What is DMARC and Does It Protect Email Recipients From Fraud?
Discover how an innovative approach to email security protects against phishing
What if there was a way to protect your brand from bad actors using your email address for fraudulent activity?
It’s a well-known fact that cybercriminals impersonate trusted contacts in order to commit fraud. In fact, 70 percent of all email fraud is sent from a domain name that doesn’t match the one named in the email header.
This approach relies on the fact that email clients do not automatically check whether individual messages actually come from the domain they claim to come from. However, there is a way to independently verify emails that claim to come from your domain.
This method is called Domain-based Message Authentication, Reporting and Conformance (DMARC for short), and it protects your brand against spammers forging email addresses that appear to come from your domain, even when those messages did not originate from your validated outbound SMTP server.
This technology offers numerous benefits to brands, and it isn’t hard to implement. Read on to find out more about DMARC and how you can use it to stop fraudulent email activity conducted in your name.
What is DMARC
DMARC is an important tool for maintaining trust between your brand and its customers and partners. It provides a foundation of trust between your brand and everyone on your email contact list, ensuring that the messages coming from your domain name are secure.
DMARC gives you control over emails that purport to come from your domain. It acts as a filter for messages that claim to come from your domain but that did not actually originate in your mail servers.
This technology lets senders tell email providers which emails really come from them, and further instructs email providers on what to do with messages that fail authentication. It sends reports back to the original sender, letting domain owners know that someone out there is attempting to forge their name for fraudulent activity.
Who needs DMARC
Any organization that operates its own domain name and relies on email to communicate, internally or externally, needs an authentication solution like DMARC. The global volume of email phishing attempts grew by 65 percent in 2017, and it’s not stopping there.
You can no longer trust customers and employees to identify phishing emails by bad grammar, suspicious visuals, and other tell-tale indicators. In fact, a recent Intel study showed that of 19,000 respondents, 80 percent incorrectly identified at least one fraudulent email.
If your business is under your own domain name, then your entire contact list is at risk. Whether a cybercriminal forges your domain name to obtain sensitive data from customers or impersonates executive leadership to steal financial records from your employees, email headers are the easiest tools to counterfeit.
Even if you don’t have an email client set up on your domain, DMARC can help you mitigate the risk of email fraud. Google’s G-Suite follows DMARC protocols and lets users decide how Gmail should treat unauthenticated mail that claims to come from your domain.
Remember that since cybercriminals forge email headers, it doesn’t matter whether you actually send emails from your domain or from a commercial email client like Gmail. In both cases, DMARC sets the record straight by verifying that your messages come from the same server. If your business uses a third-party mail server, you still need to deploy DMARC.
How DMARC works
Email, as a system, has numerous security flaws that have remained largely unaddressed due to the decentralized nature of the Internet. One of the primary flaws is the fact that every email message actually has two From addresses:
- The Envelope From is embedded in the hidden email message header. Mail servers read this data as a return address.
- The Header From is the one you are most familiar with. It is visible to all email users in the From field in your email client.
Cybercriminals can forge either one of these addresses to generate fraudulent emails. DMARC combines two email authentication frameworks to generate an elegant, reliable system for verifying the trustworthiness of both addresses. These are briefly described below:
- The Sender Policy Framework (SPF). SPF lets domain owners specify the mail servers that they use to send emails from their domains. This lets email providers verify that messages come from the correct server for the domain named in the Envelope From field. However, SPF is not perfect. For instance, simply forwarding an email can break the check if the forwarded message arrives from an untrusted server.
- DomainKeys Identified Mail (DKIM). DKIM uses cryptography to ensure that email messages are sent from authentic sources. The cryptographic protocol is quite complex and it has not been widely adopted, which means that DKIM alone cannot reliably verify a sender’s identity. Additionally, DKIM is invisible to non-technical users and does not prevent the forging of Header From fields.
While these two technologies do not provide for reliable email authentication on their own, when combined they provide a powerful framework for aligning domains with Envelope From and Header From addresses. This is where DMARC’s two innovative features, domain alignment and reporting, come into play.
When a DMARC user sends an email, the email provider that receives the message checks whether a DMARC record has been published for the Header From domain. If it has, the provider checks whether the Header From domain matches the Envelope From domain verified by SPF, and whether the Header From domain matches the DKIM-verified domain name.
Using DMARC, domain owners can control what happens to messages that fail these checks. You can have these messages quarantined (sent to the recipient’s spam folder) or rejected (sent directly to the trash). DMARC automatically generates and sends reports to the domain owner for each failed attempt.
This combined solution is so successful that both the United States and United Kingdom governments are implementing DMARC. Fortune 500 businesses in the financial and technology sectors are also increasingly incorporating DMARC.
How to implement DMARC
The easiest way to implement DMARC is through a third-party deployment service. Vendors like DMARCian.com provide ideal reporting services for low-volume email users interested in protecting a single domain.
If your business has multiple domains and sends a high volume of emails on a regular basis, you will need to use an enterprise-level authentication service.
If you wish to implement DMARC manually, you need to access your Domain Name System (DNS) records and publish a TXT record like the following:
v=DMARC1; p=quarantine; pct=100; rua=mailto:yourmail@yourdomain.com
This tells the email providers that receive your messages:
- DMARC (v=DMARC1) is used
- Messages that fail DMARC are treated as spam (p=quarantine)
- 100 percent of your messages should be treated in this way (pct=100)
- The address that the aggregate reports must be sent back to (rua=mailto:yourmail@yourdomain.com)
For this record to work, you must also publish your SPF record and your DKIM record for your outbound SMTP service. You must then ensure that your outgoing emails carry a DKIM signature that corresponds to the DKIM record you published.
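As an added example (not code from the original article or from any vendor it names), the following Python parses a DMARC TXT record like the one above and applies the alignment check described under "How DMARC works": the message passes if either the SPF-verified domain or the DKIM-verified domain aligns with the Header From domain, and otherwise receives the record's p= policy. The organizational-domain helper is a simplification that takes the last two labels; real receivers use the Public Suffix List, and pct sampling is not modelled.

```python
from typing import Optional

def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; pct=100; rua=mailto:...' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be first and p= is mandatory; anything else is not a usable record.
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: v=DMARC1 and a valid p= tag are required")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real receivers consult the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed mode ('r', the default) matches org domains."""
    if mode == "s":
        return header_from.lower().rstrip(".") == authenticated.lower().rstrip(".")
    return org_domain(header_from) == org_domain(authenticated)

def evaluate(record: dict, header_from: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' or the disposition from the record's p= tag.

    spf_pass_domain is the Envelope From domain if SPF passed, else None;
    dkim_pass_domain is the d= domain of a valid DKIM signature, else None.
    """
    spf_ok = spf_pass_domain is not None and aligned(
        header_from, spf_pass_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        header_from, dkim_pass_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]

if __name__ == "__main__":
    # Constructed sample: the record from this article evaluated against a forged Header From.
    rec = parse_dmarc_record("v=DMARC1; p=quarantine; pct=100; rua=mailto:yourmail@yourdomain.com")
    print(evaluate(rec, "yourdomain.com", "attacker.example", None))  # quarantine
```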
Do you want to learn more about DMARC deployment and implementation? Have DuoCircle walk you through the steps so that your domain remains secure against cybercriminal forgery, and while you are at it, check out our Phish Protection service.