Implementing DMARC to eliminate phishing emails

In this interview with Help Net Security, Alexander Garcia-Tobar, CEO at Valimail, explains the importance of implementing DMARC, as email is still greatly used by cybercriminals to infiltrate and attack organizations.

Email has been and still is one of the most common attack tools used by cybercriminals. Why do you think this is so?

Email is the leading communications platform used daily by billions of people. Yet, it has no built-in authentication mechanism, allowing anyone to claim they are a trusted person or company, leading to unmitigated fraud and abuse. Compared to other transaction markets like credit cards and HTTPS (e-commerce), every transaction needs authentication.

Another example involves ransomware attacks. They aren’t new and the money at stake has grown dramatically. Cybercriminals have access to the same technology developed to stop them — and they’re expanding their reach to an even greater range of targets. More companies continue to connect their systems and add more access points, making them tempting targets for hackers.

That said, email remains the leading source for cybercrime, implicated in over 90% of all cyberattacks, with the pandemic providing a new vantage point for these attacks. Since the beginning of COVID-19, email security providers (ESPs) reported a surge in pandemic-themed phishing attacks taking advantage of people adjusting to working from home, in environments where they’re easily distracted, with less-secure computer hardware and networks. Meanwhile, phishers readily deploy attacks, with the average phishing campaign lasting only 12 minutes, according to Google, which reports blocking 100 million phishing emails per day.

By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink. This wave is only a starting point. Companies must step up as the risk of going without enforcement will only get worse.

Why is it important to achieve DMARC enforcement?

Many studies show that 90% of cyber attacks start with phishing campaigns. Ignoring this incredible danger by failing to implement some form of email authentication leaves companies vulnerable to financial and reputational damage. Email authentication is a must, especially since 89% of email attacks with cybercriminals pose as someone else. Implementing DMARC eliminates the most common attack vector — phishing emails — and adds another layer of protection.

DMARC enforcement enables domain owners to identify and reject unauthenticated, unauthorized and illegitimate emails. This enforcement prevents fraudulent emails from reaching their intended targets and protects organizations from direct domain spoofing, email phishing and impersonation attacks.

With such a high percentage of data breaches and cyberattacks originating from email, it has become best business practice and even a compliance issue to include DMARC enforcement in a company’s GRC processes. By deploying strong security measures against fraudulent emails, organizations benefit from simplified delivery and increased brand reliability and reputation. Visibility and transparency also benefit domain owners when it’s easier to see how their domains are used.

Can you explain the technology behind DMARC and how it protects from phishing and spoofing?

DMARC is a domain name system (DNS)-based authentication standard that publishes who is allowed to send emails as you. It also provides for email gateways across the world to both send reports to the domain owner and confirm your authentication/permissions policy. DMARC provides the domain owner with complete control over the use of their email domains both internally and externally. In other words, it stops criminals from sending your employees fake emails claiming to be your executive/employees internally. It also prevents the abuse of your brand/domain outside of your company — for example, a criminal sends an email to your customers, etc.

DMARC ties together two existing standards — Sender Policy Framework (SPF) & Domain Keys Identified Mail (DKIM) — and provides a feedback mechanism that previously didn’t exist. SPF and DKIM both indicate the origin of an email, which gets compared against your published DMARC policy to understand whether that gateway should allow the email through or deny delivery.

Because it’s based on DKIM and/or SPF results, DMARC needs at least one in place for the email domain. The DMARC record refers to a text entry in the DNS that identifies an organization’s email domain policy when the domain owner verifies whether a DKIM or SPF has passed or failed. Once an email has been sent, a DMARC record tells servers to send extensible markup language reports to the reporting email address on record.

Sending verified emails that DMARC has authenticated offers brands and individuals another layer of security and protection against potential phishing attacks. DMARC gives operators a way to quickly and easily identify legitimate, authentic emails by replacing the “filter out malicious” email security model with a “filter in the good” email model.

In-house or DMARC-as-a-service: Is one better than the other and why?

One of the biggest myths out there is that DMARC is easy. But really, it’s challenging — only about 15% of all companies, including those working with vendors, achieve enforcement. However, with the right approach, clients achieve enforcement at over 95% success rates without blocking good emails.

DMARC done incorrectly is risky. DMARC comes down to how well you’ve instrumented your policy. Setting up a correct policy depends on your ability to interpret XML reports and tie those to third-party services correctly and precisely.

In addition to setting up the policy, the older DKIM and SPF standards must be understood at a deeper level. For example, SPF has a 10-look up limit, which is easily reached and then breaks authentication.

The right outside vendor will simplify the setup, configuration and ongoing DMARC authentication maintenance. Regardless of which option you choose, the most important part is growing your knowledge about how the standard works and understanding why you need DKIM and/or SPF. You have to commit to keeping up with the required maintenance, like keeping server addresses updated and refreshing DKIM encryption keys regularly.

How does an organization implement DMARC?

Before implementing DMARC, you have a little preliminary work to do which includes:

• Gathering all of the organization’s authorized email domains, including external domains — an email domain sending email on the organization’s behalf.
• Alerting the service provider (or person) in charge of your DNS infrastructure that you’ll be submitting a text record to the DNS record.
• Creating an email address specifically to receive DMARC reports. You can determine the frequency of emails — most people prefer one daily aggregate email.

After you’ve finished the preliminary steps, prepare for deployment by creating your first DMARC record — the record connected to the parent domain. When you set it up, you’ll specify the email address to which it should send the daily reports.