Email threats persist as one of the most common infection vectors. Demonstrating the prevalence of email inbox targeting, Verizon’s 2019 Data Breach Investigations Report found that 94% of successful breaches begin with email. There are numerous threats to personal and business email accounts. These threats include, but are not limited to, the following: spear phishing links, spear phishing attachments, spam emails, social engineering, business email compromise (BEC), and spoofed domains.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities. Once the DMARC DNS entry is published, any receiving email server can authenticate incoming email based on the instructions the domain owner has published in that DNS entry. If the email passes authentication, it will be delivered and can be trusted. If the email fails the check, then depending on the instructions in the DMARC record, it could be delivered, quarantined or rejected.

DMARC extends two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures – and a reporting mechanism for actions performed under those policies.
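
The receiver-side check described above, as an added example (not from the original post or from any mail server's code): it parses a published DMARC record and decides the outcome from the SPF and DKIM results and their alignment with the From: domain. The domains, the record and the simplified subdomain test used for relaxed alignment are assumptions for illustration.

```python
# Added example: receiver-side DMARC decision (simplified from RFC 7489).
# example.com / example.net and all sample values are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts subdomains.
    Assumption: the From: domain is the organizational domain. Real
    receivers find it with the Public Suffix List."""
    a, f = auth_domain.lower(), from_domain.lower()
    if a == f:
        return True
    return mode == "r" and a.endswith("." + f)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the requested disposition: none/quarantine/reject."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    # DMARC passes if either mechanism passes AND aligns with the From: domain.
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail: DKIM signed by example.com itself.
    print(evaluate(RECORD, "example.com", False, "", True, "example.com"))
    # SPF passes, but only for an unrelated envelope domain: not aligned.
    print(evaluate(RECORD, "example.com", True, "example.net", False, ""))
    # Strict DKIM alignment refuses a subdomain; relaxed SPF accepts one.
    print(evaluate(RECORD, "example.com", False, "", True, "mail.example.com"))
    print(evaluate(RECORD, "example.com", True, "bounce.example.com", False, ""))
```

The returned disposition is only what the domain owner requests; the receiving server decides whether to apply it.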

DMARC also provides visibility into all outbound emails sent from an organization and the third-party providers organizations use. This technology also gives users information on where other senders are and their respective reputations. DMARC provides metrics that give insight into who is receiving emails sent from an organization, which emails are not authenticated, and where emails are being sent. The reports generated by DMARC similarly enable the owner of a domain to be notified when a user is attempting to send emails purporting to be from their organization.

Since so many threat actors rely on deception or on exploiting the inherent trust built by reputable organizations, threat actors have experienced considerable difficulty delivering their lures to mailboxes employing email authentication technology. Third-party reputation services implementing DMARC, email filtering, spam-scoring, and other similar technologies can decrease the likelihood of malicious email delivery. The use of email authentication technology is largely driven by threat actors' continual targeting of email inboxes and by the problems that technologies like DMARC create for threat actors seeking to conduct these types of attacks.

Limitations of DMARC

DMARC is not intended to, and will not, mitigate all types of threats to email, including internal spear phishing, email spoofing of legitimate domains, or the compromise of unprotected domains. DMARC’s security is limited by users who do not register all of their domains, regardless of whether a domain is tasked with sending emails, or who do not make full use of DMARC policies to reject or quarantine mail. Although DMARC is widely adopted and adds safeguards for email security, it has a few limitations that should be considered when deciding to implement this technology.

  • DMARC does not provide all-encompassing protection against all types of threats sent via email, and it is limited by the tendency of users to implement DMARC solely for domains that send emails. This means that users are not protected against legitimate business emails that are compromised, internal spear phishing, or social engineering.
  • Although DMARC has been gaining in popularity and self-proclaims almost five billion email accounts worldwide, DMARC does not enforce any policies on the organizations that implement its technology. This means that organizations themselves must designate whether emails should be quarantined or rejected.
  • DMARC does not offer overall brand protection, which leaves threat actors able to spoof an organization’s domain or leverage another enterprise domain not currently tasked with sending emails to send malicious content.
  • Even if you enforce the DMARC ‘reject’ action, some mail systems such as Microsoft O365 still override the flag and treat it the same as the ‘quarantine’ action. The unauthorized mail can still be delivered to the recipient’s junk box. This means it is up to the receiving mail servers whether or not to honor the DMARC action. DMARC is not a hard control solution!
  • The DMARC reporting feature provides only very limited information. Timestamps, IP addresses and domain names are all the information in the DMARC report email. Think about what you can do if a report shows that a rogue mail server in India keeps sending email on behalf of your domain.


  • Implement a layered security approach and utilize email technologies to limit the amount of spam reaching user emails.
  • Educate employees on the dangers of clicking on links and enabling macros, especially those originating from outside an organization.
  • Educate employees on relevant phishing lures and campaigns.
  • Ensure that Sender Policy Framework (SPF) records include all mail servers authorized to send emails.
  • When few emails fail DMARC under the quarantine policy, consider implementing reject.
  • Continuously monitor DMARC reports for any attempted phishing attacks to remain vigilant. Postmark offers a free service that lets you easily monitor DMARC reports weekly.
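
An added example (not part of the original post) of the report monitoring and the quarantine-to-reject decision recommended above: it reads one aggregate report in the RFC 7489 XML layout and returns pass/fail counts per source IP plus the overall failure rate. The report, IP addresses and domain are constructed sample data.

```python
# Added example: summarise a DMARC aggregate (rua) report per source IP.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout.
# IPs are from documentation ranges; example.com is a placeholder domain.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1577836800</begin><end>1577923200</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise(report_xml):
    """Return (policy, {source_ip: {"pass": n, "fail": n}}, failure_rate)."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either aligned result is "pass".
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        per_ip[row.findtext("source_ip")][outcome] += count
    total = sum(c["pass"] + c["fail"] for c in per_ip.values())
    failed = sum(c["fail"] for c in per_ip.values())
    return policy, dict(per_ip), (failed / total if total else 0.0)

def unauthenticated_sources(per_ip):
    """Source IPs that sent at least one message failing DMARC."""
    return sorted(ip for ip, c in per_ip.items() if c["fail"])

if __name__ == "__main__":
    policy, per_ip, rate = summarise(SAMPLE_REPORT)
    print(f"policy={policy} failure_rate={rate:.1%}")
    for ip in unauthenticated_sources(per_ip):
        print("failing source:", ip, per_ip[ip])
```

Aggregate reports come from outside parties, so parse real ones with a hardened XML parser such as defusedxml rather than the standard-library parser used here for brevity.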


Reference: Deloitte communication
Written by Felix
