The battle against phishing, spam, and malicious emails is never ending. 3.1 billion domain spoofing emails are sent every single day, forcing email provider filters to work extra hard to filter out malicious emails and prevent them from reaching inboxes. In this ongoing, multifaceted battle, DMARC email authentication is one way that every organisation can help reduce the volume and damage caused by spam emails.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication policy and reporting protocol. Its purpose is to make it easier for email senders and receivers to determine whether or not a message is genuine, and what to do if it isn’t. By creating a two-way process, DMARC email authentication makes it easier to spot spam and phishing emails and prevent them from reaching email inboxes.
How does DMARC email authentication work?
DMARC email authentication enables domain owners to register their domain and identify the IP addresses from which genuine emails using that domain will originate. When an email is received by an ISP, the receiving ISP checks the DMARC record for the sender’s domain: first whether the email can be authenticated, and if it cannot, the DMARC record provides instructions for what to do with it.
DMARC email authentication builds on the authentication of two other protocols, SPF and DKIM, to verify an email’s sender, and takes them a step further by adding the rules for handling unauthorised emails. DKIM (DomainKeys Identified Mail) is an authentication protocol that allows a sender to digitally sign an email with the organisation’s domain name, ensuring the message’s authenticity. SPF (Sender Policy Framework) is an email validation protocol used to verify the legitimacy of a sender’s domain by defining which IP addresses are allowed to send email from a specific domain.
What is a DMARC record?
A DMARC record is a TXT entry in your domain’s DNS that tells any receiver checking your email domain which policy to apply once it has checked the SPF and DKIM results. DMARC will authenticate the email if either SPF or DKIM, or both, pass.
The DMARC record also tells email servers to send XML reports back to the reporting email address listed in the DMARC record. These reports are useful for showing the sender how an email travels through the ecosystem, and for identifying who is using their email domain.
What DMARC policies can be set?
There are three DMARC policies:
p=none – monitors email traffic but doesn’t take any action. This policy instructs ISPs receiving emails from a domain to send reports back to the sender. This enables organisations to understand who is sending email using their domain.
p=quarantine – unauthorised emails are sent to the spam folder.
p=reject – ensures that the unauthorised email is not delivered at all. p=reject is the ultimate goal of implementing DMARC on your domain, and is the point at which malicious, unauthorised emails are entirely removed.
Best practice for implementing DMARC policies is to work up through the levels of policy as you understand more about your domain, improve SPF and DKIM authentication, and ensure overall compliance with DMARC before implementing the p=reject policy. Going too soon to p=reject could lead to legitimate emails being lost.
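As an added worked example (not code from the original article), the Python below parses a DMARC record of the kind described above and applies its p= policy to an SPF/DKIM outcome, covering both the record format and the three policies. The sample records and the reporting address are constructed; the tag syntax and the none/quarantine/reject dispositions follow the DMARC specification (RFC 7489).

```python
"""Parse a DMARC DNS TXT record and apply its policy to an authentication result.

Added illustration, not code from the original article. Sample records are
constructed; the tag=value syntax and the p= dispositions follow RFC 7489.
"""

# Constructed sample records, as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine":   "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "reject":       "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the required tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The record must begin with v=DMARC1, and p= is mandatory.
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("record must carry p=none, p=quarantine or p=reject")
    tags["p"] = tags["p"].lower()
    return tags


def dmarc_passes(spf_pass: bool, dkim_pass: bool) -> bool:
    """The article's rule: the message authenticates if SPF or DKIM (or both) pass.
    Real receivers also require the passing identifier to be aligned with the
    From: domain; that alignment check is left out of this illustration."""
    return spf_pass or dkim_pass


def disposition(record: dict, spf_pass: bool, dkim_pass: bool) -> str:
    """What the receiver does with the message: deliver, quarantine or reject."""
    if dmarc_passes(spf_pass, dkim_pass):
        return "deliver"
    # Authentication failed: the p= tag decides. p=none only reports.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[record["p"]]


def report_addresses(record: dict) -> list:
    """Extract the mailto: addresses that aggregate (rua) XML reports go to."""
    rua = record.get("rua", "")
    return [u[len("mailto:"):] for u in (x.strip() for x in rua.split(","))
            if u.startswith("mailto:")]


if __name__ == "__main__":
    # Show the outcome of a failed SPF+DKIM check under each policy level.
    for name, txt in SAMPLE_RECORDS.items():
        rec = parse_dmarc_record(txt)
        print(f"{name:13s} p={rec['p']:10s} both fail -> {disposition(rec, False, False)}"
              f"   reports to {report_addresses(rec)}")
```

A domain’s record is published in the TXT record of `_dmarc.<domain>`, so `dig +short TXT _dmarc.example.com` retrieves it for inspection. The rollout advice above maps directly onto the `p` tag: read the reports that `rua` delivers while at `p=none`, fix the SPF and DKIM failures they reveal, then move the tag to `quarantine` and finally `reject`.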
Why is DMARC important?
Social engineering attacks in the shape of phishing emails, spam, and other malicious emails are an ever-present threat for organisations of all sizes, and 90% of all cybersecurity attacks originate with an email. Large email providers (think Google, Microsoft, and others) have filters which decide whether emails should be passed through to inboxes, but this is a very imprecise science, and they often get it wrong. DMARC helps email senders and receivers work together to better secure email, protecting users from malicious emails.
Why you should get your domain DMARC protected
As a domain owner, DMARC email authentication comes with many benefits, and ultimately no downsides.
- It allows organisations to protect domains from being abused by attackers. With a full DMARC p=reject policy in place, attackers are not able to use the domain for phishing emails, brand abuse, scams, malware, or ransomware attacks. Ultimately this protects an organisation’s reputation.
- DMARC email authentication smooths the way for emails to make it through spam blockers, which is particularly important if you send any form of email newsletter or marketing email. More and more ISPs are adopting DMARC email authentication checks before accepting an email, and emails from non-DMARC-registered domains will often be blocked at this point.
- DMARC email authentication is free to use.
Will DMARC authentication stop all spam emails?
In a word, no. DMARC authentication significantly reduces the amount of spam and malicious email reaching users, but it can’t stop them all.
DMARC email authentication only protects against direct domain spoofing. This means that DMARC stops the domain example.com from being spoofed by an attacker. However, spammers are inventive, and will change small details in order to evade detection. DMARC does have an additional side benefit, though: it forces attackers to use more obvious changes, which are easier for users to recognise as spam.
Network administrators have protected example.com under DMARC, so it can’t be used in malicious emails. The attackers realise they can’t use example.com, and start using ex4mple.com instead. DMARC will not detect malicious emails using this domain, as ex4mple.com is not a protected domain.
DMARC also doesn’t protect against display name abuse. Display name abuse is when, at first glance, the email address seems legitimate (email@example.com). It is only when a user hovers over the display name that they see that the sender is in fact firstname.lastname@example.org, a malicious attacker.
Therefore, the best email security policy for all organisations is to combine technical methods, including DMARC email authentication, with continuing to ensure that all employees are able to recognise the signs of a phishing email.