Fight Email Spoofing with DMARC

Ransomware reached an all-time high in 2020, and ransomware usually begins with phishing or spoofing emails. In fact, more than 90% of all cyber-attacks worldwide begin with a bogus email message of one type or another. One of the most common types of bogus email messages you will encounter is the spoofed email message. Spoofing emails contain a forged sender address that makes them appear to be from a colleague or legitimate business. Naturally, people are more liable to trust such a spoofed email message than even a clever alternate phishing email scam. Luckily there is a good way to fight spoofed emails at your organization and it’s called DMARC.

Domain-based message authentication, reporting and conformance (DMARC) is an email protocol that was designed to protect email domains from email spoofing. It was created by PayPal together with Google, Microsoft and Yahoo and was first published in 2012. DMARC extends two existing email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain, how to check the “From” field presented to end users, how the receiver should deal with failures and a reporting mechanism for actions performed under those policies.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected. For example, one email forwarding service delivers the mail, but as “From: no-reply@<forwarding service>”.

However, even using DMARC your organization can still get spoofed. Businesses often relax their security settings to accommodate partners and third parties whose email security may not be as good as their own. It’s important to configure SPF, DKIM and DMARC with the strictest settings your organization can tolerate. It is also important to monitor and review the DMARC reports that are produced by the protocol. This allows you to see what the deliverability rate is for outbound emails, and also allows you to verify who is sending email messages using your organizations name. This can not only help you prevent spoofed emails from reaching your personnel, it helps boost your business reputation when communicating with customers and business partners.