+31 (0)88 258 33 46

03 Mar 2022 Prevent email spoofing and avoid business email compromise with DMARC!

Posted at 10:17h in BlueFinch, Data Loss Prevention by

Wondering how DMARC affects email? Here’s a comprehensive guide explaining what DMARC is, how it affects email, and why your company needs it for security. 

By Ekron Dries

What is DMARC? 

What does DMARC stands for? DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol to help email administrators prevent fraudsters from spoofing email domains by specifying whether spoofed emails should be allowed, quarantined, or rejected by recipients. 

DMARC is an open email standard created by the industry consortium DMARC.org that prevents malicious emails that impersonate other people and works to protect your email in conjunction with well-known email standards SPF and DKIM. These two separate records ensure the authenticity of the sender, as well as the validity of the email. Configuring emails to pass DMARC is the only way for email senders to tell email receivers that the emails sent from their domain are actually from them. 

Simply put, DMARC acts as a gatekeeper to a receiving email server. When an email arrives from your sending domain and it isn’t verified with SPF or DKIM, you can use DMARC to tell the receiver to reject, monitor, or quarantine the message. DMARC isn’t mandatory, but most modern email servers are now using it, which means if your email server isn’t configured correctly, your emails could be getting sent to spam. 

Using DMARC as part of your email best practices can: 

  • Authenticate all legitimate email messages and sources for email-sending domains, including owned and third-party domains. 
  • Publish an explicit policy that instructs mailbox providers how to deliver or dispose of messages that are determined to be inauthentic. 
  • Gain intelligence on all use of their domains in email messages from across the Internet. 

Now that you know the basics, let’s dive into some of the most common questions around DMARC. 

Are there other benefits to using DMARC? 

There are some additional benefits to using DMARC on your email server, other than just security. Government organizations and many of the most respected brands in the world have adopted DMARC, which allows them to: 

  • Gain visibility into their email channel to determine the legitimate and fraudulent use of their domains. 
  • Ensure legitimate email is getting delivered and fraudulent email is not. 
  • Receive alerts when changes to email infrastructure may impact the delivery of legitimate messages. 
  • Identify sources and forms of threat so that they’re equipped to proactively prevent attacks. 
  • Improve their overall email reputation score and trustworthiness. 

All of this is important, especially for those companies that send millions or even billions of emails each year. 

How do I know if I have DMARC for my email? 

You can check to see if you have a DMARC email policy in place by looking for a TXT record in your DNS server that begins with “v=DMARC”.  

Use the free Agari DMARC Setup Tool to check your domain. Here you can also find tools to see whether your domain has a DKIM or SPF record. 

Where are DMARC records stored? 

DMARC records are stored on the DNS server that your email server uses. Within your DNS server, you can create and modify DMARC, SPF and DKIM records to secure your mail server. Below is a quick overview of the types of policies you might see in your DNS server, and what they do. 

  • DMARC: Stops spoofing by ensuring inbound mail has SPF and/or DKIM present within the email headers. 
  • SPF: Sender Policy Framework (SPF) is a form of email authentication used to prevent spoofing that ensures emails being sent with your domain only originate from specific IP addresses. 
  • DKIM: DomainKeys Identified Mail, which accomplishes the same goal as SPF, uses cryptography to ensure the emails you send are not modified in transit, and also combats email spoofing. 

What are the options for DMARC policies? 

There are three main DMARC policies that determine what happens to email traffic that fails the DMARC check. 

  • p=reject refuses to accept email that fails the DMARC check. The non-compliant email is dropped, and the sender receives a bounce-back message detailing the reason for the failure. 
  • p=quarantine accepts emails that violates the DMARC check, but marks them as spam. This is typically usually done by moving the email in a spam folder, or tagging the subject line with a warning. 
  • p=none does not impact the flow of email, and is used to monitor which emails are passing or failing the DKIM check. While this policy can help gauge how effective your current policies are, and shape how you implement future email security rules, it does nothing to protect your domain. 

What doesn’t DMARC do? 

DMARC may protect against spoofing, but it doesn’t protect against all forms of email threats. Having DMARC in place does not protect against malicious attachments or links in emails, or from emails that are not coming from your domain. 

A simple DMARC email policy also doesn’t protect against cousin domain attacks. Simply put, cousin domain attacks register domains that look very similar to real companies in hopes of tricking recipients into clicking malicious emails. Here’s an example. 

  • joe@microsoft.com: Here we see this email is coming from the real company, Microsoft. 
  • joe@micosoft.com: At first glance, it may look the same, but attackers registered “micosoft” to trick users into trusting malicious emails. 

Since these attacks rely on tricking the recipient, rather than spoofing a real company, a DMARC email policy alone will not stop these attacks. 

However, Agari Brand Protection works to stop spoofing attacks by rapidly identifying and securing lookalike and cousin domains, while working with name server authorities to take down malicious domain names that already exist.

How do I implement DMARC? 

Implementing proper DMARC isn’t hard once you have a firm understanding of what it does and how it works. We’ve covered the DMARC setup process in depth, but here is an overview on how it’s done. 

  1. Use the Agari DMARC Setup Tool to easily create the required TXT record. 
  1. After choosing your DMARC policy, copy the DMARC rule that the Setup Tool created. 
  1. Log into the management console of your DNS hosting provider, and add a new TXT record. 

If you need additional resources, feel free to reach out to the BlueFinch team at sales@bluefinch.com.  

Larger organisations may find it useful to implement a product like Agari Brand Protection to automate and simplify DMARC email authentication. It helps to protect their customers and partners from email attackers that hijack their brand.  

Tags:
, ,