DMARC (Domain-based Message Authentication, Reporting and Conformance) is an open email authentication protocol, published in 2012 by a group of organizations including Google, Microsoft, Agari, PayPal and others, to protect the email channel. DMARC builds on SPF and DKIM: it lets a domain owner tell receiving mail servers how to check that a message carrying that domain in its From: header is authorized, what to do with a message that fails the check, and where to report what they saw.
"For 95% of breaches, email is the means of communication to the target." (Verizon Data Breach Digest, 2017)
"Phishing…continue[s] to present threats to both the federal government and public at large." (US Federal Information Security Management Act, FISMA)
Email is the #1 way attackers target citizens and government employees.
DMARC functions like an 'identity check' for your agency's domains. It stops spammers and criminals from sending mail that puts your agency's exact domain names in the From: header, which is how they borrow your brand. Note the limit: DMARC does not cover lookalike domains or display-name tricks, so it complements, rather than replaces, inbound filtering and user awareness.
Stop email phishing attacks that trade on your agency's reputation: once an enforcing policy (quarantine or reject) is published, receivers discard or quarantine mail that spoofs your domains, so they are far less likely to be used in an attack.
Reduce account takeover risk: phishing and malware-laden messages that impersonate your own domains, aimed at your employees or constituents, are stopped before delivery, which removes one common route to credential theft and account takeover.
Increase email deliverability: a domain with a published DMARC policy and correctly aligned SPF and DKIM is treated as trustworthy by receivers, so legitimate email from your agency is less likely to be filtered. The reverse also holds: once you enforce a policy, legitimate mail from any sender that is not aligned will be blocked, which is why the monitoring phase matters.
Gain visibility into cyberattack risk: do you know every third-party company that sends email on behalf of your agency? DMARC aggregate reports list every source that sent mail using your domain and whether it authenticated, giving you this visibility so you can bring each legitimate sender into alignment and see who else is using your name.
Fact: The Department of Homeland Security (DHS) has mandated adoption of DMARC on federal executive branch agency email domains (Binding Operational Directive 18-01, October 2017, which requires a policy of p=reject).
Fact: DMARC (and email authentication generally) is evolving into a key metric that affects your agency's FISMA scorecard.
Fact: NIST recommends using DMARC authentication tools to provide protection against phishing (SP 800-177, Trustworthy Email, Section 4.6).
What steps does my agency need to take to use DMARC?
When you publish a DMARC policy for your agency's domain you, as an email sender, are indicating that your messages are protected. The policy record tells a receiver how strictly SPF and DKIM results must align with the From: domain, what to do with a message when neither check passes (none, quarantine or reject), and where to send aggregate and forensic reports.
Here's a typical policy as published in DNS, as a TXT record at _dmarc.<your-domain>. Note that this domain is configured with a policy of "reject".
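To make the policy concrete, here is an added example (not a record or code from the original page) that parses a DMARC TXT record and works out the disposition a receiving server would apply to one message once it has the SPF and DKIM results in hand. The two records, the example.gov domain and the rua/ruf mailboxes are constructed; the organizational-domain derivation is simplified to "the last two labels" where real receivers use the Public Suffix List.

```python
"""Parse a DMARC record and work out the disposition a receiving server
would apply to one message.

Added example for this page, not a record or code from the original.
The sample records and domains (example.gov, the rua/ruf mailboxes) are
constructed. Organizational-domain derivation is simplified to "the last
two labels"; real receivers use the Public Suffix List.
"""

# Constructed records. The first is a monitoring-only record, the second
# the kind of enforcing record the page refers to (p=reject).
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov"
RECORD_REJECT = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; pct=100; "
    "rua=mailto:dmarc-rua@example.gov; ruf=mailto:dmarc-ruf@example.gov; fo=1"
)

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict and apply RFC 7489 defaults.

    Raises ValueError for records a receiver would ignore as invalid.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    # Defaults: relaxed alignment, apply to 100% of mail, subdomains follow p=.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    if tags.get("sp") not in VALID_POLICIES:
        tags["sp"] = tags["p"]
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    `record` is assumed to have been fetched from _dmarc.<organizational
    domain>, so sp= governs subdomains. `spf_domain` is the MAIL FROM
    domain SPF evaluated; `dkim_domain` is the d= of a validated signature.
    """
    tags = parse_dmarc(record)
    spf_pass = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_pass = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_pass or dkim_pass:
        return ("pass", "none")
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    action = tags["sp"] if is_subdomain else tags["p"]
    return ("fail", action)


if __name__ == "__main__":
    # Mail from the agency's own server: aligned SPF, delivered.
    print(disposition(RECORD_REJECT, "example.gov", "pass", "example.gov", "none", None))
    # A third-party sender whose SPF passes for its own domain but is not
    # aligned with the From: domain: rejected under p=reject.
    print(disposition(RECORD_REJECT, "example.gov", "pass", "bulk-vendor.example", "fail", None))
```

The second call in the usage block is the case agencies most often trip over: a vendor that authenticates perfectly well for its own domain still fails DMARC because nothing is aligned with the agency's From: domain, so under p=reject its mail is dropped. Note also that adkim=s makes a DKIM signature from mail.example.gov fail alignment for a From: of example.gov; strict alignment should only be chosen once every sender signs with the exact domain.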
Once your DMARC policy is published with a rua= reporting address, receivers will start sending aggregate reports, typically one XML report per receiving organization per day, each listing every source IP that sent mail using your domain, how much it sent, and whether it passed SPF and DKIM; for an organization that sends a lot of email this quickly becomes thousands of rows to review. Because it is difficult to process the reports manually, you can work with a commercial vendor to display and process the data. Commercial vendors such as Agari can help with DMARC policy creation and hosting, third-party sender identification and alignment, and ongoing visibility as you progress through your DMARC implementation.
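Whether you use a vendor or not, it helps to know what is inside an aggregate report. The following is an added example (not code or data from the page or from any vendor) that reads one report in the RFC 7489 Appendix C layout and sorts the sending sources into aligned senders, third parties that authenticate only for their own domain, and unauthenticated sources, then totals how much mail an enforcing policy would have blocked. The report is constructed: the IPs are from documentation ranges and the domains are placeholders. Real reports come from arbitrary receivers on the internet, so parse them with defusedxml or equivalent hardening rather than the plain stdlib parser used here.

```python
"""Summarize a DMARC aggregate (rua) report: which sources sent mail using
the domain, whether they authenticated, and how much mail an enforcing
policy would have blocked.

Added example, not code or data from the page or from any vendor. The
report below is constructed to the RFC 7489 Appendix C layout; the IPs
are documentation ranges and the domains are placeholders. Real reports
arrive from arbitrary receivers, so parse them with defusedxml (or
equivalent hardening) rather than the plain stdlib parser used here.
"""

import xml.etree.ElementTree as ET

# Constructed report: one aligned source, one unaligned vendor, one spoofer.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>example-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.gov</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.gov</domain><result>pass</result></dkim>
      <spf><domain>example.gov</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results><spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
    <auth_results><spf><domain>example.gov</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published_domain, rows) with one dict per source, largest first."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes when the receiver saw an *aligned* SPF or DKIM pass.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # Raw authentication results, before alignment is considered.
        raw_pass = any(
            auth.findtext("result") == "pass"
            for auth in rec.findall("auth_results/spf") + rec.findall("auth_results/dkim")
        )
        if dmarc_pass:
            kind = "aligned"
        elif raw_pass:
            kind = "unaligned third party"  # authenticates, but only for its own domain
        else:
            kind = "unauthenticated"        # likely spoofing or a misconfigured host
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": dmarc_pass,
            "kind": kind,
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return domain, rows


def blocked_under_enforcement(rows):
    """Messages that p=quarantine or p=reject would have acted on."""
    return sum(r["count"] for r in rows if not r["dmarc_pass"])


if __name__ == "__main__":
    domain, rows = summarize_report(SAMPLE_REPORT)
    print(f"report for {domain}")
    for r in rows:
        print(f"{r['source_ip']:>15}  {r['count']:>6}  {r['kind']}")
    print("would be blocked under enforcement:", blocked_under_enforcement(rows))
```

The "unaligned third party" bucket is the one to work through before moving from p=none to an enforcing policy: each such source is either a legitimate vendor that needs to be brought into alignment (sign with your DKIM key, or use your domain for the envelope sender) or an unknown party to be cut off. The blocked total tells you, from real traffic, how much mail the policy change would have affected.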