Email dates back to the beginnings of the Internet. The SMTP protocol, which is at the heart of email, dates back to 1982. In those days the Internet was a small network of computers that trusted each other. Security wasn’t an issue. That history has caused problems for email ever since. A sender can put any “From” address on a message, and there’s no guarantee it’s authentic. Forged messages are a huge problem today.
Authenticating the sender
Several protocols have been developed to improve the situation. Nothing can stop someone from using any address, but there are ways to check the authenticity of the address a message uses. Two popular protocols for this are SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). SPF uses DNS records to designate servers which are authorized to send email for a given domain. DKIM supports adding a digital signature to a message to confirm its authenticity.
DMARC builds on DKIM and SPF. Senders can use one or both with their messages. What DMARC does is to let domain owners tell mail recipients which of the protocols (either or both) they use and how they should treat messages that aren’t authenticated.
It requires adding certain fields to the domain’s DNS records. These fields tell receivers what policy to apply to unauthenticated messages. They ask the receiving server to “reject” or “quarantine” them. They can also specify a “none” policy, which says to treat the messages normally, for testing purposes. The instruction is only advisory; the receiving server can treat messages however its administrators want. A receiving server that doesn’t support DMARC will just treat mail normally.
DMARC’s importance to businesses
Spammers don’t just spam every address they discover; they use them as forged sender addresses. If your address is publicly known, it’s almost certain that it’s in the “From” field of some spam email. While the creators of email filters understand this, individuals who get the messages may not. Mail with spoofed addresses will damage a business’s reputation if they reach a lot of people.
Targeted forgeries are another threat. Someone with a grudge against a business can send a wave of threatening or insulting mail impersonating its CEO or collections department. “Phishing” email often impersonates a business while sending out a fake invoice that links to a malicious website.
Some criminals use a high-ranking officer’s email address in messages to deceive the company’s employees. If they’re successful, the employee may do something that will cost the company a large amount of money. This trick is known as business email compromise, or informally as “spearphishing.”
DMARC can’t eliminate all forgeries, but it can help mail servers to catch and block them. This means fewer chances of damage to a business’s reputation and blacklisting of mail.
The consequences of not using DMARC
The value of DMARC has grown rapidly as more sending and receiving servers use it. Filters raise a message’s spam likelihood score if the sender’s domain doesn’t implement it. Messages are more likely to be incorrectly flagged as spam.
Using DMARC protects a business from incoming spam and forgeries as well. Spammers rarely use the system, since it would only help to identify them for what they are. That’s one more tool for flagging and blocking incoming spam. Without that protection, employees are more likely to click on or reply to forgeries.
DMARC in government
A large number of government agencies have adopted DMARC. DHS has mandated its use in many cases, effective October 16, 2018. Reports disagree on the exact adoption rate, but at least 62 percent of the affected agencies have adopted it as of the deadline. This includes not just having the records in place but specifying a policy of rejecting mail from unauthenticated sources.
Fraud operators include irs.gov and fbi.gov among their favorite domains to forge, since a message from there looks very intimidating. Mail servers that enforce DMARC policies can now block all of those messages.
The adoption policy also affects messages sent to government agencies. Messages to them from domains that don’t have any forgery protection are more likely to be blocked as spam.
Other governments have adopted similar requirements. All domains under gov.uk are required to have anti-forgery records.
Setting up the records requires considerable care. A mistake could result in the blocking of legitimate mail. The records need to include all domains from which employees are allowed to send out mail, including independent mailing list services. If they use their personal accounts with their work addresses, they may have to change their habits.
DMARC reports are available from many service providers. They contain information on what domains are sending mail using your addresses. The list will inevitably include forgers, but it could also include legitimate domains which your records have omitted.
The amount of data is large and not very readable in its native form. Fortunately, software tools are available to simplify the analysis. They turn the information into graphic form with a variety of views. You can see how much of the traffic to the reporting sites is compliant, non-compliant, or unknown.
Such tools help in identifying unauthorized servers which consistently send mail using addresses from your domain. Some may be persistent forgers, but others could be legitimate sources that you need to add to your list of authorized senders.
Kraft Technology Group provides expert IT services to businesses in Nashville and beyond to help improve all aspects of your operations. We can help to ensure that your email gets through while reducing the impact of forgers. Contact us for more information.
CISA Cyber Essentials Toolkits: Yourself, The Leader – Part One
Business Leadership Is First On CISA Cyber Essentials Toolkits Following their Cyber Essentials resource, CISA has rolled out an additional… Learn more
Why Are You Not Defending Your Business From Ransomware?
Ransomware Is A Threat To Your Business - Why Aren’t You Defending Against It? Is your head in the sand… Learn more
New Louisiana Legislation Launches MSP Registration
Louisiana Legislation Signs Louisiana Act 117 - Senate Bill 273, Requiring MSP Registration Louisiana Act 117 – Senate Bill 273… Learn more