Gartner includes DMARC (Domain-based Message Authentication, Reporting & Conformance) in its list of top 10 security projects for 2021. With very few exceptions, the best way for organizations to prevent being impersonated in email attacks is to integrate DMARC into their Office 365-based email ecosystems.
To understand why, let’s consider the benefits of deploying DMARC within Office 365 environments, and tips for success when deploying DMARC for your organization.
Fraudulent emails appearing to come from a legitimate, trusted source lead to nearly $7.5 billion in business losses worldwide each month. When these scams lead to a data breach, the cost to US businesses now averages $3.86 million per incident, according to Ponemon Institute.
DMARC is designed to prevent that. DMARC is an email authentication standard that works as a policy layer for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help email receiving systems recognize when an email hasn’t been authorized by the company owning the From: header domain. DMARC provides instructions to email receiving systems on how to safely dispose of these unauthorized messages.
Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be blocked from ever reaching their intended recipients. Less rigid policy settings include quarantine (p=quarantine), which places those emails in the spam folder, and monitor only (p=none), which helps organizations monitor how their domain is being spoofed, but does not protect the recipients of those emails.
DMARC is already part of the robust security controls built into O365, so you have ample protection against most inbound phishing and spam attacks. In fact, you don’t have to do anything to implement DMARC for email that you receive within Office 365. What’s more, if you don’t use a custom domain for outbound email, and instead use the standard onmicrosoft.com subdomain, you don’t need to do anything else to configure or implement DMARC on your Office 365 tenant.
However, if you have configured your Office 365 tenant to use a custom domain (e.g., yourcompany.com), or if you use any third parties to send some of your email, such as SendGrid, MailChimp, Salesforce, Marketo, or others, you’ll want to implement DMARC yourself. But how do you get started on DMARC in your Office 365 environment? Let’s take a look at some good practices, some better practices, and the best thing you can do to get the most out of your DMARC deployment.
We recommend using a phased deployment when implementing DMARC. This is especially true for large companies implementing DMARC across a large number of domains spanning divisions, departments, and third-party senders. Doing so helps ensure that you don’t impact the rest of your email flow.
Agari recommends a multi-step plan for DMARC implementation. Execution for each step should start with a single subdomain, then proceed to other subdomains, and finally finish with the top-level domain in the organization, before moving to the next step. Best practices for implementing DMARC include:
When implementing DMARC for multiple domains, it’s important to remember that DMARC records are hierarchical. This can be useful, as you may be able to specify a smaller number of high-level DMARC records for wider coverage. However, care should be taken to configure explicit subdomain DMARC records where you do not want the subdomains to inherit the top-level domain’s DMARC record.
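The inheritance described above, together with the three policy levels (reject, quarantine, none), can be checked before publishing records. The following Python sketch is an added example, not Agari or Microsoft code: it resolves which DMARC policy a receiver following the RFC 7489 lookup would apply to a given From: domain. The zone contents are constructed, the function names are hypothetical, and the organizational domain is supplied by the caller rather than derived from the Public Suffix List.

```python
# Constructed sample zone: TXT records keyed by DNS name (not real data).
SAMPLE_TXT = {
    "_dmarc.yourcompany.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.news.yourcompany.com": "v=DMARC1; p=none",
}
# What each policy asks a receiver to do, as described in the article.
DISPOSITION = {
    "reject": "block before delivery",
    "quarantine": "deliver to the spam folder",
    "none": "monitor only, no protection for recipients",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Simplified validation: v=DMARC1 must come first and p= must be a known policy.
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or tags.get("p", "").lower() not in DISPOSITION:
        return None
    return tags


def effective_policy(from_domain, org_domain, txt_records):
    """Return (policy, record_name) applied to mail with this From: domain.

    org_domain is passed in by the caller (assumption); real receivers derive it.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    # 1. An explicit record on the exact From: domain always wins.
    name = "_dmarc." + from_domain
    record = parse_dmarc(txt_records.get(name, ""))
    if record:
        return record["p"].lower(), name
    # 2. Otherwise a subdomain falls back to the organizational domain's record.
    name = "_dmarc." + org_domain
    record = parse_dmarc(txt_records.get(name, ""))
    if record and from_domain.endswith("." + org_domain):
        # Inherit sp= when it is present and valid, else the parent's p=.
        sp = record.get("sp", "").lower()
        return (sp if sp in DISPOSITION else record["p"].lower()), name
    return None, None
```

In the sample zone, `news.yourcompany.com` stays at monitor-only because of its explicit record, while any other subdomain inherits `sp=quarantine` from the top-level record.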
While deploying DMARC on a single domain is relatively simple, a large-scale implementation is fraught with complexity.
That’s why you might want to consider a solution like Agari Brand Protection, which simplifies the challenges associated with implementing DMARC in Office 365-based email environments and has been shown to drive spoofed messages from your domain to near zero levels almost instantly. The founder and CEO of Agari is one of the authors of the DMARC standard, and Agari pioneered DMARC deployments for the enterprise. Today, we manage 230,000 domains for DMARC—driving scale and efficiency in implementations for our customers.
In fact, more than 40% of the Global 2000 rely on our solutions and know-how to reach maximum DMARC enforcement efficiently, and Microsoft itself has selected Agari to protect its own iconic brand. When selecting a DMARC solution to protect your outbound Office 365 email, what could be better than the product Microsoft trusts to protect a brand estimated to be worth $163 billion?
As fraud actors continue to refine evasion and obfuscation techniques, enterprises can no longer depend on siloed and fragmented point products to effectively protect their employees, customers, suppliers, and partners. Azure Sentinel, the world’s first cloud-native SIEM/SOAR/UEBA platform from a major cloud service provider, is at the forefront of a secular trend of consolidation and integration in the cybersecurity stack.
DMARC is not an island, but rather a critical component of an integrated security strategy. Agari Brand Protection, along with two other solutions from Agari, integrates seamlessly with Azure Sentinel to share threat intelligence. Agari Phishing Defense is a highly specialized, complementary solution to Defender for Office 365 (previously ATP) that uses ML/AI techniques to detect and remediate sophisticated identity-based threats such as spear phishing, business email compromise (BEC), vendor email compromise (VEC) and account takeover-based attacks. Agari Phishing Response is a turnkey solution that automates the process of phishing response, remediation, and breach containment.
And the recently launched Agari Data Connector for Sentinel allows customers to ingest logs from Agari Brand Protection and Agari Phishing Defense to detect, correlate, and remediate threats more effectively. With this data connector, Agari becomes the only email security vendor to share threat intelligence with Azure Sentinel.
The data connector comes with sample queries that inform the creation of additional Azure Sentinel analytics, workbooks, and workflows around insights such as attack types, policy hits, and most attacked users. In addition, customers using the federated model of Microsoft Graph Security API can benefit from investigation IOCs shared by Agari Phishing Response and malicious domains or URLs reported by Agari Brand Protection in their quest to triage and isolate threats more effectively.
In summary, an integrated security architecture that encompasses Agari solutions with Defender for Office 365, Azure Sentinel, and Graph Security API allows organizations to leverage the rich visibility from email security as the first line of defense to reduce attack surface, strengthen core defenses, and enhance overall security posture.
Want to learn more about how Agari works with Office 365? Get a look at how the solution can work for you with a free demo from our team.