exploit brands for phishing attempts, fraud, or malware attacks. It’s so easy to fake the “from” header of an email that almost anyone can do it, regardless of technical prowess, and it can usually be done for free. The potential for bad actors to spoof legitimate domains increases drastically when you consider that many companies have dozens of registered domains, and many also rely on third parties like customer relationship management systems to send emails on their behalf.
It also doesn’t help that humans are a major weak point in preventing cyberattacks, and that bad actors prey on our anxieties, vulnerabilities, and desires. An email that appears to come from a legitimate domain—a bank, for instance—may urgently request the recipient to change their password because their account was compromised. Ironically, that email might lure the recipient to a spoofed website that actually steals their account info, opening the door to identity theft, fraud, or even cyberattacks targeting the recipient’s employer.
Without a rigorous outbound email authentication strategy like DMARC, these bad actors can’t be stopped.
What is DMARC?
DMARC is an email authentication standard that helps domain owners such as companies identify unauthorised email senders, so that only valid emails reach recipients. It’s built on SPF and DKIM, two separate email authentication mechanisms whose records are published in a domain’s DNS to help prevent email spoofing. DMARC builds on the capabilities of SPF and DKIM by letting domain owners publish customisable policies in their DNS record. These policies help protect email recipients by enabling their email systems to detect and reject phony incoming emails before they can reach the recipient’s inbox. SPF and/or DKIM are required for DMARC to work, but it’s best to deploy both to avoid weak spots.
How does DMARC work?
Every time an inbound email server receives an email message from a domain with a DMARC record in place, it runs a DMARC check to determine if:
- The email is being sent from an IP address permitted by the domain’s SPF records
- The DKIM signature is valid
- The domain in the email’s “from” header aligns with the domain that SPF or DKIM authenticated
This process is then used for two key purposes: reporting and conformance.
- Reporting: DMARC tells a brand owner who is using a brand’s domains and how, including cybercriminals as well as legitimate third parties working on their behalf. DMARC provides two types of reports: aggregate and forensic. Aggregate reports provide an overview of all email traffic, including legitimate and illegitimate IP addresses attempting to send emails on behalf of a domain. Forensic reports send similar information in near real-time whenever an email fails a DMARC check.
- Conformance: DMARC tells recipients’ email servers which emails are genuine and what to do with phony emails. There are three options, which can be customised and set by domain owners: do nothing other than report activity, quarantine emails in the recipient’s spam folder, or reject the email altogether.
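To make the check and the three policy outcomes concrete, here is an added example written for this article (not Mimecast’s code): a minimal evaluator that parses a DMARC TXT record, applies the SPF and DKIM alignment rules to the “from” domain, and returns the disposition a receiving server would apply. The function names, sample records and domains are constructed; it ignores pct= sampling and uses a simplified organizational-domain rule instead of the Public Suffix List.

```python
# Added example for this article: a minimal DMARC policy evaluator covering the
# checks listed above (SPF, DKIM, From-header alignment) and the none /
# quarantine / reject outcomes. Not Mimecast's code; names, sample records and
# domains are constructed for illustration.

from typing import Iterable, Optional, Tuple

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record (RFC 7489 tag=value list) into a dict.

    Optional tags get their defaults; sp= defaults to the value of p=.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Real implementations must use the Public Suffix List (e.g. example.co.uk).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(
    record: str,
    from_domain: str,
    spf_pass_domain: Optional[str],
    dkim_pass_domains: Iterable[str],
) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    from_domain:        domain of the RFC 5322 From header
    spf_pass_domain:    MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domains:  d= values of DKIM signatures that verified
    pct= sampling is ignored: the full policy is always applied.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags["aspf"]
    )
    dkim_aligned = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # Failed: p= applies to the organizational domain itself, sp= to subdomains.
    is_org = from_domain.lower() == organizational_domain(from_domain)
    return "fail", (tags["p"] if is_org else tags["sp"])


# Constructed sample records for the three policy levels.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.com"
STAGED = "v=DMARC1; p=quarantine; sp=reject; pct=100"

if __name__ == "__main__":
    # Legitimate bulk sender: SPF passes on a bounce subdomain, relaxed alignment.
    print(dmarc_disposition(MONITOR, "example.com", "bounce.example.com", []))
    # Same mail under strict alignment: SPF no longer aligns, DKIM d=example.com saves it.
    print(dmarc_disposition(STRICT, "example.com", "bounce.example.com", ["example.com"]))
    # Spoofed From: SPF passed only for an unrelated domain, no DKIM, so p=reject applies.
    print(dmarc_disposition(STRICT, "example.com", "mail.unrelated-sender.example.net", []))
```

The staged record shows why an unauthenticated message from news.example.com is rejected while one from example.com itself is only quarantined: sp= governs subdomains independently of p=. Note also that the monitoring record returns a “fail” result but a “none” disposition, which is exactly the reporting-only behaviour described above.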
A “reject” policy is DMARC’s gold standard and the ultimate goal for many brands. But it’s generally recommended that domain owners take an incremental approach to implementing DMARC, to avoid having their authentic emails inadvertently rejected.
The first step is to use a “none” policy that simply reports all email activity, so a brand can get an accurate assessment of all email that’s sent on its behalf, legitimate or not. Because many companies have multiple domains and third-party senders, this step can be challenging. Furthermore, some experts say that DMARC can be hard to configure, which likely contributes to DMARC’s low adoption rate. But third-party DMARC solutions are available to simplify the process, and they’re “often the most effective way of getting to the point where emails can be rejected if they fail DMARC,” according to Gartner Inc.
In general, a brand should only change its DMARC policy to “reject” when it is confident that it has identified all legitimate senders and added them to its DNS record. With a “reject” policy, brands can protect their own reputation, and prevent innocent recipients—and their organisations—from becoming victims of brand exploitation attacks that utilise email as a delivery mechanism.
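The assessment step above relies on the aggregate reports that receivers send to the rua address in the DMARC record. As an added example (not Mimecast’s code), the block below parses a constructed aggregate report in the RFC 7489 Appendix C XML format and tallies, per sending IP, how much mail passed or failed DMARC. The source IPs are documentation ranges and the vendor domain is made up; in practice the report arrives as a gzip or zip attachment that you would decompress first.

```python
# Added example for this article: summarize a DMARC aggregate (rua) report so a
# domain owner can see which senders pass and which still need attention
# before tightening p= from none to quarantine or reject. Not Mimecast's code;
# the XML is a constructed report using RFC 5737 documentation IPs.

import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1600000000</begin><end>1600086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.45</source_ip><count>75</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> Dict:
    """Tally DMARC pass/fail counts per source IP from one aggregate report.

    policy_evaluated/dkim and /spf are the *aligned* results, so a message
    passes DMARC when either of them is 'pass'. The raw auth_results are kept
    so a third party's own SPF domain (here crm-vendor.example) is visible.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "totals": {"pass": 0, "fail": 0},
        "sources": {},
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        summary["totals"][outcome] += count
        src = summary["sources"].setdefault(
            ip, {"pass": 0, "fail": 0, "spf_domains": set()}
        )
        src[outcome] += count
        src["spf_domains"].update(
            d.text for d in rec.findall("auth_results/spf/domain") if d.text
        )
    return summary


def sources_needing_attention(summary: Dict) -> List[str]:
    """IPs with any DMARC failures, largest volume first: each is either a
    legitimate sender to authorize (add to SPF / sign with DKIM) or abuse that
    a stricter policy will stop."""
    failing = [(ip, s["fail"]) for ip, s in summary["sources"].items() if s["fail"]]
    return [ip for ip, _ in sorted(failing, key=lambda item: -item[1])]


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(s["domain"], s["policy"], s["totals"])
    print("needs attention:", sources_needing_attention(s))
```

In this constructed report the CRM vendor’s mail fails SPF alignment (it uses its own envelope domain) but passes because its DKIM signature is for example.com, which is why the article advises deploying both mechanisms; the remaining failing source is the one to investigate before moving to “quarantine” or “reject”.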
Still, while it’s highly effective, DMARC is only one piece of the online brand protection puzzle. It does not prevent emails sent from “lookalike” domains—so a bad actor can bypass DMARC checks by simply creating a domain name that looks similar to the brand’s domain but has a slightly different spelling. It doesn’t address other forms of spoofing like forged websites, and it doesn’t solve the issue of human error. Thus, it must be combined with other cybersecurity strategies like AI-based brand protection solutions and regular security awareness training.
The bottom line
Life as we know it wouldn’t be possible without email, but its ease and ubiquity are also a breeding ground for cyberattacks that spoof brand domains. DMARC is a tool that helps companies protect their brands online and helps to make the internet a safer place. It makes sure the emails received by a brand’s customers, employees, or prospects are authentic—all while protecting a brand’s reputation. The more brands that use DMARC, the more every email user is protected from the threats hidden in spoofed emails.
This article was originally published on Mimecast’s blog and has been shared with permission.