Email Security Blog

DMARC 101 (Part I) – S/MIME, SPF, and DKIM

Michael Paiko February 3, 2021 DMARC

Why do you need DMARC to protect your email domains from being leveraged in phishing attacks? To get the full picture, let’s look at the basics—and how DMARC came to be.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an open email authentication protocol that helps senders protect their email domains from being spoofed by fraudsters in phishing attacks and business email compromise (BEC) scams that lead to more than $700 million in consumer and business losses each month.

At its most essential, DMARC gives brands control over who is allowed to send emails on their behalf. It works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to enable email providers to recognize when an email isn’t coming from a brand’s approved email sending domains, and gives the brand the ability to set policies that tell email providers what to do with these unauthorized emails.

Its most aggressive enforcement policy is reject (p=reject), which means email messages that don’t pass DMARC authentication will be rejected by a mail server and not delivered to its intended recipient.

Why Is DMARC So Important?

For impersonated brands, the ripple effect can be profound. The domain may suffer reputational damage, resulting in being blacklisted by some email providers, or experience reduced deliverability rates for the brand’s legitimate email communications and marketing programs.

With millions of corporate employees working from home due to the COVID-19 pandemic, email has never been more important—or more lucrative for fraudsters. According to the FBI, the total volume of phishing and BEC emails may have doubled in just the past year.

Brands are impersonated in 66% of these attacks. Beyond lost business and possible regulatory fines, emerging case law has held that the party who is in the best position to prevent email impersonations in fraud cases should bear the cost of any losses.

A short history of email authentication can help illustrate why DMARC has become so critical to helping prevent fraudsters from impersonating your brand in phishing and email scams that can cost you plenty.

The Road to DMARC

The first major effort to bring strong security to email was the S/MIME encryption and digital signing standard in the late ’90s.

Despite a solid technical base and strong vendor support, S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions) never achieved meaningful market penetration. This is largely due to the level of user action and involvement required to use S/MIME effectively, along with other logistics issues that make it difficult to deploy and manage.

Starting in the mid-2000’s, a new set of security and authentication standards for email began to gain traction. Two in particular solved related aspects of the email security quandary.

SPF: The first of those standards was the Sender Policy Framework standard. SPF allows email senders to specify which IP addresses are allowed to send email from a given domain, i.e., only IP 1.2.3.4 is allowed to send email from @OurBrandDomain.com addresses, and to publish these policies in DNS records for the domains in question.

DKIM: The second standard from this timeframe is DomainKeys Identified Email. DKIM was created by merging two new technologies—Domain Keys (developed at Yahoo) and Identified Internet Mail (developed at Cisco). DKIM complements SPF by using encryption to give email senders a way to digitally sign all the outgoing email from a given domain, and publish the public key(s) necessary to validate those digital signatures. This lets the receiving email provider confirm that no changes have been made to the email in transit.

Both SPF and DKIM share an important, common attribute in that neither of them requires any change in behavior on the part of the end-user. This made them much easier to deploy than S/MIME, and within a few years, both SPF and DKIM had been widely adopted.

But here’s where an important “but” comes in. Whether on their own or used together, SPF and DKIM do not provide a complete solution to email authentication. There are a few elements of the equation missing even after an email sender has fully deployed both standards.

In Part II, see how these missing elements led to the development of DMARC–and why it matters to your brand!

To learn more about securing your email, stopping phishing, and protecting your brand from getting impersonated in email scams, read our eBook, “Getting Started with DMARC”

Agari Blog Image

February 11, 2021 Crane Hassold

Cosmic Lynx Returns in 2021 with Updated Tricks

In July 2020, we published a report on a Russian-based BEC group we called Cosmic…

Agari Blog Image

February 9, 2021 Michael Paiko

DMARC 101 (Part II) – DMARC Fills the Holes Left by SPF and DKIM

You can catch up on Part 1 here. As we discussed in part one of…

Agari Blog Image

December 18, 2020 Brent Sleeper

DMARC: 3 Best Practices for Capturing Next-Level Business Value

Implementing DMARC at its highest enforcement level is critically important to security and messaging operations.…

DMARC implementation

November 18, 2020 Brent Sleeper

DMARC: 5 Keys to Success

In this post, we will look at 5 keys to DMARC success both organizationally and…

Man working at computer

October 22, 2020 Michael Paiko

What is DMARC Policy? 3 Policies & Which to Use

Your DMARC policy tells email receivers what to do with unapproved (possibly fraudulent) emails, like…

mobile image