DMARC, short for Domain-based Message Authentication, Reporting and Conformance, determines the authenticity of email messages and makes it easier for ISPs to prevent malicious email practices. Now approaching its 10-year anniversary, it sounds great on paper, so why hasn't every domain on the planet adopted DMARC? Although there’s great value to DMARC, it’s not always easy to properly deploy.
The case for DMARC
Email fraud destroys brand reputation and consumer trust while costing organizations billions of dollars, elevating email fraud to a board-level conversation. Low volume, highly targeted business email compromise (BEC) and email account compromise (EAC) scams are the most dangerous—even more costly than ransomware.
The FBI Internet Crime Report found that BECs/EACs cost global organizations $1.8 billion in 2020 alone. These scams are difficult to detect as attackers rely on social engineering, are highly targeted, and leverage both impersonation tactics and compromised accounts jointly in an attack.
Attackers using BEC focus on human frailty. They use various impersonation techniques, including domain spoofing, lookalike domains, and display name spoofing. These techniques are successful because of the complexities involved in addressing domain misuse. Stopping domain spoofing requires specialized resources and identifying lookalike domains takes even more expertise.
Solving email fraud means security teams have to detect and take away the tactics that fraudsters use in identity deception attacks. Fraud actors either use the company’s domain, a lookalike domain, or include something in the message to deceive their targets.
DMARC adoption today
It has now been a decade since DMARC was published. As of December 2020, 23% of sending domains reject unauthenticated mail, while another 11% of sending domains send mail to quarantine, according to Farsight data published on DMARC.org. While this data represents continued implementation growth, it also means nearly 80% of domains are still not rejecting unauthenticated mail. Stopping BEC requires a multi-layered defense, and DMARC plays an essential role in addressing these complex attacks. So, with such clear benefits, why are so few domains taking advantage of DMARC?
DMARC hazards
Organizations choosing to navigate the DMARC journey—without outside assistance—using internal resources and building data management systems, tend to stumble. However, this need not happen. As the security teams decides whether or not to deploy DMARC to protect its trusted domains, there are several potential hazards team members should know about:
- The high risk of blocking legitimate mail.
- DMARC requires extensive expertise.
- How to store, render, and analyze large data sets.
- A process for identifying and contacting stakeholders.
- Ongoing support and management.
Take the DMARC journey
Email fraud has become a 360-degree problem, as criminals can leverage multiple identity deception tactics to target various stakeholders involved with an organization. This tends to include their employees, customers, and business partners, so mitigating these potential hazards should become a high priority. Consider these four steps to kick off your journey:
- Select a domain. Consider a sub domain vs. primary domain to get started.
- Enable monitoring. Set the mail receiver policy to “none.”
- Add the DMARC Record to DNS. Use the organization’s standard DNS addition process.
- Receive and analyze domain reports. Starting with one domain will reduce the noise.
Like most implementations, the success of DMARC depends on defining objectives, identifying resources, and developing and executing a plan. Start with monitoring to identify a single sender subdomain. Then, use that data to create a phased project plan. Once the team identifies legitimate senders and have fixed authentication issues, it can move to a policy of “reject” and block phishing, business email compromise, and other email fraud attacks.
When most organizations think of DMARC, it’s from the perspective of protecting their domains from abuse. The DMARC policy of “none” is a good first step on the path to “reject.” Using “none” lets the domain owner monitor and ensure that the legitimate email authenticates correctly. DMARC reports then help ensure that legitimate email gets identified and passes authentication. Additionally, the use of DMARC report data offers the opportunity to work with legitimate senders with incorrect settings to ensure the mail sent is accepted.
Protecting the company’s receiving email is the other half of the equation. An organization should ensure that its secure email gateway enforces the DMARC policy implemented by other domain owners as an email receiver. In addition, applying that policy to inbound mail will help protect an organization’s employees against inbound email threats.
If the team finds that the benefits are clear, but its resources limited, consider bringing in someone the company can trust to guide the team through the process. The DMARC standard stands as one of the most powerful and proactive weapons to date in the fight against phishing and spoofing. Now’s the time to implement and enforce DMARC to help the organization reshape the email fraud landscape, disrupt long-standing phishing strategies, and force cybercriminals to no longer consider the company an easy target.
Deborah Watson, Resident CISO, Proofpoint
