With phishing attack rates soaring, the DMARC email standard is increasingly gaining traction—but so are some dangerous misconceptions.
With email attacks expected to contribute to more than $600 billion in losses this year, a growing number of organizations are adopting Domain-based Message Authentication, Reporting & Conformance (DMARC) in an effort to protect themselves and their customers from fraudsters.
Adoption of DMARC has tripled in just the last year, and more than 70% of all email inboxes worldwide support this standard for detecting identity-based fraudulent email attacks. DMARC’s email authentication protocols, first introduced in 2012, have proven extremely effective in stopping billions of email attacks from ever reaching their targets.
But that’s only when it’s done right. As it stands now, there are a number of myths about DMARC that could hinder deployments and undermine efforts to thwart attacks. Let’s debunk 5 of the most prevalent:
Makes sense, right? After all, getting started with DMARC only requires publishing a DMARC record to your DNS after which you get immediate visibility of your email sending environment. But in addition to reporting, DMARC also acts as the policy layer for email authentication technologies already widely in use, including Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). Visibility, reporting, and policy enforcement all with a simple DNS record seems pretty easy, and in fact it is, but the devil is in the details.
DMARC reports (in the form of raw XML) can be difficult to parse and more importantly, difficult to correlate sending IP addresses with the actual organizations that send on your behalf. Most organizations are surprised to discover how complex their email ecosystem is—especially for those with thousands of domains across multiple geographies and countless 3rd party partners. And because authenticating your email with SPF and DKIM has to be done before any policy actions can be implemented, knowing who to contact at which email service provider is the necessary first step in implementing DMARC. Fortunately that’s where a feature like Email Cloud Intelligence in Agari’s Customer Protect product eliminates all of the guesswork and positively maps sending IP addresses to the email service provider that send on your behalf and why our customers have said using Agari is like “turning the lights on in a dark room.”
When configured correctly, DMARC enables receivers, either webmail providers or secure email gateways (SEGs) w/ DMARC support, to detect deceptive emails sent by attackers spoofing the domains owned by the organization. That’s true whether the message is inbound or outbound—right?
That’s correct, with some important distinctions. When configured properly, DMARC stops phishing attacks that appear to originate from trusted domains. That makes it ideal for outbound phishing protection, because the organization sending email controls its implementation. But it can also mitigate certain threats found in inbound traffic—at least as part of a multi-layered approach to email security. However, based on multiple independent studies, the overall number of attacks using “owned domain spoofing” as an attack vector is in the low double digits of percentage and decreasing. More than 80% of spear phishing attacks leverage Display Name Imposters (DNI), either brand or individuals, and DMARC provides no defense against that. Additionally, DMARC doesn’t protect against look alike domain spoofs in either the inbound or outbound direction.
The good news is that DMARC is supported by 2.5 billion email boxes worldwide, and more are joining these ranks in every day. By establishing a DMARC record, email senders can help receivers spot spam that’s impersonating an organization known to be DMARC protected. So aren’t you good to go?
Not quite. Yes, a DMARC record enables senders and receivers to exchange data that can help them spot scams. But it does nothing to enforce any policies on its own. For that, organizations must specify in their record whether unauthenticated emails should be quarantined in a junk folder or rejected outright. The bad news: Almost 80% of organizations with DMARC have yet to enable any enforcement policies, leaving them wide open to impersonation attacks. That includes 67% of the Fortune 500. Remember, DMARC is both a reporting standard as well as a policy enforcement standard. Visibility is a great first step to understanding your email sending environment, but enforcement needs to fast follow to ultimately protect your organization and your brand.
With DMARC properly set and appropriate enforcement policies activated for the domains from which they send email, organizations have everything they need to effectively monitor email and make informed security decisions, correct?
Any domain can be impersonated, so it’s not a matter of locking down just domains that currently send email. Every domain you own should be DMARC protected to make sure email receivers can assess whether incoming messages purporting to come from any of your domains is authentic. Brand protection that only covers some domains isn’t really brand protection at all as the attackers will quickly move to other domains that look or sound like you.
DMARC is awesome: Get your domains locked down, set your policies, and enjoy a drop-the-mic moment, right?
Setting up DMARC is just the beginning. How will you ensure enforcement throughout the email ecosystem? What happens if your marketing team signs up another vendor to send email on your behalf? What if somebody registers a new domain or sub-domain as part of a new email marketing campaign? How will you use data from all your email streams to gain visibility into fraud tactics and fight active threats as they emerge? If “eternal vigilance is the price of liberty” then continuous monitoring of your email ecosystem is the price of a 100% safe and secure brand. Fortunately Agari has been in this market longer than any other vendor and our track record of success with the world’s largest brands proves we are the best at it.
Myth-busting aside, it’s unclear how many organizations will use DMARC to its full potential. Still, when you consider that 95% of successful breaches start with email, we should all hope a growing number decide that doing DMARC right is worth it.
To learn more about how DMARC works, and best practices and challenges during implementation, download an exclusive Agari whitepaper, “Getting Started with DMARC,” here.