Email Security Blog

Can’t Time Travel? DMARC is a Second Option.

Guest Blogger September 21, 2016 DMARC

By Edward Amoroso, CEO of TAG Cyber LLC

Back when Nixon was telling us all that our President was no crook, the fathers of the Internet decided that it would be just fine for computers to lie.

Before this vastly consequential decision by Kahn and Cerf, just about all technology worked on the idea that communicating devices, also known as telephones, should connect across a circuit and should most definitely not lie. So-called point codes designed in the Bell System could be reasonably trusted to reveal the calling party, and this was a handy feature in circuit switching.

But with TCP/IP, Kahn and Cerf decided that it would be fine for you, the sending party, to make your own decision about what to write down as a “from” source address. And they also based their network on packets, which could be scattered in such a manner as to survive nuclear holocausts – perhaps the most awesome example of an original design feature that we’re all glad turned out to have been somewhat extraneous.

Look, this telling-lies and using-packets stuff was obviously a good call, as evidenced by everything that ensued after their design . . . what with their protocol and Internet, like, changing Planet Earth and all . . . but if I could time-travel, I might bop back to 1973 and ask whether it might be possible to reconsider that design decision. I doubt they’d have listened.

Nevertheless, until someone can find a DeLorean, we must all try to do what we can to improve robustness against source deception at the protocol and application levels. Email, in particular, has been a bit of a mess recently, with senders figuring out that they can send email from “Your Trusted Bank” without actually being “Your Trusted Bank.” This is a real bummer when the email looks like it most definitely came from “Your Trusted Bank.” It can get really confusing, and we call the result phishing.

Two super geeky standards with the acronyms SPF and DKIM were designed to try to help fix the problem at the infrastructure level. SPF lets a domain owner publish in DNS the list of servers allowed to send mail for that domain, so a receiving provider can check whether the connecting server is on the list. DKIM lets the sending system put a cryptographic signature on the message headers and body, verified against a public key that is also published in DNS, so the content cannot be altered in transit without detection. A newer standard called DMARC combines the two: it requires that whichever check passes be for the same domain that appears in the “From” address the recipient actually sees (the earlier standards never required this), lets the domain owner publish a policy for mail that fails (monitor only, quarantine, or reject), and sends the owner reports about who is sending mail in the domain’s name.
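To make the SPF/DKIM/DMARC relationship concrete, here is an added example (written for this page, not code from the original post or from Agari) that evaluates a message the way a receiving provider would. The DNS records, domain names and client IP addresses are constructed for illustration; the SPF evaluator handles only ip4 mechanisms, the DKIM verification result is taken as an input rather than computed, and the organizational-domain rule is a simplified two-label stand-in for the Public Suffix List that real receivers use.

```python
"""DMARC alignment and policy evaluation over constructed SPF/DKIM inputs.

Added example: the DNS records below are made up (the .example TLD is
reserved for documentation); nothing here touches the network.
"""
import ipaddress

# Constructed TXT records, keyed by the name a receiver would query.
DNS_TXT = {
    "yourtrustedbank.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.yourtrustedbank.example": (
        "v=DMARC1; p=reject; adkim=r; aspf=s; "
        "rua=mailto:dmarc-rua@yourtrustedbank.example"
    ),
    # The spammer's own domain publishes a perfectly valid SPF record.
    "cheap-bulk-mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def check_spf(mail_from_domain, client_ip):
    """Minimal SPF: ip4 mechanisms plus -all/~all. Returns an SPF result string."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def parse_dmarc(from_domain):
    """Fetch and parse _dmarc.<domain>; None when the domain publishes no policy."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (e.g. for co.uk); this stand-in is enough here.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, mail_from_domain, client_ip, dkim_signatures):
    """from_domain: domain of the visible From: header.
    mail_from_domain: SMTP envelope sender domain (what SPF is checked against).
    dkim_signatures: list of (d= domain, verified) pairs as a DKIM verifier reports.
    Returns the DMARC result and the disposition the policy asks for."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none"}
    spf_ok = (check_spf(mail_from_domain, client_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy["aspf"]))
    dkim_ok = any(verified and aligned(from_domain, d, policy["adkim"])
                  for d, verified in dkim_signatures)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": policy.get("p", "none")}


if __name__ == "__main__":
    # Legitimate mail: envelope and signing domain match the visible From.
    print(evaluate_dmarc("yourtrustedbank.example", "yourtrustedbank.example",
                         "203.0.113.10", [("yourtrustedbank.example", True)]))
    # Phish: From says the bank, but the envelope sender is the spammer's domain.
    # SPF passes for that domain, yet it is not aligned, so DMARC says reject.
    print(evaluate_dmarc("yourtrustedbank.example", "cheap-bulk-mailer.example",
                         "198.51.100.7", []))
    # Lookalike domain with no DMARC record: DMARC has nothing to say.
    print(evaluate_dmarc("yourtrusted-bank.example", "yourtrusted-bank.example",
                         "198.51.100.7", []))
```

The second scenario is the whole point of DMARC: SPF on its own is satisfied because the spammer's envelope domain authorizes the spammer's server, and only the alignment check against the visible From domain catches the impersonation. The third scenario is the caveat a practitioner should keep in mind: DMARC protects the domains whose owners publish a policy, not lookalike domains or spoofed display names, and a record with `p=none` only reports and blocks nothing. Outside this toy, the records are ordinary TXT lookups, so `dig TXT _dmarc.yourtrustedbank.example` is how you would see whether a real domain has a policy and what it is.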

The whole thing is a really great idea that solves a really tough problem and has solutions from some really great companies – like Agari. So it is perhaps a bit confusing that this control is rarely included in audit reports, compliance standards, regulatory frameworks, and on and on. Such omission might be because, admittedly, understanding DMARC requires that you be a bit of a techie. I cover the standard to some degree in my new report 2017 TAG Cyber Security Annual, available for free download on the Agari website and the TAG Cyber website.

But here is my request: Even if you are not a techie, you probably know how to complain and whine – right? And this is exactly what you should do with the group managing your business domain if they are not presently using DMARC to reduce the risk of phishing. So why don’t you take a moment and send them a note asking if DMARC is in place to reduce security risk in email . . . and if they are not, then you have my permission to complain.
