Email Security Blog

DMARC 101 (Part I) – S/MIME, SPF, and DKIM

Michael Paiko February 3, 2021 DMARC

Why do you need DMARC to protect your email domains from being leveraged in phishing attacks? To get the full picture, let’s look at the basics—and how DMARC came to be.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an open email authentication protocol that helps senders protect their email domains from being spoofed by fraudsters in phishing attacks and business email compromise (BEC) scams that lead to more than $700 million in consumer and business losses each month.

At its most essential, DMARC gives brands control over who is allowed to send emails on their behalf. It works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to enable email providers to recognize when an email isn’t coming from a brand’s approved email sending domains, and gives the brand the ability to set policies that tell email providers what to do with these unauthorized emails.

Its most aggressive enforcement policy is reject (p=reject), which means email messages that don’t pass DMARC authentication will be rejected by the receiving mail server and never delivered to their intended recipients.

Why Is DMARC So Important?

For impersonated brands, the ripple effect can be profound. The domain may suffer reputational damage, resulting in being blacklisted by some email providers, or experience reduced deliverability rates for the brand’s legitimate email communications and marketing programs.

With millions of corporate employees working from home due to the COVID-19 pandemic, email has never been more important—or more lucrative for fraudsters. According to the FBI, the total volume of phishing and BEC emails may have doubled in just the past year.

Brands are impersonated in 66% of these attacks. Beyond lost business and possible regulatory fines, emerging case law has held that the party who is in the best position to prevent email impersonations in fraud cases should bear the cost of any losses.

A short history of email authentication can help illustrate why DMARC has become so critical to helping prevent fraudsters from impersonating your brand in phishing and email scams that can cost you plenty.

The Road to DMARC

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late ’90s.

Despite a solid technical base and strong vendor support, S/MIME (Secure/Multipurpose Internet Mail Extensions) never achieved meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistical issues that make it difficult to deploy and manage.

Starting in the mid-2000s, a new set of security and authentication standards for email began to gain traction. Two in particular solved related aspects of the email security quandary.

SPF: The first of those standards was the Sender Policy Framework. SPF allows email senders to specify which IP addresses are allowed to send email for a given domain (i.e., only a listed IP address may send email from that domain’s addresses) and to publish those policies as DNS records for the domains in question.
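As an added illustration (not code from the original post), here is the receiver-side half of what SPF describes: a small Python evaluator that takes a published SPF record and the connecting IP and returns the RFC 7208 result. The record is a constructed sample for an example domain, and the evaluator is deliberately limited to the ip4, ip6 and all mechanisms, since include, a, mx and redirect need live DNS.

```python
import ipaddress

# Constructed SPF record for an example domain (not from the original post).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP address.

    Supports the ip4, ip6 and all mechanisms only (include, a, mx, exists
    and redirect need live DNS and are out of scope here). Returns one of
    pass / fail / softfail / neutral / permerror, using RFC 7208's result
    names. Anything unrecognised yields permerror so that a typo in the
    record can never silently authorise every sender.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # not an SPF version-1 record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a prefix default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            # ip4 may only match IPv4 senders, ip6 only IPv6 senders
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this evaluator does not implement
    return "neutral"  # RFC 7208: nothing matched and no redirect => neutral
```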

DKIM: The second standard from this timeframe is DomainKeys Identified Mail. DKIM was created by merging two new technologies—DomainKeys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by using public-key cryptography to give email senders a way to digitally sign all outgoing email from a given domain, and to publish in DNS the public key(s) needed to validate those signatures. This lets the receiving email provider confirm that the signed portions of the email have not been changed in transit.

Both SPF and DKIM share an important, common attribute in that neither of them requires any change in behavior on the part of the end-user. This made them much easier to deploy than S/MIME, and within a few years, both SPF and DKIM had been widely adopted.

But here’s where an important “but” comes in. Whether on their own or used together, SPF and DKIM do not provide a complete solution to email authentication. There are a few elements of the equation missing even after an email sender has fully deployed both standards.

In Part II, see how these missing elements led to the development of DMARC–and why it matters to your brand!

To learn more about securing your email, stopping phishing, and protecting your brand from getting impersonated in email scams, read our eBook, “Getting Started with DMARC”
