What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email security protocol designed to protect email domains from being used in cyber-attacks such as phishing and spoofing.
Originating from the collaboration between various industry stakeholders, DMARC builds on existing protocols like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). By verifying email senders and aligning them with their domain policies, DMARC enhances email authentication and safeguards the reputation of email domains. Implementing DMARC protection is crucial for organizations to ensure their emails are legitimate and secure.
Major email service providers Google and Yahoo recently made the protocol mandatory for bulk senders in an effort to make inboxes safer worldwide. The new requirements demonstrate an increasing need for a standardized solution as misconfigured or nonexistent authentication systems continue to allow threat actors to evade detection and leverage the legitimate reputation of third parties.
DMARC is a powerful tool that allows email administrators to confidently identify and stop certain spoofed emails; however, more organizations must implement the standard for it to reach its full potential. The success and effectiveness of DMARC is dependent on broad adoption of the standard – by organizations of all sizes.
Why is DMARC in email important?
DMARC email security is an essential measure for protecting your domain from unauthorized use and safeguarding your brand reputation. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, which works by verifying the authenticity of email senders using protocols like DKIM and SPF. This process, known as DMARC email authentication, helps to combat email spoofing and phishing attacks, where malicious actors impersonate legitimate email addresses to deceive recipients.
By implementing DMARC, domain owners can instruct email receivers on how to handle messages that fail authentication checks, thus preventing fraudulent emails from reaching inboxes. The protocol boosts email security and enhances visibility and control over your domain's email traffic. Regular DMARC verification and monitoring ensures ongoing protection and helps maintain the integrity of your email communications.
How does DMARC work?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) provides a way for domain owners to specify their authentication practices and define actions to be taken when an email fails authentication. DMARC also enables recipients to report on email that fails authentication, enhancing visibility and control over email security.
DMARC builds on two key authentication technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and significantly improves their ability to prevent domain spoofing. SPF verifies that a sender’s IP address is authorized to send email on behalf of a particular domain, and DKIM ensures the integrity of email content by providing a verifiable digital signature.
DMARC adds to this by allowing domain owners to publish policies that specify how SPF and DKIM results must align with the From address presented to users, the address whose authenticity the receiving mail server is trying to establish.
These policies work in tandem to help authenticate email senders by verifying the emails are from the domain they say they are, working to prevent domain spoofing attacks. Key benefits of DMARC include:
- Phishing protection: DMARC protects against direct domain spoofing, in which a threat actor impersonates a legitimate domain. This is a common phishing technique used to trick employees into disclosing sensitive information such as privileged credentials, bank details, etc.
- Improving brand reputation: As DMARC helps to prevent impersonation of domains, it stands to maintain and increase an organization’s brand reputation. Additionally, as organizational reputation improves, so will the deliverability of emails.
- Increased visibility: DMARC provides enhanced visibility into email communication channels, including reports of all emails sent on behalf of your domain. This allows security teams to identify shadow-IT and any unauthorized parties using their domain.
What DMARC does and how it works
DMARC performs several critical functions in enhancing email security:
- Prevents Email Spoofing: DMARC helps to prevent attackers from using your domain to send fraudulent emails, thereby protecting your brand and reducing the risk of phishing attacks.
- Specifies Authentication Practices: Domain owners can outline their authentication practices and policies, providing clear instructions on how to handle emails that fail DMARC verification.
- Provides Reporting Mechanisms: DMARC offers a mechanism for recipients to report on emails that fail authentication, allowing domain owners to monitor and respond to potential threats.
- Enhances Email Deliverability: By ensuring that emails are authenticated, DMARC improves the overall deliverability of legitimate emails, as authenticated emails are less likely to be marked as spam.
DMARC works by leveraging existing email authentication protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to validate the authenticity of an email sender. Here’s a step-by-step breakdown of how DMARC operates:
- Publishing a DMARC Record:
  - The domain owner publishes a DMARC DNS record at their DNS hosting company. This record includes instructions on how to handle emails that fail DMARC verification and where to send reports.
- Email Sending and Receiving:
  - When an email is sent from the domain, or someone attempts to spoof the domain, the recipient mail server checks for the presence of a DMARC record.
- Authentication and Alignment Tests:
  - The mail server performs DKIM and SPF authentication tests:
    - Does the message have a valid DKIM signature?
    - Does the sender’s IP address match authorized senders in the SPF record?
    - Do the message headers pass domain alignment tests?
  - DMARC domain alignment ensures that the From domain matches the domains used in DKIM and SPF.
- Applying the DMARC Policy:
  - Based on the results of the DKIM and SPF tests, the mail server applies the domain’s DMARC policy, which could be to quarantine, reject, or do nothing with the message if it fails the authentication tests.
- Reporting:
  - The recipient mail server sends DMARC Aggregate Reports to the email addresses specified in the DMARC record. These reports provide insights into the domain’s email traffic and authentication results.
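The evaluation steps above, as an added example that is not part of the original page: a receiving server parses the domain's DMARC TXT record, checks whether the SPF or DKIM result is aligned with the From domain, and derives the disposition. The record and message details are constructed sample values, and organizational-domain detection is simplified to the last two labels (no public-suffix list).

```python
# Added example: evaluate a message against a DMARC record the way a receiving
# server does. Sample record and message values are constructed, not real.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: assumes a two-label registrable domain."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment accepts subdomains of the same organizational domain;
    strict ('s') alignment requires an exact match with the From domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record: dict, from_domain: str, spf_pass: bool, spf_domain: str,
                   dkim_pass: bool, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passes
    AND the domain that passed is aligned with the From domain."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The 'sp' tag, when present, overrides 'p' for mail from subdomains.
    policy = record["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in record:
        policy = record["sp"]
    return ("fail", policy)

# Constructed sample record for example.com; strict DKIM alignment, relaxed SPF.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Legitimate mail: SPF passes for the From domain itself.
    print(evaluate_dmarc(rec, "example.com", True, "example.com", False, ""))
    # SPF passes for an unrelated sending domain: not aligned, so DMARC fails -> reject.
    print(evaluate_dmarc(rec, "example.com", True, "bulk-esp.net", False, ""))
```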
What can't DMARC do?
DMARC is often positioned as a way for organizations to ‘solve’ their email security problems; however, 65% of the phishing emails observed by Darktrace successfully passed DMARC verification, indicating that a significant number of threat actors are capable of manipulating email security and authentication systems in their exploits. While DMARC is a valuable tool in the fight against email-based attacks, the evolving threat landscape demands a closer look at its limitations.
As threat actors continue to innovate, improving their stealth and evasion tactics, the number of attacks with valid DMARC authentication will only continue to increase in volume and sophistication. These can include:
- Phishing attacks that leverage non-spoofed domains: DMARC allows an organization to protect the domains that it owns, preventing threat actors from sending phishing emails from those domains. However, threat actors will often register and use ‘look-alike’ domains that closely resemble an organization’s domain to dupe users. 3% of the phishing emails identified by Darktrace utilized newly created domains, demonstrating shifting tactics.
- Email Account Takeovers: If a threat actor gains access to a user’s email account through other social engineering means such as credential stuffing, they can then send phishing emails from the legitimate domain to pursue further attacks. Even though these emails are malicious, DMARC would not identify them as such because they are coming from an authorized domain or sender.
What can users expect from DMARC?
Despite the criticality of DMARC for preserving brand reputation and trust, adoption of the standard has been inconsistent. DMARC can be complex to implement, and many organizations lack the time required to understand and successfully deploy the standard. Because of this, DMARC setup is often outsourced, giving security and infrastructure teams little to no visibility into or control of the process.
Implementation of DMARC is only the start of this process, as DMARC reports must be consistently monitored to ensure organizations have visibility into who is sending mail from their domain, the volume of mail being sent and whether the mail is passing authentication protocols. This process can be time consuming for security teams who are already faced with mounting responsibilities, tight budgets, and personnel shortages. These complexities unfortunately delay organizations from using DMARC – especially as many today still view it as a ‘nice to have’ rather than an essential.
Despite the potential complexities of the DMARC implementation process, there are many ways security and infrastructure teams can still successfully roll out the standard. Initial implementation should start with monitoring, then policy adjustment, and then enforcement. As the business changes over time, DMARC should be reviewed regularly to ensure ongoing protection and maintain domain reputation.
Implementing DMARC provides several benefits for users:
- Enhanced Security: DMARC helps prevent unauthorized use of your domain, reducing the risk of phishing and spoofing attacks.
- Improved Visibility: DMARC reports offer detailed information about email authentication results, helping domain owners monitor and analyze their email traffic.
- Better Control: Domain owners can define specific actions for handling failed authentication attempts, improving control over their email domain’s security.
- Increased Trust: By ensuring that emails are properly authenticated, DMARC enhances the trustworthiness of your domain, leading to better email deliverability and recipient trust.
What could happen without DMARC protection?
Without DMARC protection, companies are vulnerable to various email-based threats that can have severe negative impacts. Here are some examples illustrating why DMARC protection is crucial:
Email Spoofing
Without DMARC protection, cybercriminals can easily spoof your domain, sending fraudulent emails that appear to come from your legitimate email addresses. This can lead to phishing attacks, where attackers deceive recipients into providing sensitive information or clicking on malicious links. For instance, in early 2020, the World Health Organization’s domain was spoofed to send fraudulent emails, exploiting the trust recipients placed in the organization.
Phishing Attacks
Phishing is a common tactic used by attackers to trick individuals into divulging personal information or credentials. Companies without DMARC protection are at a higher risk of being impersonated in these attacks. According to the Verizon Data Breach Investigations Report 2018, phishing and pretexting account for 93% of data breaches. DMARC protection helps prevent these attacks by ensuring that only authenticated emails from your domain reach recipients.
Brand and Reputation Damage
Receiving fraudulent emails purportedly from your domain can severely damage your brand’s reputation. Customers and partners may lose trust in your communications, associating your brand with insecurity and fraud. DMARC protection helps maintain your brand’s credibility by preventing unauthorized use of your domain in email communications.
Business Email Compromise (BEC)
Business Email Compromise (BEC) involves attackers impersonating executives or employees to trick recipients into transferring money or sensitive information. Companies without DMARC protection are more susceptible to these targeted attacks, which can lead to significant financial losses and data breaches. DMARC protection helps mitigate BEC risks by authenticating emails and rejecting those that fail verification.
Lower Email Deliverability
Without DMARC protection, legitimate emails from your domain may be marked as spam or rejected by recipient mail servers due to the presence of unauthenticated messages. This can result in lower email deliverability rates, hindering your communication efforts with customers, partners, and employees. DMARC protection ensures better deliverability by validating your emails and enhancing their trustworthiness.
Legal and Compliance Risks
Many regulations and standards, such as the U.S. government’s Binding Operational Directive 18-01 and the Payment Card Industry Data Security Standard (PCI DSS), mandate the use of DMARC protection for email security. Companies without DMARC protection may face legal and compliance risks, including fines and penalties for failing to meet these requirements.
Understanding DMARC within email security
As email-based attacks continue to rise, the industry must recognize the importance of driving adoption of foundational email authentication protocols. To do this, a new and innovative approach to DMARC is needed. DMARC products must evolve to better support organizations throughout the ongoing DMARC monitoring process, rather than just initial implementation. These products must also be able to share intelligence across an organization’s security stack, extending beyond email security tools. Integration across these products and tools will help organizations optimize their posture, ensuring deep understanding of their domain and increased visibility across the entire enterprise.
DMARC is critical in protecting brand identity and mitigating exact-domain based attacks. However, organizations must understand DMARC’s unique benefits and limitations to ensure their inboxes are fully protected. In today’s evolving threat landscape, organizations require a robust, multi-layered approach to stop email threats – in inbound mail and beyond. Email threats have evolved – it’s time security does too.