DMARC (Domain-Based Message Authentication, Reporting & Conformance) is the most effective way to combat the most common form of spoofing: FROM Address Spoofing. Keep reading to learn why and how to secure your domain with DMARC.
The impersonation of legitimate corporate email addresses to obtain sensitive information or defraud organizations (more commonly known as phishing) costs businesses billions of dollars every year. It’s estimated that 90% of these attacks are from forged or deceptive email sender addresses – also known as spoofing. In fact, a recent report by the FBI shows that just one type of phishing attack (Business Email Compromise, or BEC) causes more than 5 billion dollars in damages each year.
While DMARC adoption is optional, you should begin looking at whether DMARC makes sense for your organization and planning your roadmap to implementation. But in order to understand DMARC, we first have to understand SPF and DKIM (two widely used authentication methods) and the limitations of those two protocols in addressing FROM Address Domain Spoofing.
What Is SPF? (No, not that SPF)
SPF is an email authentication protocol that allows the owner of a domain to identify which email servers (IP addresses) are authorized to send an email on behalf of their Envelope Domain. During an SPF protocol check, email providers verify the SPF record by looking up the domain name listed in the Envelope Domain address in the DNS. If the IP address sending emails on behalf of the Envelope Domain is listed in that SPF record, the messages will pass SPF protocol authentication.
In an example like this, a passing SPF check tells the mailbox provider that the Envelope Domain (mail.abc-company.com) has given the sending IP (22.214.171.124) permission to send in its name.
So what’s the problem?
Well, while SPF tells us that the sending server has permission to send on behalf of the Envelope Domain (mail.abc-company.com), it tells us nothing about whether this sending server has permission to send using the FROM Address Domain (the domain in the visible From address). This disconnect leaves brands unprotected against cybercriminals, who more frequently spoof the FROM address since it’s the one the email recipient actually sees.
What Is DKIM?
DKIM is a protocol that allows the sending server to cryptographically sign an email in a way that declares a specific domain responsible for the untampered transmission of that piece of mail – and does so in a verifiable manner.
Here’s an example. The DKIM-Signature header in the email tells the mailbox provider which domain (d=) is signing this message:
The mailbox provider fetches the signing domain’s public key from DNS and uses it to verify the signature, which could only have been produced with the matching private key.
A passing DKIM check tells the mailbox provider two things:
1. The DKIM-signed domain (d=mail.abc-company.com) really does “take authority” for the email. (Otherwise, the signature would not have verified against that domain’s public key.)
2. The elements of the email covered by the DKIM signature were not changed in transit.
Again, though, there’s a problem.
A sender can sign a piece of mail with any domain they own, regardless of which domain is used in the FROM address, and it will still pass DKIM! Again, this means that while passing DKIM tells us that the email has not been tampered with in transit, it does not necessarily tell us whether the sender truly is the owner of the FROM Address Domain.
Thankfully, the DMARC protocol instructs mailbox providers not only to look at whether an email passes SPF and DKIM – but also whether the SPF-authenticated domain (the Envelope Domain) and the DKIM signed (d=) domain are also aligned with the FROM Address Domain.
The DMARC protocol also then specifies whether that email should be rejected (bounced), quarantined (placed in SPAM or network quarantine), or left alone entirely based on whether DMARC passes or fails. DMARC also provides a feature that allows major email providers to report back to domain owners, helping them identify weaknesses in their domain authentication at the different platforms they use while also alerting them to potentially fraudulent use of their domain.
When implemented correctly, DMARC helps to ensure that forged emails using a company’s domain will not be accepted by recipient servers.
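The alignment and policy logic described above, as an added example in Python (not code from the article or from Act-On). Domain names, record text and authentication results are constructed, and the organizational-domain helper is a simplification that ignores the public suffix list.

```python
# Added example: minimal DMARC evaluation as described in the text.
# Assumption: org_domain() takes the last two labels; a real receiver
# consults the public suffix list (so co.uk-style domains are not handled).

def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two DNS labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'
    and fill in the protocol defaults (p=none, relaxed alignment)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def evaluate(record: str, from_domain: str, spf_pass: bool,
             envelope_domain: str, dkim_pass: bool, dkim_d: str) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM
    both passed AND its domain aligns with the visible From domain.
    On failure the domain's policy (p=, or sp= for subdomains) applies."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(envelope_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"]
    if "sp" in tags and org_domain(from_domain) != from_domain.lower():
        policy = tags["sp"]  # From is a subdomain: subdomain policy wins
    return False, policy

if __name__ == "__main__":
    # Constructed scenario from the article: SPF passes for the envelope
    # domain mail.abc-company.com while the visible From is abc-company.com.
    print(evaluate("v=DMARC1; p=quarantine", "abc-company.com",
                   True, "mail.abc-company.com", False, ""))
```

The SPF-only case in the article passes DMARC under relaxed alignment because mail.abc-company.com and abc-company.com share an organizational domain; a message signed or SPF-authorized only for an unrelated domain fails and receives the published policy.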
Act-On Is Here to Help With DMARC Implementation
DMARC authentication will apply to any service (corporate servers, marketing automation, CRMs, ESPs) that utilizes your company domain (and even subdomains of your primary domain). This means that successful deployment requires thorough planning, cross-department buy-in, and technical support from your IT department or a third-party specializing in DMARC adoption.