
Guide to DMARC

by Egress
Published on 4th Aug 2021

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that lets a receiving mail server check whether a message claiming to come from a domain (the domain in the From: header the recipient sees) was actually authorised by that domain's owner, rather than forged by a cybercriminal spoofing the domain name. In short, DMARC lets receivers decide whether a message is authentic, which protects organizations from domain-spoofing attacks such as phishing.

DMARC was built on top of two existing email authentication technologies: SPF (Sender Policy Framework), which lets a domain publish in DNS the servers allowed to send mail for it, and DKIM (DomainKeys Identified Mail), which adds a cryptographic signature to each message that receivers verify against a public key published in DNS. Both were in use before DMARC, but on their own neither ties its check to the From: address the recipient actually sees, neither tells a receiver what to do when the check fails, and neither tells the domain owner that it failed. DMARC was designed to close those gaps: it links SPF and DKIM to the From: domain, lets the domain owner publish a policy for mail that fails, and enables recipient organisations to detect and reject unauthenticated emails.

Unlike SPF and DKIM, DMARC includes reporting, which can be used to determine whether a domain is being used by cybercriminals to send email. Domain owners publish a DMARC record as a TXT entry in DNS (the Domain Name System) under _dmarc.<domain>; the record states the policy receivers should apply to unauthenticated mail and the address to which receivers should send reports about mail they have seen using that domain. Those reports tell the domain owner who is sending email on behalf of their domain name, which lets them understand and control their email channel and prevent fraudulent emails that rely on domain-based spoofing. The types of attacks DMARC helps protect against include:

    • Phishing attacks targeting customers or third parties
    • Large-scale spear phishing, whaling and CEO fraud
    • Malware and ransomware attacks
    • Brand abuse and online scams

How does DMARC work?

DMARC is designed to integrate into the recipient organization’s inbound email authentication process, but it only works when both sides play their part: the sending organization’s domain owner must publish a DMARC record (together with SPF and/or DKIM), and the recipient’s mail server must check it.

To explain how DMARC works, let’s take two companies: Company A (the sender’s organization) and Company B (the recipient’s organization). For the sake of this example, let’s assume both have DKIM, SPF and DMARC protocols in place.

When the sender at Company A sends the email, Company A’s outbound mail server adds a DKIM-Signature header, a cryptographic signature over the message body and selected headers made with Company A’s private key, and then sends the email to the recipient at Company B. Separately, Company A has published an SPF record in DNS listing the servers authorised to send mail for its domain, and a DMARC record stating what receivers should do with mail that fails authentication and where to send reports.

As the email arrives at Company B, their mail server first carries out standard validation checks, such as whether the sending IP is blocklisted or the domain has a poor reputation. If the email passes these checks, the mail server authenticates it and applies the sender’s DMARC policy. This involves three steps. First, it runs SPF: it looks up the SPF record of the envelope sender domain (the “Envelope From”, also called the MAIL FROM or Return-Path address) and checks whether the IP address that delivered the message is listed there. Second, it runs DKIM: it fetches Company A’s public key from DNS and verifies the DKIM-Signature header. Third, it looks up Company A’s DMARC record and checks alignment: the domain in the visible From: header must match the domain that passed SPF or the domain (d=) that signed the DKIM signature. If at least one mechanism passes and aligns, DMARC passes and the email goes on through the standard filtering processes (such as anti-spam filters) and is ultimately delivered to the recipient. If neither passes (for example, because the message is spoofing Company A’s domain), the mail server applies the policy Company A published: p=none (deliver and report only), p=quarantine (deliver to junk) or p=reject (refuse the message). Either way, Company B’s mail server records the result, including the sending IP address and the number of messages seen from it, in the aggregate DMARC report it sends to the address in Company A’s DMARC record. The domain owner at Company A can then use the source IPs in that report to tell legitimate senders from spoofers.
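The alignment check and policy lookup described above, as an added example that is not Egress’s code or part of the original article. It assumes the receiving server has already produced an SPF verdict for the envelope MAIL FROM domain and verified any DKIM signatures; the DNS answers, domain names and policies in the block are constructed for illustration, and the organisational-domain helper is a deliberate simplification of what real receivers do with the Public Suffix List.

```python
"""Added example (not Egress's code): how a receiving server evaluates DMARC.

Given results the receiver already has (the SPF verdict for the envelope
MAIL FROM domain and the d= domain of every DKIM signature that verified),
this checks DMARC alignment against the visible From: domain and returns
the disposition the domain owner's published policy asks for. The DNS
answers, domains and policies below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Stand-in for DNS TXT lookups of _dmarc.<domain>; real code queries DNS.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict and fill in DMARC's defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy for mail that fails DMARC
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def organizational_domain(domain):
    """Crude organisational domain: the last two labels. Real receivers use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only needs the same
    organisational domain, so mail.example.com aligns with example.com."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str          # domain in the RFC5322.From header the user sees
    spf_domain: str           # envelope MAIL FROM (Return-Path) domain SPF ran on
    spf_result: str           # "pass", "fail", "softfail", "none", ...
    dkim_domains: list = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(r, dns=FAKE_DNS):
    """Return (dmarc_result, disposition).

    dmarc_result is "pass", "fail" or "none" (no record published);
    disposition is the action the published policy requests: none,
    quarantine or reject.
    """
    txt = dns.get("_dmarc." + r.from_domain.lower())
    if txt is None:
        return "none", "none"
    policy = parse_dmarc_record(txt)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = any(aligned(r.from_domain, d, policy["adkim"]) for d in r.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    cases = {
        "legitimate, SPF on a subdomain": AuthResults("example.com", "mail.example.com", "pass"),
        "spoof: attacker's own SPF passes": AuthResults("example.com", "attacker.net", "pass"),
        "subdomain DKIM under strict adkim": AuthResults("example.com", "bounce.net", "fail", ["mail.example.com"]),
        "monitoring-only domain (p=none)": AuthResults("example.org", "attacker.net", "pass"),
    }
    for name, case in cases.items():
        print(f"{name:36} -> {evaluate_dmarc(case)}")
```

The second case is the one DMARC exists for: the attacker’s server passes SPF for its own domain, but that domain does not align with the From: header, so the message fails and example.com’s p=reject applies. The block leaves out the pct= and sp= tags and the subdomain-policy lookup, which a full implementation also needs.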

In this way, the domain owner at Company A can use the DMARC reports to monitor the emails that failed the SPF and DKIM checks and detect spoofing and fraudulent use of their domain. Receivers typically send these aggregate reports once a day, giving the domain owner ongoing assurance about how their domain is being used.
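What the domain owner actually receives is an XML aggregate report per reporting receiver (the format is defined in RFC 7489 Appendix C). The following is an added example, not Egress’s code, that parses a constructed report for example.com and separates the sources the domain owner needs to investigate; the IP addresses, domains and counts are sample data, not real report contents.

```python
"""Added example (not Egress's code): summarising a DMARC aggregate report.

Receivers send aggregate reports to the rua= address in the domain owner's
DMARC record as XML (RFC 7489 Appendix C), usually one per day and usually
gzipped or zipped. This parses a constructed report and lists every source
IP with its message count and authentication results, flagging sources that
failed DMARC altogether. IPs and domains are documentation values, not real data.
"""
import xml.etree.ElementTree as ET

# Constructed sample report, reduced to the fields the analysis needs.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example.net</org_name>
    <email>dmarc-reports@example.net</email>
    <report_id>2021-08-04-example.com</report_id>
    <date_range><begin>1628035200</begin><end>1628121599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.45</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (metadata dict, list of per-source rows) from an aggregate report."""
    # Reports come from third parties: in production parse them with defusedxml,
    # which refuses entity-expansion attacks that plain ElementTree does not.
    root = ET.fromstring(xml_text)
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return meta, rows


def dmarc_failures(rows):
    """Sources where neither aligned SPF nor aligned DKIM passed, largest first.

    These are either spoofers or legitimate senders nobody authorised; the
    domain owner must work out which before moving from p=none to p=reject.
    """
    failed = [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]
    return sorted(((r["source_ip"], r["count"]) for r in failed), key=lambda x: -x[1])


def partial_passes(rows):
    """Sources passing only one of SPF/DKIM. DMARC still passes, but the
    missing mechanism should be fixed before a forwarding hop breaks the other."""
    return [r["source_ip"] for r in rows if (r["dkim"] == "pass") != (r["spf"] == "pass")]


if __name__ == "__main__":
    meta, rows = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{meta['reporter']} reported on {meta['domain']} (p={meta['policy']})")
    for r in rows:
        print(f"  {r['source_ip']:>15} {r['count']:>5}  dkim={r['dkim']:<4} spf={r['spf']:<4} -> {r['disposition']}")
    print("failing DMARC:", dmarc_failures(rows))
    print("passing one mechanism only:", partial_passes(rows))
```

In the sample, 192.0.2.10 is the organisation’s own mail server, 198.51.100.7 looks like a third-party service that signs with DKIM but was never added to the SPF record, and 203.0.113.45 sent 300 messages that failed everything and were rejected under p=reject; that last line is what domain spoofing looks like in a report.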

Why is DMARC important?

Email is the most popular communication tool used by organizations today. Everyone within your organization will have access to email, and so email message exchanges have become a routine way of working. This makes email an attractive attack vector for cybercriminals, who can exploit complacency around everyday usage to trick people into doing things like clicking on fraudulent links, downloading malware, and replying to spear phishing emails.

This makes verifying the authenticity of emails using protocols like DMARC, DKIM and SPF incredibly important, so you can monitor how your domain is being used to quickly detect fraudulent activity.

In its 2019 Internet Crime Report, the Federal Bureau of Investigation (FBI) stated that it received 467,361 complaints of internet crime over the 12-month period (on average, about 1,300 per day) and recorded more than $3.5bn in financial losses to the individuals and businesses that fell victim to these attacks. The most financially costly complaints involved business email compromise and spoofing, in which cybercriminals impersonate a legitimate organization via email to trick victims into actions such as transferring money, opening malicious attachments or clicking on malicious links.

In some cases, cybercriminals are looking for a quick payday – for example, by spoofing a supplier’s domain to trick someone in your finance department into paying a fake invoice. Or by impersonating your CEO to obtain pre-paid gift cards that they can then spend. Where this involves large sums of money, this can obviously have significant impacts for your organization’s bottom line.

But email attacks can also put personal data at risk, both yours and that of your employees and clients, which can put you in breach of data privacy laws. For example, some malicious emails are designed to trick you into entering your system credentials into fraudulent websites, either by pretending your password needs resetting or, as in some COVID-19 scams, by pretending you need to log in to a website to access training materials or education resources. Once attackers have your login credentials, they can use them to access data stored on your company network, sell them to others who will try the same, or test whether they unlock any of your other online accounts. If personal data is put at risk, this constitutes a data breach and will often have to be reported to the relevant regulator.

Using DMARC means you will be able to monitor whether cyber criminals are using your domain for fraudulent email attacks, like phishing and spear phishing. When domain owners at other organizations also have DMARC enabled, organizations are able to act as a community to protect each other and, ultimately, protect sensitive data. Unfortunately, cybercriminals will continue to use email as a top attack vector – again, mostly because everyone has access to it, so the likelihood of being able to trick people increases. It’s important, therefore, you take every step you can to prevent instances of phishing, spear phishing and CEO fraud, and understand how DMARC helps.

Is DMARC enough?

While DMARC is something every organization should enable, on its own, it’s not enough to protect you from every type of threat.

DMARC is a preventive control for your own domain. As a domain owner, you use DMARC to monitor and block instances where your domain is being spoofed, to prevent phishing, spear phishing and CEO fraud carried out in your name. It protects you from inbound spoofing only to the extent that the other organisations whose domains are being spoofed have also deployed DMARC, so you are relying on them to do so. Unfortunately, not everyone will, so you need other technologies to help detect and prevent inbound email attacks. (You should continue using DMARC even if not everyone else does, to protect your domain authority and brand reputation by reducing the likelihood that a cybercriminal can successfully spoof your company’s domain to attack another organisation.) In addition, not every cybercriminal spoofs a domain as part of their attack: mail sent from a lookalike domain, from a compromised legitimate account, or with only a forged display name passes DMARC, because in each case the From: domain is genuinely authorised.

As well as DMARC, you should invest in inbound email filtering. These systems scan incoming emails for suspicious links and malware, and detect spam, which can be reported to internet service providers so they can blocklist the spammer and reduce the volume of spam you receive. Email filtering systems can also help protect you from DDoS and zero-hour attacks.

In addition to DMARC and inbound filtering systems, you must also consider outbound email protection – because, as we’ve already established, everyone has access to email and, consequently, they use it to share sensitive data and privileged information. At Egress, we provide Intelligent Email Security, which can prevent emails being sent to incorrect recipients – whether that’s in response to a spear phishing attack or simply because you’ve added the wrong ‘Bob’. And because just getting an email to the right person isn’t enough to keep sensitive data safe, we also provide powerful encryption technology and detailed reporting functionality. Only by implementing holistic controls, such as DMARC to protect your name, filtering to remove unwanted or malicious emails, and outbound security like Egress Intelligent Email Security will you be able to truly keep sensitive data secure.
