Authentication has been around for thousands of years. For example, in ancient times monarchs would affix their royal seal to important letters and other documents. This helped to prevent tampering, and assured the recipient of the genuineness of the message.
Of course, in today’s digital world methods of communication and authentication have changed dramatically from past generations. However, the importance of message validation has never been greater.
Take email, for example. Businesses that leave themselves vulnerable to email spoofing and other forms of fraud can easily lose credibility with their customers. In contrast, companies that take email security seriously will not only enjoy a competitive advantage in the marketplace, but will also earn increased customer loyalty and all the subsequent benefits that come along with it.
One important aspect of making your email secure is to implement the DMARC protocol. What is DMARC? Why is it so critical to email security? Why should you adopt it? This article will address those questions in depth. First, though, let’s briefly examine the history of email security to better understand where DMARC fits into the picture.
A Brief History of Email Security
When email was first invented in 1972, it was described by one user as “a nice hack,” but there was never any intention to make this new form of communication a high-security medium. Email routing and labeling protocols would state which computer sent the message, which computer received it, and what time this exchange occurred. None of this information would be encrypted or authenticated.
In the early 1990s, the first attempts were made to establish robust security measures around email correspondence. Companies began to rely on public-key cryptography (PKC), an encryption technique that utilizes a paired public and private key algorithm to ensure secure communication. Pretty Good Privacy (PGP) encryption, version 1.0, was created in 1991, followed in short succession by other cryptography protocols such as GPG, S/MIME, and TLS.
However, such encryption solutions also featured significant drawbacks. For one thing, PGP and other protocols have a reputation for being unwieldy, inconvenient, and next to impossible to scale across an enterprise-level corporation. Inconsistency across applications, services, and client processes also factors into the frustration with email encryption.
As a result, email security in today’s world often involves a multi-pronged approach that encompasses both extensive employee training and a comprehensive set of security protocols. While encryption protocols are still in use today, many companies focus on achieving a level of email security that is simultaneously robust, flexible, and intuitive.
Thus, DMARC comes into the picture as part of a multi-pronged approach to email security.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is a technical standard that serves as a protection against such practices as phishing, spamming, and spoofing.
In short, DMARC allows a business organization to publish its specific policy on email authentication procedures. In turn, mail servers that have access to the policy can enforce it against messages claiming to originate from the company that fail to authenticate. Not only will the servers block or flag those fraudulent messages, but they will also report such occurrences to the appropriate authority within the company.
DMARC implementation almost always begins with the creation of a DMARC record within DNS (Domain Name Servers). This is comparable to listing a business within a phone book; the Internet keeps a directory of registered domain names, and translates them into Internet Protocol (IP) addresses.
Publishing a DMARC record to DNS is a good start; however, this initial step only involves the reporting side of matters. To make DMARC truly effective as a security measure, the company must “build” DMARC onto the foundation that DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) provide.
In fact, DMARC unifies DKIM and SPF functionalities into a streamlined authentication process. For instance, DMARC domain alignment helps to prevent spoofing by ensuring that a message’s “From” domain corresponds to its Return-Path domain (in the case of SPF).
The bottom line? DMARC is a crucial aspect of cutting-edge email security. It utilizes and combines pre-existing protocols from DNS, DKIM, and SPF to efficiently authenticate messages, and generate reports in the case of authentication failure.
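To make the DNS record, the alignment check and the policy decision described above concrete, here is an added example (not code from the original article or from any vendor it names) of how a receiving mail server would evaluate a published DMARC record. It assumes the tag names defined by DMARC (`v`, `p`, `rua`, `adkim`, `aspf`), a constructed record for the placeholder domain `example.com`, and a simplified organizational-domain rule (real receivers consult the Public Suffix List); the function names are this example's own.

```python
# Minimal DMARC evaluation: parse the DNS TXT record, test identifier alignment,
# and return the disposition the record asks for. Added example; simplified.

def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict. Returns None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record_txt, from_domain, spf_result, mail_from_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the record's requested action ('none', 'quarantine', 'reject'),
    or 'no-policy' when the domain publishes no usable DMARC record."""
    rec = parse_dmarc_record(record_txt)
    if rec is None:
        return "no-policy"
    # SPF counts only if it passed AND its Return-Path domain aligns with the From domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, rec["aspf"])
    # DKIM counts only if a signature verified AND its d= domain aligns with the From domain.
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, rec["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return rec["p"] if rec["p"] in ("none", "quarantine", "reject") else "none"

# Constructed record for the placeholder domain example.com (rua = where aggregate reports go).
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r"
```

A message whose SPF passes for `bounce.example.com` aligns with a From of `example.com` under the relaxed rule but not under `aspf=s`, which is why tightening alignment should be done only after reviewing the reports.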
Why is DMARC Important to Small and Midsize Businesses?
For businesses that regularly send commercial or transactional email, properly configured DMARC is a protection for owners and their customers alike. This is especially true of SMBs that may lean heavily on email for marketing initiatives and even revenue streams.
Some advantages of using DMARC include the following:
- DMARC allows mail servers to accurately evaluate whether messages that claim to originate from your domain actually do. Then, messages that fail authentication can be flagged or outright rejected. This means that subscribers to your email list and other current or potential customers won’t be bothered by fraudulent emails purporting to come from your company.
- Correctly implemented DMARC can also significantly improve your deliverability. ISPs are less likely to flag messages as spam if they can verify the sender’s identity.
- Small to midsize businesses often have an easier time fine-tuning their DMARC strategy since they have fewer domains to address than enterprise-level companies. For instance, if you send a high volume of email from your domain to mailing lists that will result in a DMARC “fail” result, you have the option to relax DMARC security for those messages (no “flags” or “rejects”) so that they can reach their target destinations.
Potential Consequences of Not Implementing DMARC
While there are several benefits that come from implementing DMARC, there are also many risks associated with not doing so. Many businesses around the world leave themselves and their customers open to malicious phishing attacks, as well as other forms of fraudulent activity. In fact, one study found that over 84% of EU and US-based e-retailers lack a DMARC policy, and only 23% of companies in the Fortune 500 have some form of DMARC policy in place.
Some risks of not implementing DMARC include:
- Lack of accurate information about the company’s domain. Without DMARC reporting processes in place, organizational leaders can easily find themselves in the dark as to where legitimate emails are originating from.
- Loss of brand reputation. Customers and prospective customers that receive shady messages professing to originate from a particular company will likely shy away from doing business with the organization in question – even if the company is not at fault. Such a blow to a small to midsize business’ reputation can be devastating.
- Inability to effectively defend against threats. Without the detailed information that DMARC reporting can provide, company leaders may not be able to pinpoint threats against their brand until it is too late. Instead of taking proactive measures to guard their business and their customers against phishing and spoofing attacks, these owners and managers will likely find themselves two steps behind when an attack occurs.
As more and more companies begin to implement DMARC protocols, those organizations that refuse to adapt will be more frequently attacked by scammers and other malicious users looking for easy targets. In fact, one email-centric cyber-attack known as Business Email Compromise (BEC) was leveraged by impostors approximately 40,000 times between October 2013 and December 2016, and resulted in losses of millions of dollars.
How Dmarcian and KTG can Help
For many SMBs, lack of knowledge and inexperience in executing DMARC protocols can be major concerns when deciding on which email security measures to implement. Thus, many business owners have found that SaaS platforms designed to streamline and simplify DMARC usage provide an excellent alternative to managing DMARC in-house, without any external support.
Dmarcian is one such SaaS platform. It offers several key benefits for small to midsize businesses, including the following features:
- Dmarcian’s easy to understand XML feedback contains a wealth of useful information, presented in a clear and logical manner.
- A Domain Overview contains a summary of the status of all your domains and sources.
- An easily accessible and visually intuitive database compiles and stores the geographical locations of recent abuse.
- Dmarcian’s Detail Viewer shows a timeline of your data before and after DMARC, along with search parameters such as From and To date selectors, and a filter option to indicate what would have happened had a DMARC policy been executed.
- The Detail Viewer also groups your data into four high-level categories: DMARC-capable, Non-compliant, Forwarding, and Threat/Unknown, all of which you can explore in more detail.
- For Enterprise plans, dmarcian’s Domain Discovery feature can automatically discover your digital assets and add them to your catalog.
- Additionally, Enterprise plans offer Single Sign-On capabilities to define, manage and simplify access requirements.
At Kraft Technology Group, we are committed to providing world-class cyber-security to each of our clients, which is one reason why we’ve partnered with Dmarcian. Listed below are some other reasons for our partnership:
- Dmarcian’s CEO, Tim Draegen, is one of the original contributing authors of the DMARC standard.
- Dmarcian is extremely scalable. They work well with SMBs and Fortune 100 companies alike.
- Dmarcian makes comprehensive DMARC implementation intuitive and user-friendly.
We believe that a combination of in-depth employee training and comprehensive security protocols, including Dmarcian’s SaaS platform, will result in a safe experience for customers, an enhanced reputation for the company, and ultimately increased revenue.
If you’d like to learn more about how we can help you to implement a robust DMARC solution for your email authentication management, reach out to us at Kraft Technology Group today.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.